User Guide

1. When a user logs in to SAP Enterprise Portal, SAP authenticates the user against the SAP
provider and issues an SAP logon ticket. SSO to SAP is enabled at this time.
2. The user navigates to a Hyperion product. The SAP logon ticket is passed to the Hyperion
product, which decrypts the SAP logon ticket using an SAP certificate stored on the Shared
Services server machine to retrieve the user name.
3. Accepting the user name retrieved from the SAP ticket as valid, the Hyperion product
queries user directories to determine the user's groups. The SAP provider must be configured
as a user directory in Shared Services for this process to work.
4. Using the group information, the Hyperion product gets the provisioning information for the
user from Shared Services.

Assumptions in both scenarios:
If using a non-SAP corporate directory, the corporate user directory used by SAP Enterprise
Portal is supported by Shared Services. See Hyperion Installation Start Here for a list of
supported user directories.
User accounts and groups are already defined on the corporate user directory.
The corporate user directories are configured to work with Shared Services.
Users and groups are provisioned to access Hyperion products.

Nested SAP Groups
After configuring an SAP user directory, available SAP users and groups are displayed in User
Management Console. Shared Services considers the SAP roles to be the equivalents of groups
created by any corporate directory server. Each role from the SAP user directory is displayed as
a distinct group in User Management Console. Shared Services, however, does not retrieve the
relationships that exist between simple and composite roles within the SAP user directory. If
needed, nested groups can be created in Native Directory to mimic the relationship that existed
between the simple and composite roles in the SAP user directory.
Setting Up Authentication