How to configure your SAP applications for Single Sign-On
Evidian Enterprise SSO
Demonstration of how to configure your SAP applications for Single Sign-On
With Evidian Enterprise SSO, a user enters only one password, or none at all when a strong authentication method is used. After that, application passwords are entered automatically on behalf of the user.
Evidian comes with an SSO studio that lets you detect the login prompts of new applications, whether web-based, desktop or legacy. The studio is designed to be easily configurable by anyone inside the organization.
This video shows how to use the SSO studio to enter passwords of SAP applications on behalf of the user.
The SSO studio integrates different forms of scripts that help you easily configure your SAP solution for Single Sign-On. This video demonstrates a configuration of Single Sign-On for SAP logon in a few clicks. You do not need to modify any of your SAP applications or code a particular script.
Why are over 5 million employees using Evidian Enterprise SSO today?
Reinforce access to applications
A user enters only one password, or none at all with Evidian Authentication Manager and a strong authentication method. Evidian SSO can transparently change hardened passwords for each application. It lets you manage enterprise access policies (which user can access which application) and centrally audit user access.
Reduce helpdesk calls by up to 30%
There are no more calls to the helpdesk to reset passwords because users no longer manage application passwords. Moreover, a Self-Service Password Request (SSPR) function allows users who have forgotten their single password, or their access card, to unlock their access, even offline and without the helpdesk.
Never reveal passwords
Users can share the same generic accounts securely, or delegate their access to each other while away. Users don’t need to reveal their passwords and are audited by name. Thanks to a web portal, a user who is already on leave can remotely delegate all or part of his accounts via a simple web page and still fully comply with the security policy.
Satisfy regulatory constraints
By creating a mandatory point of passage between users and their applications, an organization can effectively control access. Moreover, a log of these accesses and of administration operations is kept centrally, which facilitates audits. Evidian SSO facilitates compliance with confidentiality, integrity and availability requirements.
Evidian Enterprise SSO provides single sign-on to all users, businesses and organizations.
Free your users from remembering and typing passwords and drive your security policy by automating password management.
Typical use of SSO by over 5 million employees
Employees use a passwordless strong authentication method. After that, application passwords are automatically entered on behalf of the employee at application login prompts. This works with web-based, desktop and legacy applications without modifying them. Evidian gives employees access to the applications to which they are entitled, and it transparently changes and manages strong passwords for each application. An access log is centralized to facilitate audits, to show which employee uses which application, and to meet regulatory constraints.
One PC - used by several users
Branch employees, sales staff in outlets, workers in manufacturing and others share the same PC in their enterprise. To save time, they use a shared account with autologon to access the Windows session without a password. However, who authenticated to the PC and at what time cannot then be audited. Evidian's multi-user desktop solves this problem with fast user switching in a few seconds and a strong authentication method such as an RFID badge to unlock the shared session.
One user – using multiple PCs successively
The day-to-day tasks of some employees may require them to move around within a site, such as doctors in a hospital, production managers at an industrial site, store vendors, and others. On each PC, they must log in to access their session and then log out. Because this takes time, an alternative is needed. Evidian offers a simple solution: a roaming session that avoids multiple logins.
One user – using multiple PCs at once
Some employees need multiple PCs and monitors in order to work. These may include trading room workers and control room operators in industry, transport, video surveillance and other fields. It is unrealistic to ask these employees to log in to each PC separately. Evidian offers a solution with a single login to multiple computers at once.
Evidian SSO configuration guide for SAP
- SAP GUI Scripting (at least 6.20) must be activated on the SAP R/3 server, with the following parameter:
  sapgui/user_scripting = TRUE
- SAP GUI Scripting must be activated on the SAP R/3 client.
- The connection description in the SAP Logon must not use the slow connection parameter.
- SAP GUI Scripting works only with the new SAP R/3 visual design.
Configuring a SAP R/3 Application
An application should be configured with the Enterprise SSO configuration editor. For SAP R/3 applications, use the SAP application model in Enterprise SSO Studio.
Configuring an Application for SAP GUI Scripting
If you use SAP GUI Scripting window types, the OLE/automation option in the configuration is not required. It should, therefore, be left deactivated.
Configuring the Detection tab of the SAP GUI Scripting Window
The detection of SAP R/3 connections is based on their connection servers or server groups:
To specify an SAP R/3 server or group of servers, use the following options.
- Name (mandatory): server name (SAP R/3 hostname) or server group name for which SSO is to be performed.
- SAP system name: SAP R/3 name of the system in 3 characters (database ID).
- Direct server connection
  - Detect the System Number: provide the SAP R/3 System Number if the target server is running more than one copy of SAP R/3.
- Group with load balancing
  - Message Server: enter the SAP R/3 message server name as it is configured in the SAPLogon module if there are several SAP R/3 groups with the same name but with different message servers.
Configuring the Actions Tab of the SAP GUI Scripting Window
Description of the SAP R/3 parameters
At authentication time, Enterprise SSO can fill the language and client name fields as defined in the SAP R/3 application model. These parameters must be declared in the Parameters tab of the application object.
- Automatic validation of the credentials: the user does not have to validate the credentials sent by E-SSO to start an SAP session. The Auto validate login page check box is selected by default.
- Changing the SAP R/3 user’s password: by default, Enterprise SSO manages the authentication process, and the user cannot change his or her SAP R/3 password at this stage but must use the password change transaction once connected. To avoid the complexity inherent in this procedure, activating this option will result in Enterprise SSO asking the user if a change of password should be made during connection to SAP R/3; Enterprise SSO will then manage all the password change processes as required.
- Automatic validation of the connection notification: the SAP GUI Scripting technology causes a message to appear, notifying the user that a script is connecting to SAPLogon. By activating this option, and by declaring the notification window title (by default this is saplogon), Enterprise SSO will automatically validate the notification as required. The notification will still appear in non-Enterprise SSO connections, and therefore for other scripts.
Configuring Errors in the Actions tab
- To define error messages, click the Errors button in the Actions tab.
Error messages are detected by Enterprise SSO so that it can react when there is a password desynchronization problem, when there is a password change, or if the new password is refused by the SAP R/3 system. In addition to the pre-configured error messages, you can declare your own specific messages:
- By content: enter a message and assign a meaning to it. Enterprise SSO will look for the message in the status bar or error dialog box. In this case, it is the message string that is looked for, so detection depends on the language of the SAP R/3 client.
- By reference: if you also specify the SAP R/3 ABAP reference of the message, Enterprise SSO will look for the reference of the message, and not its content. Detection thus becomes independent of the client language. In this case, the content of the message field is for information only.
Note: The list of message references can be found using the transaction SE16, table T100.
- Connection refused: the SAP R/3 system has refused the connection. The user may be locked, or the server unavailable.
- Invalid password: the user password is incorrect. A new password is requested through Enterprise SSO’s data collection windows.
- New password refused: the user has just changed the password, but the SAP R/3 system does not accept it. A new password is requested through Enterprise SSO’s data collection windows.
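The difference between the two matching modes, as an added example that is not Evidian's code. The message class and numbers (`ZX`, `001` and so on) and the sample status-bar texts are constructed placeholders, and the `StatusMessage` and `ErrorRule` types are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Meanings the page lists for detected SAP R/3 error messages.
CONNECTION_REFUSED = "connection_refused"
INVALID_PASSWORD = "invalid_password"
NEW_PASSWORD_REFUSED = "new_password_refused"

@dataclass(frozen=True)
class StatusMessage:
    """What a logon attempt left in the status bar (constructed model)."""
    msg_class: str   # message class, as stored in table T100
    msg_number: str  # message number within that class
    text: str        # rendered text, depends on the client language

@dataclass(frozen=True)
class ErrorRule:
    meaning: str
    content: str                       # message string (informative if reference is set)
    reference: Optional[tuple] = None  # (class, number); None means match by content

def classify(msg, rules):
    """Return the meaning of the first matching rule, or None."""
    for rule in rules:
        if rule.reference is not None:
            # By reference: independent of the client language.
            if rule.reference == (msg.msg_class, msg.msg_number):
                return rule.meaning
        elif rule.content.casefold() in msg.text.casefold():
            # By content: only matches the language the string was written in.
            return rule.meaning
    return None

# Constructed placeholders: class "ZX" and these numbers are not real T100 entries.
BY_CONTENT = [ErrorRule(INVALID_PASSWORD, "password is incorrect")]
BY_REFERENCE = [
    ErrorRule(INVALID_PASSWORD, "password is incorrect", ("ZX", "001")),
    ErrorRule(NEW_PASSWORD_REFUSED, "new password rejected", ("ZX", "002")),
    ErrorRule(CONNECTION_REFUSED, "user is locked", ("ZX", "003")),
]

# The same error as seen by an English and a German client (constructed samples).
EN = StatusMessage("ZX", "001", "Name or password is incorrect")
DE = StatusMessage("ZX", "001", "Name oder Kennwort ist nicht korrekt")

if __name__ == "__main__":
    for label, msg in (("EN", EN), ("DE", DE)):
        print(label, classify(msg, BY_CONTENT), classify(msg, BY_REFERENCE))
```

A message that matches no rule returns `None`; handling that as an unknown state rather than resubmitting the stored password avoids repeated failed logons against the SAP account.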
For more information on SAP configuration in Enterprise SSO, please refer to the "Enterprise SSO administrator Guide", in the SAP R/3 Plug-in section.