A unique approach to single sign on

DQI Bureau
As enterprises become more complex and diverse, with disparate systems, the number of identities and passwords associated with an individual has risen correspondingly. The biggest challenge is to make the enterprise solutions interoperable with one another so that they appear as a single box to the actual user of the system. The solution that enables this integration is termed Seamless Sign On, or SSO.

It lets a user log into the entire enterprise landscape once and gain access to all other systems without being challenged again for identity credentials.

BUSINESS SCENARIO

One of our highlight projects has been the design and development of a corporate service portal for a client. We helped them make full use of SharePoint reporting by developing a MOSS BCS reporting solution interoperable with their existing BI and ECC landscape, and by enabling the Seamless Sign On feature on top of Theobald. We enabled payroll, production charts, sales scorecards and procurement workflow on the employee 'mysite' with profile-based access scenarios. These highly personalized dashboards are used by executive management, shop floor employees and everyone in between.

The requirement was to gain access to the enterprise landscape, dotted with multiple IT systems, based on the credentials entered during the initial Windows login. For the Corporate Dashboard, the user should be authenticated to access not only SharePoint but also SAP and other systems on the client's landscape, and take advantage of seamless data interchange between them. Client management was also targeting optimal cost and a low maintenance outlay.

One way to achieve SSO would have been to hard-code credentials for a group user, which in turn would have been used by all members of the group; the next step would have been to enable such groups throughout the organization. We did not recommend this solution, as it was not feasible owing to glaring lapses in data security and authorization integrity: every action in the downstream systems would be attributed to the shared group account rather than to the individual. We instead devised a roadmap to implement the SSO functionality in which each user is authenticated throughout the landscape based only on his/her own credentials, not a generic user. We took on the challenge of integrating multiple user directories and authentication mechanisms.

IMPLEMENTATION

The enterprise SSO solution can be implemented in four phases:

  • Secure Login Server: users were created in Active Directory and the Secure Login Server was configured
  • Secure Login Client: the Secure Login Client was configured, including the import of registry files and the appropriate root certificates
  • Secure Login Library: secure login libraries such as SAPCryptoLib.dll were installed and SSL certificates were generated
  • User Mapping: user mapping for SAP GUI and other SAP applications, and configuration of the ticket mechanism in NetWeaver Administrator

AUTHENTICATION MECHANISM


Once the user logs into the Windows system, he/she is authenticated against the parameters saved in Active Directory. The SSO client is activated, a background check is performed on the SSO client, and these are authenticated against the authentication server. Once this succeeds, a certificate token (X.509) is generated which allows the user to log into multiple systems.

After SSO has been activated, whether the user logs in through SAP NetWeaver Administrator, Web GUI or the Enterprise Portal, the credentials are already authenticated and the user does not have to enter login credentials multiple times.

THE SOLUTION

When implementing SSO, the most widely used solution is a PKI certificate with LDAP for authentication. This method is considered one of the easiest to use. However, one drawback of this combination is that with LDAP the user has to provide login credentials first when logging into Windows and then again when accessing any other enterprise system, through the Secure Login Client; only once both steps succeed is a secure token for SSO generated. We were able to avoid the second step by going for a very unique combination which is rarely used because it is complicated to implement: out-of-the-box PKI certificates, SPNego and X.509 certificates were preferred over the traditional approach. Hence, once the user logs into the Windows system, he/she is automatically authenticated on all other platforms across the landscape and the required SSO (X.509) token is generated.
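
The flow described under AUTHENTICATION MECHANISM and THE SOLUTION, modelled as an added example (this is not code from the project or from SAP's Secure Login products): the Windows login yields a ticket bound to the individual user, the Secure Login Server validates that ticket and, acting as a certificate authority, issues a short-lived X.509 client certificate for a key pair the client generated locally, and each relying system (SAP GUI, NetWeaver Administrator, the portal) accepts the certificate only if it chains to the trusted root and carries the client-authentication usage. The ticket format ("user|expiry|hmac" under a constructed domain key) and the use of Go's standard-library `crypto/x509` are assumptions made so the exchange runs offline; a real SPNego/Kerberos ticket has a different structure. The certificate's subject is the individual user, which is the point made earlier against shared group accounts: every downstream system authorizes and audits per person.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// domainKey is a constructed secret standing in for the Windows domain's key.
// The "user|expiry|hmac" ticket below is an assumption for the demo, not the
// real SPNego/Kerberos wire format.
var domainKey = []byte("constructed-domain-key-for-demo-only")

// issueWindowsTicket models what the user holds after the Windows login.
func issueWindowsTicket(user string, ttl time.Duration) string {
	body := fmt.Sprintf("%s|%d", user, time.Now().Add(ttl).Unix())
	mac := hmac.New(sha256.New, domainKey)
	mac.Write([]byte(body))
	return body + "|" + hex.EncodeToString(mac.Sum(nil))
}

// validateTicket is the Secure Login Server's check: integrity, then expiry.
func validateTicket(ticket string) (string, error) {
	parts := strings.Split(ticket, "|")
	if len(parts) != 3 {
		return "", errors.New("malformed ticket")
	}
	mac := hmac.New(sha256.New, domainKey)
	mac.Write([]byte(parts[0] + "|" + parts[1]))
	want, err := hex.DecodeString(parts[2])
	if err != nil || !hmac.Equal(mac.Sum(nil), want) {
		return "", errors.New("ticket integrity check failed")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || time.Now().Unix() > exp {
		return "", errors.New("ticket expired or unreadable")
	}
	return parts[0], nil
}

// SecureLoginServer is the CA that turns a valid ticket into an X.509 client cert.
type SecureLoginServer struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	Roots  *x509.CertPool // the root every relying system is configured to trust
}

func NewSecureLoginServer() (*SecureLoginServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Secure Login Server Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &SecureLoginServer{caKey: key, caCert: cert, Roots: pool}, nil
}

// NewClientKey is generated on the Secure Login Client; only the public half leaves it.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueUserCert exchanges a valid ticket for a short-lived certificate naming the
// individual user, so downstream systems authorize and audit per person.
func (s *SecureLoginServer) IssueUserCert(ticket string, clientPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	user, err := validateTicket(ticket)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(8 * time.Hour), // one working day, not a long-lived credential
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.caCert, clientPub, s.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthenticateWithCert is the relying system's side: chain to the trusted root,
// client-auth usage, validity period; the user comes from the subject.
func AuthenticateWithCert(roots *x509.CertPool, cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	srv, _ := NewSecureLoginServer()
	clientKey, _ := NewClientKey()
	cert, err := srv.IssueUserCert(issueWindowsTicket("jdoe", time.Hour), &clientKey.PublicKey)
	if err != nil {
		fmt.Println("issue failed:", err)
		return
	}
	for _, system := range []string{"SAP GUI", "NetWeaver Administrator", "Enterprise Portal"} {
		user, err := AuthenticateWithCert(srv.Roots, cert)
		fmt.Printf("%-24s user=%q err=%v\n", system, user, err)
	}
}
```

Two details carry the security weight: the ticket is checked for integrity before its expiry is even read, so a tampered expiry cannot be used to extend a session, and the issued certificate is verified against a specific root pool, so a certificate minted by any other authority (including a second, identically named server) is rejected rather than trusted on its subject name alone.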

Because the implementation was done on a single system that acted as both server and client, downtime was minimal, reducing the impact on business-critical applications.

BENEFITS

  • Lower Total Cost of Ownership (TCO) for the entire solution
  • Seamless integration saved the client from entering user credentials at multiple checkpoints
  • Reduced IT helpdesk costs by decreasing the number of calls made to recover passwords/user credentials
  • Greater compliance with IT policies and best practices
  • Avoided procurement of expensive middleware products to achieve the same business objective