05 Sso Miis Mom

8/13/2019 05 Sso Miis Mom

1/28

Identity Management,Single-Sign On,

Operations

Tilo BoettcherSnr. Program ManagerMicrosoft [email protected]


2/28

Introduction

Identity Management

Single Sign On

Operations using System Center Operations Manager


3/28

3

What the user has

ERP CRM ESS Groupware

Intranet Workflow Internet ...

PC

Logon

Logon Logon

Logon


4/28

4

What the user wants

ERP CRM ESS Groupware

Intranet Workflow Internet ...

PC

Logon

Access


5/28

5

What the administrator wants

Central user management

Single point of administration

Assign user rights in various applications with one keystroke

Lock or Delete users centrally

Central user repository

Avoid redundant user information


6/28

Identity Management

Introduction

Single Sign On



7/28

7

User Management integration w/o MIIS

using SAP standard interfaces

SAP NetWeaver

Microsoft Windows Server

Enterprise

Portal

Microsoft Active Directory

mySAP Business Suite

and SAP R/3

UME

HR

SAP Web AS

ABAP

CRM ERP R/3

CUA

User store LDAP synchronisation
http://www.sap.com/index.epx


8/28

8

Data export from mySAP HR

using LDAP interface

Employee data:

Personel number

First Name

Last Name

...

WebAS>= 6.10

Extraction

Active

Directory

SAP HR

SAP data field ->

LDAP attribute

Mapping

RFC LDAP

Create / update users

User attributes

Cn

Sn

givenName

...

LDAP

=4.7


9/28

9

DEMOSAP UME OVER MS ADS

SAP EP 6.0Microsoft

Active Directory (LDAP)SAP ECC 5.0

Login over MS ADS SSO LOGIN into ERP

user

Sales HR


10/28

10

SAP LDAP user synchronisation

SAP ABAP user management data can be synchronized with a LDAP directorywith systems based on WebAS 6.10 or higher

SAP Systems with Release 4.5 and higher can be integrated into LDAP usingCUA

LDAP directory interface provides mapping capabilities of LDAP attributes andSAP data fields

SAP User synchronisation and distribution can be performed by backgroundjobs

CUA onWebAS

Mandatory for 4.5 & 4.6optional for 4.7 and higher

LDAP ALELDAP

4.7 andhigher


11/28

11

Result of SAP user LDAP sync.

User is created / updated with

basic user data from LDAPdirectory

First Name

Last Name

eMail

Roles (optional)

Users are created withoutpassword

Passwords are not needed ifSSO using SAP Logon Ticketsis used

No security risk since userscannot log on without usingSSO via Enterprise Portalusing an initial password


12/28

12

Identity Management using MIIS

in a Microsoft Environement

SAP Standard Interfaces

SAP Web AS ABAP: LDAP Synchronisation with Active Directory

SAP Web AS JAVA: Support of LDAP Directories (ActiveDirectory) as user store

SAP HR: LDAP Interface HR Data Retrieval in a LDAP EnabledDirectory Service

Microsoft Identity Integration Server

MIIS 2003 SP1 SAP Management Agent

MIIS will get additions withIdentity Lifecycle Manager ILM 2007 soonhttp://www.microsoft.com/windowsserver/ilm2007/default.mspx


13/28

13

MIIS 2003 SP1: SAP Agent

Goals

Use supported SAP interfaces SAP certification in progress

Dont require reconfiguration of SAP

Support default configurations out of the box

Make it possible to use any BAPI on the SAP application serverthat can be called remotely

Use SAP technology to connect directly to SAP

Leverage SAP security infrastructure

Eliminate manual file creation processes

Scenarios

Employees as authoritative data for provisioning

Feed updated email, user ID attributes back to SAP

Provision and manage SAP HR/CUA users


14/28


15/28

User Management integration with MIIS

SAP is the example

connected data source

BAPIs (a set of APIs for interacting with

SAP) are used for import and export

The SAP Management Agent is built using

an easy-to-use set of .NET interfaces Import employees, users, customers

Export users, updates to employees and

customers

MIIS Server

Provisioning, Deprovisioning, Synchronization,Password Synch., Users, Customers, Employees

MIISSync

Engine

SAP MA

File MA

SAPBAPI

BAPIExport


16/28

MIIS usage


17/28

17

User Management integration with MIIS

SAP NetWeaver


EnterprisePortal


mySAP Business Suite

and SAP R/3

UME

HR

SAP Web AS

ABAP

CRM ERP R/3

CUA

User store Provisioning Data extraction

MIIS
http://www.sap.com/index.epx


18/28

Single Sign On

Introduction

Identity Management


SAP EP SSO SAP b k d li i


19/28

20

SAP EP: SSO to SAP backend applications

Initial

Logon

SAP

Logon

Ticket

SAPLogon

Ticket

SAP

Logon

Ticket

SAP

Logon

Ticket

SAPGUI for Windows

Windows

SAP

Web

WebAS

SAP

SAP

ITS

WebDynpro

WebDynpro

BSP-Pages

SAPGUI for HTML

SSO SAP L Ti k t


20/28

21

SSO SAP Logon Tickets

Portal Server issues an SAP logon ticket to a user after

successful initial authentication

SAP logon ticket is stored as per session cookieon the client browser

SAP logon ticket is used to authenticate user to applications

User gets access to multiple applications and services

After initial logon no further user logons required

SAP logon tickets contains user name(s)

SAP Logon Ticket is signed using digital signatures

SAP EP: Authentication Methods


21/28

22

SAP EP: Authentication Methods

Initial Logon Procedure

Authentication methods

User ID / password

LDAP Directory (for example Active Directory)

Portal Database

SAP System

X.509 digital certificates

Third-party authentication

Integrated windows authentication

SAP authentication (SAP Web AS or R/3)

Others through JAAS interface (pluggable JAAS loginmodules, e.g. RSA)

SAP EP SSO


22/28

23

SAP EP: SSO

to SAP and MS backend applications

SAP NetWeaver - Portal Framework

SAP

Enterprise

Portal


mySAP

Business

Suite and

SAP R/3

Authentication

Identify

user

IIS

SAP

Kerberos

Ticketing

BridgeSAP

Logon

Ticket

Kerberos

Ticket

SAP

Logon

Ticket

User

(Windows

Workstation)

SSO

or

Authentication



23/28

Operations using System Center MOM

Introduction

Identity Management

Single Sign On

S t C t O ti i M


24/28

25

System Center Operatioins Manager

9,000+ customers

Award Winning Capabilities:

Windows IT Pro 2005 ReadersChoice Winner

Proven InfrastructureManagement

Proven Partner MPs

Strong Product Roadmap

MOM: Analyst Momentum


25/28

26

MOM: Analyst Momentum

GartnerCompanies considering a management tool for their Windows centricserver environment should definitely place MOM 2005 on theirevaluation list.

David Coyle, April 05

ForresterWith the release of MOM 2005, Microsoft has made importantimprovements to the product it is set to become the No. 1 or No. 2player in the Windows server platform management market within thenext three years.

Thomas Mendel, Sept 04

IDC

Sept 05 numbers show MOM growing at 5x the market rate:

Windows Perf Mgmt growing @ 13% yr/yr growth

MOM growing at @ 60% yr/yr

H i f SAP Tid l S ft


26/28

27

Horizon for SAP Tidal Software

What does Horizon do? SAP Monitoring in MOM

Automates SAP Performance Management through Expert-in-a-Boxtechnology, modeled on the same processes used by expert SAP BasisAdministrators

Uses MOM Reporting to deliver extensive SLA Reporting: trend and trackSAP service to the business

Automates manual repetitive tasks

How does Horizon add Value? Reduces cost and increases effectiveness of SAP administration and

operation Automates many routine tasks performed by SAP Basis Administrators Informs administrators of impending issues before customers call for help. Faster diagnosis of transient outages with Snap Shot monitoring

Reduced number of experts required to diagnose complex multi-tierproblems Automates creation and distribution of Service Level reporting for

management and operations Embedded SAP best practices make junior administrators more

experienced, offload Basis work to Operations, and improve quality of afterhours coverage


27/28

28

DEMOSystem Center MOM

SAP NetWeaver 2004sMicrosoft System Center

Operations Manager

No Agent needed: Use of WS-Management


28/28

www.microsoft-sap.com

Documents

05 Sso Miis Mom