Single Sign On

I couldn’t find a thread on this, but I seem to recall seeing it somewhere. What are your thoughts on single sign on? That is, login to the network and then any applications on your computer do not require a separate login. Our SAP team doesn’t want the users to have to login to the application if they have authenticated through AD.

Hi Meyert,

Do you mean that once they have logged into their workstation they do not have to log in to SAP? How do they log in? Does SAP automatically open when you click on the icon?

There should be a login to SAP after the initial PC login, and if there is any activity which is governed by a regulation there should also be a request for some kind of authentication (password, username, both).

Why do the SAP team want to use this approach?

Just because someone had access to logon to a PC doesn’t mean that they are trained to use SAP.

“authenticated through AD”: what do you mean by this?

Regards

Thanks for the speedy response… shouldn’t you be home eating supper or something? :slight_smile: I replied inside your quoted text in RED.

[quote=gokeeffe]Hi Meyert,

Do you mean that once they have logged into their workstation they do not have to log in to SAP? How do they log in? Does SAP automatically open when you click on the icon? YES

There should be a login to SAP after the initial PC login, and if there is any activity which is governed by a regulation there should also be a request for some kind of authentication (password, username, both). I agree, I just can’t find a regulation to reference.

Why do the SAP team want to use this approach? It is perceived to be easier for the users; also I believe they didn’t think they could authenticate/synchronize usernames and passwords with Active Directory (AD).

Just because someone had access to logon to a PC doesn’t mean that they are trained to use SAP.

“authenticated through AD”: what do you mean by this? AD = Active Directory (Network Login)

Regards[/quote]

Another point is I assume everyone has the same privileges, so if there is no login, how can this work?

It’s a strange scenario, certainly one I haven’t come across before.

Surely this is in breach of Part 11 in terms of security?

Assuming that a central ACL (Access Control List) is maintained for every application that the user can access, to control rights on an app-by-app basis, and assuming that the SSO implementation is fully validated, then there should be no problem. In fact it can make it easier to be compliant, since your average user, when faced with having to remember fifteen different username/password combinations, will invariably write them down.

Where the system falls down is where there are ‘defaults’ that let everyone access something that was envisaged as global access when the system was implemented, but that has changed use and later becomes more sensitive or restrictive. In that case there may be issues with ensuring that there are good procedures in place to withdraw access from those users that no longer require the application.

The only other real problem is where it is important that a user cannot simply ‘blunder’ into a restricted area without making an informed choice. In these cases it is no longer simply an issue of whether the user is allowed access, but whether they are fully aware of the fact that they are accessing a sensitive area.

SSO is not inherently a problem, but individual implementations can be.
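The conditions the reply above sets out (a central per-application ACL, default deny, an explicit acknowledgement before entering a sensitive area, and withdrawal of access) can be modelled as a small authorization gate. This is an added illustration, not code from the thread or from SAP; the user names, application names and the `SsoSession` class are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: a central per-application ACL keyed by AD user.
# Every managed application is listed; a user missing from an app's entry is
# denied (default deny), so a network login alone never grants app access.
CENTRAL_ACL = {
    "sap": {"alice", "bob"},
    "lims": {"alice"},
    "intranet": {"alice", "bob", "carol"},
}
# Applications the user must knowingly enter rather than "blunder" into.
SENSITIVE_APPS = {"sap", "lims"}


@dataclass
class SsoSession:
    ad_user: str                      # identity established by the network login
    authenticated: bool               # True only after a valid AD authentication
    acknowledged: set = field(default_factory=set)  # sensitive apps explicitly entered


def authorize(session, app, acl=CENTRAL_ACL, sensitive=SENSITIVE_APPS):
    """Decide a single application launch: returns (allowed, reason)."""
    if not session.authenticated:
        return False, "no valid network (AD) authentication"
    entitled = acl.get(app)
    if entitled is None:
        # An app with no ACL entry is the "global default" case the reply warns
        # about; treat it as unmanaged and refuse rather than let everyone in.
        return False, f"{app!r} has no ACL entry: unmanaged application"
    if session.ad_user not in entitled:
        return False, f"{session.ad_user!r} is not entitled to {app!r}"
    if app in sensitive and app not in session.acknowledged:
        # Entitled, but the informed-choice step has not happened yet.
        return False, f"{app!r} requires an explicit acknowledgement before entry"
    return True, "access granted"


def revoke(user, app, acl=CENTRAL_ACL):
    """Withdraw an entitlement centrally; SSO denies the user on the next launch."""
    acl.get(app, set()).discard(user)
```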