NWIDM One Identity and Access Management Scenario

7/30/2019 NWIDM One Identity and Access Management Scenario

http://slidepdf.com/reader/full/nwidm-one-identity-and-access-management-scenario 1/21

PUBLIC

One Identity and Access Management Scenario

Document Version: 1.0 - 2013-05-07




Table of Contents

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Scenario Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

3 Scenario Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4 Setting Up the Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

4.1 Installing the Identity Center Designtime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.2 Installing the Identity Center Runtime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.3 Installing the Identity Management User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

4.4 Installing the Secure Login Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

4.5 Setting up the SAP ID Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5 Configuring the Back-end Repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

5.1 Configuring the Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

5.2 Configuring the AS ABAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

5.3 Configuring the AS Java. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

5.4 Configuring SAP Business Objects Business Intelligence Platform 4.0. . . . . . . . . . . . . . . . . . . . . . . . . .11

5.5 Setting up SAP HANA Database as a Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

6 Customizing SAP NetWeaver Identity Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

6.1 Customizing the Identity Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

6.2 Setting Up the Connectivity between HCM and SAP NetWeaver Identity Management. . . . . . . . . . . . . . 14

6.3 Setting Up the Connectivity between Active Directory and SAP NetWeaver Identity Management. . . . . . 15

6.4 Setting Up the Connectivity between the AS ABAP and SAP NetWeaver Identity Management. . . . . . . . 15

6.5 Updating SAP User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

7 Configuring the Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7.1 Configuring the SAP GUI to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7.2 Customizing the Internet Explorer Settings to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . 17

7.3 Configuring the NetWeaver Business Client to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . . 17

7.4 Configuring the Web Intelligence Rich Client to Support Single Sign-On. . . . . . . . . . . . . . . . . . . . . . . . 18

8 Disclaimer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

9 Open Source Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

2P U B L I C© 2013 SAP AG or an SAP affiliate company. All rights reserved.


Table of Contents



1 Introduction

SAP System landscapes consist of many application servers, both on premise as well as more and more on

demand. Scenarios usually consist of more than one application, running on different application servers. This is

especially true for the NetWeaver end-to-end Scenarios in 2013.

The task of managing users in these complex landscapes confronts organizations with many challenges. It usually

takes a lot of effort to implement and maintain. Employees require a long time until they can finally work with the

applications they need.

Employees have to remember their authentication credentials for every application they need to access. User IDs

may vary for each system, and passwords are often complex to comply with company policies. As a result, many

users note down their passwords and store them in unsafe locations, posing a security risk. Or they call the

company helpdesk to reset forgotten passwords, creating an administrative overhead that can add up to a

considerable cost factor in larger enterprises.

The One Identity and Access Management scenario describes a straightforward approach to set up harmonized

user management and single sign-on for heterogeneous system landscapes using SAP NetWeaver Identity

Management and SAP NetWeaver Single Sign-On. The ultimate goal is to centrally create and manage users, who

can then access all systems after logging in only once. The scenario consists of these main components:

● SAP NetWeaver Identity Management

○ Streamlines identity management processes in heterogeneous system landscapes.

○ Creates efficient administrative processes and reduces total cost of ownership.

○ Is centered around and triggered by business processes and identity-relevant business events with a tight

integration with the SAP Business Suite, for example, with SAP ERP HCM.

○ Supports compliance and segregation-of-duties checks through the integration with access control.

● SAP NetWeaver Single Sign-On

○ Higher user productivity and increased security by alleviating the burden on users of having to remember

dozens of passwords and perform separate login procedures for each software application.

○ Lower help desk costs through significantly fewer help desk calls to recover passwords.

○ Confidentiality through data encryption during data transmission between client and server systems.

● SAP ID Service covers the processes for managing the authentication lifecycle within the SAP HANA Cloud.

Users have one SAP identity and use single sign-on when browsing SAP web sites or using SAP's on-demand

applications.


Introduction

P U B L I C© 2013 SAP AG or an SAP affiliate company. All rights reserved. 3



2 Scenario Overview

The ultimate goal of this scenario is that a new employee is able to log on to all relevant systems right from thefirst day with the company.

Note

This scenario uses only a few of the features and possibilities offered by the products involved. For a full

overview of SAP NetWeaver Identity Management and SAP NetWeaver Single Sign-On, see SCN pages under

Related Links respectively.

There are two major technical aspects to this scenario: User creation and single sign-on.

User Creation Process

1.The personnel department creates a newly hired employee in the SAP Human Capital Resource (HCM)system. The users’ data is automatically extracted to SAP NetWeaver Identity Management and in addition

also to SuccessFactors, including information about the employees’ managers. Alternatively, if you do not use

an SAP Human Capital Resource (HCM) system, the administrator can create the new employee directly in

SAP NetWeaver Identity Management using the standard web application.

2. SAP NetWeaver Identity Management automatically deploys this user to all relevant systems of the system

landscape, that is ABAP and Java systems, and BW on HANA. Depending on the configuration, roles can be

derived automatically based on some user/HCM attributes, or a manager workflow can be added where the

manager specifies the initial set of needed roles. Access to systems and roles in systems can be automatically

adjusted - including deprovisioning - based on changes of the same user/HCM attributes.

3. The user is assigned a Microsoft Windows account, and an e-mail account. In parallel, the employee’s

manager receives a confirmation mail informing him that the user was created. This mail includes the

employee’s initial domain password. The manager gives this password to the new employee.



Scenario Overview



With this single logon the new employee is granted access to all relevant systems. The relevance is determined

based on the employee's job or position. For example, promotions or a new job can automatically be taken into

account. Most importantly, for compliance reasons, when an employee leaves the company, the HCM system

automatically triggers an event to lock or de-provision of the user account information in all systems. This isespecially important for on-demand systems, as the user might still have access to the company account and

data via the Internet even without having physical access to the company building.

SSO Process

1. With their initial password (from the user creation process), the new employee logs on to his Microsoft

Windows account. The employee is prompted to change the initial password to a productive password that is

only known to the employee. This is the only password the employee has to remember and has to change

regularly.

2. As all other subsequent logins to the on-premise landscape are based on the Microsoft Windows login and the

Kerberos token (implemented for SAP NetWeaver using SPNego), the employee can access all on-premise

applications, which correspond to his or her job or position, without additional logons, for example:

○

The employee starts SAP NetWeaver Business Client.○ The employee starts SAP Enterprise Portal.

SAP NetWeaver Identity Provider brokers the user's Kerberos token for a SAML token authenticating the

employees to HANA Cloud and enabling them to also access all on-demand applications for which they are

registered.

Related Links

Solution in Detail: Business-Driven, Compliant Identity Management

SAP NetWeaver Single Sign-On for High - Productivity and Security in Your Company

Simplify Business Users' Experience and Enhance Security with Single Sign-On

SCN page for SAP NetWeaver Identity Management

SCN page for SAP NetWeaver Single Sign-On SCN


Scenario Overview


http://scn.sap.com/community/netweaver-sso

http://scn.sap.com/community/netweaver-idm

http://scn.sap.com/docs/DOC-4439





3 Scenario Landscape

As part of this example scenario, we integrate the components listed below. For a full list of supported

components and products, see the documentation for SAP NetWeaver Identity Management and SAP NetWeaver

Single Sign-On.

● Core Scenario Products

○ SAP NetWeaver Identity Management 7.2 SP7 and above

○ SAP NetWeaver Single Sign-On 2.0 and above

○ SAP ID Service

○ Identity Center databases and Microsoft Windows Server as stated in the Product Availability Map.

● Supported SAP Products

○

SAP NetWeaver Application Server ABAP 7.40 and higher (see SAP Note 1798979) and SAP NetWeaverApplication Server Java 7.30 and above, incl. EP, BI, PI, CE/BPM

○ SAP HANA Cloud with SAP ID Service. The connection to the SAP HANA Cloud is supported but not part

of this documentation.

● Supported Products (For more information, see the respective product descriptions.)

○ Business Suite (for example, HCM, and CRM on ECC 6.0 EhP 4)

○ SAP Business Objects Platform 4.0 (Only SAP Business Objects Web Intelligence Client is supported.)

○ SAP HANA database

● Supported Third-Party Products (For more information, see respective product documentation.)

○ Microsoft Active Directory Server

○Microsoft Exchange Server

Related Links

SAP NetWeaver Identity Management

SAP NetWeaver Single Sign-On

Product Availability Matrix for SAP NetWeaver Identity Management 7.2

Product Availability Matrix for SAP NetWeaver Single Sign On 2.0

SAP Note 1798979 - SPNego ABAP: Downport



Scenario Landscape

http://help.sap.com/nwidm

https://service.sap.com/sap/support/notes/1798979

https://service.sap.com/sap/support/pam?hash=pvnr%3d67837800100900006373

https://service.sap.com/sap/support/pam?hash=pvnr%3D01200314690900002535%26pt%3Dg%257Cd

http://help.sap.com/nwsso

http://help.sap.com/nwidm



4 Setting Up the Scenario

To set up the One Identity and Access Management scenario, execute the tasks described below.

4.1 Installing the Identity Center Designtime

1. Download the latest Identity Center Designtime from the SAP Software Download Center at http://

service.sap.com/swdc.

Choose Support Packages and Patches Browse our Download Catalog SAP NetWeaver and

Complementary Products SAP NW IDENTITY MANAGEMENT SAP NW IDENTITY MANAGEMENT 7.2

Comprised Software Component Versions IDENT. CENTER DESIGNTIME 7.2 Windows on x64 64 bit .

2. Install and configure your database as described in the database-specific documents.

3. Install the management console as described in SAP NetWeaver Identity Management Identity Center:

Installing the Management Console.

4. Import the SAP provisioning framework as described in the SAP NetWeaver Identity Management for SAP

System Landscapes: Configuration Guide under Importing the Provisioning Framework for SAP Systems.

5. Import the SAP HCM staging area identity store as described in the SAP NetWeaver Identity Management for

SAP System Landscapes: Configuration Guide under Importing the Staging Area Template .

Related Links

Identity Center - Installing the Database (Oracle)

Identity Center - Installing the Database (MS SQL Server)

SAP NetWeaver Identity Management Identity Center: Installing the Management Console

SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide

4.2 Installing the Identity Center Runtime

1. Download the latest Identity Center Runtime Components from the SAP Software Download Center at:

http://service.sap.com/swdc.



Comprised Software Component Versions IDENTITY CENTER RUNTIME 7.2 # OS independent .

2. Install the runtime components as described in SAP NetWeaver Identity Management Identity Center:

Installing the Runtime Components.

Related Links

SAP NetWeaver Identity Management Identity Center: Installing the Runtime Components


Setting Up the Scenario


https://scn.sap.com/docs/DOC-26538




http://service.sap.com/~sapidb/011000358700001223892010E







4.3 Installing the Identity Management User Interface

1. Download the latest user interfaces for your AS Java 7.0x or AS Java 7.1x installation at http://

www.service.sap.com/swdc.



Comprised Software Component Versions NW IDM 7.2 UIS FOR NW 7.00 # OS independent .

2. Install and configure the Identity Management user interface as described in SAP NetWeaver Identity

Management Identity Center: Installing and configuring the Identity Management User Interface.

Related Links

SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User

Interface

4.4 Installing the Secure Login Client

1. Download the latest Secure Login Client for your operating system from the SAP Service Marketplace at

http://www.service.sap.com/swdc.

○ 32 Bit OS


Complementary Products SAP NW SINGLE SIGN ON SAP NW SINGLE SIGN ON 1.0 Comprised

Software Component Versions SECURE LOGIN CLIENT 32BIT 1.0 Win32 .

○ 64 Bit OS


Complementary Products SAP NW SINGLE SIGN ON SAP NW SINGLE SIGN ON 1.0 Comprised

Software Component Versions SECURE LOGIN CLIENT 32BIT 1.0 Win64 .

2. Install the Secure Login Client as described in Secure Login Client.

Related Links

Secure Login Client

4.5 Setting up the SAP ID Service

The SAP ID Service can authenticate users in the SAP HANA Cloud with an on premise identity provider for single

sign-on.

Prerequisites









● SAML Identity Provider (IdP) is installed on SAP NetWeaver AS Java as described in the SAP NetWeaver

Identity Management Identity Provider implementation guide.

● The SAP ID Service is available. To purchase SAP ID Service usage, please contact your SAP representative.

● You have a SAP HANA Cloud account.

● You bought or subscribed to an application for your account. Alternatively, you develop an application and

deploy it in your account.

To configure your own local SAML2 service provider and register it with SAP ID Service, do the following:

1. Take the SAML2 metadata of SAP ID Service from the SAP ID Service documentation.

2. To specify custom local provider settings and configure trust to SAP ID Service as SAML 2.0 identity provider

using the following data, see Using a Custom Identity Provider in the SAP HANA Cloud Platform

Documentation.

○ The single sign-on URL is indicated in the SAP ID Service documentation.

○ The signing certificate is part of the SAML2 metadata of SAP ID Service described in the SAP ID Service

documentation.

3. Request registration of these settings with the SAP ID Service.

The SAP HANA Cloud team receives the request and hands it to the SAP ID Service team. The operations

team processes the request. You then receive the connection information to connect to the SAP ID Service

Administration Console.

4. Register the SAP NetWeaver AS Java identity provider as the identity provider of your organization with the

SAP ID Service.

a) Configure the SAP NetWeaver AS Java identity provider and export its metadata. For more information,

see the SAP NetWeaver Identity Management Identity Provider implementation guide and Adding and

Deleting an Identity Provider.

b) Use the SAP ID Service Administration Console to add the SAP NetWeaver AS Java identity provider as an

identity provider for the organization. For more information, see the service providers document.

c) Assign the application you are subscribed to to this identity provider.

Related Links

SAP ID Service documentation: not available yet

Using a Custom Identity Provider

Implementation Guide - SAP NetWeaver Identity Management Identity Provider

Service Providers Document: Not available yet.

Adding and Deleting an Identity Provider: Not available yet.




https://help.netweaver.ondemand.com/default.htm?using_identity_provider.html#concept_0B49F10346C94249845EC16364FFF66D_104

http://help.sap.com/




http://help.sap.com/download/documentation/sapnetweaver_identitymanagement_identityprovider.pdf

https://help.netweaver.ondemand.com/default.htm?using_identity_provider.html#concept_0B49F10346C94249845EC16364FFF66D_104




5 Configuring the Back-end Repositories

This section describes how to configure your connected target systems for them to accept provisioned usersfrom Identity Management and to accept Kerberos tokens to use for single sign-on.

Prerequisites

● The back-end systems are installed, up and running, and operational.

● Microsoft Windows accounts for the systems are created in Microsoft Active Directory.

● The Service Principal Name is set in the Microsoft Active Directory and is mapped to the Microsoft Windows

accounts.

5.1 Configuring the Active Directory

In this task, you create an account for each system in the landscape.

1. Define a Service Principal Name for the ABAP systems as described in the Secure Login Library under Secure

Login Library Configuration.

2. Define a Service Principal Name for the Java systems as described in the AS Java documentation underConfiguring Key Distribution Centers.

3. Define a Service Principal Name for the SAP BusinessObjects system as described in section 2 of SAP Note

1631734.

Related Links

Secure Login Client

Configuring Key Distribution Centers

SAP Note 1631734: Configuring Active Directory Manual Authentication and SSO for BI4

5.2 Configuring the AS ABAP

On the AS ABAP, you have to install Secure Network Communication (SNC) and SPNego.

1. Install SNC.

a) On the AS ABAP, install the Secure Login Library as described in the Secure Login Library Installation

Guide under Secure Login Library Installation.

b) Using the command line tool, provided by Secure Login Library, create a Kerberos keytab as described in

the Secure Login Library Installation Guide under SNC Kerberos Configuration and the following sections.

2. Set up SPNego.



Configuring the Back-end Repositories



http://help.sap.com/saphelp_nw73/helpdata/en/4a/3f289e43901cc5e10000000a42189b/frameset.htm




For more information, see the SAP NetWeaver SSO documentation and Using Kerberos Authentication on

SAP NetWeaver AS ABAP in the SAP Library.

Related Links

Secure Login Library

Using Kerberos Authentication on SAP NetWeaver AS ABAP

5.3 Configuring the AS Java

To configure the use of SPNego on the AS Java, execute the following steps:

1. Activate SPNego authentication as described in the SAP Library.

2. Activate the "Principal only" user mapping as described in the SAP Library.

Related Links

Using Kerberos Authentication

Changing User Mapping for Kerberos

5.4 Configuring SAP Business Objects Business IntelligencePlatform 4.0

The provisioning for SAP Business Objects Business Intelligence Platform does not require the installation of a

separate connector but uses the Active Directory connector.

● The Business Objects Central Management Server runs on Microsoft Windows to enable Microsoft Windows

Active Directory authentication.

● To enable single sign-on to the database, the reporting servers also run on Microsoft Windows. These

Windows machines are joined to the appropriate Active Directory domain.

Activate the Active Directory user store and the Kerberos-based single sign-on as described in SAP Note

1631734.

Related Links

SAP Note 1631734: Configuring Active Directory Manual Authentication and SSO for BI4

5.5 Setting up SAP HANA Database as a Repository

The SAP HANA database is installed as described in the SAP HANA documentation.

The steps contained in this summary are described in detail in the SAP NetWeaver Identity Management for SAP

System Landscapes: Configuration Guide.





http://help.sap.com/saphelp_nw73/helpdata/en/f4/1978c3a37a441b87a89d61c1a08689/frameset.htm

http://help.sap.com/saphelp_nw73/helpdata/en/4a/3fc8279c09044fe10000000a421937/frameset.htm

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/c7/b12d71977e4b0682e327b4ecf81e9b/frameset.htm




In the Identity Center, create a repository using the SAP HANA template to store data on the connection to

your SAP HANA database system as described in the configuration guide under Creating Repositories.

Related Links

SAP NetWeaver Identity Management Identity Center: Installing the Runtime Components

SAP HANA Appliance Software




http://help.sap.com/hana_appliance/




6 Customizing SAP NetWeaver IdentityManagement

For the One Identity and Access Management scenario, SAP NetWeaver Identity Management must accept users

from the HCM system, assign users to the correct Business roles, and must provision them to the attached back-

end systems. The subsequent sections describe the necessary customizing tasks.

As a general prerequisite, the administrator needs authorization for the Identity Center Management console.

Deprovisioning

Provisioning and deprovisioning are both executed using event-triggered tasks. To delete, for example, a user, the

relevant task is triggered when the last account privilege is removed from a user. The account privilege can be

removed in two cases. Either directly by removing the privilege from the user, or indirectly when setting the

MX_INACTIVE attribute on the user. This removes all assignments, including the account privilege. The task

inactivates the account in the repository. How this is done is system dependent.

For more information about provisioning and deprovisioning, see the Related Links section.

Related Links

SAP NetWeaver Identity Management 7.2 Identity Center Tutorial - Provisioning

SAP NetWeaver Identity Management 7.2 Identity Center Tutorial - Working with Roles and Privileges

SAP NetWeaver Identity Management Identity Center Tutorial - Context-based assignments

SAP NetWeaver Identity Management 7.2 Identity Center Tutorial - Provisioning

6.1 Customizing the Identity Center

The oneLogin_generateSNCName global script generates an SNC name for a new user in your Windows domain.

That is, it generates an SNC name only for the single user that is currently processed. In steps 8 and 9, you

configure that the script is executed after a new user is created. By default, the generated SNC name is

automatically provisioned together with the other user data from the Identity Center to the connected ABAPsystems.

1. In the Identity Center, create a global constant named ONELOGIN_SNC_NAME_PATTERNwith the following

value: p:[email protected]. YOUR.DOMAIN must match your Windows Domain configuration, for

example, SAP.CORP.

2. In the Identity Center, create a global script named oneLogin_generateSNCNamewith the following content:

function oneLogin_generateSNCName(Par){var params = Par.split("!!");var mskeyvalue = params[0].toUpperCase();var sncpattern = "%$glb.ONELOGIN_SNC_NAME_PATTERN%";var result = sncpattern.replace(/\$USERID/gi, mskeyvalue);

uInfo("Generated SNC name: " + result);


Customizing SAP NetWeaver Identity Management









return result;}

3. In the the Master ID Store, create a new folder named OneLogin.

4. Choose New Action task Empty job to create a job named Generate_SNCName.

5. In the job, choose New Link global script oneLogin_generateSNCName .

6. In the job, choose New To Identity store to create the new To Identity Store pass.

7. On the Destination tab, select the MX_PERSON entry type. Then enter the following attribute-value pairs and

choose Apply.

Table 1: Attribute-Value Pairs

Attribute Value

MSKEYVALUE %MSKEYVALUE%

MX_SNC_NAME $FUNCTION.oneLogin_generateSNCName(%MSKE

YVALUE%)$$

8. In Identity Store Schema Entry Types of your master identity store, open the MX_PERSON entry type.

9. On the Event Tasks tab page, set the Add event task to the newly created task.

6.2 Setting Up the Connectivity between HCM and SAP

NetWeaver Identity Management

The steps contained in this summary are described in detail in Setting up an SAP HCM System in the SAP

NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.

1. In the Identity Center, create a repository using the Business Suite AS ABAP template to store data on the

connection to your HCM system as described in the configuration guide under Creating Repositories.

2. In the Identity Center, create and run the job to read the value help content from the HCM system as

described in the configuration guide under Running the Read Help Values Job.

3. In the Virtual Directory Server, create an HCM LDAP endpoint using the template HCM LDAP Extract for IDM

as described in the configuration guide under Setting up the Identity Center to Assign the User Account Name.4. In the Virtual Directory Server, activate the LDAP endpoint.

5. In the HCM system, create the query for the export as described in the configuration guide under Configure

the SAP HCM System and Export the Data.

6. In the HCM system, specify the attribute mapping between the HR fields and LDAP attributes.

7. In the HCM system, create an TCP/IP destination for the LDAP Connector.

8. In the HCM system, configure the connection parameters for the VDS.

9. In the HCM system, maintain the attribute mappings.

10. In the HCM system, schedule the extraction report.

Related Links

SAP System Landscapes: Configuration Guide, Setting up an SAP HCM System











6.3 Setting Up the Connectivity between Active Directoryand SAP NetWeaver Identity Management



Note

Regarding the provisioning of a user's domain password, SAP NetWeaver Identity Management can provision

productive passwords to Microsoft Active Directory. As a prerequisite for password provisioning, you need to

configure SSL for the connection as described in Identity Center: SSL Security in the Security Guide. For

setting-up the Active Directory repository, see Repository Constants for Active Directory for Provisioning

Framework in the SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.

1. In the Microsoft Active Directory, create a service user with sufficient rights to manage users.

2. In the Identity Center, create a repository using the ADS for SAP PF template to store connection details to

your Active Directory.

3. In the Identity Center, create and run the LDAP (ADS) - Initial Load job to synchronize already existing

users and groups from Active Directory to SAP NetWeaver Identity Management.

Related Links

SAP System Landscapes: Configuration Guide

SAP NetWeaver Identity Management 7.2 Documentation; Security Guide

6.4 Settin g Up the Connectivity between the AS ABAP and

SAP NetWeaver Identity Management



1. In the AS ABAP, create a service user with the SAP_BC_SEC_IDM_COMMUNICATION role.

2. In the Identity Center, create a repository using one of the following templates to store connection details for

your AS ABAP:

○ SAP NetWeaver AS ABAP (Load-Balanced Connection)

○ SAP NetWeaver AS ABAP (Specific Application Server)

3. In the Identity Center, create and run the ABAP Read Help Values job to synchronize additional data (for

example, Salutation or Academic Title) from AS ABAP to SAP NetWeaver Identity Management.

4. In the Identity Center, create and run the ABAP - Initial Load job to synchronize existing data (for

example, roles, profiles, users, company addresses) from AS ABAP to SAP NetWeaver Identity Management.

Related Links

SAP System Landscapes: Configuration Guide











6.5 Updating SAP User Accounts

As a final Customizing step, you have to enhance the SAP user accounts with the SNC name by triggering an

Update Job for each repository. To this end, you could link the Identity Management attributeSNCName to the

Update Job. Of course other possibilities exist, which you should consider according to your organization's

requirements.

In addition, you have to create a job that is triggered after a new employee is created in the HCM Staging area.

This job creates the user ID in Identity Management and provisions the accounts. You must ensure that the user

ID in Microsoft Active Directory has the exact same writing as the first part of the SNCName in Identity

Management. In the function shown in Customizing the Identity Center the SNCName is in uppercase letters.

Tip

Therefore, we strongly recommend that the user IDs in Identity Management and Active Directory are in

uppercase letters, too.

Related Links

Customizing the Identity Center [page 13]

The oneLogin_generateSNCName global script generates an SNC name for a new user in your Windows domain.






7 Configuring the Clients

The subsequent tasks describe the configuration necessary for the user's clients to use single sign-on (SSO).

7.1 Configuring the SAP GUI to Support Single Sign-On

1. Create a new connection to your SNC-enabled AS ABAP system.

2. On the Network tab, select the Activate Secure Network Communication checkbox.

3. Enter the SNC name of your AS ABAP system. If you connect using the message server, the value is prefilled.

7.2 Customizing the Internet Explorer Settings to Support

Single Sign-On

1. In the Internet Explorer, choose Tools Internet Options .

2. On the Security tab, choose Local Intranet Sites .

3. On the Local Intranet window, set the Include all local (intranet) sites not listed in other zones flag, and choose

the Advanced pushbutton.

4. On the Local intranet window, enter the web address of the host name in the Add this website to the zone:

field, so that SSO can be enabled for the web sites listed in the Websites: field.

5. On the Advanced tab of the Internet Options window, scroll to Security. Ensure that the Enable Integrated

Windows Authentication* flag is set.

7.3 Configuring the NetWeaver Business Client to Support

Single Sign-On

As SAP NetWeaver Business Client uses the same logic for the initial logon as Internet Explorer does, it is

sufficient, to configure your desktop PC as described in Customizing the Internet Explorer Settings to Support

Single Sign-On.

Related Links

Customizing the Internet Explorer Settings to Support Single Sign-On [page 17]


Configuring the Clients




7.4 Configuring the Web Intelligence Rich Client to Support

Single Sign-On

Web Intelligence Rich Client does not offer its own single sign-on (SSO) capabilities.

Make sure that the Internet Explorer is configured to support single sign-on.

To use SSO, open the BI Launchpad with Internet Explorer.

Now you can launch the Web Intelligence Rich Client.

Related Links

Customizing the Internet Explorer Settings to Support Single Sign-On [page 17]



Configuring the Clients



8 Disclaimer

SAP Library document classification: PUBLIC.

This document is for informational purposes only. Its content is subject to change without notice, and SAP does

not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF

MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples

Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and

are not intended to be used in a productive system environment. The Code is only intended better explain and

visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness

of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code,

except if such damages were caused by SAP intentionally or grossly negligent.

Accessibility

The information contained in the SAP Library documentation represents SAP's current view of accessibility

criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure

accessibility of software products. SAP specifically disclaims any liability with respect to this document and no

contractual obligations or commitments are formed either directly or indirectly by this document.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed

directly with “you, or a gender-neutral noun (such as “sales person” or “working days”) is used. If when referring

to members of both sexes, however, the third person singular cannot be avoided or a gender-neutral noun does

not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the

documentation remains comprehensible.


Disclaimer




9 Open Source Licenses

For the scenario, the open source licenses apply as stated in the product documentation of the relevant products.



Open Source Licenses



www.sap.com/contactsap

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any

form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior

notice.

Some software products marketed by SAP AG and its distributors

contain proprietary software components of other software

vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated

companies ("SAP Group") for informational purposes only, without

representation or warranty of any kind, and SAP Group shall not be

liable for errors or omissions with respect to the materials. The only

warranties for SAP Group products and services are those that are

set forth in the express warranty statements accompanying such

products and services, if any. Nothing herein should be construed asconstituting an additional warranty.

SAP and other SAP products and services mentioned herein as well

as their respective logos are trademarks or registered trademarks

of SAP AG in Germany and other countries.

Please see http://www sap com/corporate-en/legal/copyright/

http://www.sap.com/corporate-en/legal/copyright/index.epx

http://www.sap.com/contactsap

Documents

NWIDM One Identity and Access Management Scenario