The following describes how Password Manager can be configured to single sign on to SAP applications.
Background
SAP has a suite of business line applications and each application has its own database and user credentials. These systems/applications are also called R/3 systems. For example, an organization may decide to deploy three SAP systems, namely Human Resources, Accounting and Financials. These three systems are usually deployed on different sets of servers and have their own databases. Each system has its own user credentials. Hence, an end user has to remember three different sets of credentials for accessing different SAP applications/systems. Password Manager is a perfect solution for these organizations. Password Manager helps such organizations increase their network security and improve end user computing by eliminating the need for end users to remember all their secondary credentials, including all the credentials for SAP applications.
All SAP systems are accessed using the same user interface, called "SAP GUI." SAP GUI communicates with backend systems and servers and provides the user interface for the end users.
End users can log on to SAP systems and launch SAP GUI in two ways:
Using SAP Shortcut files (.SAP files)
SAP has a file type extension called SAP that can be created or edited using SAPGUI.EXE. Opening this file launches SAPSHCUT.EXE (SAP Shortcut), which processes all the settings in the .SAP files and launches SAP GUI with appropriate settings. End users get the logon screen as shown in Figure 1 below:
Figure 1: Logon Window using .SAP files
Using SAP Logon Pad
End users can also get a list of available SAP systems and log on to any system using SAP Logon Pad, as shown in Figure 2 below. In this example, there are 5 unique R/3 SAP systems configured on the workstation. Each SAP R/3 system may use a unique set of credentials. By double-clicking one of the systems in SAP Logon, the end user is presented with a logon screen as shown in Figure 3 below. Once the users provide their credentials, SAP GUI is launched.
Figure 2: SAP Logon Pad 6.40
Figure 3: Logon Window using SAP Logon
The benefit of using SAP Logon Pad over .SAP files is that SAP Logon Pad performs better when multiple connections to different SAP R/3 systems are opened by the same end user concurrently. SAP Logon Pad only starts one process regardless of the number of connections made with R/3 systems, whereas a new process is started for each SAP GUI launched using a .SAP shortcut file. For example, if an end user opens the HR and Accounting systems at the same time, SAP Logon Pad will only launch a single process and may use fewer resources. However, we expect the majority of the end users within our customer base to open a single R/3 system at a time.
Configuring Single Sign On for SAP
System III tests have shown that the logon window launched through SAP Logon Pad (Figure 3) does not have standard Windows controls and cannot be detected by Password Manager. Logon windows launched using .SAP shortcut files, on the other hand, use standard Windows controls, which Password Manager is capable of detecting. Hence, Citrix recommends using .SAP shortcut files to publish SAP GUI on XenApp or distributing .SAP files on end users' desktops. Citrix Program Neighborhood, Program Neighborhood Agent or Web Interface can perform the role of SAP Logon Pad, i.e. listing available SAP applications for end users. .SAP files can be created using SAPGUI.EXE, as shown in Figure 4 below:
Figure 4: SAPGUI.EXE for creating .SAP file
Each .SAP file must be given a unique window title using the Title Settings in the .SAP file creation tool, shown in Figure 4. The configured title is displayed in the logon window, as shown in Figure 1. Configuring a unique title for each .SAP file (or R/3 system) allows Citrix Password Manager to be configured to distinguish different SAP applications using the title of the logon window. After preparing the .SAP files, administrators must publish them using SAPSHCUT.EXE. Each published application must be configured with a command line in the form "<path>/SAPSHCUT.EXE <path>/<name of .SAP file>".
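Because the window title is the only thing that tells one SAP logon form from another, a title that is blank or reused across shortcuts should be caught before publishing. The following check is an added example, not part of the original article or any Citrix or SAP tooling; it assumes that a .SAP file is INI-style text with the title stored as Title= in a [Function] section, and the file names and contents are constructed samples.

```python
import configparser
from collections import defaultdict

# Constructed sample shortcut contents, not taken from the page. The
# [Function] section with a Title= key is an assumed layout for .SAP files.
SAMPLE_SHORTCUTS = {
    "hr.sap": "[System]\nName=HRP\n[Function]\nTitle=SAP HR Logon\n",
    "accounting.sap": "[System]\nName=ACP\n[Function]\nTitle=SAP Accounting Logon\n",
    "financials.sap": "[System]\nName=FIP\n[Function]\nTitle=sap hr logon \n",
    "legacy.sap": "[System]\nName=LGP\n[Function]\nTitle=\n",
}


def read_title(text):
    """Return the trimmed [Function] Title value, or None if absent or blank."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None  # unparseable file: report it as having no usable title
    title = parser.get("Function", "Title", fallback="").strip()
    return title or None


def audit_titles(shortcuts):
    """Find shortcuts with no title and titles shared by several shortcuts.

    Titles are compared case-insensitively: a conservative choice, so that
    titles differing only in case are flagged for an administrator to review.
    """
    by_title = defaultdict(list)
    missing = []
    for name in sorted(shortcuts):
        title = read_title(shortcuts[name])
        if title is None:
            missing.append(name)
        else:
            by_title[title.casefold()].append(name)
    duplicates = {t: f for t, f in by_title.items() if len(f) > 1}
    return {"missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit_titles(SAMPLE_SHORTCUTS)
    for name in report["missing"]:
        print(f"{name}: no window title set")
    for title, files in report["duplicates"].items():
        print(f"title {title!r} is shared by: {', '.join(files)}")
```

To run it against real shortcuts, read each .SAP file into the dictionary in place of the constructed samples.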
Once the applications are published, the 'New Application Definition Form' wizard in the Password Manager Console can be used to create application definitions for each SAP R/3 system. Administrators must launch each SAP shortcut one by one and configure an application definition and forms for each one.
Figure 5: Launching the Application Definition Wizard
Figure 6 shows how administrators can configure a Logon form by selecting the SAPGUI.EXE "module" with the "Window Title" that matches the Title setting defined in the SAP shortcut.
Figure 6: Form Definition Wizard in Citrix Password Manager Console
Figure 7 shows how Password Manager automatically detects the fields on the logon window and makes it easy for administrators to configure single sign on.
Figure 7: Automatic Detection of Controls on Logon Window for SAP
Once application definitions are created for each SAP shortcut, the change password form definition should be added to each Citrix Password Manager SAP application definition.
Configuring SAP Change Password
The SAP change password window will be automatically displayed when one of the following events occurs:
- The SAP administrator resets the end user's password
- The end user's password expires due to the SAP password expiration feature
The SAP Change Password window is shown in Figure 9 below.
Figure 9: Change Password Window for SAP R/3
The SAP Change Password window does not use standard Windows controls, so Password Manager is not able to use field detection. Therefore, administrators will have to use Send Keys to configure Change Password for SAP R/3.
Figure 10 shows the Password Manager Form Wizard when detecting the Change Password form.
Figure 10: Form Definition Wizard with SAP Change Password Form Selected
Figure 11 shows the SAP form that contains controls that are recognizable by Citrix Password Manager. Figure 11 also shows that Send Keys must be enabled for this form.
Figure 11: Form Wizard with Send Keys Enabled
Figure 12 shows the Send Keys field definitions that work correctly with the SAP Change Password form.
Figure 12: Form Wizard with Send Keys Definitions
Once these Send Keys are enabled on the Change Password form, the Citrix Password Manager Agent will be able to detect the SAP Change Password dialog and automatically change passwords for end users.
Summary: Simple Five Step Process
- Create a .SAP file for each SAP application using SAPGUI.EXE, as shown in Figure 4, giving each .SAP file its unique title.
- Publish each .SAP file using SAPSHCUT.EXE, with a command line in the form "<path>/SAPSHCUT.EXE <path>/<name of .SAP file>".
- Launch each .SAP application on XenApp. Stop at the logon dialog.
- Launch the 'New Form' wizard in the Password Manager Console and create an application definition for each SAP R/3 system by selecting the SAPGUI.EXE "module" with the "Window Title" that matches the Title setting defined in the .SAP file, as shown in Figure 5 and Figure 6.
- Use Send Keys to configure the Change Password form for each SAP application, as shown in Figure 12.