What is Single Sign-On?
Single Sign-On, or SSO, is an authentication service that permits a user to use one set of login credentials to access multiple applications. The service authenticates the user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.
On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
Why Single Sign-On with SAP?
Convenience is a primary reason users are drawn to Single Sign-On. But why else should companies invest in SSO?
Solve security and compliance issues caused by:
- Re-use of passwords
- Easy password patterns
- Trivial passwords
- Passwords on post-it notes
- Leaked passwords
Secure your landscape from vulnerability and password hacking:
- HTTPS encryption
- Secure Network Communication (SNC)
- Encrypted passwords
Solve productivity issues caused by:
- Complex SAP landscape
- Large number of manual logins
- Forgotten passwords
- Number of helpdesk tickets opened (an average ticket costs $50)
Save costs:
- Savings of $840,000/year
You can configure SAP HANA applications to use SSO authentication to confirm the logon credentials of a user. You can integrate SAP HANA into single sign-on environments using Kerberos, SAML 2.0, JSON Web Tokens, and logon and assertion tickets.
Single Sign-On Using Kerberos
For integration into Kerberos SSO scenarios, SAP HANA supports Kerberos version 5 based on Active Directory (Microsoft Windows Server) or Kerberos authentication servers. For HTTP access using SAP HANA Extended Services (SAP HANA XS) classic, Kerberos authentication is enabled with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).
Kerberos is a network authentication protocol that provides authentication for client-server applications across an insecure network connection using secret-key cryptography.
Requirements:
- Network requirements
  - Clocks of all hosts involved are synchronized
  - Hostname reverse lookup must be configured consistently with the hostname lookup, because the SAP HANA database server's Kerberos implementation uses it to determine the SPN
- Software requirements
  - Kerberos client and libraries installed on your server, version 1.6.3-132 or above
- Create an SAP HANA service user in AD that represents the SAP HANA database and is mapped by a Service Principal Name
- Create the external mapping of the SAP HANA database user
- Create a keytab for the SAP HANA database server
- SAP Single Sign-On 3 license
- SAP NetWeaver 7.3 or higher
- HTTPS/cryptographic library
- SAP Secure Login Client 3
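The forward/reverse lookup requirement above can be checked before the service user and keytab are created. The following Python sketch is an added example, not code from the original post or from SAP: it confirms that every address a host name resolves to maps back to the same fully qualified name and only then builds the SPN string. The `hdb` service name, the realm `CORP.EXAMPLE`, the host names and the sample records are assumptions constructed for the illustration.

```python
import socket

def forward_lookup(host):
    """Addresses the system resolver returns for host (A/AAAA records)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def reverse_lookup(addr):
    """Primary name the system resolver returns for addr (PTR record)."""
    return socket.gethostbyaddr(addr)[0]

def check_spn_host(fqdn, realm, service="hdb",
                   forward=forward_lookup, reverse=reverse_lookup):
    """Return (spn, problems). spn is None unless every address of fqdn
    reverse-resolves to fqdn. service="hdb" is an assumption of this sketch."""
    want = fqdn.rstrip(".").lower()
    try:
        addrs = forward(want)
    except OSError as exc:  # socket.gaierror: name does not resolve
        return None, [f"forward lookup of {want} failed: {exc}"]
    if not addrs:
        return None, [f"forward lookup of {want} returned no addresses"]
    problems = []
    for addr in addrs:
        try:
            name = reverse(addr).rstrip(".").lower()
        except OSError as exc:  # socket.herror: no PTR record
            problems.append(f"{addr}: reverse lookup failed: {exc}")
            continue
        if name != want:
            problems.append(f"{addr}: reverse lookup gives {name}, not {want}")
    return (None, problems) if problems else (f"{service}/{want}@{realm}", [])

# Constructed records standing in for DNS; none of these hosts are real.
SAMPLE_A = {"hana01.corp.example": ["10.0.0.11"],
            "hana02.corp.example": ["10.0.0.12"]}
SAMPLE_PTR = {"10.0.0.11": "hana01.corp.example",
              "10.0.0.12": "hana02"}  # PTR returns the short name only

def sample_forward(host):
    if host not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return SAMPLE_A[host]

def sample_reverse(addr):
    return SAMPLE_PTR[addr]

if __name__ == "__main__":
    for h in ("hana01.corp.example", "hana02.corp.example", "hana03.corp.example"):
        print(h, check_spn_host(h, "CORP.EXAMPLE", forward=sample_forward, reverse=sample_reverse))
```

Called without the `forward` and `reverse` arguments, `check_spn_host` uses the system resolver, so it can be run on the database host itself against the real host name.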
Guest blog authored by: Suvrangshu Ghosh, Sr. Netweaver Admin/Project Manager, Varian Medical Systems
For more information on SSO on HANA, you can attend Suvrangshu’s session at SAP TechEd in Las Vegas, NV.
Suvrangshu will be presenting Secure Your SAP HANA Landscape by SAP Single Sign-On the Varian Way at TechEd on Thursday, September 28th, 5:45 – 6:45 pm.