Centrify for SAP

Active Directory-Based Single Sign-On for SAP NetWeaver on UNIX and Linux

Reduce help desk calls, improve end-user satisfaction, and strengthen security with single sign-on for SAP NetWeaver, centrally managed using Microsoft Active Directory

Centrify for SAP NetWeaver AS and AS Java on UNIX and Linux delivers secure single sign-on to SAP and centralized identity management by integrating SAP with Microsoft Active Directory. Centrify for SAP on UNIX and Linux is non-intrusive, easy to deploy and manage, fully supported by Centrify and certified by SAP. End users authenticate silently to the heterogeneous systems, applications and databases they are allowed to access, without being prompted to re-type a username or password. IT managers, administrators and helpdesk personnel can use a single administrative tool, Microsoft Active Directory, to define consistent security policies for, and control access to, a mix of different vendors' databases, heterogeneous operating systems and web-based applications within their organization.

Features and Benefits

  • Enhance User Productivity (and put smiles on their faces!): Users no longer have to remember a separate username and password for SAP; in fact, they are no longer prompted for one. Using Kerberos, users log in to their Windows or Mac desktop once and use the Kerberos tickets issued by Active Directory to access SAP. Users reach their critical business information and tasks more reliably and more quickly than without Centrify for SAP Single Sign-On.
  • Reduce Helpdesk Burden: According to IDC and other respected industry analysts, as many as 40% of helpdesk calls are password or account resets. This means lost productivity for users, and frustration and unneeded expense for helpdesk personnel. Centrify for SAP recovers this cost and quickly pays for itself through improved productivity and as much as a 95% reduction in SAP account reset calls.
  • Central Management for SSO: Centrify for SAP talks directly to Active Directory, so all native Active Directory features are supported, including centrally managed password policy and Active Directory's flexible user-naming conventions. The resulting solution is easier to configure and maintain. Administrators have fully centralized control over user and group access rights with the Centrify Administrator's Console. Management costs fall because less time is required to maintain SAP.
  • Zero Maintenance Solution: With an extremely short time to value (TTV), Centrify can be deployed quickly and adopted by end users. In seven steps, the first user can be silently signing on to SAP with Kerberos credentials issued by Active Directory:
    1. Install Centrify DirectControl on the UNIX or Linux SAP server and join the server to Active Directory
    2. Configure SAP to use Secure Network Communications (SNC)
    3. Configure Centrify's gold standard MIT Kerberos for the SAP server
    4. Install the Centrify for SAP server agent
    5. Map the SAP users to Active Directory users in the SAP SNC tab
    6. Install the Centrify for SAP client agent
    7. Configure the SAPgui client to use SNC
    That's it: a quick one-time configuration with no ongoing maintenance. Because Centrify turns your UNIX/Linux-hosted SAP server into a Kerberized application, you don't need to install an agent on each individual client computer. Do more with your scarce IT resources and investments while improving both user and IT productivity.
  • Best-in-Class Support for Active Directory: Best-in-class support for complex, real-world Active Directory deployments, including automatic discovery of the nearest domain controller, support for the global catalog, one- and two-way trusts, multiple sites, DC failover and disjoint AD/DNS namespaces. Other vendors, including the UNIX and Linux distributions, may claim Kerberos support, but only Centrify provides native support for the full complexity and nuance of Active Directory.
  • Secure the SAP Server Operating System: Much like a Windows desktop is a secured network resource by joining Active Directory, so too is the UNIX or Linux server that SAP runs on when DirectControl is used to join the machine to Active Directory. Administrators can use their Active Directory credentials to log in to UNIX or Linux, configure and manage the server through Group Policy, and even capture the shell sessions for later audit and reporting. All of the same benefits of using Centrify DirectControl are valid in the context of the Centrify for SAP solution.
  • Certified by SAP: For SAPgui users, Centrify leverages SAP Secure Network Communication; BC-SNC is a mature SAP-provided and supported layer for security vendors to integrate with. In addition, Centrify passed the rigorous SAP-created test program that certifies the proper functioning of Centrify's SNC libraries and the DirectControl Agent through the successful completion of hundreds of automated and manual tests.

    For browser users of NetWeaver AS Java applications, Centrify leverages the Java Authentication and Authorization Service (JAAS); BC_AUTH_JAAS is the SAP-certified interface for providing authentication plug-ins to NetWeaver AS Java.

How It Works

Single sign-on for SAP on UNIX and Linux is an add-on component for any version of the Centrify Suite, which provides a single, Active Directory-based, unified architecture for access control, authentication, authorization and auditing of UNIX or Linux.

The Centrify for SAP Single Sign-On solution consists of the following major components:

  • SAP Secure Network Communications (SNC): According to SAP's website, SNC is a software layer in the SAP system architecture that provides an interface to an external security product — in this case Centrify for SAP. The interface used for the integration is the GSS-API V2 (Generic Security Services Application Programming Interface Version 2).

    With SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide (for example, the use of Active Directory for user authentication, the assurance of the integrity of communication between SAP components and the privacy through encryption of network traffic).
  • Centrify for SAP module: An SAP-certified module needs to be installed on each SAP server. This module provides a robust communication path between the SAP SNC layer and the Kerberos environment provided by DirectControl.
  • Centrify DirectControl Agent: Installed on the SAP servers, DirectControl automatically provides and manages the Kerberos environment to support SSO from SAP to Active Directory. Some of the "hard" items that DirectControl manages include:

    • Automatic support for complex AD environments (examples include: multi-site, multi-forest, multi-domain, multi-DC, complex trusts and even disjoint DNS/AD namespaces).
    • Automated setup of Kerberos: When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, the setup of all Kerberos-related system configuration files is automatically done for you. For example, the file /etc/krb5.conf is configured correctly to use the Active Directory domain controller as the Kerberos key distribution center. Having these configuration files automatically set up for you means that Kerberized UNIX applications will "just work" using Active Directory as the Kerberos authority.
    • Automatic time synchronization with AD: Kerberos tickets and authenticators carry timestamps, and the KDC and the service reject any that fall outside the permitted clock skew (300 seconds by default). Keeping the SAP server's clock in step with the domain controllers is therefore required both for tickets to validate at all and for replayed authenticators to be refused.
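    The following Python script is an added worked example, not Centrify's or SAP's own code, that checks the configuration produced by steps 1 to 3 and the SNC settings the components above rely on. It parses a constructed /etc/krb5.conf and two constructed SAP instance profiles (a permissive one and a hardened one) and reports what a practitioner should verify before pointing SAPgui at SNC in step 7. The realm EXAMPLE.COM, the host dc01.example.com and the library path /opt/sso/lib/libgssapi_sap.so are placeholders; the snc/* parameter names are SAP's, and the p:<principal>@<REALM> form of the SNC name for the Kerberos mechanism, as well as the meaning of the data-protection levels (1 = authentication only, 2 = integrity, 3 = privacy), is stated here as the author's understanding rather than something this page documents.

```python
"""Pre-flight checks for Kerberos-based SNC single sign-on on a UNIX/Linux
SAP server. Added example, not Centrify's or SAP's code. It parses a
constructed /etc/krb5.conf and two constructed SAP instance profiles."""
import re

# Constructed krb5.conf of the kind written when the server joins the
# (assumed) AD domain example.com; host names are placeholders.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # seconds; Kerberos rejects tickets/authenticators outside this window
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
        admin_server = dc01.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Constructed SAP instance profile: SNC is on, but the data-protection floor
# and the insecure-logon switches still allow unprotected sessions.
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
snc/enable = 1
# assumed path of the GSS-API library handed to the SNC layer
snc/gssapi_lib = /opt/sso/lib/libgssapi_sap.so
snc/identity/as = p:SAPServicePRD@EXAMPLE.COM
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

# The same profile with the settings a hardened cut-over would use.
HARDENED_PROFILE = (
    WEAK_PROFILE.replace("snc/data_protection/min = 1", "snc/data_protection/min = 3")
    .replace("snc/accept_insecure_gui = 1", "snc/accept_insecure_gui = 0")
    .replace("snc/accept_insecure_rfc = 1", "snc/accept_insecure_rfc = 0")
)


def parse_krb5_conf(text):
    """Parse the krb5.conf subset that matters here: [section] headers,
    'key = value' lines and 'REALM = { ... }' blocks. Repeated keys
    (several kdc lines) accumulate into a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or section is None and not line.startswith("["):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            block = None
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = conf[section].setdefault(key, {})
            else:
                target = block if block is not None else conf[section]
                target.setdefault(key, []).append(value)
    return conf


def check_krb5(text, ad_domain):
    """The Kerberos realm of an AD domain is its DNS name in upper case and
    realm names are case-sensitive, so check both the default realm and
    that at least one domain controller is listed as its KDC."""
    conf, realm, findings = parse_krb5_conf(text), ad_domain.upper(), []
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default != realm:
        findings.append(f"default_realm is {default!r}, expected {realm!r}")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        findings.append(f"no kdc entry for realm {realm}")
    return findings


def parse_sap_profile(text):
    """SAP instance profiles are 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key] = value
    return params


# SNC name for the Kerberos mechanism (assumed form): p:<principal>@<REALM>
SNC_NAME = re.compile(r"^p:[^@\s]+@[A-Z0-9.-]+$")


def snc_name_for_user(sam_account, ad_domain):
    """SNC name to map an AD user to an SAP user (step 5), assumed form."""
    return f"p:{sam_account}@{ad_domain.upper()}"


def check_sap_profile(text):
    """Return findings for SNC settings that leave logons unprotected.
    Values must be set explicitly; a missing switch is reported rather
    than trusting the kernel default."""
    p, findings = parse_sap_profile(text), []
    if p.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off, SAPgui logon is unprotected")
    if not p.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib not set: SNC has no GSS-API library to call")
    if not SNC_NAME.match(p.get("snc/identity/as", "")):
        findings.append("snc/identity/as is not a p:<principal>@<REALM> Kerberos name")
    if p.get("snc/data_protection/min") != "3":
        findings.append("snc/data_protection/min is not 3: a client may negotiate an "
                        "authentication-only (1) or integrity-only (2) session without encryption")
    for kind in ("gui", "rfc"):
        if p.get(f"snc/accept_insecure_{kind}") != "0":
            findings.append(f"snc/accept_insecure_{kind} is not 0: non-SNC {kind} logons "
                            "with a password are still accepted")
    return findings


def clock_skew_ok(server_epoch, dc_epoch, max_skew=300):
    """Server and domain controller must agree within the Kerberos skew window."""
    return abs(server_epoch - dc_epoch) <= max_skew


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_sap_profile(profile))
    print("krb5.conf", check_krb5(KRB5_CONF, "example.com"))
```

Run against a real server, replace the three constants with the contents of /etc/krb5.conf and the instance profile; the checks deliberately flag snc/accept_insecure_gui = 1 even though it is the usual setting while users are still being mapped in step 5, so the finding should disappear once the cut-over is complete.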

Once the Centrify for SAP solution is deployed, authentication proceeds as follows:

  1. When a user first signs on to a Windows workstation, a Kerberos ticket-granting ticket (TGT) is obtained from Active Directory. Because Centrify for SAP has Kerberized the SAP service, no agent software is needed on the end user's workstation.
  2. When the user then opens SAPgui or a browser, the Windows Kerberos client uses the TGT to request a service ticket for the SAP server's service principal from Active Directory, and presents that ticket to SAP through SNC (for SAPgui) or SPNEGO (for the browser).
  3. SNC passes the GSS-API token carrying the service ticket to the DirectControl Agent.
  4. The DirectControl Agent validates the ticket against the key that Active Directory issued to the SAP service when the server joined the domain.
  5. The user's Active Directory identity is matched to the SAP user mapped in step 5 of the setup, access is granted, and a secure session is returned to the client; with SNC, the session is integrity-protected and, at the privacy protection level, encrypted.

Supported Platforms