Active Directory-Based Single Sign-On for SAP on UNIX and Linux

Enhance SAP security with centralized, Active Directory-based single sign-on, administration and password policy enforcement.

Centrify DirectControl for SAP on UNIX and Linux secures SAP through centralized, Active Directory-based single sign-on, access control, account administration and password policy enforcement. With DirectControl, IT managers can control access and apply security policies to their SAP server using the same Active Directory tools and processes currently in place to manage their Windows, UNIX, Linux and Mac environment. End-users benefit by having a single Active Directory user name and password to access all key systems and applications, including SAP. Click one of the following topics to learn more:

Features and Benefits

Enhance User Productivity (and put smiles on their faces!): Users no longer have to remember their username and password specifically for SAP. In fact, users will no longer prompted for their username and password. Through the use of Kerberos users will log into their Windows or Mac desktop once, and leverage Active Directory provided Kerberos tickets to access SAP. Finally users are able to access their critical business information and tasks more reliably and quicker than without Centrify DirectControl for SAP Single Sign-On.

Reduce Helpdesk Burden: According the IDC and other respected industry analysts, as many as 40% of helpdesk calls are password or account resets. This results in lost productivity for users and frustration and unneeded expense for helpdesk personnel. Centrify DirectControl for SAP returns this value and quickly pays for itself in improved productivity and as much as a 95% reduction in SAP account reset calls.

Central Management for SSO: DirectControl for SAP talks directly to Active Directory; therefore, all native Active Directory features are supported. This includes support for a centrally managed password policy and flexible user-naming conventions of Active Directory. The resulting solution is easier to configure and maintain. Administrators have fully centralized control over user and group access rights with the Centrify Administrator's Console. Management costs can be reduced because less time is required to maintain SAP.

Zero Maintenance Solution: With an extremely short TTV (Time to Value), DirectControl can be quickly deployed and adopted by end users. Through 7 easy steps, the first user can be silently signing on to SAP using their Active Directory provided Kerberos credentials:

1. Install Centrify DirectControl on the UNIX or Linux SAP server and join the server to Active Directory
2. Configure SAP to use Secure Network Communications (SNC)
3. Configure Centrify's gold standard MIT Kerberos for the SAP server
4. Install the Centrify DirectControl for SAP server agent
5. Map the SAP users to Active Directory users in the SAP SNC tab
6. Install the Centrify DirectControl for SAP client agent
7. Configure the SAPgui client to use SNC

That's it, a quick one-time configuration and no ongoing maintenance. Do more with your scarce IT resources and investments while improving both users and IT's productivity.

Best-in Class Support for Active Directory: Best in class support for complex, real-world Active Directory deployments including automatic discovery of the nearest domain controller, support for the global catalogue, one/two-way trusts, multi-site, DC failover, and disjoint AD-DNS namespaces. Other vendors including the UNIX and Linux distributions may claim support for Kerberos but only Centrify provides native support for all the complexity and nuance of Active Directory.

Secure the SAP Server Operating System: Much like an XP desktop is a secured network resource by joining Active Directory, so too is the Unix or Linux server that SAP runs on by using DirectControl to join the machine to Active Directory. Administrators can use their Active Directory credentials to login into UNIX or Linux, configure and mange the server through group policy and even capture the shell sessions for later audit and reporting. All of the same benefits of using Centrify DirectControl for Systems is valid in the context the Centrify DirectControl for SAP solution.

Certified by SAP: Centrify leverages the Secure Network Communication (BC-SNC is a mature SAP provided and supported layer for security vendors to integrate with.) In addition, Centrify passed the rigorous SAP-created test program that certifies the proper function of Centrify's SNC libraries and the DirectControl Agent through the successful completion of hundreds of automated and manual tests.

How It Works

The core feature for Centrify DirectControl for Systems is the ability to enable UNIX, Linux and Mac servers and workstations to participate in an Active Directory domain. The Centrify DirectControl for Systems agent effectively turns the host operating system into an Active Directory client. Centrify's solution for SAP leverages Centrify DirectControl for Systems and adds the DirectControl for SAP server agent which implements the Secure Network Communication interface and adds extensive documentation and support.

The Centrify DirectControl for SAP Single Sign-On solution offering consists of the following major components:

SAP Secure Network Communications (SNC): According to SAP's website SNC is a software layer in the SAP system architecture that provides an interface to an external security product - in this case Centrify DirectControl. The interface used for the integration is the GSS-API V2 (Generic Security Services Application Programming Interface Version 2).

With SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide (for example, the use of Active Directory for user authentication, the assurance of the integrity of communication between SAP components and the privacy through encryption of network traffic).

Centrify DirectControl for SAP agent: An SAP-certified agent needs to be installed on each SAP server. This agent provides a robust communication path between the SAP SNC layer and the Kerberos environment provided by DirectControl for Systems.

Centrify DirectControl for Systems agent: Installed on the SAP servers, DirectControl automatically provides and manages the Kerberos environment to support SSO from SAP to Active Directory. Some of the "hard" items that DirectControl manages include:

• Automatic support for complex AD environments (examples include: multi-site, multi-forest, multi-domain, multi-DC, complex trusts and even disjoint DNS/AD namespaces).
• Automated setup of Kerberos: When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, the setup of all Kerberos-related system configuration files is automatically done for you. For example, the file /etc/krb5.conf is configured correctly to use the Active Directory domain controller as the Kerberos key distribution center. Having these configuration files automatically set up for you means that Kerberized UNIX applications will "just work" using Active Directory as the Kerberos authority.
• Automatic time synchronization with AD: This is required for validation of Kerberos tokens and prevention of replay attacks.

Once the DirectControl for SAP solution is deployed, the basic steps to the authentication are as follows:

1. When a user first signs on to a Windows XP workstation, a Kerberos ticket granting ticket (tgt) is obtained from Active Directory.
2. When the user then opens SAPgui, XP requests, via SNC, an SAP service ticket from Active Directory using the previously obtained tgt.
3. SNC passes the service request to the DirectControl Agent.
4. The DirectControl Agent validates the ticket with Active Directory.
5. The user is granted access and a secure user session is provided back to the client.

Centrify DirectControl for SAP on UNIX and Linux

The benefit for end-users is that they can now silently authenticate to the heterogeneous systems, applications and databases they are allowed to access without being challenged to re-type a user name or password. The benefit for IT managers is that administrators and help desk personnel can now use a single administrative tool - Microsoft Active Directory - to define consistent security policies for and to control access to a mix of different vendors' databases, heterogeneous operating systems, and web-based applications within their organization. For example, once an administrator disables a user's Active Directory account, that user immediately loses their ability to access SAP running on non-Microsoft platforms. Centrify DirectControl for SAP on Unix or Linux delivers secure single sign-on to SAP and centralized identity management by seamlessly integrating SAP on UNIX with Microsoft Active Directory. DirectControl for SAP on Unix or Linux is non-intrusive, easy to deploy and manage, fully supported by Centrify and is certified by SAP.

^ back to top