Solutions
Centrify Your UsersSSO for SaaS & AppsSSO for Mobile AppsSSO for Mac & LinuxSmart Card Authentication
Centrify Your SecurityPrivileged User ManagementAccess ControlServer Isolation & EncryptionSecurity Policy EnforcementServer Auditing
SOXPCIFISMANERC
Centrify Your ITActive Directory BridgingNIS-to-Active-Directory MigrationMobile Security ManagementMac ManagementCross-Platform Group Policy
Federal Government
OverviewFISMA
Products
Centrify for ServersDirectControlDirectAuthorizeDirectAuthorize for WindowsDirectAuditDirectAudit for WindowsDirectSecureDirectManageCentrify Suite 2013Centrify Suite Editions
Centrify for Mac & MobileDirectControl for MacCentrify for MobileMobile Authentication Services
Centrify for SaaS & AppsCentrify for SaaSCentrify for Java & WebCentrify for SAPCentrify for Databases
5-Minute Demos
At-a-Glance Overviews
Want to Give It a Try?
Request a Trial or Ask for Question
Services
Services OverviewJumpStart PackagesOnsite TrainingOnline TrainingFree Online TrainingRequest More Info
Support
Customer Support PortalBenefits of Technical Support
Partners
Find a Centrify Reseller PartnerTechnology PartnersCentrify & MicrosoftCentrify & SamsungIndustry Alliances
How to Work with CentrifyPartner ProgramsPartner Application FormReferral ProgramReferral Registration FormOEM OpportunitiesPartner Network Login
Resources
Centrify Suite ResourcesRemote Access Tools for Linux & UNIXActive Directory Integration for Storage SystemsCentrify Suite Deployment & Migration ToolsCentrify Cloud ToolsCentrify Suite Integration with Provisioning SystemsCentrify Suite Reporting ToolsVideo Chalktalk LibraryCentrify WebinarsCustomer Success StoriesWhite Papers & Datasheets
Centrify BlogsCentrify BlogCentrify TechnovationsLeveraging MicrosoftThe Centrify Apple GuysCentrify Express CommunityCentrify RSS Feeds
About Us
Corporate OverviewExecutive ManagementInvestorsContact UsJobs at Centrify
News
News & Events OverviewPress ReleasesAwards & ReviewsCalendar of EventsWhat the Press SaysWhat the Analysts Say
Centrify for SAP

Active Directory-Based Single Sign-On for SAP NetWeaver on UNIX and Linux

Reduce help desk calls, improve end-user satisfaction, and strengthen security with single sign-on for SAP NetWeaver, centrally managed using Microsoft Active Directory

Centrify DirectControl for SAP NetWeaver AS and AS Java on UNIX and Linux delivers secure single sign-on to SAP and centralized identity management by seamlessly integrating SAP with Microsoft Active Directory. DirectControl for SAP on UNIX and Linux is non-intrusive, easy to deploy and manage, fully supported by Centrify and is certified by SAP. The benefit for end-users is that they can now silently authenticate to the heterogeneous systems, applications and databases they are allowed to access without being challenged to re-type a username or password. The benefit for IT managers is that administrators and helpdesk personnel can now use a single administrative tool — Microsoft Active Directory — to define consistent security policies for and to control access to a mix of different vendors' databases, heterogeneous operating systems, and web-based applications within their organization. Click one of the following topics to learn more:

Features and Benefits

  • Enhance User Productivity (and put smiles on their faces!): Users no longer have to remember their username and password specifically for SAP. In fact, users will no longer prompted for their username and password. Through the use of Kerberos users will log into their Windows or Mac desktop once, and leverage Active Directory provided Kerberos tickets to access SAP. Finally users are able to access their critical business information and tasks more reliably and quicker than without Centrify DirectControl for SAP Single Sign-On.
  • Reduce Helpdesk Burden: According the IDC and other respected industry analysts, as many as 40% of helpdesk calls are password or account resets. This results in lost productivity for users and frustration and unneeded expense for helpdesk personnel. Centrify DirectControl for SAP returns this value and quickly pays for itself in improved productivity and as much as a 95% reduction in SAP account reset calls.
  • Central Management for SSO: DirectControl for SAP talks directly to Active Directory; therefore, all native Active Directory features are supported. This includes support for a centrally managed password policy and flexible user-naming conventions of Active Directory. The resulting solution is easier to configure and maintain. Administrators have fully centralized control over user and group access rights with the Centrify Administrator's Console. Management costs can be reduced because less time is required to maintain SAP.
  • Zero Maintenance Solution: With an extremely short TTV (Time to Value), DirectControl can be quickly deployed and adopted by end users. Through 7 easy steps, the first user can be silently signing on to SAP using their Active Directory provided Kerberos credentials:
    1. Install Centrify DirectControl on the UNIX or Linux SAP server and join the server to Active Directory
    2. Configure SAP to use Secure Network Communications (SNC)
    3. Configure Centrify's gold standard MIT Kerberos for the SAP server
    4. Install the Centrify DirectControl for SAP server agent
    5. Map the SAP users to Active Directory users in the SAP SNC tab
    6. Install the Centrify DirectControl for SAP client agent
    7. Configure the SAPgui client to use SNC
    That's it, a quick one-time configuration and no ongoing maintenance. Because Centrify turns your UNIX/Linux-hosted SAP server into a Kerberized application, you don't need to install an agent on each individual client computer. Do more with your scarce IT resources and investments while improving both users and IT's productivity.
  • Best-in Class Support for Active Directory: Best in class support for complex, real-world Active Directory deployments including automatic discovery of the nearest domain controller, support for the global catalogue, one/two-way trusts, multi-site, DC failover, and disjoint AD-DNS namespaces. Other vendors including the UNIX and Linux distributions may claim support for Kerberos but only Centrify provides native support for all the complexity and nuance of Active Directory.
  • Secure the SAP Server Operating System: Much like a Windows desktop is a secured network resource by joining Active Directory, so too is the UNIX or Linux server that SAP runs on when DirectControl is used to join the machine to Active Directory. Administrators can use their Active Directory credentials to log in to UNIX or Linux, configure and manage the server through Group Policy, and even capture the shell sessions for later audit and reporting. All of the same benefits of using Centrify DirectControl for Systems are valid in the context of the Centrify DirectControl for SAP solution.
  • Certified by SAP: For SAPgui users, Centrify leverages SAP Secure Network Communication; BC-SNC is a mature SAP-provided and supported layer for security vendors to integrate with. In addition, Centrify passed the rigorous SAP-created test program that certifies the proper functioning of Centrify’s SNC libraries and the DirectControl Agent through the successful completion of hundreds of automated and manual tests.

    For browser users of NetWeaver AS Java applications, Centrify leverages Java Authentication and Authorization Services; BC_AUTH_JAAS is the SAP-certified interface for providing authentication plug-ins to NetWeaver AS Java.

How It Works

Single sign-on for SAP on UNIX and Linux is an add-on component for any version of the Centrify Suite, which provides a single, Active Directory-based, unified architecture for access control, authentication, authorization and auditing of UNIX or Linux.

The Centrify DirectControl for SAP Single Sign-On solution consists of the following major components:

  • SAP Secure Network Communications (SNC): According to SAP's website SNC is a software layer in the SAP system architecture that provides an interface to an external security product - in this case Centrify DirectControl. The interface used for the integration is the GSS-API V2 (Generic Security Services Application Programming Interface Version 2).

    With SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide (for example, the use of Active Directory for user authentication, the assurance of the integrity of communication between SAP components and the privacy through encryption of network traffic).
  • Centrify DirectControl for SAP module: An SAP-certified module needs to be installed on each SAP server. This module provides a robust communication path between the SAP SNC layer and the Kerberos environment provided by DirectControl for Systems.
  • Centrify DirectControl for Systems Agent: Installed on the SAP servers, DirectControl automatically provides and manages the Kerberos environment to support SSO from SAP to Active Directory. Some of the "hard" items that DirectControl manages include:

    • Automatic support for complex AD environments (examples include: multi-site, multi-forest, multi-domain, multi-DC, complex trusts and even disjoint DNS/AD namespaces).
    • Automated setup of Kerberos: When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, the setup of all Kerberos-related system configuration files is automatically done for you. For example, the file /etc/krb5.conf is configured correctly to use the Active Directory domain controller as the Kerberos key distribution center. Having these configuration files automatically set up for you means that Kerberized UNIX applications will "just work" using Active Directory as the Kerberos authority.
    • Automatic time synchronization with AD: This is required for validation of Kerberos tokens and prevention of replay attacks.

Once the DirectControl for SAP solution is deployed, the basic steps to the authentication are as follows: The basic steps of authentication

  1. When a user first signs on to a Windows workstation, a Kerberos ticket granting ticket (tgt) is obtained from Active Directory. Note that, because the DirectControl for SAP has Kerberized the SAP service, no agent software is needed on the end-user's workstation.
  2. When the user then opens SAPgui or a browser, Windows requests via SNC (for SAPgui) or SPNEGO (for browser), an SAP service ticket from Active Directory using the previously obtained tgt.
  3. SNC passes the service request to the DirectControl Agent.
  4. The DirectControl Agent validates the ticket with Active Directory.
  5. The user is granted access and a secure user session is provided back to the client.

Supported Platforms

Centrify for SAP Supported Platforms

Show More DetailSupported Supported   Recent Addition Recent Addition   Early Access Early Access   
Operating System SAP NetWeaver AS ABAP SAP NetWeaver AS Java
CentOS Linux Supported Supported
Hewlett Packard HP-UX Supported Supported
IBM AIX Supported Supported
Microsoft Windows Supported
Novell SUSE Linux Supported Supported
OpenSolaris Supported Supported
OpenSUSE Linux Supported Supported
Oracle Enterprise Linux Supported Supported
Oracle Solaris Supported Supported
Red Hat Enterprise Linux Supported Supported
Red Hat Fedora Supported Supported
Free Trial

Centrify for SAP

Request a free, fully functioning version of our single sign-on solution for SAP.