SAP User Authentication via Windows Active Directory

Former Member
0 Kudos

The non-profit company I work for as an SAP Security Admin has been using SAP since 1999. We are currently running ECC 6.0, BI 7.0, and CRM 7.0. With fewer than 300 SAP users, we have not implemented CUA, so each of our multiple clients in these systems is managed independently.

The company recently licensed and implemented some non-SAP software to be used by all of our employees (~1200) in keeping track of & categorizing their work time; a very handy feature of this software is that it depends upon Windows Active Directory for user authentication. Therefore, each employee logs into this time-keeping package by entering his/her standard PC userID & password. If you can log onto your PC, you can log into the time-keeping software.

That got me thinking & researching, because our SAP users - especially those who have access to three or more SAP clients - must maintain their passwords independently in each SAP client that they hope to access in the future. I'm certainly not the first person who has thought of how nice it would be to permit SAP users to log into all SAP clients across the landscape in which they have defined userIDs, using the same password that they are using to log into their PCs (i.e., the password that is stored & maintained in Windows Active Directory). My quest has led me to find presentations on this topic that typically involve modules we aren't using & very complicated configurations that we really lack the time & resources to employ; or, to third-party solution providers who claim to be certified SAP partners who would love to sell us more software to provide this convenience, usually related to single sign-on, LDAP, etc. The lowest pricing tier for such software usually would cover many times the number of SAP users we have to serve here - and it feels like trying to push in a tack using a sledgehammer. It is true that we have not used the same userID for our PCs that we have defined in SAP, so there would need to be some way to translate from one to the other, but our PC password rules are consistent with those we have configured in SAP clients, so it seems to me it should be very simple. Can anyone lead me to a more straightforward solution? If not, can you articulate why this has to be so complicated using SAP software when it seems so simple using relatively inexpensive timekeeping software?

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Ronald,

What makes you think this is not simple? I work with customers who have the exact same requirements as you, on a daily basis. Often we are able to get them working within the same day as they download the software, with minimal disruption to users and/or downtime. I think you might have been reading too much info on forums and the internet and got confused, and hence this is why you think it is not simple.

Also, you made a comment about cost - have you asked any of the partners for a cost? I don't believe you have asked the company I represent, otherwise I would have a record of your name in our system. Perhaps you will be pleasantly surprised by the costs involved?

Can you confirm if your SAP systems are running on UNIX/Linux or Windows? This makes a difference to the options available.

Thanks,

Tim

8 REPLIES 8

Former Member
0 Kudos

UNIX/Linux

tim_alsop
Active Contributor
0 Kudos

Ronald,

OK, for UNIX/Linux, the use of a third party product is required, not optional. Perhaps you can take a look at http://cybersafe.com/d2/prod-and-soln/howto/sapguissoin10min which shows how this can be set up in less than 10 minutes. If this is not simple, what is?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

It's nice to see the video.

Does that mean that, using different usernames at the OS and SAP level, we can still achieve SSO?

Correct me if I am wrong.

The only thing we need to maintain is the SNC name.

So for user test1 I can manage the name as p:test2..... ??

I think that is what Ronald is also looking for; the user name need not be the same.

Regards,

Gagan Deep Kaushal

tim_alsop
Active Contributor
0 Kudos

> Hi Tim,
>
> It's nice to see the video.
>
> Does that mean that, using different usernames at the OS and SAP level, we can still achieve SSO?
>
> Correct me if I am wrong.
> The only thing we need to maintain is the SNC name.

Once installed, yes. This is all you need to maintain when users are added. You can even use LDAP if you like to sync all user info between SAP and the MS AD domain, but this cannot sync the password, so using SNC authentication instead of using SAP passwords is ideal.

> So for user test1 I can manage the name as p:test2..... ??

Yes, that is correct. The mapping is maintained using standard SAP user management, such as su01. The user in the AD domain might have a long account name, e.g. "firstname.verylonglastname", which is too big for use as a SAP username, so you can map this long AD account name onto a SAP user called FIRSTLAST in one or more SAP clients.

> I think that is what Ronald is also looking for; the user name need not be the same.
>
> Regards,
> Gagan Deep Kaushal
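
An added example, not part of the original thread and not any vendor's or SAP's code: a small audit of the SAP-user-to-SNC-name mapping described in the reply above, run over a constructed export of (client, SAP user, SNC name) rows. The `p:user@REALM` form of the name, the `EXAMPLE.COM` realm and the case-insensitive collision check are assumptions made for illustration.

```python
from collections import defaultdict

SAP_USER_MAX = 12       # SAP user IDs are limited to 12 characters
REALM = "EXAMPLE.COM"   # assumption: placeholder Kerberos realm / AD domain

def snc_name(ad_account, realm=REALM):
    """Printable SNC name for an AD account (assumed Kerberos form p:user@REALM)."""
    return f"p:{ad_account}@{realm}"

def audit(rows, realm=REALM):
    """rows: (client, sap_user, snc_name) tuples. Returns a sorted list of findings."""
    findings = []
    owners = defaultdict(set)   # (client, principal) -> SAP users mapped to it
    for client, user, name in rows:
        if len(user) > SAP_USER_MAX:
            findings.append((client, user, "SAP user ID longer than 12 characters"))
        if not name:
            findings.append((client, user, "no SNC name maintained"))
            continue
        if not name.startswith("p:"):
            findings.append((client, user, "SNC name lacks the p: prefix"))
            continue
        principal = name[2:]
        account, _, name_realm = principal.rpartition("@")
        if not account or name_realm != realm:
            findings.append((client, user, "principal outside expected realm"))
        # Assumption: compare case-insensitively, as AD account names are.
        owners[(client, principal.casefold())].add(user)
    for (client, principal), users in owners.items():
        if len(users) > 1:      # one AD identity would open several SAP accounts
            for user in sorted(users):
                findings.append((client, user, f"SNC name shared: {principal}"))
    return sorted(findings)

# Constructed sample rows, not taken from any real system.
SAMPLE = [
    ("100", "FIRSTLAST", snc_name("firstname.verylonglastname")),
    ("200", "FIRSTLAST", snc_name("firstname.verylonglastname")),  # same person, other client
    ("100", "TEST1", snc_name("test2")),
    ("100", "BATCHADMIN", "p:Test2@EXAMPLE.COM"),   # collides with TEST1 in client 100
    ("100", "JSMITH", "jsmith@EXAMPLE.COM"),        # prefix missing
    ("200", "CONTRACTOR", "p:ext.user@PARTNER.EXAMPLE"),
    ("200", "LEGACY", ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Because each client is managed independently here, the collision check is keyed per client: the same AD account mapped to FIRSTLAST in clients 100 and 200 is expected, while two SAP users in one client sharing an SNC name is flagged.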

Former Member
0 Kudos

UNIX/Linux

Hi Ronald,

There are several companies that provide Active Directory authentication for SAP running on Unix/Linux. It is possible to configure SNC SSO using the Unix/Linux OS provided libraries or even open source but I understand there is an issue with SAP officially supporting the environment.

You can find a list of third party vendors on the EcoHub.

SAP GUI SSO / SNC on the EcoHub: http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=activedirectorysnc

Web browser SSO / Integrated Windows Authentication on the EcoHub: http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=%22integratedwindowsauthentication%22 (SAP also provides some SPNEGO functionality natively).

Thanks!

Kyle

Former Member
0 Kudos

In January, SAP announced that it had acquired software from Secude that would provide SAP applications with secure login and enterprise single sign-on (SSO) capabilities. According to the press release, SAP said it would soon start rolling it into its product portfolio at no additional cost so users would no longer have to look to third-party applications for that level of security. Any idea when we can expect to see that roll-out (e.g., the enhancement package or patch level that will include it)?

tim_alsop
Active Contributor
0 Kudos

Ronald,

Hello again !!

I haven't seen any more news since the press release which was issued in January 2011, so I suspect SAP are not yet ready to make any detailed announcements.

I would however like to point out that the Secude products use X.509 user certificates, not Kerberos, so if you want to use Active Directory credentials to authenticate the user to SAP, you should not wait for the Secude product to appear as a SAP branded product. The Secude Secure Login product will require a Public Key Infrastructure to issue user certificates, which means a lot of extra costs are involved to set up and manage this additional infrastructure, unless of course you already have a PKI in your company and are already issuing certificates to all end users.

Thanks,

Tim