Safeguard Authentication Services 6.0 LTS - SSO for SAP Integration Guide

Introducing Safeguard Authentication Services Single Sign-on for SAP

SAP Secure Network Communications Client requirements Functional description Summary

UNIX installation and join UNIX configuration Windows installation Windows SAP GUI configuration Configure an SAP account for SSO/SNC

SAP server configuration

Supported platforms Creating and using a service account for the SAP service Enabling SNC on the SAP server Configuring an SAP user to enable SNC authentication Installing Safeguard Authentication Services Single Sign-on for SAP Deploying Single Sign-on for SAP through Group Policy

Creating the license CAB file Silent install

Configuring the SAP GUI client on Windows XP Configuring the SAP GUI client on Windows Vista and above Prompting for user name and password

Enabling authentication prompts

Configuring SAPlpd on the front-end system Configuring SAPlpd on the SAP server Testing the printer connection

Prompting for user name and password

SAP server configuration > Prompting for user name and password

By default, Single Sign-on for SAP performs automatic authentication using the credentials of the currently logged-in Windows user. In some situations, you might want users to provide an Active Directory user name and password when logging in to SAP. You can configure Single Sign-on for SAP to display a login prompt whenever a new authentication request is generated.

When you enable authentication prompting, users see an authentication dialog where they must enter an Active Directory user name and password in order to gain access to SAP. The user name can be in any one of these formats:

SAM account name (if the computer is joined to the user's domain)
<DOMAIN>\<SAM account name>
<SAM account name>@<DOMAIN>

Enabling authentication prompts

SAP server configuration > Prompting for user name and password > Enabling authentication prompts

To enable Active Directory authentication prompting from the Single Sign-on for SAP module

Change the following registry values from 0 to 1:
- On 32-bit machines: HKEY_LOCAL_MACHINE\Software\Quest Software\SSO for SAP\Always Prompt.
- On 64-bit machines: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Quest Software\SSO for SAP\Always Prompt.

Configuring SAPlpd on the front-end system

SAP server configuration > Configuring SAPlpd on the front-end system

To use SAPlpd with SNC, you must provide the SAPlpd system on the front-end desktop with the local library path and identity information.

To configure SAPlpd on the front-end system

If it does not exist yet, create a SAPLPD.INI file in the Windows directory.
Add the following section to the SAPLPD.INI file:
```
[snc]
enable=1
identity/lpd=<SNC-Name_of_saplpd>
gssapi_lib=<drive>:\path\to\your\snclib.dll
```
NOTE: You can omit the gssapi_lib= entry when you have the environment variable (SNC_LIB) configured as a system environment variable.

The identity/lpd variable, <SNC-Name_of_saplpd>, is in the SNC form of the user logged in and running SAPlpd. You must use this format: u:samaccountname@realm (where sAMAccountName is the SAM-Account-Name of the currently logged in user and example.com is the Active Directory domain name).

NOTE: You can also add these settings to the WIN.INI file if you do not want to create the SAPLPD.INI file.
Run SAPlpd.

A window appears, listing the output from the SAPlpd startup:
From the SAPLOPD.LOG – SAPLPD window, select the Options > Secured Connections menu item.
On the Secured connection dialog, select the Use if possible and Privacy protection of data options, then click Add new connection to go to the Access Control List maintenance for SAPlpd.
On the Authorized connections dialog, in the Last authenticated connection initiator field, enter the SNC-name of the application servers that will be transferring print jobs to this SAPlpd using SNC.

This is the value of the snc/identity/as key from the instance profile on the Safeguard Authentication Services-enabled SAP Server. See Enabling SNC on the SAP server.
Click Authorize to add this name to the list of authorized connection initiators.
Close all open SAPlpd dialogs by clicking their respective OKbuttons.

Your front-end desktop is now configured to securely connect.

Configuring SAPlpd on the SAP server

SAP server configuration > Configuring SAPlpd on the SAP server

To configure SAPlpd on the SAP server

Create a new output device (Printer) by navigating to Configuration > Output devices from the Spool Administration screen.

You can apply these same settings to an existing device.
Click the Device Attributes tab.
Enter the appropriate information:
- Output Device
- Short name
- Device Type
- Spool Server
To populate the Spool Server field, press F4 or click , the folder icon next to the Spool Server field, to list all the application servers with a color-coded background. The application servers running a spool process are highlighted in green.
Click the Access Method tab.
Set the Host Spool Access Method to S: Print Using SAP Protocol.
Enter the host name of the printer.
Enter the host name of the front-end system as the Destination host.
Select the Do Not Query Host Spooler for Output Status option.
Select the Security tab and select a level of security:
- Only Authentication
- Integrity Protection
- Privacy Protection
To set SNC as required, change Security Mode to Only Use Secure Transfer.
In the Identity of the Remote SAPlpd for the Security System field, enter the SNC name in the following format:
```
u:samaccountname@realm
```
This is the Active Directory user who will be logged in when using this instance of SAPlpd.
Save the changes and exit the Spool Administration screens.