How It Works

Single sign-on for SAP on UNIX and Linux is an add-on component for any version of the Centrify Suite, which provides a single, Active Directory-based, unified architecture for access control, authentication, authorization and auditing of UNIX or Linux.

The Centrify for SAP Single Sign-On solution consists of the following major components:

  • SAP Secure Network Communications (SNC): According to SAP's website, SNC is a software layer in the SAP system architecture that provides an interface to an external security product — in this case Centrify for SAP. The interface used for the integration is the GSS-API V2 (Generic Security Services Application Programming Interface Version 2).

    With SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide (for example, the use of Active Directory for user authentication, the assurance of the integrity of communication between SAP components and the privacy through encryption of network traffic).
  • Centrify for SAP module: An SAP-certified module needs to be installed on each SAP server. This module provides a robust communication path between the SAP SNC layer and the Kerberos environment provided by DirectControl.
  • Centrify DirectControl Agent: Installed on the SAP servers, DirectControl automatically provides and manages the Kerberos environment to support SSO from SAP to Active Directory. Some of the "hard" items that DirectControl manages include:
    • Automatic support for complex AD environments (examples include: multi-site, multi-forest, multi-domain, multi-DC, complex trusts and even disjoint DNS/AD namespaces).
    • Automated setup of Kerberos: When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, the setup of all Kerberos-related system configuration files is automatically done for you. For example, the file /etc/krb5.conf is configured correctly to use the Active Directory domain controller as the Kerberos key distribution center. Having these configuration files automatically set up for you means that Kerberized UNIX applications will "just work" using Active Directory as the Kerberos authority.
    • Automatic time synchronization with AD: This is required for validation of Kerberos tokens and prevention of replay attacks.

Once the Centrify for SAP solution is deployed, the basic steps to the authentication are as follows:

  1. When a user first signs on to a Windows workstation, a Kerberos ticket granting ticket (tgt) is obtained from Active Directory.  Note that, because Centrify for SAP has Kerberized the SAP service, no agent software is needed on the end-user's workstation.
  2. When the user then opens SAPgui or a browser, Windows requests via SNC (for SAPgui) or SPNEGO (for browser), an SAP service ticket from Active Directory using the previously obtained tgt.
  3. SNC passes the service request to the DirectControl Agent.
  4. The DirectControl Agent validates the ticket with Active Directory.
  5. The user is granted access and a secure user session is provided back to the client.