Success Case: SAP Single Sign-On Implementation at Alpek.

One of the major success stories of our company has been the implementation of SAP Single Sign-On at Alpek. For this reason, we want to explain the process to you, and the most notable aspects of this case, starting from the beginning.

Alpek is a leading petrochemical company, operating in two business segments: “Polyester” (PTA, PET, rPET, and polyester fibers) and “Plastics and Chemicals” (polypropylene, expandable styrenics, and other special and industrial chemicals). Alpek is one of the main global producers of PTA, PET resin, and PET sheet, one of the largest producers of rPET in America, the third manufacturer of expandable polystyrene globally, and the only producer of polypropylene in Mexico. In 2021, Alpek reported revenues of 7.7 billion dollars and a comparable EBITDA of 962 million dollars. The company operates 35 plants in the United States, Mexico, Canada, Brazil, Argentina, Chile, Oman, Saudi Arabia, and the United Kingdom, employing over 7,000 people. Alpek is a company listed on the Mexican Stock Exchange.

THE CHALLENGE 

Alpek, after many years of using SAP ERP, decided to enable Single Sign-On to simplify users’ access to the SAP system, using a secure method that allows users to stop memorizing the access password.

If the user authentication process in a system fails, the organization may face losses of opportunity and efficiency when executing business processes operating in the system. One of the most frequent authentication problems has to do with forgetting the access password to the systems. The use of passwords by users can lead to the following problems:

• Storage of passwords in insecure media or reuse of insecure passwords. -> Possible unauthorized access.
• Inability to access the system in case of not remembering the password. -> Loss of efficiency.
• Need to have a support team in charge of resetting passwords in SAP systems -> Performing tasks with little value addition.

INPROSEC SOLUTION

Inprosec proposed to Alpek the implementation of SAP Single Sign-On based on Kerberos, to take advantage of the integration between SAP and Active Directory. In this way, the end user only needs to remember the Active Directory password to access their personal computer and access the SAP systems securely, without the need to use passwords. Additionally, the encryption of SAP system communications (Secure Network Communication) was also activated, as it is an indispensable requirement for the operation of SAP Single Sign-On based on Kerberos. The milestones reached throughout the project are summarized below:

• Single Sign-On (SSO) and Secure Network Communication (SNC) configuration: the installation of the SAP encryption library, integration with Active Directory, and the change of default profile parameters to activate SNC and SSO were carried out. For this last task, the SNCWIZARD transaction was used.
• Installation of the Secure Login Client program on user equipment: support was provided to Alpek’s internal team for the massive deployment of the Secure Login Client program. This program is responsible for identifying the user’s domain session so that they can access SAP without using passwords.
• Updating the SAP Logon of the users: support was provided to Alpek’s internal team to modify the .XML file that contains the SAP Logon configuration, to allow the use of SSO.
• Mapping of domain names (SNC Name) with SAP users: using the SNC1 transaction, automatic mapping of domain names to SAP users was registered. The user will access the SAP system with the user mapped to the domain user identified by the Secure Login Client program.
• Conducting validation tests (UAT-User Acceptance Testing).
• Definition of the tool’s administration manual.
• Training to Alpek’s internal team: Alpek’s internal team was trained to understand and maintain the new functionality over time.

RESULTS

The implementation of SAP Single Sign-On at Alpek allowed us to achieve the following benefits:

1. Improved user efficiency when accessing the SAP system: users no longer have to wait to access the system if they do not remember the access password.
2. Improved system security of SAP (use of passwords): having a smaller number of passwords, which have to be remembered by users, reduces the attack surface and allows efforts to focus on having a robust password at a centralized level in Active Directory. On the other hand, it is necessary to raise awareness among users to lock their computers when they leave their desks.
3. Improved system security of SAP (communication encryption): the use of secure communications reduces the possibility of suffering Man-in-the-Middle (MitM) type attacks and having information leaks.
4. Less support effort: the SAP systems support team no longer has to help users reset passwords in SAP systems, being able to dedicate their efforts to performing tasks that provide greater value.