The desired user experience is to log in to a system once and then have access to the applications and information required to do a job.
Users become frustrated when they must authenticate each time they access a resource. It takes time, and users must keep track of multiple passwords. This ultimately increases calls to the help desk from users who have forgotten their passwords, and it also reduces security because users keep their passwords on a note by the computer.
This solution simplifies a user’s experience. The user logs in to Active Directory* and launches a Web browser to access the SAP Portal. When users access the SAP Portal, they are automatically authenticated and can access any resources assigned to them.
This solution uses Kerberos* tickets from Active Directory and Access Manager. When a user logs in to the Active Directory domain, he or she is issued a Kerberos ticket. When the user then launches a Web browser and accesses the SAP Portal, Access Manager is able to use the Kerberos ticket for authentication, and the user does not have to authenticate to the SAP Portal.
Figure 5-1 Kerberos Authentication
After this authentication method is configured, you can leverage the Kerberos desktop login for single sign-on into all of your other non-SAP Web applications. This simplifies the user experience.
The following sections must be completed in the order listed to enable single sign-on.
Section 5.2, Configuring Active Directory to Assign Kerberos Tickets
Section 5.3, Configuring the Access Manager Identity Server to Consume the Kerberos Tickets
Section 5.5, Adding the SAP Portal as a Protected Resource in Access Manager
Section 5.6, Configuring the SAP Portal for Kerberos Authentication