7/30/2019 NWIDM One Identity and Access Management Scenario
http://slidepdf.com/reader/full/nwidm-one-identity-and-access-management-scenario 1/21
PUBLIC
One Identity and Access Management Scenario
Document Version: 1.0 - 2013-05-07
Table of Contents
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Scenario Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
3 Scenario Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4 Setting Up the Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
4.1 Installing the Identity Center Designtime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2 Installing the Identity Center Runtime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3 Installing the Identity Management User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.4 Installing the Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.5 Setting up the SAP ID Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5 Configuring the Back-end Repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1 Configuring the Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.2 Configuring the AS ABAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.3 Configuring the AS Java. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5.4 Configuring SAP Business Objects Business Intelligence Platform 4.0. . . . . . . . . . . . . . . . . . . . . . . . . .11
5.5 Setting up SAP HANA Database as a Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6 Customizing SAP NetWeaver Identity Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
6.1 Customizing the Identity Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.2 Setting Up the Connectivity between HCM and SAP NetWeaver Identity Management. . . . . . . . . . . . . . 14
6.3 Setting Up the Connectivity between Active Directory and SAP NetWeaver Identity Management. . . . . . 15
6.4 Setting Up the Connectivity between the AS ABAP and SAP NetWeaver Identity Management. . . . . . . . 15
6.5 Updating SAP User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
7 Configuring the Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.1 Configuring the SAP GUI to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.2 Customizing the Internet Explorer Settings to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . 17
7.3 Configuring the NetWeaver Business Client to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . 17
7.4 Configuring the Web Intelligence Rich Client to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . 18
8 Disclaimer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
9 Open Source Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
1 Introduction
SAP System landscapes consist of many application servers, both on premise as well as more and more on
demand. Scenarios usually consist of more than one application, running on different application servers. This is
especially true for the NetWeaver end-to-end Scenarios in 2013.
The task of managing users in these complex landscapes confronts organizations with many challenges. It usually
takes a lot of effort to implement and maintain. Employees require a long time until they can finally work with the
applications they need.
Employees have to remember their authentication credentials for every application they need to access. User IDs
may vary for each system, and passwords are often complex to comply with company policies. As a result, many
users note down their passwords and store them in unsafe locations, posing a security risk. Or they call the
company helpdesk to reset forgotten passwords, creating an administrative overhead that can add up to a
considerable cost factor in larger enterprises.
The One Identity and Access Management scenario describes a straightforward approach to set up harmonized
user management and single sign-on for heterogeneous system landscapes using SAP NetWeaver Identity
Management and SAP NetWeaver Single Sign-On. The ultimate goal is to centrally create and manage users, who
can then access all systems after logging in only once. The scenario consists of these main components:
● SAP NetWeaver Identity Management
○ Streamlines identity management processes in heterogeneous system landscapes.
○ Creates efficient administrative processes and reduces total cost of ownership.
○ Is centered around and triggered by business processes and identity-relevant business events with a tight
integration with the SAP Business Suite, for example, with SAP ERP HCM.
○ Supports compliance and segregation-of-duties checks through the integration with access control.
● SAP NetWeaver Single Sign-On
○ Higher user productivity and increased security by alleviating the burden on users of having to remember
dozens of passwords and perform separate login procedures for each software application.
○ Lower help desk costs through significantly fewer help desk calls to recover passwords.
○ Confidentiality through data encryption during data transmission between client and server systems.
● SAP ID Service covers the processes for managing the authentication lifecycle within the SAP HANA Cloud.
Users have one SAP identity and use single sign-on when browsing SAP web sites or using SAP's on-demand
applications.
2 Scenario Overview
The ultimate goal of this scenario is that a new employee is able to log on to all relevant systems right from the
first day with the company.
Note
This scenario uses only a few of the features and possibilities offered by the products involved. For a full
overview of SAP NetWeaver Identity Management and SAP NetWeaver Single Sign-On, see SCN pages under
Related Links respectively.
There are two major technical aspects to this scenario: User creation and single sign-on.
User Creation Process
1. The personnel department creates a newly hired employee in the SAP Human Capital Resource (HCM) system.
The users' data is automatically extracted to SAP NetWeaver Identity Management and in addition also to
SuccessFactors, including information about the employees' managers. Alternatively, if you do not use an SAP
Human Capital Resource (HCM) system, the administrator can create the new employee directly in SAP
NetWeaver Identity Management using the standard web application.
2. SAP NetWeaver Identity Management automatically deploys this user to all relevant systems of the system
landscape, that is ABAP and Java systems, and BW on HANA. Depending on the configuration, roles can be
derived automatically based on some user/HCM attributes, or a manager workflow can be added where the
manager specifies the initial set of needed roles. Access to systems and roles in systems can be automatically
adjusted - including deprovisioning - based on changes of the same user/HCM attributes.
3. The user is assigned a Microsoft Windows account, and an e-mail account. In parallel, the employee’s
manager receives a confirmation mail informing him that the user was created. This mail includes the
employee’s initial domain password. The manager gives this password to the new employee.
With this single logon the new employee is granted access to all relevant systems. The relevance is determined
based on the employee's job or position. For example, promotions or a new job can automatically be taken into
account. Most importantly, for compliance reasons, when an employee leaves the company, the HCM system
automatically triggers an event to lock or de-provision the user account in all systems. This is especially
important for on-demand systems, as the user might still have access to the company account and data via the
Internet even without having physical access to the company building.
SSO Process
1. With their initial password (from the user creation process), the new employee logs on to his Microsoft
Windows account. The employee is prompted to change the initial password to a productive password that is
only known to the employee. This is the only password the employee has to remember and has to change
regularly.
2. As all other subsequent logins to the on-premise landscape are based on the Microsoft Windows login and the
Kerberos token (implemented for SAP NetWeaver using SPNego), the employee can access all on-premise
applications, which correspond to his or her job or position, without additional logons, for example:
○ The employee starts SAP NetWeaver Business Client.
○ The employee starts SAP Enterprise Portal.
SAP NetWeaver Identity Provider brokers the user's Kerberos token for a SAML token authenticating the
employees to HANA Cloud and enabling them to also access all on-demand applications for which they are
registered.
Related Links
Solution in Detail: Business-Driven, Compliant Identity Management
SAP NetWeaver Single Sign-On for High - Productivity and Security in Your Company
Simplify Business Users' Experience and Enhance Security with Single Sign-On
SCN page for SAP NetWeaver Identity Management
SCN page for SAP NetWeaver Single Sign-On
3 Scenario Landscape
As part of this example scenario, we integrate the components listed below. For a full list of supported
components and products, see the documentation for SAP NetWeaver Identity Management and SAP NetWeaver
Single Sign-On.
● Core Scenario Products
○ SAP NetWeaver Identity Management 7.2 SP7 and above
○ SAP NetWeaver Single Sign-On 2.0 and above
○ SAP ID Service
○ Identity Center databases and Microsoft Windows Server as stated in the Product Availability Map.
● Supported SAP Products
○ SAP NetWeaver Application Server ABAP 7.40 and higher (see SAP Note 1798979) and SAP NetWeaver
Application Server Java 7.30 and above, incl. EP, BI, PI, CE/BPM
○ SAP HANA Cloud with SAP ID Service. The connection to the SAP HANA Cloud is supported but not part
of this documentation.
● Supported Products (For more information, see the respective product descriptions.)
○ Business Suite (for example, HCM, and CRM on ECC 6.0 EhP 4)
○ SAP Business Objects Platform 4.0 (Only SAP Business Objects Web Intelligence Client is supported.)
○ SAP HANA database
● Supported Third-Party Products (For more information, see respective product documentation.)
○ Microsoft Active Directory Server
○ Microsoft Exchange Server
Related Links
SAP NetWeaver Identity Management
SAP NetWeaver Single Sign-On
Product Availability Matrix for SAP NetWeaver Identity Management 7.2
Product Availability Matrix for SAP NetWeaver Single Sign On 2.0
SAP Note 1798979 - SPNego ABAP: Downport
4 Setting Up the Scenario
To set up the One Identity and Access Management scenario, execute the tasks described below.
4.1 Installing the Identity Center Designtime
1. Download the latest Identity Center Designtime from the SAP Software Download Center at
http://service.sap.com/swdc.
Choose Support Packages and Patches → Browse our Download Catalog → SAP NetWeaver and
Complementary Products → SAP NW IDENTITY MANAGEMENT → SAP NW IDENTITY MANAGEMENT 7.2 →
Comprised Software Component Versions → IDENT. CENTER DESIGNTIME 7.2 → Windows on x64 64 bit.
2. Install and configure your database as described in the database-specific documents.
3. Install the management console as described in SAP NetWeaver Identity Management Identity Center:
Installing the Management Console.
4. Import the SAP provisioning framework as described in the SAP NetWeaver Identity Management for SAP
System Landscapes: Configuration Guide under Importing the Provisioning Framework for SAP Systems.
5. Import the SAP HCM staging area identity store as described in the SAP NetWeaver Identity Management for
SAP System Landscapes: Configuration Guide under Importing the Staging Area Template .
Related Links
Identity Center - Installing the Database (Oracle)
Identity Center - Installing the Database (MS SQL Server)
SAP NetWeaver Identity Management Identity Center: Installing the Management Console
SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide
4.2 Installing the Identity Center Runtime
1. Download the latest Identity Center Runtime Components from the SAP Software Download Center at
http://service.sap.com/swdc.
Choose Support Packages and Patches → Browse our Download Catalog → SAP NetWeaver and
Complementary Products → SAP NW IDENTITY MANAGEMENT → SAP NW IDENTITY MANAGEMENT 7.2 →
Comprised Software Component Versions → IDENTITY CENTER RUNTIME 7.2 → # OS independent.
2. Install the runtime components as described in SAP NetWeaver Identity Management Identity Center:
Installing the Runtime Components.
Related Links
SAP NetWeaver Identity Management Identity Center: Installing the Runtime Components
4.3 Installing the Identity Management User Interface
1. Download the latest user interfaces for your AS Java 7.0x or AS Java 7.1x installation at
http://www.service.sap.com/swdc.
Choose Support Packages and Patches → Browse our Download Catalog → SAP NetWeaver and
Complementary Products → SAP NW IDENTITY MANAGEMENT → SAP NW IDENTITY MANAGEMENT 7.2 →
Comprised Software Component Versions → NW IDM 7.2 UIS FOR NW 7.00 → # OS independent.
2. Install and configure the Identity Management user interface as described in SAP NetWeaver Identity
Management Identity Center: Installing and configuring the Identity Management User Interface.
Related Links
SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User
Interface
4.4 Installing the Secure Login Client
1. Download the latest Secure Login Client for your operating system from the SAP Service Marketplace at
http://www.service.sap.com/swdc.
○ 32 Bit OS
Choose Support Packages and Patches → Browse our Download Catalog → SAP NetWeaver and
Complementary Products → SAP NW SINGLE SIGN ON → SAP NW SINGLE SIGN ON 1.0 → Comprised
Software Component Versions → SECURE LOGIN CLIENT 32BIT 1.0 → Win32.
○ 64 Bit OS
Choose Support Packages and Patches → Browse our Download Catalog → SAP NetWeaver and
Complementary Products → SAP NW SINGLE SIGN ON → SAP NW SINGLE SIGN ON 1.0 → Comprised
Software Component Versions → SECURE LOGIN CLIENT 32BIT 1.0 → Win64.
2. Install the Secure Login Client as described in Secure Login Client.
Related Links
Secure Login Client
4.5 Setting up the SAP ID Service
The SAP ID Service can authenticate users in the SAP HANA Cloud with an on premise identity provider for single
sign-on.
Prerequisites
● SAML Identity Provider (IdP) is installed on SAP NetWeaver AS Java as described in the SAP NetWeaver
Identity Management Identity Provider implementation guide.
● The SAP ID Service is available. To purchase SAP ID Service usage, please contact your SAP representative.
● You have a SAP HANA Cloud account.
● You bought or subscribed to an application for your account. Alternatively, you develop an application and
deploy it in your account.
To configure your own local SAML2 service provider and register it with SAP ID Service, do the following:
1. Take the SAML2 metadata of SAP ID Service from the SAP ID Service documentation.
2. To specify custom local provider settings and configure trust to SAP ID Service as SAML 2.0 identity provider
using the following data, see Using a Custom Identity Provider in the SAP HANA Cloud Platform
Documentation.
○ The single sign-on URL is indicated in the SAP ID Service documentation.
○ The signing certificate is part of the SAML2 metadata of SAP ID Service described in the SAP ID Service
documentation.
3. Request registration of these settings with the SAP ID Service.
The SAP HANA Cloud team receives the request and hands it to the SAP ID Service team. The operations
team processes the request. You then receive the connection information to connect to the SAP ID Service
Administration Console.
4. Register the SAP NetWeaver AS Java identity provider as the identity provider of your organization with the
SAP ID Service.
a) Configure the SAP NetWeaver AS Java identity provider and export its metadata. For more information,
see the SAP NetWeaver Identity Management Identity Provider implementation guide and Adding and
Deleting an Identity Provider.
b) Use the SAP ID Service Administration Console to add the SAP NetWeaver AS Java identity provider as an
identity provider for the organization. For more information, see the service providers document.
c) Assign the application to which you are subscribed to this identity provider.
Related Links
SAP ID Service documentation: not available yet
Using a Custom Identity Provider
Implementation Guide - SAP NetWeaver Identity Management Identity Provider
Service Providers Document: Not available yet.
Adding and Deleting an Identity Provider: Not available yet.
5 Configuring the Back-end Repositories
This section describes how to configure your connected target systems for them to accept provisioned users
from Identity Management and to accept Kerberos tokens to use for single sign-on.
Prerequisites
● The back-end systems are installed, up and running, and operational.
● Microsoft Windows accounts for the systems are created in Microsoft Active Directory.
● The Service Principal Name is set in the Microsoft Active Directory and is mapped to the Microsoft Windows
accounts.
5.1 Configuring the Active Directory
In this task, you create an account for each system in the landscape.
1. Define a Service Principal Name for the ABAP systems as described in the Secure Login Library under Secure
Login Library Configuration.
2. Define a Service Principal Name for the Java systems as described in the AS Java documentation under
Configuring Key Distribution Centers.
3. Define a Service Principal Name for the SAP BusinessObjects system as described in section 2 of SAP Note
1631734.
Related Links
Secure Login Client
Configuring Key Distribution Centers
SAP Note 1631734: Configuring Active Directory Manual Authentication and SSO for BI4
5.2 Configuring the AS ABAP
On the AS ABAP, you have to install Secure Network Communication (SNC) and SPNego.
1. Install SNC.
a) On the AS ABAP, install the Secure Login Library as described in the Secure Login Library Installation
Guide under Secure Login Library Installation.
b) Using the command line tool, provided by Secure Login Library, create a Kerberos keytab as described in
the Secure Login Library Installation Guide under SNC Kerberos Configuration and the following sections.
2. Set up SPNego.
For more information, see the SAP NetWeaver SSO documentation and Using Kerberos Authentication on
SAP NetWeaver AS ABAP in the SAP Library.
Related Links
Secure Login Library
Using Kerberos Authentication on SAP NetWeaver AS ABAP
5.3 Configuring the AS Java
To configure the use of SPNego on the AS Java, execute the following steps:
1. Activate SPNego authentication as described in the SAP Library.
2. Activate the "Principal only" user mapping as described in the SAP Library.
Related Links
Using Kerberos Authentication
Changing User Mapping for Kerberos
5.4 Configuring SAP Business Objects Business Intelligence Platform 4.0
The provisioning for SAP Business Objects Business Intelligence Platform does not require the installation of a
separate connector but uses the Active Directory connector.
● The Business Objects Central Management Server runs on Microsoft Windows to enable Microsoft Windows
Active Directory authentication.
● To enable single sign-on to the database, the reporting servers also run on Microsoft Windows. These
Windows machines are joined to the appropriate Active Directory domain.
Activate the Active Directory user store and the Kerberos-based single sign-on as described in SAP Note
1631734.
Related Links
SAP Note 1631734: Configuring Active Directory Manual Authentication and SSO for BI4
5.5 Setting up SAP HANA Database as a Repository
The SAP HANA database is installed as described in the SAP HANA documentation.
The steps contained in this summary are described in detail in the SAP NetWeaver Identity Management for SAP
System Landscapes: Configuration Guide.
In the Identity Center, create a repository using the SAP HANA template to store data on the connection to
your SAP HANA database system as described in the configuration guide under Creating Repositories.
Related Links
SAP NetWeaver Identity Management Identity Center: Installing the Runtime Components
SAP HANA Appliance Software
6 Customizing SAP NetWeaver Identity Management
For the One Identity and Access Management scenario, SAP NetWeaver Identity Management must accept users
from the HCM system, assign users to the correct Business roles, and must provision them to the attached back-
end systems. The subsequent sections describe the necessary customizing tasks.
As a general prerequisite, the administrator needs authorization for the Identity Center Management console.
Deprovisioning
Provisioning and deprovisioning are both executed using event-triggered tasks. To delete, for example, a user, the
relevant task is triggered when the last account privilege is removed from a user. The account privilege can be
removed in two cases. Either directly by removing the privilege from the user, or indirectly when setting the
MX_INACTIVE attribute on the user. This removes all assignments, including the account privilege. The task
inactivates the account in the repository. How this is done is system dependent.
For more information about provisioning and deprovisioning, see the Related Links section.
Related Links
SAP NetWeaver Identity Management 7.2 Identity Center Tutorial - Provisioning
SAP NetWeaver Identity Management 7.2 Identity Center Tutorial - Working with Roles and Privileges
SAP NetWeaver Identity Management Identity Center Tutorial - Context-based assignments
6.1 Customizing the Identity Center
The oneLogin_generateSNCName global script generates an SNC name for a new user in your Windows domain.
That is, it generates an SNC name only for the single user that is currently processed. In steps 8 and 9, you
configure that the script is executed after a new user is created. By default, the generated SNC name is
automatically provisioned together with the other user data from the Identity Center to the connected ABAP
systems.
1. In the Identity Center, create a global constant named ONELOGIN_SNC_NAME_PATTERN with the following
value: p:$USERID@YOUR.DOMAIN. YOUR.DOMAIN must match your Windows Domain configuration, for
example, SAP.CORP.
2. In the Identity Center, create a global script named oneLogin_generateSNCName with the following content:
    function oneLogin_generateSNCName(Par) {
        // The Identity Center hands over the task parameters as one string joined by "!!";
        // the first parameter is the MSKEYVALUE of the user currently processed.
        var params = Par.split("!!");
        // The user ID is upper-cased; the Windows account must be spelled the same way
        // (see Updating SAP User Accounts).
        var mskeyvalue = params[0].toUpperCase();
        // The pattern is taken from the global constant ONELOGIN_SNC_NAME_PATTERN.
        var sncpattern = "%$glb.ONELOGIN_SNC_NAME_PATTERN%";
        // Replace every $USERID placeholder (case-insensitive) with the user ID.
        var result = sncpattern.replace(/\$USERID/gi, mskeyvalue);
        uInfo("Generated SNC name: " + result);
        return result;
    }
3. In the Master ID Store, create a new folder named OneLogin.
4. Choose New → Action task → Empty job to create a job named Generate_SNCName.
5. In the job, choose New → Link global script → oneLogin_generateSNCName.
6. In the job, choose New → To Identity store to create the new To Identity Store pass.
7. On the Destination tab, select the MX_PERSON entry type. Then enter the following attribute-value pairs and
choose Apply.
Table 1: Attribute-Value Pairs
Attribute        Value
MSKEYVALUE       %MSKEYVALUE%
MX_SNC_NAME      $FUNCTION.oneLogin_generateSNCName(%MSKEYVALUE%)$$
8. In Identity Store Schema → Entry Types of your master identity store, open the MX_PERSON entry type.
9. On the Event Tasks tab page, set the Add event task to the newly created task.
6.2 Setting Up the Connectivity between HCM and SAP
NetWeaver Identity Management
The steps contained in this summary are described in detail in Setting up an SAP HCM System in the SAP
NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.
1. In the Identity Center, create a repository using the Business Suite AS ABAP template to store data on the
connection to your HCM system as described in the configuration guide under Creating Repositories.
2. In the Identity Center, create and run the job to read the value help content from the HCM system as
described in the configuration guide under Running the Read Help Values Job.
3. In the Virtual Directory Server, create an HCM LDAP endpoint using the template HCM LDAP Extract for IDM
as described in the configuration guide under Setting up the Identity Center to Assign the User Account Name.
4. In the Virtual Directory Server, activate the LDAP endpoint.
5. In the HCM system, create the query for the export as described in the configuration guide under Configure
the SAP HCM System and Export the Data.
6. In the HCM system, specify the attribute mapping between the HR fields and LDAP attributes.
7. In the HCM system, create a TCP/IP destination for the LDAP Connector.
8. In the HCM system, configure the connection parameters for the VDS.
9. In the HCM system, maintain the attribute mappings.
10. In the HCM system, schedule the extraction report.
Related Links
SAP System Landscapes: Configuration Guide, Setting up an SAP HCM System
6.3 Setting Up the Connectivity between Active Directory and SAP NetWeaver Identity Management
The steps contained in this summary are described in detail in the SAP NetWeaver Identity Management for SAP
System Landscapes: Configuration Guide.
Note
Regarding the provisioning of a user's domain password, SAP NetWeaver Identity Management can provision
productive passwords to Microsoft Active Directory. As a prerequisite for password provisioning, you need to
configure SSL for the connection as described in Identity Center: SSL Security in the Security Guide. For
setting-up the Active Directory repository, see Repository Constants for Active Directory for Provisioning
Framework in the SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.
1. In the Microsoft Active Directory, create a service user with sufficient rights to manage users.
2. In the Identity Center, create a repository using the ADS for SAP PF template to store connection details to
your Active Directory.
3. In the Identity Center, create and run the LDAP (ADS) - Initial Load job to synchronize already existing
users and groups from Active Directory to SAP NetWeaver Identity Management.
Related Links
SAP System Landscapes: Configuration Guide
SAP NetWeaver Identity Management 7.2 Documentation; Security Guide
6.4 Setting Up the Connectivity between the AS ABAP and SAP NetWeaver Identity Management
The steps contained in this summary are described in detail in the SAP NetWeaver Identity Management for SAP
System Landscapes: Configuration Guide.
1. In the AS ABAP, create a service user with the SAP_BC_SEC_IDM_COMMUNICATION role.
2. In the Identity Center, create a repository using one of the following templates to store connection details for
your AS ABAP:
○ SAP NetWeaver AS ABAP (Load-Balanced Connection)
○ SAP NetWeaver AS ABAP (Specific Application Server)
3. In the Identity Center, create and run the ABAP Read Help Values job to synchronize additional data (for
example, Salutation or Academic Title) from AS ABAP to SAP NetWeaver Identity Management.
4. In the Identity Center, create and run the ABAP - Initial Load job to synchronize existing data (for
example, roles, profiles, users, company addresses) from AS ABAP to SAP NetWeaver Identity Management.
Related Links
SAP System Landscapes: Configuration Guide
6.5 Updating SAP User Accounts
As a final Customizing step, you have to enhance the SAP user accounts with the SNC name by triggering an
Update Job for each repository. To this end, you could link the Identity Management attribute SNCName to the
Update Job. Of course other possibilities exist, which you should consider according to your organization's
requirements.
In addition, you have to create a job that is triggered after a new employee is created in the HCM Staging area.
This job creates the user ID in Identity Management and provisions the accounts. You must ensure that the user
ID in Microsoft Active Directory is written exactly the same as the first part of the SNCName in Identity
Management. In the function shown in Customizing the Identity Center, the SNCName is in uppercase letters.
Tip
Therefore, we strongly recommend that the user IDs in Identity Management and Active Directory are in
uppercase letters, too.
Related Links
Customizing the Identity Center [page 13]
The oneLogin_generateSNCName global script generates an SNC name for a new user in your Windows domain.
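As an added consistency check that is not part of this guide or of SAP's oneLogin_generateSNCName script, the following Python code applies the rules from this section to the three values kept per user (Identity Management user ID, Active Directory user ID, SNC name) and reports every mismatch. It assumes a Kerberos-style SNC name layout p:CN=<USERID>@<REALM>, which this page does not state; the realm, user IDs and records are constructed sample data.

```python
import re

# Assumed SNC name layout (the page's oneLogin_generateSNCName function is not shown here):
# a Kerberos-style principal "p:CN=<USERID>@<REALM>", where <USERID> is the "first part".
SNC_NAME_RE = re.compile(r"^p:CN=(?P<user>[^@]+)@(?P<realm>[^@]+)$")


def snc_user_part(snc_name):
    """Return the user part of an SNC name, or None if it does not have the assumed layout."""
    match = SNC_NAME_RE.match(snc_name)
    return match.group("user") if match else None


def check_account_consistency(idm_user_id, ad_user_id, snc_name):
    """Apply the rules from section 6.5 to one user and return a list of findings.

    An empty list means the AD user ID is written exactly like the first part of the
    SNC name and both the Identity Management and the AD user ID are uppercase.
    """
    findings = []
    user = snc_user_part(snc_name)
    if user is None:
        return [f"SNC name {snc_name!r} does not have the form p:CN=<USERID>@<REALM>"]
    if ad_user_id != user:
        if ad_user_id.upper() == user.upper():
            # Same letters, different case: the SNC comparison is exact, so SSO fails.
            findings.append(f"AD user ID {ad_user_id!r} differs from SNC user {user!r} only by case")
        else:
            findings.append(f"AD user ID {ad_user_id!r} does not match SNC user {user!r}")
    for label, value in (("Identity Management user ID", idm_user_id), ("AD user ID", ad_user_id)):
        if value != value.upper():
            findings.append(f"{label} {value!r} is not uppercase")
    return findings


def audit(records):
    """Check (idm_user_id, ad_user_id, snc_name) tuples; return the failures keyed by AD user ID."""
    failures = {}
    for idm_user_id, ad_user_id, snc_name in records:
        findings = check_account_consistency(idm_user_id, ad_user_id, snc_name)
        if findings:
            failures[ad_user_id] = findings
    return failures


# Constructed sample data, not taken from any real landscape.
SAMPLE_RECORDS = [
    ("JSMITH", "JSMITH", "p:CN=JSMITH@EXAMPLE.CORP"),   # consistent
    ("jdoe", "jdoe", "p:CN=JDOE@EXAMPLE.CORP"),         # lowercase IDs: case mismatch
    ("AKUMAR", "AKUMAR1", "p:CN=AKUMAR@EXAMPLE.CORP"),  # different user ID
    ("MMUELLER", "MMUELLER", "MMUELLER@EXAMPLE.CORP"),  # missing p:CN= prefix
]
```

Running audit() over an export of the three attributes before the Update Job is triggered surfaces exactly the accounts for which single sign-on would fail after provisioning.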
7 Configuring the Clients
The subsequent tasks describe the configuration necessary for the user's clients to use single sign-on (SSO).
7.1 Configuring the SAP GUI to Support Single Sign-On
1. Create a new connection to your SNC-enabled AS ABAP system.
2. On the Network tab, select the Activate Secure Network Communication checkbox.
3. Enter the SNC name of your AS ABAP system. If you connect using the message server, the value is prefilled.
7.2 Customizing the Internet Explorer Settings to Support Single Sign-On
1. In the Internet Explorer, choose Tools > Internet Options.
2. On the Security tab, choose Local Intranet > Sites.
3. On the Local Intranet window, set the Include all local (intranet) sites not listed in other zones flag, and choose
the Advanced pushbutton.
4. On the Local intranet window, enter the web address of the host name in the Add this website to the zone:
field, so that SSO can be enabled for the web sites listed in the Websites: field.
5. On the Advanced tab of the Internet Options window, scroll to Security. Ensure that the Enable Integrated
Windows Authentication* flag is set.
7.3 Configuring the NetWeaver Business Client to Support Single Sign-On
As SAP NetWeaver Business Client uses the same logic for the initial logon as Internet Explorer does, it is
sufficient to configure your desktop PC as described in Customizing the Internet Explorer Settings to Support
Single Sign-On.
Related Links
Customizing the Internet Explorer Settings to Support Single Sign-On [page 17]
7.4 Configuring the Web Intelligence Rich Client to Support Single Sign-On
Web Intelligence Rich Client does not offer its own single sign-on (SSO) capabilities.
Make sure that the Internet Explorer is configured to support single sign-on.
To use SSO, open the BI Launchpad with Internet Explorer.
Now you can launch the Web Intelligence Rich Client.
Related Links
Customizing the Internet Explorer Settings to Support Single Sign-On [page 17]
8 Disclaimer
SAP Library document classification: PUBLIC.
This document is for informational purposes only. Its content is subject to change without notice, and SAP does
not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF
MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and
are not intended to be used in a productive system environment. The Code is only intended to better explain and
visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness
of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code,
except if such damages were caused by SAP intentionally or grossly negligent.
Accessibility
The information contained in the SAP Library documentation represents SAP's current view of accessibility
criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure
accessibility of software products. SAP specifically disclaims any liability with respect to this document and no
contractual obligations or commitments are formed either directly or indirectly by this document.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed
directly with “you”, or a gender-neutral noun (such as “sales person” or “working days”) is used. If, when referring
to members of both sexes, however, the third person singular cannot be avoided or a gender-neutral noun does
not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the
documentation remains comprehensible.
9 Open Source Licenses
For the scenario, the open source licenses apply as stated in the product documentation of the relevant products.
www.sap.com/contactsap
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are
set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/