Hi,
We are looking to install the SAP NW SSO IdP component to act as the central identity provider for the SAP landscape. Key landscape components include:
- NW SSO 2.0 with UME pointing to Active Directory
- Portal 7.4 with UME pointing to ERP 6 EhP5
- Gateway 7.4 for Fiori Apps
The apps will be accessed from desktop as well as mobile device, through internet browser in both cases.
From an authentication point of view:
- We will be setting up Kerberos integration so that desktop users who authenticate on the network against the AD are automatically assigned a SAML token
- Trust between IdP and SAP Portal will be set up to allow users to log on to Portal
- We are also looking to set up SSO to SuccessFactors. We'll configure a Portal URL iView to point to SF and we'll set up the trust between IdP and SF. The SAML assertion from the IdP should allow us access to SF
- As we are looking to set up IdP-initiated SSO, mobile users will also be given the IdP URL to log on to the network and get a SAML assertion to access the Portal
- We'll set up SAP logon ticket based access from the Portal to the ERP and Gateway
- Trust will also be set up between Gateway and ERP
The challenge we have is that our Network ID (held in AD), SAP ID (held in ERP), and Employee ID (acts as user ID on SuccessFactors) are all different. So we need to maintain a user mapping between the three IDs on the IdP, I believe. What would be the best solution to configure the mappings between these three IDs?
One option could be to update the AD to hold the information, but that is not the preferred approach for several reasons. Can someone suggest what other options could exist without writing any custom code? We can do it, but I'd like to avoid it if possible.
Thanks and regards,
Shehryar
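To make the mapping problem in the question concrete, here is an added illustration (not SAP NW SSO code and not part of the original post) of what an identity provider has to do when the same person is known by a different identifier at each service provider: look up one record holding the AD network ID, the ERP SAP ID and the SuccessFactors employee ID, pick the identifier the target SP expects, and fail closed when no mapping exists rather than issuing an assertion with the wrong subject. The entity IDs, user records and `MappingError` type are constructed for the example.

```python
"""Per-service-provider NameID resolution for a user known by three IDs.

Added example: models the mapping the post describes (network ID from AD,
SAP ID from ERP, employee ID for SuccessFactors) and shows which identifier
ends up in the SAML <Subject> for each relying party. All entity IDs and
user records below are constructed sample data.
"""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


@dataclass(frozen=True)
class IdentityRecord:
    network_id: str   # principal authenticated by Kerberos against AD
    sap_id: str       # ERP user ID, what the Portal / UME expects
    employee_id: str  # SuccessFactors user ID


# Constructed mapping table, keyed by the authenticated network ID.
MAPPING_TABLE = {
    "jdoe": IdentityRecord("jdoe", "DOEJ", "10004711"),
    "asmith": IdentityRecord("asmith", "SMITHA", "10004712"),
}

# Constructed SP entity IDs -> which field feeds the NameID for that SP.
SP_NAMEID_SOURCE = {
    "https://portal.example.invalid/saml2": "sap_id",
    "https://successfactors.example.invalid/saml2": "employee_id",
}


class MappingError(LookupError):
    """Raised when no trustworthy identifier can be issued for this SP."""


def resolve_name_id(network_id, sp_entity_id):
    """Return the identifier the given SP knows this authenticated user by.

    Fails closed: an unknown user, an unknown SP, or an empty mapped field
    raises instead of falling back to the network ID, so an assertion is
    never issued with a subject the SP would map to the wrong account.
    """
    record = MAPPING_TABLE.get(network_id)
    if record is None:
        raise MappingError(f"no identity record for network ID {network_id!r}")
    source = SP_NAMEID_SOURCE.get(sp_entity_id)
    if source is None:
        raise MappingError(f"no NameID source configured for SP {sp_entity_id!r}")
    value = getattr(record, source)
    if not value:
        raise MappingError(f"{source} is empty for network ID {network_id!r}")
    return value


def build_subject(network_id, sp_entity_id):
    """Serialise a SAML 2.0 <Subject> naming the user as the target SP expects."""
    ET.register_namespace("saml", SAML_NS)
    subject = ET.Element(f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID")
    name_id.set("Format", NAMEID_UNSPECIFIED)
    name_id.text = resolve_name_id(network_id, sp_entity_id)
    return ET.tostring(subject, encoding="unicode")


if __name__ == "__main__":
    for sp in SP_NAMEID_SOURCE:
        print(sp, "->", build_subject("jdoe", sp))
```

The same authenticated Kerberos principal (`jdoe`) yields `DOEJ` in the subject sent to the Portal and `10004711` in the subject sent to SuccessFactors; the record holding all three values is the piece that has to live somewhere the IdP can read, whether that is AD, a separate store, or the IdP's own user management.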