Log in, Log out, Log in, Log out…
Folks,
Until recently, I was a happy user of just one S-ID that granted me access to many SAP websites (like SCN and Support Portal). All I needed to do was to flash my digital certificate and the virtual bouncers would just smile and roll out the red carpet for such valued member of SAP society.
But then my employer decided to assign me a new S-ID, just for the giggles. Apparently, no one at SAP AG was able to foresee such exotic move because no provisions were made to allow the SCN members to change the S-ID in their profile. You might ask why I started using S-ID on SCN in the first place? Well, you see, it was actually possible to switch S-IDs on SCN up until about 2010. It was cumbersome, your account could’ve been “guestified” for a while, your “member since” date might be off, you had to email someone, ask nicely and then wait, etc. But it was a possibility. Of course, this had to be “improved” and now “UPDATE User_Profile WHERE SID =… ” no longer works.
This is not breaking news, it’s been a known issue for a while (see Exhibit A, B, and C just from the top of the Google search). But now it affects me personally, so it just got “super duper cereal”.
In absence of other options, I had to bite the bullet and create new SCN account with so called P-ID thus becoming Jelena The Second. With the new account, I lost the ties to my old SCN posts, my followers and followees. But I’m also still Jelena The First and need to access other SAP sites, sometimes using both old and new S-ID.
I use mostly Chrome browser because Firefox has some kind of beef with our corporate spyware and IE… well, who really uses IE voluntarily these days? There are 2 digital certificates installed on my PC (for both S-IDs) and I asked Chrome to remember my login information for SCN because I don’t like typing. The following happens daily when I go to the SCN home page.
I do not want to use a digital certificate on SCN, so it’s important to click Cancel and close the pop-up. If I try to access SCN while undercaffeinated and accidentally click on a new certificate, I will end up cleaning up cookies and my Inbox till lunch time.
If I don’t mess up this step, I arrive at the SCN Welcome page where I’m greeted by the picture of the aftermath of an extinction event that evaporated all humans but left the buildings intact. Probably rather accurate representation of SAP Community these days. Note that at this point SCN still does not recognize me and I have to click on the Login button explicitly. (By the way, why do we use “Single sign-on” to “log in“? English is confusing.)
After that, SCN finally admits me into the club. Unless I venture to check my Notifications:
Anyways, at least this takes care of SCN access. But apparently the SAP websites are like the casinos – they don’t want you to leave and visit other places. If after stopping by SCN I decide to do some club-hopping to the Support Launchpad, this is what I see:
Err, I kind of already did that for not just one but two S-IDs, so why is it pretending we have not been introduced? Okay, I’ll just click the button and maybe then it’ll let me pick a certificate?
I guess not. Well, I’m too lazy to search for my S-ID and password (which needs to be exactly 8 characters with a punctuation symbol or The Matrix will blow up) and type it in, so let me just close this. And now I have the pristine blue screen (because Launchpad thinks I want to use my P-ID, which is meant solely for SCN) but hey, there is a Log Out button, maybe it will work?
Hm, what do I want to do next? Go to Launchpad? I thought I’m already here… This reminds me of Eddy Izzard’s impression of the American colonists: “This is Plymouth? We just came from Plymouth!” 🙂 But OK, let’s go back to Plymouth, err, Launchpad. Aaaand here we go again with the wrong credentials:
This seems like a good opportunity to use the cure-all of IT “have you tried turning it off and on again”. But, surprisingly, after closing the browser and opening it again, the SCN presents me with a choice of certificates (as in the very first screenshot above) yet Launchpad stubbornly insists on using the SCN credentials and ignores the certificates. What the deuce?
Of course, sitting all day singing “log in, log out, hey!” to the tune of this song is not the best use of one’s time. At some point you just cut the losses and power up another browser, like the evil IE. With the pesky SCN out of the way, Support Launchpad allows to juggle the two digital certificates somewhat decently by using “Log out” and going back to Ply… Launchpad.
But SCN and Launchpad are not the only SAP clubs I need to visit. There is also Jam and the Mentor app, for example. And even after you’ve managed to log in (or on?) there, sometimes things just don’t work as expected. Inevitably you hear: “yeah, that does not work well in Internet Explorer, have you tried Chrome?”
Image source: Wikipedia
Why, just today the virtual bouncers at the support portal kicked me out. Or rather didn't let me in. So the search was on for my... my... my what??? Was it my p-ID or my S-ID or my email and if so, which one. This is just for someone who wants to navigate between SCN and Support, mind you - not even venturing into those exclusive clubs hosted on Jam.
#headdesk or maybe #headwall
I’d like to think that in the wake of human extinction, I would be the protagonist in I Am Legend. (I need these fantasies to survive a typical day — let alone an apocalypse.)
But to some of the points at hand…
You’ve linked to several posts about this issue, and I know that after exhibits A, B, C, you could also present exhibits [the rest of the alphabet]. In response, I could point to multiple comments back from our team (such as recent posts from Gali and Oliver) to confirm that it’s a big problem we recognize, and it’s a complicated issue to resolve. But I know that’s a bad idea, and it’s smart thinking that helped me survive the fall of humanity.
So rather than try to get by with the same old, same old, I’m taking time out of my vampire-killing schedule to see if there’s anything new to report about this issue. If there is, we'll share here. If not...well...maybe I'll learn when it's best to step away from the keyboard.
In the meantime, I want to confirm something specific from your post: You’re saying that you log in on the welcome page, and when you go to notifications, you have to log in again? Because I just had a long conversation about “auto login” with Steffi in Coffee Corner, and I thought I was in the clear, and then Veselina pointed me here…and…well…here I am.
Anyway, if you can confirm, I can see what’s up with that at least.
–Jerry
Oh…wait…it just occurred to me that the guy in I Am Legend was the true monster…
To start with the small stuff - sometimes (not always) when you try to access Notifications, it does not see your login and the screen I've shown appears. It's a known bug, reported a while ago (I'm too lazy to search since my Q&A history is no longer in my profile). Someone recently claimed it was fixed but it happened to me again right after I read it. I can't reproduce it easily though and don't see any special pattern, unfortunately. But this has been mentioned by others as well as a sporadic issue.
On to the bigger picture. SAP known about this problem for years and for years you (don't mean you personally, of course) have been feeding us with "we are working on it". SAP messed up big time with allowing SIDs to be used on SCN in 2012 migration. It was a perfect opportunity to address this and disconnect SCN login from the rest of SAP but someone thought exactly the opposite was a great idea. Wrong.
You might notice I'm not even calling to action here. All I can do at this point is to demonstrate once again the absurdity of the status quo. SAP needs to get their s*t together and fix this. Don't tell us how difficult this is and how you're working on it. Just get this done. Enough is enough.
I was the responsible architect for the SCN migration in 2012, and preventing SAP customers from contributing to SCN using their SAP user wasn’t something that we had thought of back then. And even if we avoided this problem, you would still have the same issues on SMP, Jam, SAP CP, and many other SAP sites. All the cloud companies and products we added in the last 5 years have only complicated matters further. This ID situation is much bigger than SCN, and needs to get resolved for all SAP sites and products. In 2017 I know that this company may seem slow in taking action, but I also know that this company is able to reflect, focus, analyse, and bring all necessary units together to fix problems like this. We at SAP are working on this. But it will take longer than you would like it to.
Oliver, I'm not denying the fact that this is a complex issue. You're saying someone is working on it. But considering that this has been identified as an issue at minimum back in 2013 (that's about when the questions from the alarmed SCN members started to appear) SAP already had 4 years to work on it.
I don't know what transpires at SAP but it seems odd that in all those years of adding new companies and products either no one raised the login as a problem or such concern was not taken seriously.
Of course, SCN is just part of this (did it really have to be though?) but I believe it was hurt the most because of people losing their accounts and their content ownership. As you can see from the comments, many former active SCN contributors moved to other platforms, as a result.
This is the biggest annoyance about SAP right now. Here are my solutions:
Thanks, Nathan! I keep forgetting about the private / incognito mode (don't use it much). It might help to some extent but really wish this day and age we wouldn't have to resort to creativity.
My biggest annoyance right now is that I’m on my smartphone and for the life of me can’t tell if I liked this blog or not.
Well, I did click the button several times, but see no response. Need to check on my desktop later on. *sigh*
This blog is a reminder for me to not jump to a P-user, come what may.
and such a pity you can't bookmark it so you can find it on your desktop a heap faster 🙂
Having changed jobs over the last 6 months, I share your pain.
I now have a mix of P and S id's - none that really work.
Losing my history was annoying - and I personally find Jam the worst. I had 2-3 accounts from my previous job and now I have more. Documents are "shared" via Jam - but I cannot access the groups - as they point to my old accounts.
I therefore ask for documents to be mailed to me - so I can read them !!
It should not be so complex - any progress however small would be welcome
Rest assured, it's worse than you think. Even with an SAP Passport (Certificate) SSO (if there is any) doesn't work consistently :-´)
This has been my problem since forever as I never used an S-user for SCN. It’s quite amazing how SAP has been unable to fix this is like 6 years or more.
I basically used IE for s-user and Chrome for the P.
This has been an ongoing problem for years and while SAP recognizes the problem there's no timeline offered for a solution or if someone is really looking at fixing it.
Anyway, I could help but think of this movie line
Oh yes... When did I ask for the first time... mhh.. search.. mhh.. another story to tell 😉
This is really an ongoing problem and I think with SCN it was not good, but better.. at least for me.
~Florian
LOL!
Ever since OSS first ventured off SAPGUI connection to Walldorf onto a World Wide Web page with this newfandangled "HTTP" technology back in 200? they required people to type their ID and password in twice. Authentication is something the world's smartest software company has never quite figured out.
I have also written several times about the simple idea that people might might just have one ID for personal / continual use and several different S-IDs for different projects/sites. In all these years they still haven't cracked it. Welcome to the ID-rage club.
The only solution is Nathan's: use different browsers.
Exactly - why is this so difficult to understand that people want to use SCN as themselves (= a person) while they may have to use the rest of SAP under different work "disguises"?
And even PID option - you still can't change an email assigned to it! Why?! Would love to be in that design meeting. "Hey, folks, we are going to introduce this feature but let's take a moment to think of the ways to make it as painful as possible."
Another awesome blog and loved the “SAP websites are like the casinos – they don’t want you to leave and visit other places” (even their own properties and even customer facing ones) which the infamous 1DX was supposed to fix (another poorly designed, lack of execution “improvement” by SAP). Now try having 20+ S and P user ID’s (sadly that is me) + multiple JAM ID’s, + multiple communities (SAP SCN, SuccessFactors) + lots of different SuccessFactors and SAP websites all requiring additional ID’s. I have become a bit of an expert in using different browsers, got 1Password last year (excellent) but EVERY day I have some form a log-on issues that I have to work around.
Why can’t I have one profile with all my ID’s linked as would that be to much to ask.
Does this impact customers, FOR SURE, in a number of ways, consultants cant find what they are looking for, extra time wasted is often billable time, information being all over the place (ie Two Communities for SAP and SuccessFactors for example) + how many different HANA, APP Stores, Education etc websites are there out there all with different user names and ID’s.
Much like Indirect Licensing,SAP Customer Support/Satisfaction, SAP Education, SAP SCN Community Fixes, SuccessFactors SuccessConnect repeated stumbles, and other items SAP “claims” to know about the problem but no real timeline, no real fixes planned and they wonder why some of the Cloud “upstarts” like Workday/SalesForce/Tableau have been able to win (and continue to win) many long time SAP Shops.
If i had the time, i would have logged in with all my accounts and give you 3 likes....cause this post shows exactly what everyone that uses the web-ecosystem of SAP has to go through.
Thanks Jelena for taking the time and effort in placing this on the radar of the SAP community staff once more.
Nice blog - it does provide a realistic view of the experience when having multiple S userids etc. Not sure SAP are going to be able to fix this as the problems I believe relate to the Browser AND the device being used. I normally run Chrome and find that I can only run a single Incognito session at any point in time otherwise my laptop gets confused. At points in time, I do have Chrome, Edge and IE all running and yes it does make it a tad confusing but it also separates them so that I know which is which.
It would be good to have an overarching account ID that was then able to hold a number of different S userids that you could then select when you login however we are talking about security here so it cannot be too easy to get into ;-). Security is complex at the best of times so I am guessing this is why this area is slightly complex to build a workable solution for.
Thanks for the comment!
Perhaps it does not need to be complex. (And unnecessary complexity is exactly where the problems usually start. SAP should know this of all companies.) Just give every SAP professional their own unique ID. E.g. I have one from the US government - it's called SSN. Even with SID, the customers still manage access by customer account and by installation. Assigning access to a "universal ID" would be no different here than to SID. Even simpler - a consultant would already have their UID, so no need to create SID for them and then remember to delete it.
And SCN is a public community website, IMHO it never had any business to be included in the same security as the official SAP sites for partners/customers.
Great Blog...Have to admit that though with 10 S-UserID's, I have no issues as i use LastPass (basic version is free and is sufficient)
I too, like you, got frustrated with multiple S-User ids and could see that SAP weren't going to align things anytime soon, so started looking for alternatives.
<img />
LastPass just works similarly to how many of you are asking for this to work.
Choosing the ID you want isn't the problem, it's how do you interact on here once you've logged in?
I can't use an S-user for SCN, because it's tied to my SAP system. I can't use a P-user to get at notes and OSS stuff. A password manager doesn't help.
SAP have these stupidly contradictory approaches to combine searching questions and SAP notes at the same time. Yet P-users are still not allowed to view SAP notes (why???).
Hi Mike,
recently SAP introduced so called "SAP Knowledge Base Articles - Preview". A kind of showing of the Note and/or Knowledge Base Article preview where no S* ID is needed. It is publicly available. Also google does index it so we can search on it.
E.g. https://apps.support.sap.com/sap/support/knowledge/preview/en/2465736
But (big BUT) it is just a preview (not whole content is displayed). So your question is very valid: why we need S* ID to access SAP Notes...
cheers
m./
To me, the most disappointing part was moving the old best practices documentation to downloads section.
Often functional consultants get authorizations just to view notes in the launchpad, but not for downloads, which is a reasonable thing to do.
Protecting SAP notes to be viewed by S-users is understandable, but this specific decision does not make sense to me, especially when the S/4HANA documents are accessible without such limitation.
Not just consultants. I'm a "permie" developer but the new corporate overlords only give download access to Basis people.
If anything, I'd email best practices to every single SAP consultant out there to make sure they follow them instead of reinventing the wheel and selling their clients terrible custom "solutions".
I have shared a similar diagram (July 2016) to explain this issue before (behind the scenes) to explain the complexity of my account setups issues and identity management. There are a heap more accounts but it would have taken too long to map them all out.
I have been in the SAP ecosystem for almost 15 years and have been a mixture of employee and consultant. In this time:
This setup means I have to do the following
This is a great demonstration as to how important security is in design and how much security not impacts user experience
So for those who like visualisation, this is my account mess and it's a cut down version but more so it's no where near as bad as other's when it comes to SAP community impacts as I luckily by accident created a p number when I first joined.
Regards
Colleen
Wow, your scenarios are actually not that unusual, but only SAP can make a simple thing soooo complicated.
I dont think any other company on the planet can create so many identity crises,
This is why I use IE for dull stuff like support.sap.com and Chrome for other dull stuff like moderating. 😉
Hey Jelena,
I'm so glad that despite all those obstacles, you're still here! Thanks for that!
I only have one S-User (so lucky!) but I had that "People smiling at you, because you have to log in AGAIN!"-thing in the past, too:
When I log in (=> click) I seem logged in all right, but when I do the next move (usually click on messages), I get that smiling bunch and am NOT logged in. With another click (generic avatar) and one more (Certificate-OK), I'm in.
...but I got so used to clicking a lot, that I don't really pay attention (/care) that much anymore.
best
Joachim
Just confirming: smiling people are still there! I got them, when I clicked on "messages"!
Thanks for sharing your thoughts on this - they are just as entertaining as the situation is annoying. I have accumulated three different S-Users and one P-User over time, each of which can do different things, so my situation is even a little more confusing. Nowadays I mostly use the P-User for SCN with Chrome and the most recent S-User with IE (yes, I know) for the support launchpad. That way at least I can reduce the logon/logoff frenzy a bit.