Using an LDAP Directory for User Mapping with Tickets for SSO
If you use an LDAP directory as the data source for user data, you can use this procedure to enable portal users to access back-end systems with Single Sign-On (SSO) with a different user ID. The user ID for the back-end system is stored in the LDAP directory as a user attribute. When the portal creates the ticket for SSO, it writes both the portal user ID and the mapped user ID into the ticket.
This configuration enables you to map users automatically. The UME simply reads the user ID for the back-end system directly out of the LDAP directory. Either the user ID for the back-end system was already in the LDAP directory or you configured synchronization between the LDAP directory and an ABAP system. The synchronization process then enters the back-end user ID into the directory service.
The LDAP directory stores the back-end user IDs in unencrypted form. To prevent these IDs from being manipulated, you must make sure that no unauthorized users have write-access to the LDAP directory, in particular to the attribute containing the back-end user ID.
A malicious user could otherwise manipulate these IDs so that their ticket contains a different back-end user ID, one that has more extensive authorizations in the back-end system than the user should otherwise have.
More information: User Mapping and the Portal
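As an added example, not part of the SAP documentation, the following Python audit reads an LDIF export of the user subtree and flags mappings worth reviewing: users with no mapped ID, one back-end ID claimed by several portal users (which contradicts the one-ID-per-user prerequisite), and IDs that appear in an assumed privileged list. The attribute name sapusername is the default described below; the LDIF sample and the privileged-ID set are constructed.

```python
"""Audit the LDAP attribute that feeds REFERENCE_SYSTEM_USER.

Added example (not from the SAP documentation). With
ume.usermapping.refsys.mapping.type=attribute the UME copies the physical
attribute (sapusername by default) into the logon ticket, so anyone who can
write that attribute chooses the back-end identity. Reviewing the attribute
values is therefore part of checking the write-access restriction.
"""
from collections import defaultdict

MAPPING_ATTRIBUTE = "sapusername"  # physical attribute behind REFERENCE_SYSTEM_USER

# Constructed sample export; real data would come from an ldapsearch of the user subtree.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
sapusername: JDOE

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
sapusername: DDIC

dn: uid=bwong,ou=people,dc=example,dc=com
uid: bwong
sapusername: JDOE

dn: uid=ckhan,ou=people,dc=example,dc=com
uid: ckhan
"""

PRIVILEGED_BACKEND_IDS = {"DDIC", "SAP*"}  # assumption: IDs the back end treats as administrative


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry; folded lines are joined,
    base64 ('::') values are left undecoded."""
    entries, current, unfolded = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF continuation line
        else:
            unfolded.append(raw)
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def audit_mappings(ldif_text, privileged_ids=PRIVILEGED_BACKEND_IDS):
    """Return findings: users lacking a mapped ID, back-end IDs shared by several
    portal users, and portal users mapped to a privileged back-end ID."""
    owners = defaultdict(list)
    findings = {"missing": [], "shared": {}, "privileged": {}}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        values = entry.get(MAPPING_ATTRIBUTE, [])
        if not values:
            findings["missing"].append(uid)  # ticket would carry no mapped back-end ID
            continue
        for backend_id in values:
            owners[backend_id].append(uid)
            if backend_id.upper() in privileged_ids:
                findings["privileged"][uid] = backend_id
    findings["shared"] = {bid: sorted(u) for bid, u in owners.items() if len(u) > 1}
    return findings
```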
● Users have the same ID in all back-end systems that are configured to use tickets for SSO. Passwords can be different.
● The back-end systems that are configured to use tickets for SSO accept tickets from the portal.
More information: Configuring Component Systems to Accept Portal Logon Tickets
● The UME uses an LDAP directory as the data source.
● This procedure requires you to restart the AS Java, so you should plan for the required downtime while the AS Java restarts.
● The reference system and any target systems must exist in the portal system landscape.
For the system to appear in the user mapping interface, you must have done the following:
○ You have created a system alias for the reference system.
The reference system needs a system alias for the system to appear in the mapping interface.
Changing the default system alias does not affect user mapping. However, if all system aliases are removed, user mapping is lost to that system, even if a new system alias is created with the same name as the previous default.
○ You have assigned end user permission to the users, groups, and roles that access the reference system.
More information:
● Maintaining a System Alias List
● Setting Permissions in the Permission Editor
1. Customize a data source configuration file to include the attribute containing the ABAP user ID.
Define the attribute mapping from the logical attribute REFERENCE_SYSTEM_USER to the physical attribute that actually stores the back-end user ID in your LDAP directory. By default the logical attribute is mapped to sapusername.
Whether you make the LDAP directory read-only or read-write determines whether end users or administrators can maintain the user mapping information.
If the mapped user ID is stored in a read-only LDAP directory, the User field is disabled and cannot be modified.
More information:
○ Customizing a UME Data Source Configuration
○ Example: User Mapping with LDAP and Tickets
2. Configure the UME to get the back-end user ID for users from the logical user attribute REFERENCE_SYSTEM_USER in the LDAP directory.
Set the UME property ume.usermapping.refsys.mapping.type as follows:
ume.usermapping.refsys.mapping.type=attribute
More information: Editing UME Properties
3. Configure the UME to use the new data source configuration file.
More information: Configuring the UME to Use an LDAP Directory as Data Source
4. Restart the AS Java.
5. Configure the reference system in the portal system landscape.
○ Under User Management:
■ Set Logon Method to SAPLOGONTICKET.
■ You must set User Mapping Type for the system to appear in the user mapping function.
○ Under Connector, set System Type.
More information:
○ System Properties for User Mapping
6. Configure any target systems in the portal system landscape.
Under User Management, set Logon Method to SAPLOGONTICKET.
7. Start User Management Configuration.
More information: Configuring Identity Management
8. Choose the User Mapping tab.
9. In Reference System, select the system alias of the back-end system to use as the reference system.
10. Save your changes.
11. Map users to back-end systems and users.
The following options for mapping users exist:
○ Map users manually
The options available to you for mapping users manually depend on the value you entered for the system's User Mapping Type.
If the mapped user ID is stored in a read-only LDAP directory, the User field is disabled and cannot be modified.
You have the following options for performing this mapping:
■ The administrator maps the users to their users in the back-end system.
This requires the administrator to keep track of each user's portal user ID as well as their user ID and, optionally, their password in the reference system.
When the administrator configures a mapping for a user, the UME by default checks the mapped user ID and password against the reference system. You can disable the check for administrators.
To disable the check, set the UME property ume.usermapping.admin.pwdprotection=FALSE.
More information: Configuring User Mappings on the Behalf of Users
■ Let users map themselves.
This requires users to know which system is the reference system and their user ID and passwords in the reference system.
To map their own user IDs, users require authorizations for self-management.
More information:
● Setting Portal Preferences
○ Map users automatically
To map users automatically, configure synchronization between the LDAP directory and the reference system. Map the physical attribute to the logical attribute REFERENCE_SYSTEM_USER with the ABAP user ID.
More information: Synchronization of SAP User Administration with an LDAP-Compatible Directory Service