TECHNICAL BRIEF
2009 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. (Quest). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
Updated November 2009
Contents
Introduction
  The Problem: Multiple Passwords and Identities
  The Solution: Single Sign-on (SSO)
Using Active Directory for Single Sign-on
  Why Active Directory?
  How Does Quest One Provide SSO?
Quest's SSO Solutions Certified for Integration with SAP Solutions
  Quest Authentication Services for Use with SAP Solutions
  Quest Single Sign-On for Use with SAP NetWeaver
  Benefits
Summary
About Quest One Identity Solution
About Quest Software, Inc.
Introduction
The Problem: Multiple Passwords and Identities
Each SAP solution-based system provides its own user and password repository: users of SAP applications have a password specific to each instance of the SAP solution in use (not to mention the myriad other applications and systems that must be accessed as well) and must use it in order to access the applications. But managing multiple passwords in any environment can lead to reduced productivity, increased help desk costs, and security concerns. It is time-consuming to type a password to access every application, and users often forget the password and lock their account after numerous attempts, requiring them to seek assistance from the help desk to continue working. Some users try to manually synchronize their passwords whenever one expires or must be changed. Other users write their passwords on notes next to their computers so they won't have to memorize them, creating additional security issues.
Managing multiple identity repositories may impact IT productivity and security. IT staff must provision and deprovision multiple identities using different management tools on various platforms, as well as perform more password resets and audits. Different systems within a single organization may cause inconsistent authentication policies and practices.
Quest Single Sign-On version 3.3 received SAP certification for integration with SAP NetWeaver in August 2008.
Benefits
The Quest One SSO solutions for use with SAP solutions offer several significant benefits:
Certification
Both Quest Authentication Services 3.1 and Quest Single Sign-On 3.3 solutions have been tested and certified by SAP for integration with SAP NetWeaver. This means that the solutions have been tested and proven to successfully integrate with SAP NetWeaver.
Encryption
For SNC communications, Quest's solutions can provide encryption of SAP data in transit. If someone did intercept mission-critical data, it could not be deciphered or altered. The solution supports the latest encryption standards including AES as well as DES/3DES.
Standard Authentication Conduits
Quest's SSO solutions in support of SAP solutions conform to compliance standards required for managing both identity and access privileges. Quest relies on standard authentication conduits when accessing Windows and Unix, including the following:
o Kerberos
o LDAP
o PAM
o NSS
o GSS-API
o SSPI
o SPNEGO
Other Benefits
Other benefits of the Quest approach include the following:
o Passwords are not transmitted over the network.
o Data integrity checks are possible on session data to ensure no data is compromised.
o SAP information can be encrypted when transmitted over the network.
o Deployment is easy: there is no need for PKI or certificate infrastructure, which significantly reduces management complexity.
o An audit trail for SAP authentication with Active Directory is available.
o Fault tolerance ensures high availability.
Summary
The Quest One SSO solutions in support of SAP solutions (Quest Single Sign-On and Quest Authentication Services) are SAP certified and provide transparent SSO and centralized access management by extending tried-and-true Active Directory authentication, complete with its inherent security, to SAP solutions on non-Windows systems. This approach eliminates the productivity and security concerns associated with using multiple password repositories. With Quest, users will enjoy all the benefits of single sign-on for SAP GUI, ABAP and SAP NetWeaver, including an improved user experience and increased user productivity, improved administration efficiency and fewer calls to the help desk, enhanced security, and a path to compliance.
5 Polaris Way, Aliso Viejo, CA 92656 | PHONE 800.306.9329 | WEB www.quest.com | E-MAIL sales@quest.com
If you are located outside North America, you can find local office information on our Web site.
2009 Quest Software, Inc. ALL RIGHTS RESERVED. Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW-SAP-SSO-US-AG-20091201