SSO between ERP 6 and BI Portal

former_member346857
Participant
0 Kudos

Hi,

I am looking to set up Single Sign On between our SAP systems. We have ECC 6 and a BI Portal system on NetWeaver 2004s. I am not looking to implement SSO to include Windows Active Directory at the time being, just between our SAP systems; this will include the Development systems and QAS systems for users who have access to these.

I would be grateful if anyone could point me in the right direction for this, as I have found some documentation but it includes SSO integrated with Windows AD.

Thanks for your help

Jay

4 REPLIES

Former Member
0 Kudos

It looks like enabling SAP Logon Tickets on all affected systems will do the trick for you. Please note that SAP Logon Tickets are not very secure...

Former Member
0 Kudos

Another way of doing it would be to use the ERP system as the "authentication" source for "signing on once", and configure the BI system (and the same user context) to trust it for "Trusted RFC" - in this case the user can authenticate against the BI system without a password if their own current user is authorized to be called by the ERP user.

Basically, you configure authentication via authorizations. You can also tweak the granularity of the checks. Take a look at the documentation and fields of object S_RFCACL in transaction SU21 - I think it also mentions a SAP note to help you further.

I would strongly recommend that you are certain to have achieved a mature security level in your systems and their administration (including roles, config, patching) before you go down this route as it is tricky and there is lots of room for error.

Normal auditing, in my experience, is not a sufficient assurance, but it might be easier to achieve on the ERP side than the BI side.

I do not recommend the opposite direction (BI => ERP) and the BI security needs to be tightened somewhat on the client side as it generally points to everywhere (see object S_ICF).

Having said that with hopefully sufficient warnings, what do you have against a workstation authentication? Are your users in different domains?

Cheers,

Julius
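An added example, not part of the reply above and not SAP's own tooling: one way to review how tightly S_RFCACL is maintained before relying on Trusted RFC is to scan exported authorization values for wildcards and for callers other than the same user. The flat row layout, role names, system ID and user IDs are constructed assumptions; only the S_RFCACL field names are SAP's.

```python
from collections import defaultdict

# Fields of authorization object S_RFCACL that identify the calling side.
CALLER_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")

# Constructed sample: (role, authorization, field, value). The flat layout,
# role names, SIDs and user IDs are assumptions, not data from a real system.
SAMPLE_ROWS = [
    ("Z_BI_SAME_USER", "A1", "RFC_SYSID", "ERP"),
    ("Z_BI_SAME_USER", "A1", "RFC_CLIENT", "100"),
    ("Z_BI_SAME_USER", "A1", "RFC_USER", ""),
    ("Z_BI_SAME_USER", "A1", "RFC_EQUSER", "Y"),
    ("Z_BI_WIDE_OPEN", "B1", "RFC_SYSID", "*"),
    ("Z_BI_WIDE_OPEN", "B1", "RFC_CLIENT", "*"),
    ("Z_BI_WIDE_OPEN", "B1", "RFC_USER", "*"),
    ("Z_BI_WIDE_OPEN", "B1", "RFC_EQUSER", "N"),
    ("Z_BI_BATCH", "C1", "RFC_SYSID", "ERP"),
    ("Z_BI_BATCH", "C1", "RFC_CLIENT", "100"),
    ("Z_BI_BATCH", "C1", "RFC_USER", "BATCH_ERP"),
    ("Z_BI_BATCH", "C1", "RFC_EQUSER", "N"),
]


def audit_s_rfcacl(rows):
    """Return (role, authorization, finding) tuples for broad S_RFCACL values."""
    auths = defaultdict(lambda: defaultdict(set))
    for role, auth, field, value in rows:
        auths[(role, auth)][field].add(value.strip())

    findings = []
    for (role, auth), fields in sorted(auths.items()):
        # A wildcard on the calling side trusts every system, client or user.
        for name in CALLER_FIELDS:
            if any("*" in v for v in fields[name]):
                findings.append((role, auth, f"{name} is a wildcard"))
        # Without RFC_EQUSER = Y the caller may be a different user ID.
        named = sorted(v for v in fields["RFC_USER"] if v and "*" not in v)
        if "Y" not in fields["RFC_EQUSER"] and named:
            findings.append((role, auth, "other user may call: " + ",".join(named)))
    return findings


if __name__ == "__main__":
    for finding in audit_s_rfcacl(SAMPLE_ROWS):
        print(*finding, sep=" | ")
```

The "other user may call" finding is a prompt for review rather than an error, since a named technical caller can be intended.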

former_member346857
Participant
0 Kudos

Hi Julius,

Thanks for your help.

Yes, we have users in different domains, and users on workstations and laptops who authenticate with Active Directory. The reason I am not quite sure about authentication with AD is because of security with laptop users: we have a large number who travel, and if somehow a user loses their laptop while logged in then anyone can log straight into SAP. Also, within each domain there are different password policies in place along with a different username setup.

Can you give me any advantages to authenticating with SSO with Active Directory?

Thanks for your help much appreciated.

Jay

0 Kudos

Jay,

Some SAP certified products which implement SSO also have features to address all of your concerns. E.g. when a user is on a laptop, they need to log on to the workstation using an AD account and password, and when they log on to SAP, they are prompted for an AD account and password again. It means that the same authentication technology is being used for office workers and laptop users, and the session between the workstation and the SAP ABAP system is encrypted, and passwords are not stored or transmitted. It also means that AD password policy is used for all authentication and therefore there is only one place to maintain password policy.

The products can also allow for multiple domains, so you should not see this as a show stopper for implementing domain user authentication to your SAP systems.

Thanks,

Tim