AD SSO with entry point for SAP users....

A client would like to use Active Directory (AD) Single Sign On rather than SAP for authentication purposes.  There are two potential scenarios we would need to support:
Scenario 1, access to SAP BW (General Ledger, Profit Centre Accounting) and relational systems.  There would be no security restrictions at the database level (OLAP and relational).  The majority of users would access data from this scenario. 
Scenario 2, access to HR SAP BW OLAP cube.  SAP Security roles would be enforced. 
Scenario 1 user and a scenario 2 user are not mutually exclusive.  Therefore an HR user could have the rights to query a relational system or a non HR SAP system.  Second, not all users in Scenario 1 will have an SAP account, but they will need to access non HR SAP data.  Valero does not want to create new SAP accounts for these people.
I see two possible solutions:
1.  Create two infoview entry points (eg different ports).  One for AD SSO, the other for a SAP challenge and response.  We used to have two infoviews in XIR2 when we deployed the SAP integration kit.  How would I do this in 3.1?
2.  Use Server Side Trust and SNC. 
Can anyone offer any opinions or ideas?
Thanks,
Steve
Edited by: Steve Bickerton on Dec 17, 2008 5:43 PM

Hi Steve,
You are correct that SNC for the client authentication and the server-side trust (based on the SAP Crypto lib.) will solve this.
Ingo

Similar Messages

  • Creating second InfoView entry point for SAP users in XI 3.1

    Hi All,
    I have BOE XI 3.1 up and running with the Business Objects Integration kit SAP Solutions kit. I would like to create a second InfoView entry point for SAP users on the same physical box (single server) as regular InfoView.
    I am trying to mock this up and have detailed the following steps below.  I suspect I am missing a few steps (for example, where do I specify the entry port?).  I am sure step 2 is wrong, as the desktoplaunch no longer exists in XI 3.1.
    1.  Copy the InfoView.war file to a new directory ( Program Files/Business Objects/ Business Objects Enterprise 12.0/java/applications/sap).  I imagine I would need to rename the war file (say SAPInfoview.war)?
    2.  Create a xml file with the following logic (the part in bold I consider to be wrong...):
    <Context docBase="Program Files\Business Objects\Business Objects Enterprise 12.0\java\applications\sap\SAPInfoview.war"
             path="/businessobjects/enterprise115/desktoplaunch"
             crossContext="false" debug="0" reloadable="false"
             trusted="false"/>
    3.  Save the xml file (what name? does it matter) in Program Files\Business Objects\Tomcat55\conf\Catalina\localhost
    4.  Restart Tomcat
    5.  Change the web.xml to make SAP security the default.  But this should not be the regular infoview web.xml.  I'm not sure where this would reside.
    Thanks,
    Steve
    Edited by: Steve Bickerton on Jan 15, 2009 9:19 PM

    Hi Ingo,
    You've been working with Duncan and Sartaj on this.  The client has two sets of users:  non HR, which has no BW or R/3 authorization restrictions, and HR, which has authorization restrictions.
    They have deployed SSO using AD for the non HR users.  They also want to leverage InfoView rather than the SAP portal.  For the HR users, we therefore need to capture the SAP id and password at login time to enforce security at the BW and R/3 levels.  We could use the existing Infoview entry point (SSO will fail and they will be prompted for a SAP login).  I do remember that we offered a second InfoView entry point for SAP users in XIR2.  I thought this may be more elegant.
    Thanks,
    Steve

  • Filtering Entry Points for Anonymous User

    Hi,
    I'm using the new feature "Filtering Entry Points" available since SPS14, it works fine for authenticated users, but when using anonymous users, the filter is completely ignored.
    Any hint?
    Thanks and Regards,
    John

    Hello,
    This is a known issue; this feature did not work with anonymous users. It was fixed for SP17.
    Regards
    Yuval,

  • What is the best way to follow the scenario for Outlook integration with SharePoint using SAP Gateway?

    1) What is the best way to follow the scenario for Outlook integration with SharePoint using SAP Gateway?
    2) Workflow concepts for Purchase order?
    3) Email triggering from Outlook for an approval process of PO? How can these scenarios be best implemented with updated functions in Duet Enterprise?

    Hi,
    I do not have much idea on gateway integration with Outlook but found this document, GWPAM Workflow Template, which can be helpful for you to start with.
    Also, you may want to post your question in the SAP Microsoft Interoperability forum.
    Regards,
    Chandra

  • GLOBAL TEMPORARY TABLE with the ability for a user to see others' entries

    I have a list of records available for many users at the same time for them to work on.
    Everyone has the tendency to choose the first record...
    I want each of the users to be able to choose a different record once the preceding record has been selected by another user.
    It would have been something like a GLOBAL TEMPORARY TABLE but with the ability for every user to see others' records
    so I would do an anti-join...
    Does anyone have an idea on how I could implement such a behavior?

    You will not be able to use a global temporary table for such a requirement.
    It sounds like you will need a permanent table, in which you will need to lock certain records (prohibiting users from taking those already in use); you can look at using the DBMS_LOCK package for this.
    That's just speculation based on what you've typed; if you provide more details you may get more specific help.

  • Transport KM rooms as entry point for broadcasting from Portal 7.01 to Portal 7.4 possible?

    Hallo together,
    is it possible to transport entry points (for broadcasting) from one portal to another?
    For our upgrade BW 7.01 to BW 7.4 we want to transport the KM Content (including the rooms).
    Transporting the rooms and room structures is no problem, but the transported rooms are not visible in ENTRY POINTS -> My Room Folders.
    Only rooms that are newly created in the 7.4 Portal are visible in that folder.
    Is there a way to make the transported rooms also visible there?
    Thanks and best regards!
    Christian

    Hi Ramakrishna!
    I know that WP-PI 6.00 will work fine with R/3 4.6C but my doubt is if I can use WP-PI 6.00 (which is
    EP 6.00 plug-in) to connect the R/3 4.6c with an EP 7.00. 
    I didn't find anything like WP-PI 7.00 in SAP Marketplace. I've already read the note you pointed out but it refers to EP 6.00. It also says you can use WP-PI 6.00 for EP 5.0 or SAP Workplace. But can I also use it with EP 7.00?
    Thanks for your help.
    Fernando

  • Doubt in configuring entry points for iviews

    Hi, I have followed the steps of the help about configuring entry points for iviews:
    1. In the PCD I have created a folder to store iViews for WPC.
    2. I have given read permission.
    3. I have deactivated the hide root folder check for the PCD repository.
    4. I have created a folder in KM.
    I am lost at the step "Create an entry point for the folder that you created in step x".
    How do I link the PCD folder that stores the iViews with the KM folder?
    When I try to create an entry point I can only see KM folders. How can I choose my PCD folder?
    Thanks.
    Regards.

    Try this:
    Procedure
    1. Choose System Administration → System Configuration → Knowledge Management → Content Management → User Interface → Mapping → Component.
    2. Edit the wpcDragExplorerEntryPoints configuration object.
    Use the following parameters:
    Parameter: Description
    displaymode: Specify select
    maxproviderprio: Highest priority number that standard entry points can have and still be displayed in the Web content browser
    entriesperrow: Number of entry points displayed in each row (default: 5)
    entrypointsprefix: Prefix of the entry point repository: If you specify a value for this parameter, standard KM entry points are also displayed in the Web content browser.
    Default: /entrypoints
    sharedcontent: Semicolon-separated list of paths to be displayed as global entry points for shared content
    Examples of parameter values (for sharedcontent param):
    displaymode=select,maxproviderprio=30,entriesperrow=5,entrypointsprefix=/entrypoints,sharedcontent=/wpccontent/Cross-Site Content;/pcd

  • Entry points for integrating Openoffice writer into Java swing application

    I googled the web and also took a look at the 2 web sites below, but it seems very difficult to find an entry point for me to try my first application with OpenOffice Writer integrated with my Swing application.
    http://wiki.services.openoffice.org/wiki/Documentation/DevGuide/OpenOffice.org_Developers_Guide
    http://api.openoffice.org/
    What my question is:
    1. Where can I get the completed jar files for using the open office writer api for my java application?
    2. Is there any step by step practical example for using the api? It seems that the above links are quite messy and difficult to find an entry point to get a start, but just contain many segments separated through out the web site.
    Thanks much for any suggestion.

    Information regarding OOo is not on Sun websites, or in these forums. There may be 3rd-party sites that have some info regarding OOo use.

  • Entry point to SAP Netweaver Solution Development

    Hello,
    I come from the ABAP-developer side and have experience on SAP Netweaver ( esp. XI ) and what I would like to do is to develop a custom application that could be integrated in SAP Netweaver Platform as a service - what would be a good entry point for relevant information ?
    Thanks  for any ideas,

    Hi,
    Is the application developed using SAP NW Developer Studio or some other J2EE platform?
    In case you would like to service-enable an existing application that was developed using SAP NW Developer Studio, I think you should check out this: https://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/949ded1f-0b01-0010-f59f-d77cec1bf85d
    Please let me know if this is what you are looking for.
    Regards
    Shehryar
    Message was edited by:
            Shehryar Khan

  • Password Policy implementation for SAP users

    Dear Friends,
    We are planning to implement the Password Policy for SAP users in our organization...
    Here my question is,
    Let's say that the Password Policy is implemented today, what will happen to the SAP users' passwords?
    Will they be locked out until they create a new password that follows the policy?  Will there be a dialog box that will tell them what the criteria is for new passwords and its the time to change the password?
    Thank you,
    Nikee

    Hi
    Let's say that the Password Policy is implemented today, what will happen to the SAP users' passwords?
    SAP Users password will be intact till it prompts for next password change. Say, 90 Days. (Provided Parameter is not set)
    Will they be locked out until they create a new password that follows the policy? Will there be a dialog box that will tell them what the criteria is for new passwords and its the time to change the password?
    They will not be locked out until they create a new password that follows the policy (provided parameter is not set),  During the time of changing the password they would get a dialog box if they have not met the specified criteria indicating that it should have specific values.
    Once the password change prompt appears, in order to log in to SAP they are forced to change the password according to the password criteria set, otherwise they cannot log in.
    Thanks and Regards
    Arun R

  • I have created a form that contains fields with default text for a user to update/personalize.  Is there a way to style the text so I can quickly identify changes to default text in a field?

    I have created a form that contains fields with default text for a user to update/personalize.  Is there a way to style the text so I can quickly identify changes to default text in a field?

    George - Thank you so much!  Actually, I'd love for the text color to be red font color.  Could you send me the script for that? And I assume I just copy and paste the script into the field properties (see screenshot)?
    thanks again!
    Seth

  • No profile with entry tool for task list QP01

    Hi all,
    I am trying to upload Inspection Plan through LSMW. When I reach the Create batch Input step, I encounter an error saying No profile with entry tool for task list Q 141 2 in session 5_INSP_PLAN. How do I fix this?
    Please help

    Solution is to check on config for Inspection Planning for QM.
    SPRO > QM > Quality Planning > Inspection Planning > Maintain Profile for Default Values (OQ84)
    Entry tool must be checked and Profile field in LSMW must correspond with Inspection Plan Profile

  • ECATT integration with Mercury QuickTest for SAP

    For the past few months I have been evaluating Quick Test Professional from Mercury and eCATT (extended Computer Aided Testing Tool) from SAP as testing tools for SAP. Mercury has a strong partnership with SAP and the two companies have offered ways to integrate their two products. Has anyone ever used eCATT in conjunction with QTP? What are your thoughts on this partnership? Is it worth $10,000 to pick up Mercury's QTP when SAP's eCATT is free with SAP? I think the functionality is comparable, although QTP is easier to use and can interact with 3rd party applications. If anyone has used both QTP and eCATT, do you think these two tools are an either/or option or do they complement each other?

    Ben,
    Good to hear you liked the article. Look out for another contribution in SPJ in the near future
    I have attempted to answer your questions - all prefixed with ==> SAP (JM) in your original text:
    This document describes the functionality, abilities and benefits that would be lost in an SAP automated testing solution that excludes Mercury’s QuickTest. Assuming that SAP’s eCATT is the only tool used for SAP testing there will be the following limitations:
    Script Creation
    SAP eCATT cannot record certain types of report screens in TCD(Record) mode. i.e. MB58(view stock levels)
    ==> SAP (JM): This is true - but you can use the SAPGUI command, which uses the same technical interface as QTP.
    Although the ‘active screen simulator’ in eCATT contains data, it is usually not visible and the user has to guess where to click in order to capture a value. The other option is to forgo the active screen and do all of the work through the command interface.
    The active screen in QuickTest allows the user to see the exact state of the screen that was recorded and access the fields in that screen.
    ==> SAP (JM): A valid criticism of eCATT. From Release 6.40 (SAP NetWeaver 04), a script-wide search function makes using the command interface easier.
    The recorded script is one command, (i.e. TCD(VA01, VA01_1) is the command for an entire sales order), therefore Scripting logic must be placed before, after or around a transaction. There is less freedom in scripting inside of a transaction.
    In the Expert view of QTP users can add or delete visual basic statements during any portion of the transaction. Each step, down to a click or keystroke is recorded as an individual statement that can be modified or deleted. Logic such as loops and conditions can be placed around any set of steps.
    ==> SAP (JM): Using the SAPGUI command in eCATT, you can create commands that cover a single screen, providing more of the kind of flexibility that you find in QTP.
    The eCATT tool does not allow individual steps in a single transaction recording to be rearranged or deleted. If a user makes a mistake while recording, the entire transaction must be re-recorded.
    QuickTest allows users to freely remove steps that were mistakes or errors after a transaction has been recorded.
    ==> SAP (JM): Again, using SAPGUI in eCATT, this is possible. Admittedly tricky in Release 6.20, but very simple in Web AS 6.40.
    SAP’s eCATT cannot inherently read excel spreadsheets for data driven testing. The eCATT tool allows for data driven testing through its own data tables. These are useful for entering small sets of data. For eCATT to test large sets of data created in excel spreadsheets there are three solutions:
    1. Purchase conversion software from SAP
    2. Write an in-house conversion script
    3. Enter data manually into the eCATT data table
    QuickTest stores its data table as an excel-readable .xls file.
    ==> SAP (JM): 1. Who is selling the conversion software?
    ==> SAP (JM): You can use the class CL_GUI_FRONTEND_SERVICES to upload a tab-delimited file into an internal table in a test script (using an Inline ABAP routine)
    ==> SAP (JM): Data upload/download is available in Web AS 6.40
    Test scripts in eCATT are limited to about 40 parameters.
    In QuickTest the only limitation to the number of parameters or number of iterations is the maximum number of columns and rows in an excel worksheet.
    ==> SAP (JM): Where does this limitation come from? Does it seem to be technical, or more practical in nature?
    Scripts that enter a single line item in a table cannot be modified to enter multiple items later. A new script with multiple line items must be recorded.
    A script in QTP can be modified to add a single line item or multiple line items to a table regardless of how many items were entered when the transaction was recorded.
    ==> SAP (JM): This is possible in eCATT if you use the SAPGUI command. Because a single SAPGUI command can cover a small part of a transaction, you can isolate the "line item" section in a single command, then put a loop around it. I have an example of this if you need one.
    Script Execution and Analysis
    SAP eCATT will respond with a pass/fail status based on its own criteria before any checkpoints have been added. Although eCATT allows for additional checkpoints, there is a minimum level of pre-set requirements that eCATT looks for in order to allow a test to pass. These pre-set requirements cannot be viewed or changed and tests may “fail” even when, from the user’s perspective, the transaction has responded exactly as expected.
    Quick Test will only fail a test if the script was unable to recognize an object on the screen or complete every statement. Otherwise failure points are completely determined by the insertion of check points by the Test engineer. QuickTest also provides the option to ignore missing objects or uncompleted steps.
    ==> SAP (JM): Default conditions in eCATT (for example, fail if an error message occurs) can be overwritten. See eCATT documentation on http://help.sap.com for details (use the NetWeaver 2004 documentation - it is more comprehensive). Then, the only conditions under which the test would fail automatically would be a system error (RFC destination not available, or similar)
    If SAP experiences a system failure, eCATT will fail too and test results may be lost.
    If SAP were to crash QuickTest can take a screenshot and pinpoint the location in the code where the script failed.
    ==> SAP (JM): If you are working remotely (test case and application under test in different systems) you will get a log in the central test system, even if the SUT fails. The only circumstances under which everything is lost would be a full GUI crash!
    eCATT cannot use the SAP logon pad to open a new session and log on as a new user.
    In QuickTest new sessions can be opened and different users can be logged in with encrypted passwords.
    ==> SAP (JM): eCATT uses System Data Containers and RFC destinations to log onto multiple systems as a specified user. This is more flexible than using hard-coded user names in a script and allows you to leverage concepts such as Trusted RFC or SSO.
    Aside from printing results on paper, users cannot view test results without an SAP logon to the system where the tests were executed.
    Mercury provides a test viewer that can be installed on any machine and allows users without the QuickTest application to view and analyze test results.
    ==> SAP (JM): eCATT logs can be downloaded in a variety of formats from the log view in transaction SECATT (via the Print Preview function, then List -> Save).
    Cannot view a screenshot of the failed step.
    QuickTest provides the option to capture a screen shot at the point of failure.
    ==> SAP (JM): Again, a valid criticism. This has been rectified for the next release of eCATT (will be available with Solution Manager 4.0). When playing back a SAPGUI command, you will be able to capture screenshots at various points in time ranging from "every screen" to "on error".

  • Best practise for SAP users who leave the company

    Hi
    Could anyone recommend a best practise document or give advice on how to deal with SAP user IDs when employees/contractors/consultants leave? I am the basis admin just starting an SAP implementation and we have no dedicated authorisation team at the moment, so I have been asked to look into this:
    Currently we set the validity date in SU01 to the termination date.
    We check there are no background jobs scheduled under that user id; if there are, we change the job owner to a valid user (we try to run all background jobs under an admin account).
    We do not delete the user as from an audit point of view I believe it restricts information you can report on and there are implications on change documents etc, so best to lock it with validity dates.
    Can anyone advise further?
    We are running SAP ECC 5.0 on Windows 2003 64 Bit/MS SQL 2000.
    Thanks for any help.

    Hi,
    Different people will tell you different versions of what they believe is best practice, but in my opinion you are already doing reasonably well.
    What I prefer is
    1. Lock ID & set validity date.
    2. Assign user to user group LEAVER or EXPIRED or something similar (helps with reporting) out of SUIM/S_BCE* reports.
    3. Delete role assignment (should you need it, the role assignment will be in the change history docs anyway).
    4. Check background jobs & act accordingly.
    For ease of getting info I prefer not to delete the ID though plenty of people do.
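
A check of the four leaver steps listed above, run over exported user, role and job lists (an added example, not part of the original posts). The CSV column names, status labels, sample rows and the leaver list are constructed for illustration and are not SAP table or field names.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions for this example.
USERS_CSV = """user,locked,valid_to,user_group
JSMITH,yes,2009-01-31,LEAVER
ACONTRACT,no,2009-01-15,LEAVER
BWILSON,yes,,EXPIRED
DLEE,yes,2009-01-20,FINANCE
CJONES,no,2030-12-31,FINANCE
"""
ROLES_CSV = """user,role
JSMITH,Z_FI_DISPLAY
CJONES,Z_FI_DISPLAY
"""
JOBS_CSV = """job,owner,status
Z_NIGHTLY_LOAD,ACONTRACT,scheduled
Z_OLD_REPORT,JSMITH,finished
Z_ADMIN_JOB,BATCHADMIN,scheduled
"""
LEAVERS = {"JSMITH", "ACONTRACT", "BWILSON", "DLEE"}  # constructed HR leaver list
LEAVER_GROUPS = {"LEAVER", "EXPIRED"}                 # group names suggested in the answer
PENDING = {"scheduled", "released"}                   # assumed status labels


def _rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def _group_by(rows, key, value):
    """Map each row[key] to the list of row[value] entries seen for it."""
    out = {}
    for row in rows:
        out.setdefault(row[key], []).append(row[value])
    return out


def audit_leavers(users_csv, roles_csv, jobs_csv, leavers, today):
    """Return {user: [issues]} for leavers that miss any of the four steps."""
    roles = _group_by(_rows(roles_csv), "user", "role")
    pending = [j for j in _rows(jobs_csv) if j["status"] in PENDING]
    jobs = _group_by(pending, "owner", "job")
    findings = {}
    for u in _rows(users_csv):
        name = u["user"]
        if name not in leavers:
            continue
        issues = []
        # Step 1: lock the ID and set the validity date.
        if u["locked"] != "yes":
            issues.append("not locked")
        valid_to = (u["valid_to"] or "").strip()
        if not valid_to:
            issues.append("no validity end date")
        elif date.fromisoformat(valid_to) > today:
            issues.append("validity end date not yet reached")
        # Step 2: move the user into a leaver user group.
        if u["user_group"] not in LEAVER_GROUPS:
            issues.append(f"user group {u['user_group']} is not a leaver group")
        # Step 3: role assignments should be gone.
        if name in roles:
            issues.append("roles still assigned: " + ", ".join(sorted(roles[name])))
        # Step 4: no pending background jobs under the leaver's ID.
        if name in jobs:
            issues.append("pending background jobs: " + ", ".join(sorted(jobs[name])))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    result = audit_leavers(USERS_CSV, ROLES_CSV, JOBS_CSV, LEAVERS, date(2009, 2, 1))
    for user, issues in sorted(result.items()):
        print(user, "->", "; ".join(issues))
```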

  • Entry point for copying room content

    Hi ,
      We are having a lot of collaboration rooms ,and am thinking if there is
    an easy way of transferring content from one room document folder to another
    room's document folder. Copying shows some entry points like public documents,
    personal documents etc but copying to any of these is not what I need.
    Afterwards how can I copy to the respective room document folder which is
    identifiable only by a long roomid in KM Content? It's a long list.
    So is it possible to add an entrypoint for our rooms in entrypoint
    providers? If so what entry can I have for the provider class?
    Thanks in advance
    Regards
    Vineeth

    Hello,
    If you want to make an extra entrypoint, read the following.
    In the help link they describe how you can add one using the entry points provider etc...
    http://help.sap.com/saphelp_nw04/helpdata/en/54/3d754067025537e10000000a1550b0/frameset.htm
    Another entry-point-like solution for your problem could be to make a folder with links to all KM folders you need to link to. You can add a picture to each of these links by picking the properties > settings > rendering tab.
    If you change the layoutset of this folder to the entrypoints layoutset, you have a screen that looks like entry points.
    Best
