Single Sign-On versus Password Synchronization solutions.
How do you know which one is right for you?
This blog, co-authored with Benjamin GOURDON, is based on several customers’ experiences.
The purpose of this blog is to make a quick comparison and give an overview of the pros and cons of Single Sign-On and Password Synchronization solutions. Both are designed to greatly reduce the number of support calls and improve user comfort, and both provide an ROI of less than 3 months, as proven by many customer implementations.
Single Sign-On: SAP NetWeaver Single Sign-On
SAP NetWeaver Single Sign-On enables users to access all their applications through a single authentication event. From an end-user perspective, there is no longer a need to provide credentials for connecting to each application.
The overall solution is subdivided into 3 sub-solutions:
- Secure Login, which enables SSO to SAP systems using SAP GUI and other web applications in the same domain. Based on Kerberos tickets or X.509 certificates.
- Identity Provider, which enables SSO to any web application or web service with identity federation. Based on SAML 2.0.
- Password Manager, which enables SSO to applications that do not support any standard protocol and require login/password information (previously locally recorded).
Depending on the system landscape, 3 different implementation scenarios are suitable and will determine the identification protocol:
- Homogeneous landscape: only SAP applications in the same domain
- Heterogeneous landscape: SAP and non-SAP applications in the same domain
- Heterogeneous landscape and inter-domain ("on cloud" applications)
Password synchronization: SAP NetWeaver Identity Management
SAP NetWeaver Identity Management lets you synchronize the password throughout your IT landscape so that the user can access any application with the same password. Each password change in SAP IDM or in Microsoft Active Directory will automatically be replicated to all other integrated or supported systems as a productive password (optional). To secure this solution, the provisioned password must be encrypted via secure channels (using SNC for SAP ABAP systems, or SSL for web applications including SAP Java systems or directories).
From an end-user perspective, this means using the same password for every application where you want to log on.
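An added example, not part of the original blog or of SAP's tooling: a small audit over a constructed inventory of password-synchronization targets that flags any system not reached over the channel required above (SNC for ABAP, SSL for web, Java and directory targets). The inventory fields (`name`, `type`, `snc_enabled`, `url`), the type labels and all host names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Required channel per target type, as stated in the text above.
# The type labels themselves are hypothetical inventory values.
REQUIRED = {"abap": "SNC", "java": "SSL", "web": "SSL", "directory": "SSL"}
SSL_SCHEMES = {"https", "ldaps"}  # URL schemes that imply an SSL/TLS wrapper


def channel_of(target):
    """Classify one inventory entry as 'SNC', 'SSL' or 'PLAINTEXT'."""
    if target["type"].lower() == "abap":
        # Hypothetical flag recording whether SNC is configured for the connection.
        return "SNC" if target.get("snc_enabled") is True else "PLAINTEXT"
    # ldap:// with StartTLS is not detectable from the URL, so it is
    # reported as PLAINTEXT and left for manual review.
    scheme = urlsplit(target.get("url", "")).scheme.lower()
    return "SSL" if scheme in SSL_SCHEMES else "PLAINTEXT"


def audit(targets):
    """Return (name, reason) for each target that should not receive passwords."""
    findings = []
    for t in targets:
        required = REQUIRED.get(t["type"].lower())
        if required is None:
            # Fail closed: an unclassified system is never assumed to be safe.
            findings.append((t["name"], "unknown target type"))
            continue
        actual = channel_of(t)
        if actual != required:
            findings.append((t["name"], f"needs {required}, found {actual}"))
    return findings


# Constructed sample inventory; system names and hosts are invented.
SAMPLE = [
    {"name": "ERP-PRD", "type": "abap", "snc_enabled": True},
    {"name": "BW-DEV", "type": "abap", "snc_enabled": False},
    {"name": "PORTAL", "type": "java", "url": "https://portal.example.test:50001"},
    {"name": "HR-LDAP", "type": "directory", "url": "ldap://ldap.example.test:389"},
    {"name": "CORP-AD", "type": "Directory", "url": "ldaps://ad.example.test:636"},
    {"name": "LEGACY", "type": "mainframe", "url": "https://legacy.example.test"},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

Running such a check before enabling replication to a new target keeps a synchronized password from being provisioned over an unprotected connection.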
For additional information about this solution, I strongly recommend reading this blog written by Jérémy Baars:
Determine the solution which would balance cost, security, user comfort and adaptability according to your criteria.
The table below intends to compare the Password Synchronization and Single Sign-On by analyzing their respective strengths and
So let’s consider several criteria to choose the most appropriate solution:
As you can see above, SAP NetWeaver Single Sign-On offers a better end-user experience, as this solution reduces the number of times a user must type an ID and password to access an application. This also helps raise user productivity.
SAP Identity Management makes it possible to optimize the user lifecycle and simplify user management. It is replacing SAP Central User Administration (CUA), which will not be further developed by SAP. As such, it could be worth choosing the password synchronization method if you plan to implement an Identity & Access Management solution in the near future.
If security is an important criterion for your choice, implementing SAP NetWeaver Single Sign-On will guarantee strong authentication by blocking traditional access on each application concerned.
From a financial point of view, there is not much difference in implementation costs. The choice should be guided more by the policy and strategy of the enterprise.