SPNego: User ID Mapping
Hi Gurus,
We have a requirement to have SSO between the user's Microsoft credentials and SAP Portal.
The challenge here is that the user name in the Microsoft credentials is different from the Portal user, so we need to authenticate the user against ADS and then set up the SAP Logon Ticket with the Portal user ID.
We will be using the same ADS for both SPNego and SAP Portal UME, but as we need a different ID for SAP Portal we will do an attribute mapping for that purpose.
For example
ADS User = 20 characters
Portal user= 8 characters
SAPLogon Ticket generated with 8 characters Portal user.
Thanks in advance.
Rogelio
Hi Rogelio,
please have a look into SAP Library. There you will find detailed instructions how to <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm">use Kerberos authentication for Single Sign-on with SAP NetWeaver Portal</a>. Contemplating your requirements (Kerberos Principal Name is different from portal user name), I suggest you pay special attention to sub section <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4bba9d9e5e5f6ce10000000a1553f6/frameset.htm">Configuring the UME</a> and <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4c363ac31e30f3e10000000a11466f/frameset.htm">Configuring the UME when Using ADS Data Sources for Kerberos</a>.
Best regards,
Martin
Similar Messages
-
Dear SDNs,
I write a user defined mapping program under a namespace, and I want to use it in other namespaces by drag and drop instead of importing, is that possible?
Hi,
<i>>>>Prakash, I'm a little confused, I think mapping program like java and XSLT can only imported in user defined function in Mapping, isn't it?</i>
No, you will be importing it under Imported Archive. You will find User Defined Function inside the Graphical Mapping.
Refer this link for UDF
http://help.sap.com/saphelp_nw04/helpdata/en/22/e127f28b572243b4324879c6bf05a0/content.htm
<i>>>>What do you mean by the "F4"? Can you explain it to me ?</i>
F4 is Value request. In the Interface mapping when you are assigning the mapping program you will click on the "?" button which is nothing but F4. You can also press F4 which is equal to pressing "?"
Thanks,
Prakash -
Cannot add users to mapped third party group
When I try to add a user to a group I get the following message:
"cannot add users to mapped third party group"
If a group was mapped in via AD/LDAP/SAP then the users must be added in the 3rd party (AD/LDAP/SAP); you cannot create members in the CMC. This is by product design. If you want to add members to groups in the CMC they must be enterprise groups only (groups created in the CMC, not mapped in from 3rd parties).
Regards,
Tim -
Table that stores the business role and user id mapping
Hi,
i want to know the table that stores the Business role and the business role and user id mapping in CRM system.
Thanks in Advance.
Regards,
Pricy
Hi Mary,
There is no direct table but there is a way to find it.
HRP1263 is the table where business roles are stored when maintained at org level. These are stored against the Position.
For getting user ID and position linkage refer table HRP1001.
In HRP1001 table use below criteria to get the User and Position.
OTYPE = CP
SCLAS = US
SOBID = User ID
ENDDA = 31.12.9999
Get the OBJID
Query the HRP1001 table again with following
OTYPE = CP
OBJID = OBJID from above Query
ENDDA = 31.12.9999
SCLAS = S
SOBID = That's the Position.
Pass the position to HRP1263 as below.
OTYPE = S
OBJID = POSITION
PROFILE - That's the business role assigned for the given position and user.
Hope this is helpful.
Regards,
Naresh -
GRC AC 10.0 Maintain Master User ID Mapping
Hi,
I try to configure "Maintain Master User ID Mapping" in the transaction
SPRO->GRC->Access Control
Example:
SYSTEM: A
USER ID: B
MASTER USER ID: C
If i try to launch the PSS for the C user, also change the password of the B user?
This, not working.
Regards
Hello Prashant,
I want to talk to you regarding GRC upgrade / Migration.
Could you please provide me your contact details or email me on my mail id i.e. [email protected]
I hope you remember me, we had worked together in Mumbai (CG) around 4-5 years back.
Regards,
Atul Rajwade -
How to create mass users and map them to existing hrms users
Hi,
I'm running Oracle E-Business Suite 12i. I want to create mass users and map them to existing HRMS users.
The users I want to create exist in an Excel spreadsheet with the columns employee id, user name. They will all be granted the same responsibility. I want to map them to existing HRMS users using the employee id key.
I have read about the package FND_USER_PKG.CREATEUSER and I can loop over it by using SQL*Loader to create a temporary table, but I'm lost on how to automatically map them to HRMS users as part of the script.
Any help.
dula
Thanks a lot Omka,
I managed to create the users by running the script:
declare
  -- Responsibilities held by the template user JOCHIENG (declared but not used below)
  Cursor C1 is
    select d.product_code, b.responsibility_key
    from FND_USER_RESP_GROUPS_ALL a, fnd_responsibility b, fnd_user c, fnd_application d
    where a.user_id = c.user_id
    and a.responsibility_id = b.responsibility_id
    and b.application_id = d.application_id
    and c.user_name = 'JOCHIENG';
  -- Employees loaded from the spreadsheet
  Cursor employee is
    SELECT EMPLOYEE_ID, EMPLOYEE_NAME from eldoret_final;
BEGIN
  for e in employee loop
    -- Create the FND user and link it to the HRMS person through X_EMPLOYEE_ID;
    -- every account gets the same initial password
    fnd_user_pkg.createuser(
      x_user_name => e.EMPLOYEE_NAME
     ,x_owner => ''
     ,x_unencrypted_password => 'welcome123'
     ,x_start_date => SYSDATE - 10
     ,x_end_date => NULL
     ,x_description => 'CBK Employee'
     ,X_EMPLOYEE_ID => e.EMPLOYEE_ID
    );
    -- Grant the self-service responsibility to the new user
    fnd_user_pkg.addresp(upper(e.EMPLOYEE_NAME), 'PER', 'CBK_EMPLOYEE_DIRECT_ACCESS', 'STANDARD', 'DESCRIPTION', sysdate, null);
  end loop;
  commit;
end;
I had first created the user JOCHIENG and assigned it the responsibility for Self service. So the script just assigns the responsibilities by copying from the one assigned to this user.
Everything seems ok. However, when trying to log in as the new user, the login error: Login failed. Please verify your login information or contact the system administrator.
is returned. But I can reset the password using the forms under Security > Define. Even with the correct password, the login doesn't go through.
Any idea?
dula -
How to prevent a rdp user from mapping drives on the server ?
Hi,
User A from Domain A (using Win7 pro) is able to rdp to Server Z (Windows Server 2008) which is in Domain Z and is able to map drive.
My question is : How do I prevent User A from mapping any drive in Server Z ?
Please advise. TIA!
Hi,
if a user has access to the other share there is no way to prevent that user from mapping a drive.
However, you can remove the "map Network drive" functionality via policy, please see
http://msdn.microsoft.com/en-us/library/ms812045.aspx
That does not prevent users from mapping their drive manually using the "net use ..." command from a shell. While it is possible to restrict running of the net command, I do not recommend that (see
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b5012142-cfe9-4b24-99b9-d7ff3b84f0f4/what-security-policy-blocks-use-of-the-net-command-for-nonadmin-users?forum=winserverGP).
(What you may consider when having shares cross-forest: you can remove that authorized users permission from the share, replacing it by DOMAIN\Domain users groups, etc. So access to the share is limited instead of using a share that a user has access to.
Please keep in mind that even when you remove the network drives a user can still access the resource via UNC.)
Regards,
Martin -
Problems with User Defines Mapping Objects - Dynamic Configuration
We have a mapping object that takes data passed in from R3 and does an HTTP Post to another system using a URL and file name that is passed from the header record. We had a consultant set this up for us last year and in creating the new one we just pretty much copied what he did. The problem is, it is not working for us. We have the url and file name, we pass it to the user defined code that is supposed to pass it to the url and file name in the configuration. The java code looks like this:
public String getPcurlOut(String pcurl, Container container) {
    String ourSourceFileName = "START";
    // Dynamic configuration of the message being mapped
    DynamicConfiguration conf = (DynamicConfiguration) container.getTransformationParameters().get(StreamTransformationConstants.DYNAMIC_CONFIGURATION);
    if (conf != null) {
        DynamicConfigurationKey key = DynamicConfigurationKey.create("http://sap.com/xi/XI/System/File", "Directory");
        // Write the value and read it back to confirm it was stored
        conf.put(key, pcurl + ".xml");
        ourSourceFileName = conf.get(key);
    } else {
        ourSourceFileName = "conf == null";
    }
    return ourSourceFileName;
}
Basically we want to pass a url and file name to our communication channel based on values that come from our file in R3
It is almost exactly like the one that works. Can anyone help with this?
Thanks
Mike
Message was edited by:
Michael Curtis
Hi Michael
<i>Basically we want to pass a url and file name to our communication channel based on values that come <b>from our file in R3</b></i>
--> This means you have file as a sender adapter.
Check adapter specific message properties in sender adapter.
Please refer this blog , it is really worth.
/people/michal.krawczyk2/blog/2005/11/10/xi-the-same-filename-from-a-sender-to-a-receiver-file-adapter--sp14
Also
DynamicConfigurationKey key = DynamicConfigurationKey.create("http://sap.com/xi/XI/System/File","Directory")
Try writing this as
DynamicConfigurationKey key = DynamicConfigurationKey.create("http://sap.com/xi/XI/System/File","<b>FileName</b>")
Regards -
Importing Roles-User Groups Mapping from one Environment to Another
Hi,
I have this situation. I am using WLP8.1 SP4
I have two environments (E1 and E2)and I have 2 MS Active Directory server (MS1 and MS2). The LDAP authenticator in E1 is configured to use MS1 and the LDAP authenticator in E2 is configured to use MS2. The user groups are stored in the Active Directory servers and the role-user groups mappings are done within the Weblogic.
I imported the role-user groups mappings from E1 to E2 and it works. After that, if I map another user group to an existing role and do an import again from E1 to E2, it does not take any effect. Why is it so? Any kind soul can help me? I am very lost now.?:|
Hello! :)
Unfortunately, I'm already using Catalog Manager in transferring files. I'd really like to find out if there is a particular file that defines the permissions of the objects that I should also transfer, or if I should really do that manually for each of the objects?
Thanks for the reply! :) -
SAML - USer Principal mapped on a SAML attribute - How to do ???
Dear security experts,
I have configured on my weblogic platform a Sender vouches SAML profile.
I am trying to map the UserPrincipal (the one I get from the webServiceContext in my web service) to a SAML attribute (different from the SAML subject).
I have written a class that implement the interfaces SAMLIdentityAssertionNameMapper and SAMLIdentityAssertionAttributeMapper .
Here is an overview of the simplified implementation :
public String mapNameInfo(SAMLNameMapperInfo info, ContextHandler handler) {
    return "user2";
}

public void mapAttributeInfo(Collection<SAMLAttributeStatementInfo> attribStmts, ContextHandler contextHandler) {
    // Add "user1" as a WLS user principal through the SAML attribute principals element
    Set<Principal> principals = new HashSet<Principal>();
    principals.add(PrincipalFactory.getInstance().createWLSUser("user1"));
    ((SecurityTokenContextHandler) contextHandler).addContextElement(ContextElementDictionary.SAML_ATTRIBUTE_PRINCIPALS, principals);
}
After weblogic has loaded my SAML assertion, I can see in the log that my uibject has two User Principal : user1, user2. When I call getUserPrincipal in my webservice, I always get "user1". I need to get "user2".
Why mapNameInfo() always has the priority ? Is it the good way to implement this mechanism ?
Thanks for your help.
Gyan:
How is that possible? If you import the VOImpl inside EOImpl, the import statement is ok. But how would you use that? There is no findViewObject method? The OADBTransaction class that I can use has only findObject method that one can use and I tried that but wasn't successful. Shouldn't you have to import OAApplicationModule and a host of other classes? Is that even possible?
I thought about the entity expert approach but I don't have a need to execute any query. I just need to refer to the view attribute from within the EOImpl. That's what I am looking for. If there is a way to refer to a view attribute from within the EOImpl without having to populate that attribute in a session/transaction variable that would be a better solution for me because there may be more attributes that I need from different VOs later on and everytime I need some VO attribute I don't have to create and populate a session/transaction variable.
Please let me know if it can be done. Can you please elaborate more on your proposal? I really appreciate your time and help. Thanks!
- Muzammil -
Mac Users + OVI Maps Build ClientIndex
For Mac users unable to use Nokia Maploader for Mac here is how to merge index links provided by ovikovi
IndexAsia
IndexAustralia/Oceania
Index Africa
Index NorthCentralAmerica
Index South America
Index Europe
Unzip folders and drag respective folders to Documents as here
Documents
It is probably helpful to open this screenshot now
Merge ClientIndex
Create a New Folder in Documents ClientIndex
Open Terminal on Mac > Finder > Go > Utilities > Terminal
Type after $ prompt cd Documents <hit return>
Type after $ prompt cp -r Africa/* ClientIndex <hit return>
Repeat with index for other countries as in terminal screenshot
When finished drag ClientIndex folder to E:\CITIES\diskcache
This procedure also works for merging individual maps and is documented elsewhere on forum.
Happy to have helped forum in a small way with a Support Ratio = 37.0
England
Northern Ireland
Scotland
Wales
French regions:
Alsace
Aquitaine
Auvergne
Bretagne
Bourgogne
Centre
Champagne-Ardenne
Corsica
Franche-Comté
Langedoc-Roussillon
Limousin
Lorraine
Midi-Pyrénées
Normandie
Nord-Pas-de-Calais
Paris-Ile-de-France
Pays-de-la-Loire
Poitou-Charentes
Provence-Alpes-Côte-d'Azur
Rhône-Alpes
German regions:
Baden-Württemberg
Bayern
Berlin/Brandenburg
Hessen
Mecklenburg-Vorpommern
Niedersachsen/Bremen
Nordrhein-Westfalen
Rheinland-Pfalz/Saarland
Sachsen
Sachsen-Anhalt
Schleswig-Holstein/Hamburg
Thüringen
Italian Regions:
Abruzzo
Basilicata
Calabria
Campania
Emilia-Romagna
Friuli-Venezia Giulia
Lazio
Liguria
Lombardia
Marche
Molise
Piemonte
Puglia
Sardegna
Sicilia
Toscana
Trentino-Alto Adige
Umbria
Valle d'Aosta
Veneto
Spanish regions:
Andalucía
Aragón
Asturias
Islas Canarias
Cantabria
Castilla y Léon
Castilla la Mancha
Catalunya
Ceuta
Communidad Valénciana
Extremadura
Galicia
Islas Baleares
La Rioja
Madrid
Melilla
Murcia
Navarre
País Vasco
Happy to have helped forum in a small way with a Support Ratio = 37.0 -
Hi,
How do I create roles and map them to users on Enterprise Portal. We are on CRM 5.0 and EP 6
Thanks
Guest01
Thx Gregor, I have now changed my screen name. It was a lazy work on my part that I opened my user with guest and continued the same.
We actually don't have any portal administrator at the moment and I need to take this mantle for some time. I will explore the user mapping as suggested by you.
thanks
Kumar -
SGD 4.31 - User application mapping( AD enable )
Dear Forum users,
Objective: Assign AD authenticated users with specific applications.....
I have installed SGD 4.31 in my SFV240 server. Have configured and enable AD for users to authenticate.
These are my DNS SGD servers lookup:
portal-01.esuria.com.bn ---> 172.16.2.82
172.16.2.82 ---> portal-01.esuria.com.bn
portal-02.esuria.com.bn ---> 172.16.2.83
172.16.2.83 ---> portal-02.esuria.com.bn
Note: In our existing DNS server, our admin configured the Domain as "ESURIA.COM.BN"
These are my Array Manager AD Settings:
URL: ad://esuria.com
Base Domain: esuria.com
Default Domain: esuria.com
Note: Our existing AD server, admin has configured the Domain as "ESURIA.COM"
Object Manager Settings:
Note: These are created by default( dc=bn, dc=com, dc=esuria )
I created Active Directory Container( cn=Users )
I created Person object ( cn=ali ) and assign some applications to ali.
Note:
1) User Ali is created in AD server only.
2) The reason i created the above AD Container and Person object is to assigned specific applications to user Ali.
Open a firefox browser and type the sgd url and click login. Enter username ali and password and i am successfully login to SGD webtop. Unfortunately, every time i login to webtop, i saw the LDAP Applications NOT the applications i specified in the Object Manager( Person Object ).
Here are the logs output:
root@portal-02 # tail -f server-login.log
2007/11/12 18:43:25.152 (pid 11467) server/login/moreinfo #1194864205152
Attempted login for ali
using disambiguation attributes {}.
2007/11/12 18:43:25.165 (pid 11467) server/login/moreinfo #1194864205165
The login authority com.sco.tta.server.login.ens.SearchENSLoginAuthority
has found a potential login candidate
.../_ens/dc=bn/dc=com/dc=esuria/cn=Users/cn=ali.
2007/11/12 18:43:25.177 (pid 11467) server/login/moreinfo #1194864205177
The login authority com.sco.tta.server.login.ens.SearchENSLoginAuthority
has found a potential login candidate
.../_ens/dc=bn/dc=com/dc=esuria/cn=Users/cn=ali.
2007/11/12 18:43:26.568 (pid 11467) server/login/info #1194864206568
Login attempt for ali.
Login successful.
2007/11/12 18:43:26.571 (pid 11467) server/login/info #1194864206571
User .../_service/sco/tta/ldapcache/CN=Ali,CN=Users,DC=ESURIA,DC=COM
logged in using profile
.../_ens/o=Tarantella System Objects/cn=LDAP Profile
from 172.16.2.109.
I believe I had missed some steps. Can the forum experts help me to achieve my objective?
Thanks.
This docs page describes the steps that are required:
http://docs.sun.com/source/820-1088/ldap_mirroring.html
It's worth noting that the location of the users in ENS must map directly to the location of the users in LDAP/AD.
So a user located in active directory under domain "esuria.com" must be positioned in ENS under "dc=com,dc=esuria". I can see from the example you gave you are using "dc=bn,dc=com,dc=esuria". These will not match.
So instead of creating a user in ENS under "dc=bn,dc=com,dc=esuria,cn=Users" you would create them under "dc=com,dc=esuria,cn=Users".
HTH
Deany Dean
Edited by: deanydean_sgd on Nov 13, 2007 5:10 AM -
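The location rule from the answer above, as an added example that is not part of the original post or of SGD itself: it derives the ENS path that mirrors an AD DN and reports which components of a configured ENS object do not match. The path layout is taken from the log output in the question; the function names and the case-insensitive comparison are assumptions.

```python
# Added example (not SGD code): check that an ENS user object sits at the
# location that mirrors the user's Active Directory DN.
# Assumptions: ENS paths look like the ones in the log above
# (".../_ens/dc=com/dc=esuria/cn=Users/cn=ali", top-level component first)
# and names are compared case-insensitively.

ENS_PREFIX = ".../_ens/"


def split_dn(dn):
    """Split an LDAP DN into RDNs, keeping backslash-escaped commas intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def expected_ens_path(ad_dn):
    """Return the ENS path that mirrors an AD DN (DN order reversed)."""
    components = []
    for rdn in reversed(split_dn(ad_dn)):
        attr, _, value = rdn.partition("=")
        components.append(f"{attr.strip().lower()}={value.strip()}")
    return ENS_PREFIX + "/".join(components)


def ens_components(ens_path):
    """Break an ENS path into components, dropping the '.../_ens/' prefix."""
    if not ens_path.startswith(ENS_PREFIX):
        raise ValueError(f"not an ENS path: {ens_path!r}")
    return [c for c in ens_path[len(ENS_PREFIX):].split("/") if c]


def check_mirror(ad_dn, ens_path):
    """Return (ok, expected_path, unexpected_in_ens, missing_from_ens)."""
    expected = expected_ens_path(ad_dn)
    want = [c.lower() for c in ens_components(expected)]
    have = [c.lower() for c in ens_components(ens_path)]
    unexpected = [c for c in have if c not in want]
    missing = [c for c in want if c not in have]
    return want == have, expected, unexpected, missing


if __name__ == "__main__":
    # DN and ENS paths as they appear in the question and the answer above
    ad_dn = "CN=Ali,CN=Users,DC=ESURIA,DC=COM"
    for path in (".../_ens/dc=bn/dc=com/dc=esuria/cn=Users/cn=ali",
                 ".../_ens/dc=com/dc=esuria/cn=Users/cn=ali"):
        print(path, check_mirror(ad_dn, path))
```
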
Dear Experts,
I have a scenario where the Project/Support team members won't be mapped into the organizational structure. But they must be able to view the shopping cart details. Could you please help me in providing some clue to achieve this.
As of now, I am getting the below error if the user is trying to view the shopping cart details when the user is not mapped into the organizational structure.
Thanks in advance for your help.
Best Regards,
Bharathi
Hi Bharathi,
Make it more simple. Create a separate organizational unit for the Support/Admin team and integrate the users there.
It's the common practice.
Regards
Konstantin -
Business Partner to User Id Mapping
Hi All,
Can anybody tell me where we map the System User ID to the Business Partner?
Answers would be awarded.
Thanks & Regards,
Stephen
Hi Stephen,
You can do the same in transaction BP.
Select Business Partner with Employee Role --> Goto Identification tab.
There you can maintain the PERNR and SY-UNAME.
Let me know if this helps.
Regards,
Vivek Pandey