Single Sign On

Wolters Kluwer Polska implemented the SAP ERP system as early as 2002. Another major implementation project in 2004 included the launch of the SAP BW data warehouse. Then, SAP CRM (in 2008) and SAP NetWeaver Portal were implemented. Virtually all operations of the company are supported by SAP systems. The benefits of business process integration in coherent tools are invaluable. Also, the technical value of a coherent system landscape that is administered and hosted by one service provider – BCC (now All for One Poland) – is high.

Hundreds of forgotten SAP passwords

Wolters Kuwer Polska has an extensive SAP system landscape: two SAP Portal systems (production, and testing & development), two SAP BW systems, three SAP ERP systems (production, testing, and development), and three SAP CRM systems. In addition, each development system has several clients.

In total, all SAP tools in the company are used by several hundred users. SAP CRM has the largest number of users (370), then SAP ERP (180) and SAP BW (130). Often, these are the same people. Although the company uses multiple systems from one vendor, users who use more than one SAP solution have to log on to each of them with a separate password.

While administering the IT infrastructure, Wolters Kluwer implements the best management practices based on global best practices. One of them is the restrictive policy for changing passwords and a high degree of their complexity. To log on to the system, the user had to enter a password containing at least a certain number of characters, including uppercase and lowercase letters and special characters. Of course, it also has to be changed periodically. So a key-user employee who uses SAP ERP, SAP CRM and SAP BW, and – in addition to the production system – has access to the test system, they could find themselves needing to remember up to 10 challenging passwords.

Administrators who manage user accounts for each individual system had to spend a lot of time to ensure their integrity and compliance with security policies. For a large number of users, they make changes in the authorization system every day, or even several times a day. The reasons for this are changes to planned, periodic authorization, personnel changes, and even more typical reasons, such as forgotten passwords.

What is good for the security of data is often a nuisance for many users, including administrators.

Wolters Kluwer Polska uses the SAP administration service in the BCC Outsourcing Center, which means that the service provider has taken the responsibility for correct and efficient system operation.However, BCC consultants contact the WKP help desk team, rather than individual users. User notifications of forgotten passwords or blocked access to the system are sent (through the service application used by WKP) to the WKP help desk team. There, administrators decide whether an issue could be resolved internally or is the responsibility of BCC and needs to be escalated. After resolving the issue, external consultants inform WKP administrators, who in turn need to contact the unlucky user.

With such a large number of systems and users, forgotten password and locked account issues occur frequently. Administrators spend a lot of time solving these problems and it distracts them from other more important tasks. The result is the rising cost of system support and administration.

Manager BackOffice, Wolters Kluwer Polska

Many Systems – A single Sign-On

The Single Sign-On (SSO) mechanism available on the SAP NetWeaver platform enables the coordination and integration of various systems to which the user should have access using one password. SSO allows you to log on automatically not only to the SAP system, but also to third-party applications, databases, mail servers or file servers.

In order to streamline the work of end users and administrators, Wolters Kluwer Polska decided to implement Single Sign-On (SSO).

Before implementing this mechanism, it was necessary to determine the systems / clients in which SSO would be enabled, and the users who would use the single sign-on facility. Because WKP systems are hosted and administrated in the All for One Outsourcing Center, the determination of the system landscape did not cause any problems.

The actual implementation of SSO brought about the preparation of SAP systems, i.e. configuration of appropriate parameters in the profiles, and the preparation of SAP system accounts in the Active Directory domain.

Of course, any SSO user should have an account in ActiveDirectory, which can be mapped to relevant SAP accounts (and so the accounts do not need to have identical names in SAP and AD). In addition, from the perspective of the end user, it was necessary to install special libraries and modify SAP GUI profiles accordingly. For SAP NetWeaver Portal systems, it was necessary to configure web browsers.

The configuration of user mappings in SAP systems began when the above conditions were met. Because the Central User Administration (CUA) is enabled on the majority of clients and LSMW (Legacy System Migration Workbench) is used, this operation went relatively quickly and smoothly.

The Single Sign-On was first enabled on test and development systems. After testing, the solution was migrated to production systems.

In SAP systems, if end user passwords are changed due to the company policy, this is done on a user workstation. After the implementation, the SSO mechanism allowed us to disable traditional passwords and to logon via the SAP GUI.

Now, SSO is a foundation of a comfortable working environment in SAP systems.In the morning, having started the computer, the employee can log on to a workstation. With a user ID (login) and only one password, the user can automatically access all necessary applications without the need for separate re-authentication in each one.

It is Easier to Remember Only One Thing

The benefits of using SSO technology are quite clear:the user has only one password for all SAP systems they use. The logon process is easier and faster. It’s less of a burden to remember, which reduces the need to write passwords on post-it notes, or use other insecure services which could threaten the security of the system.

Also from the perspective of an administrator, the centralized and convenient management of password policies greatly improves the safety of transferring security certificates, and relieves the administrator who verifies access to systems. The user management in ActiveDirectory means that, currently, the vast majority of password problems can be resolved quickly by the internal WKP help desk without the need for escalation to BCC (now All for One Poland). The fewer elements involved in this process, the faster the user gets a solution.