SAP and Active Directory® Identity Management

Abstract

Every company is looking for ways to lower administration costs and strengthen security. The challenges of single sign-on, data integrity, data accuracy, and data consistency across systems continue to be problematic for virtually every company. Implementing an identity management strategy to manage identities and identity data can enable a company to achieve these goals. This document discusses how a company can integrate its SAP or mySAP Portal Enterprise Resource Planning (ERP) applications with Active Directory to help accomplish these goals across these two important systems.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Win32, Active Directory, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

INTRODUCTION

The Need for Identity Management

Identity Management Challenges

Integration between Active Directory and SAP

Simplified Management

Strengthened Network Security

Makes Use of Existing Systems through Interoperability

Using Active Directory for SAP R/3 Systems Management

Active Directory and the SAPGUI

Using Active Directory with Central User Administration

Active Directory and mySAP Enterprise Portal

Single Sign-on with the Windows Platform

SAPGUI for Windows

SAP .NET Connector (Windows Clients and Web Scenarios)

Conclusion

References

INTRODUCTION

Today’s companies are competing globally to provide access to information, to enhance productivity, and to deliver services quickly—all at the lowest possible cost. The ability to communicate and collaborate with partners, suppliers, customers, and employees anytime and anywhere is now a requirement. Gone are the days when only a selected group of people had network access to business applications and data.

The advent and acceptance of new computing technologies and the Internet have changed the way information is stored, accessed, and shared. Companies have implemented a more open and distributed information model, resulting in benefits that include:

·  Increased Employee Productivity: Enables employees to be flexible, make better decisions, and respond quickly to the changing demands of the marketplace by providing secure access to the information they need anywhere at anytime.

·  Lower Cost: Decreases costs and increases efficiency by safely leveraging the power of collaboration and network connectivity.

·  Integrated Business Processes: Increases sales by enabling closer relations with customers and partners through secure communications and collaboration.

The Need for Identity Management

Electronically accessible versions of nearly all key company data are kept within the corporate network. As a result, it is increasingly important for companies to make certain that only authorized users have access to this confidential information. At the same time, companies must ensure that authorized users can obtain the information they need with limited loss of productivity. Balancing these two key objectives is the challenge of identity management. When addressing identity management, administrators need to consider the following:

·  Security: Employees, contractors, and business partners have varied needs for access to data and applications. It is crucial for corporations to ensure that only specifically authorized users have access to sensitive company information.

·  Management complexity: Modern enterprises have many specialized systems on a variety of platforms. Developing consistent user access policies becomes increasingly complex as the number of users and systems multiply.

·  Lowering cost: Even maintaining simple access policies can be expensive if there are multiple applications, systems, and platforms that have their own separate user access lists. For example, changing access rights for 10,000 users on 20 systems requires updating at least 200,000 fields.

By addressing these key secure connectivity challenges, organizations can achieve greater employee productivity, decrease costs, and improve business integration.

Identity Management Challenges

Security

Providing secure information access to authorized users has become increasingly complex due to the distributed nature of corporate networks. In most enterprises, individual applications and systems have their own user database or directory to track who is permitted to use that application and system. As responsibility for granting access control becomes more and more decentralized, the likelihood of security breaches increases dramatically. For example:

·  Departing employees, contractors, customers, and business partners often retain access to systems for long periods until all systems are updated, and invalid user accounts proliferate.

·  Inconsistent policies result in inadvertently granting users access to sensitive information (for example, human resources databases).

·  Systems are more vulnerable due to weak credentials, poor or no password policies, and the large number of user IDs and passwords that users must remember.
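The first point above, accounts that outlive their owner in one system, is something an administrator can check for directly. The following added example (not from the white paper) reconciles a constructed SAP user export against a constructed LDIF export of Active Directory users and reports SAP accounts that are still unlocked although the matching AD account is disabled or absent. The `ad_account` column linking an SAP user to an AD sAMAccountName is an assumption made for this example; the ACCOUNTDISABLE bit of `userAccountControl` is a real AD attribute flag.

```python
"""Added example: find SAP accounts whose AD owner is disabled or missing."""
import csv
import io

# Bit 0x2 of the AD userAccountControl attribute flags a disabled account.
ACCOUNTDISABLE = 0x0002

# Constructed LDIF-style AD export (512 = enabled normal account, 514 = disabled).
AD_LDIF = """\
dn: CN=Jane Smith,OU=Users,DC=example,DC=com
sAMAccountName: jsmith
userAccountControl: 512

dn: CN=Mark Lee,OU=Users,DC=example,DC=com
sAMAccountName: mlee
userAccountControl: 514
"""

# Constructed SAP user export; the ad_account column is an assumption of this
# example, standing in for whatever mapping the SAP side keeps to the AD account.
SAP_CSV = """\
sap_user,ad_account,sap_locked
JSMITH,jsmith,0
MLEE,mlee,0
CONTR01,pgreen,0
RKHAN,rkhan,1
"""

def parse_ad_ldif(text):
    """Map lowercase sAMAccountName -> True if the AD account is enabled."""
    accounts, entry = {}, {}
    for line in text.splitlines() + [""]:       # trailing "" flushes last entry
        if not line.strip():
            if "sAMAccountName" in entry:
                uac = int(entry.get("userAccountControl", "0"))
                accounts[entry["sAMAccountName"].lower()] = not (uac & ACCOUNTDISABLE)
            entry = {}
            continue
        key, _, value = line.partition(": ")
        entry[key] = value
    return accounts

def find_orphaned_sap_access(ad_ldif, sap_csv):
    """Return (sap_user, reason) for unlocked SAP users with no enabled AD account."""
    enabled = parse_ad_ldif(ad_ldif)
    findings = []
    for row in csv.DictReader(io.StringIO(sap_csv)):
        if row["sap_locked"] == "1":            # already locked in SAP, nothing to flag
            continue
        state = enabled.get(row["ad_account"].lower())
        if state is None:
            findings.append((row["sap_user"], "no matching AD account"))
        elif not state:
            findings.append((row["sap_user"], "AD account disabled"))
    return findings
```

Running `find_orphaned_sap_access(AD_LDIF, SAP_CSV)` on the constructed data flags MLEE (disabled in AD) and CONTR01 (no AD object), while JSMITH and the already locked RKHAN are not reported.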

Management Complexity

As modern corporations use more specialized systems—such as network resource directories, mail servers, human resources databases, voice mail servers, and payroll applications—it has become increasingly complicated to manage user access rights. Individual divisions within an enterprise may have different processes for requesting and provisioning resources. Furthermore, in most companies, each system has its own tools for managing user accounts. Many require separate passwords and processes for authenticating users. All these issues contribute to increased IT management complexity. For example:

·  Disparate and diverse authentication and authorization systems must each be managed, administered, and audited in different ways.

·  The proliferation of directories and other repositories of identity information results in changes having to be made in multiple stores in multiple different ways.

·  Users are frustrated because they must keep track of multiple IDs and passwords for different applications and systems.

·  As companies scale their systems to service not only their employees but also their customers and business partners via the Internet, these challenges are further magnified.

Lowering Cost

In many organizations, each system acts as an island of special records and database entries that must be managed individually. These systems typically have their own definition of the user’s “identity” (name, title, ID numbers, roles, or membership in groups). The larger the organization, the greater the variety of these repositories and the higher the cost and effort required to keep them updated.

·  Line managers, IT professionals, and human resources staff devote significant time and energy to complete forms, enter and update user data, set up accounts, and reset forgotten passwords.

·  New employees and contractors often wait days to receive access to critical applications and information while each administrator creates and manages user credentials.

In order to overcome these challenges, many customers are faced with building or buying additional components. The ideal customer solution is one where the applications that are part of the overall corporate identity management process are integrated with each other. This type of integration not only allows a customer to benefit from improved security and simplified management, but also further lowers cost, since no additional software or services must be purchased to help achieve these goals.

Integration between Active Directory and SAP

Active Directory (AD) allows organizations to centrally manage and share information about network resources and users. Active Directory also acts as the integration point for bringing systems and applications, such as SAP and AD, together.

SAP’s integration with Active Directory allows customers to take advantage of the key identity management benefits discussed in the previous section:

·  Simplified management tasks

·  Strengthened network security

·  Reduced administration costs

As part of Microsoft’s overall identity management strategy, Active Directory has undergone SAP’s “SAP BC-LDAP-USR” certification process. This SAP certification indicates that Active Directory has been thoroughly tested and approved at SAP’s Integration and Certification Center (ICC) for use with the SAP and mySAP Enterprise Portal products. Through this testing and certification, Microsoft and SAP customers are assured of obtaining:

·  A product technically verified to work with SAP

·  An interface that is ready to use and tested with a variety of product releases

·  Proof of verification with full documentation and a corresponding certification test procedure

Information regarding Active Directory’s certification may be found at: http://www.sap.com/partner/software/directory/

Customers who integrate SAP with Active Directory as part of their overall identity management strategy achieve a number of specific benefits.

Simplified Management

The SAP system can use Active Directory’s “service publication” capability to detect SAP R/3 systems and their services, such as the application servers, message servers, database, gateway service, and SAP Internet Transaction Server (ITS) instances. This enables enterprise-wide information about installed systems to be viewed and accessed from a central location without having to manually configure files on each server or individual workstations.

The SAP R/3 version 46C Microsoft Management Console (MMC) snap-in is the first component to use information provided by Active Directory. In addition to providing a central view of all SAP systems in your landscape, the MMC snap-in provides interfaces to monitor, stop, and start the SAP systems.

SAPGUI for Windows also uses Active Directory to obtain a list of SAP systems. This eliminates the need for administrators and end-users to manually manage SAP-specific files like SAPLogon.ini on each individual workstation.

By using the Active Directory Group Policy feature, administrators can update and deploy the SAPGUI and other SAP applications to user desktops automatically. For organizations that want to use single sign-on with SAPGUI, SAP provides a special MSI package. This package can be automatically deployed to all relevant users through the use of Group Policy.

SAP Central User Administration (Web Application Server version 6.10) supports synchronization with Active Directory, allowing easy management of the identities in your organization.

The end result is lower management and administrative costs.

Strengthened Network Security

One of the most important architectural advantages of Windows 2000 is the integration of Active Directory and its advanced security features that enable a new level of data protection.

SAP supports various single sign-on options for the Microsoft platform including Kerberos, NTLM, and X.509 certificates. SAPGUI for Windows, mySAP Enterprise Portal, SAP Internet Transaction Server, and the new SAP .NET connector support all of these options.

Active Directory strengthens security in the SAP environment by:

·  Improving security and data protection – SAP systems can take advantage of the built-in Kerberos integration in Active Directory and Windows 2000 for single sign-on. Not only is the need for a separate SAP password eliminated, but the data channel between the SAP client and application server is automatically encrypted. Both SAP and Microsoft provide built-in support for secure Internet-standard protocols and authentication mechanisms such as Kerberos, public key infrastructure (PKI), and the Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL). This enables customers to choose the individual level of security they require for their environment.

·  Reducing security risks – By integrating SAP with Active Directory, a company limits the number of repositories where trusted identities need to be managed. As a result, IT administrators have a single procedure for adding, removing, and managing trusted identities which reduces the risk of unauthorized access to secure applications and data.

The end result is increased security and reduced security risks.

Makes Use of Existing Systems through Interoperability

SAP ABAP/4 programs can easily read and write information to Active Directory using LDAP, for example to retrieve address, user, or system data such as e-mail addresses, fax numbers, postal addresses, or printers. Many SAP applications ship with built-in Active Directory integration, including Central User Administration version 6.10 and mySAP Enterprise Portal version 5.0. mySAP Enterprise Portal version 5.0 also uses Active Directory to store user mapping information, role-to-user assignments, and other customization attributes. These features enable customers to immediately and easily take advantage of Active Directory as their single, multi-purpose directory for both SAP-related and NOS information.

With mySAP.com, applications that support LDAP can access Active Directory and use it for their storage needs. For example, various systems on different platforms can access information using Active Directory. Likely candidates include the following:

·  Personnel information (name, department, organization)

·  User and security information (user account, authorizations, public-key certificates)

·  System resource and service information (system identifier, application configuration, printer configuration)

The SAP HR system can use Active Directory to make personnel data in the mySAP.com components available to other applications. Employee information that may be of interest can be stored in Active Directory and retrieved by other applications as necessary. For example, the HR application stores employee data (name and position) in Active Directory. A different application, such as project management, can access this information for its own purposes.

Each SAP system is an Active Directory-enabled client and can take advantage of Active Directory. Information that is shared between mySAP.com and other components can be stored in Active Directory and accessed by the various applications. As an Active Directory-enabled client, the SAP applications have both read and write access to the Active Directory. Therefore, information from other systems is available to the SAP system, and SAP system data is available to other systems.