Chat now with support
Chat with Support

Safeguard Authentication Services 5.1.3 - SSO for SAP Integration Guide

Privileged Access Suite for UNIX

UNIX security simplified

Privileged Access Suite for UNIX solves the intrinsic security and administration issues of UNIX-based systems (including Linux and macOS) while making satisfying compliance requirements easier. It unifies and consolidates identities, assigns individual accountability, and enables centralized reporting for user and administrator access to UNIX. The Privileged Access Suite for UNIX combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire UNIX environment.

Active Directory bridge

Achieve unified access control, authentication, authorization, and identity administration for UNIX, Linux, and macOS systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance, and Kerberos-based authentication capabilities to UNIX, Linux, and macOS. See www.oneidentity.com/products/safeguard-authentication-services/ for more information about the Active Directory Bridge product.

Root delegation

The Privileged Access Suite for UNIX offers two different approaches to delegating the UNIX root account. The suite either enhances or replaces sudo, depending on your needs.

  • By choosing to enhance sudo, you will keep everything you know and love about sudo while enhancing it with features like a central sudo policy server, centralized keystroke logs, a sudo event log, and compliance reports for who can do what with sudo.

    See www.oneidentity.com/products/privilege-manager-for-sudo/ for more information about enhancing sudo.

  • By choosing to replace sudo, you will still be able to delegate the UNIX root privilege based on centralized policy reporting on access rights, but with a more granular permission and the ability to log keystrokes on all activities from the time a user logs in, not just the commands that are prefixed with "sudo." In addition, this option implements several additional security features like restricted shells, remote host command execution, and hardened binaries that remove the ability to escape out of commands and gain undetected elevated access.

    For more information about replacing sudo, see www.oneidentity.com/products/privilege-manager-for-unix/.

Privileged Access Suite for UNIX

Privileged Access Suite for UNIX offers two editions: Standard edition and Advanced edition. Both editions include the Safeguard Authentication Services patented technology that allows organizations to extend the security and compliance of Active Directory to UNIX, Linux, and macOS platforms and enterprise applications. In addition:

  • The Standard edition licenses you for Safeguard for Sudo.

  • The Advanced edition licenses you for Privilege Manager for Unix.

About this guide

The Single Sign-on for SAP Integration Guide is intended for system administrators, network administrators, consultants, analysts, and any other IT professionals who will be using Single Sign-on for SAP to provide seamless authentication to SAP using the Active Directory credentials of the logged-on user. This guide walks you through the installation and configuration process.

Note: The term "Unix" is used informally throughout the Safeguard Authentication Services documentation to denote any operating system that closely resembles the trademarked system, UNIX.

Introducing Safeguard Authentication Services Single Sign-on for SAP

SAP systems host critical enterprise applications. In today's regulatory environment, the ability to secure access to these applications, and to secure the transmission of their data, is an increasingly important compliance and security requirement.

The Safeguard Authentication Services Single Sign-on for SAP solution integrates SAP solutions with Active Directory. Using the identity and security infrastructure available with Active Directory, organizations can implement tight identity integration between SAP and Active Directory user accounts, allowing users to securely authenticate with SAP applications using their desktop login credentials. This eliminates the need to re-enter (or remember) a separate SAP username and password.

You can use these same credentials to implement secure data transmission among SAP modules and the SAP GUI client. Sensitive enterprise information that is exchanged between the user's desktop and the remote SAP Application Server is automatically encrypted, securing it from any network eavesdropping.

Safeguard Authentication Services provides a solution that complies with the functional requirements of the SAP SNC interface. The ability of Safeguard Authentication Services to directly join UNIX systems with the Active Directory domain is what makes the tight integration and single sign-on experience possible.

SAP SNC makes use of the GSSAPI provided by Safeguard Authentication Services on the SAP Application Server side. The SAP GUI client on the Windows desktop also uses GSSAPI through the Single Sign-on for SAP extensions.

To use SAP with multiple domains (where there is no trust between the domains), SAP needs service users with the same SPN for all domains, and keytab files for those domains. For more information, see Creating a keytab and Creating Keytab for Kerberos.

SAP Secure Network Communications

Secure Network Communications (SNC) is designed to allow external security mechanisms (such as Safeguard Authentication Services) to integrate with the SAP environment to provide additional security features. By integrating the SAP system through standard protocols such as GSSAPI, SNC allows you to isolate SAP applications from the specifics of the authentication and security implementation.

SNC provides three aspects of security:

  • Authentication

  • Data integrity

  • Data security

The authentication feature provides for secure authentication using an external security token (such as a Kerberos ticket, which allows single sign-on).

With the data integrity feature enabled, the system detects any changes or manipulation of the data that may have occurred between the two endpoints of a communication.

The data security or privacy protection feature encrypts message transmission, making them resistant to network eavesdropping. This feature also includes data integrity support.

The level of security to be applied to the environment is determined by the SNC configuration, as described in the SAP document, Secure Network Communications: SNC User's Guide.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating