
Single Sign-on for SAP Solution-based Environments

Microsoft Active Directory-based Authentication to SAP Applications.

TECHNICAL BRIEF

2009 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. (Quest). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.

Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Updated November 2009

Technical Brief: Single Sign-on for SAP Solution-based Environments

Contents

- Introduction
  - The Problem: Multiple Passwords and Identities
  - The Solution: Single Sign-on (SSO)
- Using Active Directory for Single Sign-on
  - Why Active Directory?
  - How Does Quest One Provide SSO?
- Quest's SSO Solutions Certified for Integration with SAP Solutions
  - Quest Authentication Services for Use with SAP Solutions
  - Quest Single Sign-On for Use with SAP NetWeaver
  - Benefits
- Summary
- About Quest One Identity Solution
- About Quest Software, Inc.


Introduction
The Problem: Multiple Passwords and Identities
Each SAP solution-based system provides its own user and password repository: users of SAP applications have a password specific to each instance of the SAP solution in use (not to mention the myriad other applications and systems that must be accessed as well) and must use it in order to access the applications. But managing multiple passwords in any environment can lead to reduced productivity, increased help desk costs, and security concerns. It is time-consuming to type a password to access every application, and users often forget a password and lock their account after numerous failed attempts, requiring them to seek assistance from the help desk to continue working. Some users try to manually synchronize their passwords whenever one expires or must be changed. Other users write their passwords on notes next to their computers so they won't have to memorize them, creating additional security issues. Managing multiple identity repositories may also impact IT productivity and security. IT staff must provision and deprovision multiple identities using different management tools on various platforms, as well as perform more password resets and audits. Different systems within a single organization may lead to inconsistent authentication policies and practices.

The Solution: Single Sign-on (SSO)


Single sign-on (SSO) has long been considered the holy grail of identity and access management. SSO increases user productivity because each user needs to remember only a single (and typically stronger) password and enter it fewer times each day. It improves IT efficiency by reducing the number of management points for each user. It also improves security by eliminating the temptation to write down passwords and by creating a stronger, more consistent authentication process across systems. Unfortunately, most organizations find achieving SSO difficult, if not impossible. Imagine the benefits that could be realized if users could access the applications they need transparently with the same login credentials they use for their daily Microsoft Windows sessions.


Using Active Directory for Single Sign-on


To resolve this incompatibility, Quest Software offers a suite of solutions called the Quest One Identity Solution. It includes technologies that extend Active Directory authentication to a variety of platforms and applications, including the SAP GUI, the ABAP programming language and the SAP NetWeaver technology platform.

Why Active Directory?


Active Directory is an ideal authentication mechanism. It is one of the best authentication directories on the market, and easily one of the most widely deployed. According to Microsoft, more than 75 percent of North American enterprises use Active Directory for Windows authentication, and most users do the majority of their work from Windows workstations. Active Directory often holds the largest and possibly most authoritative collection of an organization's user accounts. As a central component of the Windows platform, Active Directory provides central authentication and authorization services for most Windows resources. By using a combination of Kerberos and LDAP, Active Directory can provide a one-logon scenario that actually achieves the holy grail of authentication and single sign-on, but only for Windows resources.

How Does Quest One Provide SSO?


To achieve SSO for SAP applications, Quest One extends Active Directory identities to apply beyond the traditional boundaries of the Windows trusted realm. This enables many non-Windows systems (including SAP solutions) to participate as full citizens in Active Directory, seamlessly making SSO a reality. Through this approach, an organization can achieve full access control from the Active Directory account. If access must be revoked for a user, disabling the account in Active Directory eliminates access to the SAP solution as well. Quest One also makes it possible to control access to specific instances of SAP solutions based on Active Directory group memberships.

Strong Authentication

While most authentication mechanisms rely on a username/password combination, many organizations choose to implement stronger authentication, such as smart cards, biometrics or one-time passwords, to address security concerns or satisfy regulatory demands. Quest One can extend a password-less Windows environment to non-Windows systems using a smart card (such as the Gemalto Cyberflex smart card or the CoolKey common access card) or a one-time-password two-factor authentication solution (such as RSA SecurID or Quest Defender). By inserting a smart card or entering the passcode generated by a token, another method of authentication can be achieved. Two-factor authentication provides a more secure login, generating the same Active Directory Kerberos credentials necessary to authenticate to Windows and acquire access privileges to any system that has effectively joined Active Directory, including SAP solutions, through Quest One's SSO solutions for use with SAP solutions.
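The access-control model described above (disable the Active Directory account and access to SAP ends; grant access to a given SAP instance by group membership) can be written down as a small policy check. The following is an added example, not Quest's code: the directory snapshot, the group nesting and the mapping from SAP system ID to AD group are all constructed for illustration, while the userAccountControl flag values are the real Active Directory bits.

```python
# Added example (not Quest's code): evaluate an Active Directory account
# against an SAP instance access policy. The "directory" is a constructed
# in-memory snapshot standing in for LDAP search results; the group-to-
# instance mapping is hypothetical.
from datetime import datetime, timezone

# Real userAccountControl flag bits from Active Directory.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Constructed user objects keyed by sAMAccountName. memberOf holds only
# direct memberships, as it does in AD; nesting is resolved below.
DIRECTORY = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT,
              "memberOf": ["SAP-PRD-Finance"], "accountExpires": None},
    "bob":   {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
              "memberOf": ["SAP-PRD-Finance"], "accountExpires": None},
    "carol": {"userAccountControl": NORMAL_ACCOUNT,
              "memberOf": ["Finance-Team"], "accountExpires": None},
    "dave":  {"userAccountControl": NORMAL_ACCOUNT,
              "memberOf": ["SAP-DEV-Users"],
              "accountExpires": datetime(2009, 1, 1, tzinfo=timezone.utc)},
}

# Constructed group objects: each group's member list may contain other
# groups, which is how AD expresses nested membership.
GROUPS = {
    "SAP-PRD-Finance": ["Finance-Team"],
    "Finance-Team": [],
    "SAP-DEV-Users": [],
}

# Hypothetical policy: which AD group grants logon to which SAP system ID.
SAP_INSTANCE_GROUPS = {"PRD": "SAP-PRD-Finance", "DEV": "SAP-DEV-Users"}


def effective_groups(direct_groups, groups=GROUPS):
    """Expand direct memberships through nested groups (transitive closure)."""
    parents = {}
    for group, members in groups.items():
        for child in members:
            parents.setdefault(child, []).append(group)
    seen, stack = set(), list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(parents.get(group, []))
    return seen


def authorize(username, sap_sid, now=None, directory=DIRECTORY):
    """Return (allowed, reason) for a logon attempt to SAP system sap_sid.

    Every decision is taken from the AD object: a disabled or expired account
    is refused everywhere at once, and per-instance access follows group
    membership, so revocation needs no change inside SAP itself.
    """
    now = now or datetime.now(timezone.utc)
    user = directory.get(username)
    if user is None:
        return False, "no such account"
    if user["userAccountControl"] & ACCOUNTDISABLE:
        return False, "account disabled in Active Directory"
    expires = user["accountExpires"]
    if expires is not None and expires <= now:
        return False, "account expired"
    required = SAP_INSTANCE_GROUPS.get(sap_sid)
    if required is None:
        return False, f"no policy for SAP system {sap_sid}"
    if required not in effective_groups(user["memberOf"]):
        return False, f"not a member of {required}"
    return True, "ok"


if __name__ == "__main__":
    for name, sid in [("alice", "PRD"), ("bob", "PRD"), ("carol", "PRD"),
                      ("carol", "DEV"), ("dave", "DEV")]:
        print(name, sid, authorize(name, sid))
```

Note that carol reaches PRD only through nested membership (Finance-Team inside SAP-PRD-Finance); a check that reads memberOf literally would refuse her, and a check that ignores the disabled flag would keep bob logged in after revocation. Both are worth verifying when auditing any group-based SAP access mapping.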


Quest's SSO Solutions Certified for Integration with SAP Solutions


Because SAP environments comprise a diverse set of applications and technologies, Quest One offers two solutions to provide Active Directory-based single sign-on for both the SAP GUI and SAP NetWeaver.

Quest Authentication Services for Use with SAP Solutions


Quest Authentication Services version 3.1 for use with SAP solutions uses patented technology to extend Quest's proven Active Directory integration technology to SAP applications and ABAP accessed using the SAP GUI. Not only does Quest Authentication Services provide transparent Active Directory SSO from the SAP GUI, it also provides full mutual authentication and the ability to secure subsequent data communications. Quest Authentication Services for use with SAP solutions consists of an easily installed client-side Quest Client SNC library and the Authentication Services GSS-API Unix/Linux server-side library. Quest Authentication Services version 3.1 received certification for integration with the SAP NetWeaver Application Server (SAP NetWeaver AS) component 6.20 in April 2007.


Quest Single Sign-On for Use with SAP NetWeaver


Quest Single Sign-On for use with SAP NetWeaver provides Integrated Windows Authentication (IWA), SPNEGO/NTLM, and ADFS single sign-on to the SAP NetWeaver Portal and SAP NetWeaver AS components accessed via a web browser. In addition, it provides SSO for SAP NetWeaver AS and ABAP accessed by a web browser through a combination of single sign-on log-on tickets and authentication redirection to an SAP NetWeaver AS-based Java instance with Single Sign-on for Java. Single Sign-on for use with SAP NetWeaver is 100 percent Java-focused and inherently supports all platforms that SAP NetWeaver runs on. It is implemented as an SAP NetWeaver-based JAAS module.

Quest Single Sign-On version 3.3 received SAP certification for integration with SAP NetWeaver in August 2008.
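Browser-side SSO to the portal rests on the "Authorization: Negotiate" header, which can carry a SPNEGO token wrapping Kerberos, or, when Kerberos is unavailable to the client, NTLM. An operator reviewing logs or fronting SAP NetWeaver with a reverse proxy usually wants to know which one actually happened, because an NTLM fallback means the Kerberos path is broken for that client. The following classifier is an added example and is not part of Quest's JAAS module; the sample headers are constructed, the OID byte strings are the standard DER encodings, and the token framing follows the GSS-API InitialContextToken from RFC 2743.

```python
# Added example (not part of Quest's JAAS module): classify the token a
# browser sends in an "Authorization: Negotiate ..." header so logs or a
# reverse proxy can show whether Integrated Windows Authentication really
# used Kerberos or fell back to NTLM. The sample headers are constructed.
import base64

# Standard DER OID encodings (value bytes only).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def classify_token(token):
    """Return 'ntlm', 'spnego', 'kerberos' or 'unknown' for a decoded token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # GSS-API InitialContextToken (RFC 2743): [APPLICATION 0] = 0x60, then
    # a length, then the mechanism OID (tag 0x06) of what follows.
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
    except (IndexError, ValueError):
        return "unknown"
    oid = token[pos:pos + oid_len]
    if oid == OID_SPNEGO:
        return "spnego"
    if oid == OID_KRB5:
        return "kerberos"
    return "unknown"


def classify_authorization_header(value):
    """Classify a raw Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":                 # bare NTLM scheme, no SPNEGO wrapper
        return "ntlm"
    if scheme != "negotiate" or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return "unknown"
    return classify_token(token)


def _wrap(oid, body):
    """Build a constructed InitialContextToken around a mechanism OID."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return b"\x60" + bytes([len(inner)]) + inner


# Constructed sample headers (token bodies truncated; only the framing the
# classifier inspects is meaningful).
SAMPLE_HEADERS = {
    "ntlm": "Negotiate " + base64.b64encode(
        NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\x00").decode(),
    "spnego": "Negotiate " + base64.b64encode(
        _wrap(OID_SPNEGO, b"\xa0\x00")).decode(),
    "kerberos": "Negotiate " + base64.b64encode(
        _wrap(OID_KRB5, b"\x01\x00")).decode(),
    "basic": "Basic dXNlcjpzZWNyZXQ=",
}


def summarize(headers=SAMPLE_HEADERS):
    """Map each sample to its classification, e.g. for a log report."""
    return {name: classify_authorization_header(h) for name, h in headers.items()}


if __name__ == "__main__":
    for name, kind in summarize().items():
        print(f"{name:9s} -> {kind}")
```

A "spnego" result only says which negotiation wrapper was used; the mechanism actually chosen inside the SPNEGO negTokenInit can still be NTLM, so a full check would parse the mechTypes list as well. The classifier above stops at the outer OID, which is enough to catch clients that bypass SPNEGO entirely.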

Benefits
The Quest One SSO solutions for use with SAP solutions offer several significant benefits:

Certification

Both Quest Authentication Services 3.1 and Quest Single Sign-on 3.3 have been tested and certified by SAP for integration with SAP NetWeaver. This means that the solutions have been tested and proven to integrate successfully with SAP NetWeaver.

Encryption

For SNC communications, Quest's solutions can provide encryption of SAP data in transit. If someone did intercept mission-critical data, it could not be deciphered or altered. The solution supports the latest encryption standards, including AES as well as DES/3DES.


Standard Authentication Conduits

Quest's SSO solutions in support of SAP solutions conform to compliance standards required for managing both identity and access privileges. Quest relies on standard authentication conduits when accessing Windows and Unix, including the following:

- Kerberos
- LDAP
- PAM
- NSS
- GSS-API
- SSPI
- SPNEGO

Other Benefits

Other benefits of the Quest approach include the following:

- Passwords are not transmitted over the network.
- Data integrity checks are possible on session data to ensure no data is compromised.
- SAP information can be encrypted when transmitted over the network.
- Deployment is easy: no PKI or certificate infrastructure is needed, which significantly reduces management complexity.
- An audit trail for SAP authentication with Active Directory is available.
- Fault tolerance ensures high availability.
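The integrity benefit listed above (and the "could not be deciphered or altered" claim under Encryption) comes from the per-message protection that SNC applies through the GSS-API wrap and unwrap calls once the Kerberos handshake has produced a session key. The toy below is an added example, not Quest's SNC library and not the GSS-API wire format: it shows what integrity protection with a sequence number actually rejects (a modified message, a replayed message) and what it accepts. The session key is a constructed constant standing in for the key the Kerberos exchange would yield, and confidentiality (AES/3DES in the product) is left out because the Python standard library has no block cipher.

```python
# Added example (not Quest's SNC library and not the GSS-API wire format):
# a toy of the per-message integrity service an SNC-protected session
# provides. The session key is a constructed constant; in a real deployment
# it comes out of the Kerberos exchange. Confidentiality (AES/3DES in the
# product) is left out because the standard library has no block cipher.
import hashlib
import hmac
import struct

TAG_LEN = 32          # HMAC-SHA256 output
SEQ_LEN = 8           # 64-bit big-endian sequence number


class IntegrityError(Exception):
    """Raised when a received message fails MAC or sequence checks."""


class ProtectedSession:
    """One endpoint of a protected session: wrap() outbound, unwrap() inbound."""

    def __init__(self, session_key):
        self._key = session_key
        self._send_seq = 0
        self._recv_seq = 0

    def wrap(self, payload):
        """Prefix a sequence number and append an HMAC over header + payload."""
        header = struct.pack(">Q", self._send_seq)
        self._send_seq += 1
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def unwrap(self, message):
        """Verify the MAC first, then the sequence number; return the payload."""
        if len(message) < SEQ_LEN + TAG_LEN:
            raise IntegrityError("message too short")
        header = message[:SEQ_LEN]
        payload = message[SEQ_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError("MAC mismatch: altered in transit or wrong key")
        (seq,) = struct.unpack(">Q", header)
        if seq != self._recv_seq:
            raise IntegrityError(f"sequence {seq} out of order (expected {self._recv_seq})")
        self._recv_seq += 1
        return payload


def _attempt(receiver, message):
    """Deliver a message and report whether the receiver accepted it."""
    try:
        receiver.unwrap(message)
        return "accepted"
    except IntegrityError:
        return "rejected"


def demo():
    """Run a genuine message, a tampered copy, a replay, then the next message."""
    key = hashlib.sha256(b"constructed session key").digest()
    client, server = ProtectedSession(key), ProtectedSession(key)
    results = {}
    first_payload = b"RFC call: BAPI_USER_GET_DETAIL alice"   # constructed sample
    first = client.wrap(first_payload)
    results["genuine"] = server.unwrap(first) == first_payload
    tampered = bytearray(first)
    tampered[SEQ_LEN + 31] ^= 0x01        # flip one bit in the first byte of "alice"
    results["tampered"] = _attempt(server, bytes(tampered))
    results["replay"] = _attempt(server, first)
    second_payload = b"RFC call: BAPI_USER_GET_DETAIL bob"
    results["next"] = server.unwrap(client.wrap(second_payload)) == second_payload
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:9s}: {outcome}")
```

The order of checks in unwrap matters: the MAC is verified before the sequence number is trusted, so an attacker cannot learn anything about the receiver's window by sending forged headers, and a rejected message leaves the receive counter untouched so the legitimate next message still arrives in order.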


Summary
The Quest One SSO solutions in support of SAP solutions (Quest Single Sign-On and Quest Authentication Services) are SAP certified and provide transparent SSO and centralized access management by extending tried-and-true Active Directory authentication, complete with its inherent security, to SAP solutions on non-Windows systems. This approach eliminates the productivity and security concerns associated with using multiple password repositories. With Quest, users will enjoy all the benefits of single sign-on for SAP GUI, ABAP and SAP NetWeaver, including an improved user experience and increased user productivity, improved administration efficiency and fewer calls to the help desk, enhanced security, and a path to compliance.


About Quest One Identity Solution


Quest Software delivers the entire Get to One strategy, achieved through a set of enabling technologies, products, integration, and strategies called the Quest One Identity Solution. Quest One empowers organizations to leverage their existing investments in identity infrastructure (in most cases Microsoft Active Directory) for truly unified identity and access management that crosses platform boundaries. Quest One actually enables organizations to simplify identity and access management.


About Quest Software, Inc.


Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software


PHONE: 800.306.9329 (United States and Canada). If you are located outside North America, you can find your local office information on our Web site.

E-MAIL: sales@quest.com

MAIL: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA

WEB SITE: www.quest.com

Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to:

- Search Quest's online Knowledgebase
- Download the latest releases, documentation, and patches for Quest products
- Log support cases
- Manage existing support cases
- View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures.

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW-SAP-SSO-US-AG-20091201
