Thursday, January 31, 2013

Ignore Password Expiration when authenticating with SSO



One of the most annoying things about having multiple systems within an SAP environment is the fact that people have to remember passwords for every component system within the landscape.
SSO resolves this problem, for the most part, but there's still that annoying little fact that initial passwords must be changed at first login, and passwords may be set to expire every so often.

Well, your options for avoiding these problems are as follows:
1. Deactivate passwords
2. Have the component systems ignore expired passwords when utilizing SSO

Option 1 is great if your users will never need to enter a user ID and password; it puts the entire authentication burden on some other application (like Active Directory). But this is not necessarily the right solution for every client.

Option 2 is what I choose, primarily. To implement it, you need to set profile parameters in all ABAP and Java systems in your landscape.

For the ABAP systems set the following profile parameter:

login/password_change_for_SSO

This profile parameter determines precisely how the system reacts when a user accesses it through SSO and their password is expired (or initial). Here are the possible values:

0 = Ignore password change request, and allow access
1 = Present a pop-up window with options 2 and 3 below
2 = Require the password be changed, including old password and new password
3 = Deactivate the password

This is a dynamically switchable parameter and can be turned on in RZ11 without the need for a restart, though you will have to modify the profile to make the change permanent.

For the Java systems, open Visual Administrator and, under the UME Provider service, set the following parameter to False:

ume.logon.force_password_change_on_sso

This is not dynamically switchable and will require the cluster to be restarted.
Now both your ABAP and Java systems will ignore expired passwords.
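Because value 0 means an expired or initial password is never enforced for SSO logons, it is worth auditing which systems in the landscape carry it. The following is an added example, not part of the original post or of any SAP tool: it parses saved profile and UME property fragments (constructed here) and reports both settings.

```python
# Meanings of login/password_change_for_SSO values, as listed in the post.
ABAP_MEANINGS = {
    "0": "ignore password change request, allow access",
    "1": "pop-up offering change (2) or deactivate (3)",
    "2": "require the password to be changed",
    "3": "deactivate the password",
}

def parse_params(text):
    """Parse 'key = value' lines; '#' lines are comments. Works for both an
    ABAP profile fragment and a UME properties fragment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def audit_abap(profile_text):
    """Report whether an ABAP profile lets SSO logons bypass an expired password."""
    value = parse_params(profile_text).get("login/password_change_for_SSO")
    if value is None:
        return {"value": None, "bypass": False, "meaning": "not set; system default applies"}
    return {"value": value, "bypass": value == "0",
            "meaning": ABAP_MEANINGS.get(value, "unrecognised value")}

def audit_java(ume_text):
    """Report whether the UME lets SSO logons bypass an expired password."""
    value = parse_params(ume_text).get("ume.logon.force_password_change_on_sso")
    if value is None:
        return {"value": None, "bypass": False, "meaning": "not set; system default applies"}
    forced = value.lower() != "false"
    return {"value": value, "bypass": not forced,
            "meaning": "password change forced on SSO" if forced
                       else "password change not forced on SSO"}

# Constructed sample fragments (hypothetical, not from a real system).
SAMPLE_ABAP_PROFILE = """\
# constructed DEFAULT.PFL fragment
login/password_change_for_SSO = 0
"""
SAMPLE_UME_PROPERTIES = "ume.logon.force_password_change_on_sso=false\n"

if __name__ == "__main__":
    # RZ11 can change the ABAP value at runtime without touching the profile
    # file, so compare this report against the live value shown in RZ11.
    for name, r in (("ABAP", audit_abap(SAMPLE_ABAP_PROFILE)),
                    ("Java", audit_java(SAMPLE_UME_PROPERTIES))):
        print(f"{name}: {r['value']} -> {r['meaning']} (bypass: {r['bypass']})")
```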
Hope this helps…