SAP Single Sign-On Product Overview 2019
Agenda
▪ SAP security products portfolio
▪ SAP Single Sign-On product overview
▪ Technologies and capabilities
▪ Hybrid landscapes
▪ Summary
© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2
The SAP security portfolio
(Diagram: the SAP Intelligent Enterprise Suite, with Digital Core, People Engagement, Manufacturing & Supply Chain, Network & Spend Management and Customer Experience on top of Intelligent Systems (AI/ML | IoT | Analytics) and the Digital Platform (Data Management, Cloud Platform); the four security topics below apply across all of it.)
Secure access: Preventing unauthorized access to your business systems is crucial for security. Single sign-on solutions offer secure, convenient single login for all business applications, on-premise as well as in the cloud.
Secure code: How can you protect custom ABAP code in your on-premise landscape? Code vulnerability analysis tools enable you to find and fix security loopholes.
Manage users and permissions: Handling users and permissions can be a challenge in heterogeneous and hybrid landscapes. Centralized solutions help you implement a compliant identity management approach.
Detect attacks: Internal and external cyber attacks are on the rise. SAP Enterprise Threat Detection lets you monitor your system landscape in real time.

The SAP security portfolio: products
Secure access
▪ SAP Single Sign-On
▪ SAP Cloud Platform Identity Authentication
Secure code
▪ SAP NetWeaver AS, add-on for code vulnerability analysis
Manage users and permissions
▪ SAP Identity Management
▪ SAP Cloud Platform Identity Provisioning
▪ SAP Access Control
▪ SAP Cloud Identity Access Governance
Detect attacks
▪ SAP Enterprise Threat Detection
Beautiful logon screens ... (screenshots of the SAP Single Sign-On logon screens)
Benefits in detail
Simplicity
▪ Lean product, fast implementation project, quick ROI
▪ No more need to provision, protect, and reset passwords across many systems
▪ No longer requires management of password policies across many systems
Security
▪ Secure authentication with one strong password, optionally with additional factors
▪ Eliminates the need for password reminders on post-it notes
▪ All passwords kept in one protected, central place
One strong credential also means one high-value target: the central authentication server and its credential store must be protected accordingly, which is where the optional additional factors come in.
Cost efficiency
▪ Efficiency gains as users only need to remember one password
▪ Higher productivity due to reduced effort for manual authentication, password resets, helpdesk interaction, ...
▪ Low TCO of running a secure landscape through automated management of server-side certificates
Support for on-premise and hybrid landscapes
Simple and secure access
▪ Single sign-on for SAP desktop clients and web applications
▪ Support for cloud and on-premise landscapes
▪ Integration with existing directories and single sign-on solutions
Secure data communication
▪ Encrypted data communication for SAP GUI and other desktop clients
▪ Digital signatures
▪ FIPS 140-2 certified cryptographic functions
Advanced security capabilities
▪ Two-factor and risk-based authentication
▪ Authentication with smart cards or RFID tokens
▪ Simplified lifecycle management of server-side certificates
Technologies and capabilities
Supported authentication modes
Single sign-on
▪ Authenticate once to an authentication server (MS Active Directory, AS ABAP, ...)
▪ The returned security token confirms your identity for each subsequent login to business applications
Multiple sign-on
▪ Authenticate each time you access a business application
▪ Authentication is against a central authentication server, not the business application itself
▪ Common scenario: require the Windows credentials for each system logon
Multi-factor authentication
▪ In addition to something the user knows (a password), authentication requires something the user has (a mobile phone, an RSA SecurID token, etc.)
▪ Implementation option for both single sign-on and multiple sign-on
Simplicity is key for SAP Single Sign-On
Security capabilities must be easy to implement and use. Customers should not have to weigh the implementation effort against the benefits of running a secure landscape.
Simple software roll-out
▪ The cryptographic library is shipped and updated with the SAP Kernel
▪ The desktop client is installed using SAPSetup and can be rolled out together with SAP GUI
▪ No need to install add-ons or modify ABAP sources
Simple configuration
▪ Configuration with the standard ABAP transactions SPNEGO and SNCWIZARD
▪ No need to work on the server command line
Simple operations
▪ Tightly integrated into the SAP NetWeaver stack, re-using its existing, proven infrastructure and security framework
Simplification tutorials
SAP Single Sign-On is quick and easy to set up, with straightforward implementation processes and automated guidance. Take a look at the following video tutorials:
▪ Single sign-on with Kerberos
▪ Single sign-on with X.509 certificates
▪ Certificate lifecycle management for SAP NetWeaver Application Server ABAP
Suggested playlist: All SAP Single Sign-On videos on YouTube
Single sign-on based on Kerberos
Secure access to SAP business applications – at a low TCO
▪ Based on the user's authentication to the Microsoft Windows domain during desktop login
▪ Active Directory, acting as the Kerberos KDC, issues a Kerberos service ticket (security token) that SAP business applications accept as proof of identity
▪ Supported on desktop systems (Windows, OS X) and mobile devices (iOS) that are part of a Windows domain
▪ Requires access to the corporate network (the client must reach the KDC to obtain a ticket)
▪ Users need to have an account in Active Directory
▪ Very fast implementation, very low TCO, no additional server required
▪ Single sign-on for SAP NetWeaver, covering web-based and desktop clients such as SAP GUI, Business Client, RFC client applications such as SAP Analysis for Office, the SAP HANA database, and many more
▪ Network encryption is available for SAP GUI and RFC clients

Kerberos: Process flow
Single sign-on based on the corporate Windows domain
(Diagram: Business user, Microsoft Active Directory, SAP NetWeaver AS ABAP and SAP NetWeaver AS Java; SAP GUI and RFC clients connect over SNC, browsers over SPNEGO.)
Authentication scenario
1. User authenticates to the Windows domain
2. Active Directory provides a Kerberos security token to the user
3. User starts a desktop client, app or browser and opens a system connection
4. The Kerberos token is forwarded to the system using SNC (for SAP GUI and RFC clients) or SPNEGO (for browsers). The token is validated offline on the server; no connection to Active Directory is required for the validation.
The validation works offline because the service ticket is encrypted under the long-term key of the SAP system's service account (the SPN registered in Active Directory). That account's credential is therefore a server key and must be protected like one.
Single sign-on based on X.509 certificates
Highly interoperable single sign-on to SAP and non-SAP applications
▪ Users authenticate to Secure Login Server (SLS) to retrieve a short-lived X.509 certificate, or reuse an already available certificate
▪ User authentication to SLS can be automated, for example based on an existing Windows authentication or an authenticated web browser session
▪ SAP business applications accept the certificate as proof of identity
▪ Desktop integration is based on Secure Login Client, on Windows and OS X
▪ Secure Login Server is not required if certificates are already available to users
▪ Secure Login Server is a lean alternative to introducing a full-blown PKI
▪ Secure Login Server supports two-factor and risk-based authentication, and different user stores (LDAP, ABAP, ...)
▪ X.509 certificates are highly interoperable, supporting both SAP and 3rd-party web applications and clients, including many legacy systems
▪ Network encryption is available for SAP GUI and RFC clients

X.509 certificates: Process flow
Highly interoperable single sign-on to SAP and non-SAP applications
(Diagram: Business user, Secure Login Server (on AS Java), SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and other web servers; SAP GUI and RFC clients authenticate over SNC, browsers over TLS client authentication.)
Authentication scenario
1. (*) User authenticates to Secure Login Server. Authentication can be automatic (using e.g. Kerberos) or manual, even based on multiple factors
2. (*) Secure Login Server returns an X.509 certificate, valid for a given period of time (e.g. a work day)
3. User starts a desktop client, app or browser and opens a system connection
4. The X.509 certificate is presented to the system (over SNC for SAP GUI and RFC clients, over TLS client authentication for browsers) and allows authentication
(*) Steps 1 and 2 are not required if the user is already in possession of a certificate

Options for enabling single sign-on with X.509 certificates
Secure Login Server (SLS)
▪ Part of the product SAP Single Sign-On
▪ Provides short-lived certificates to end-user desktops and backend systems
▪ Advantage: Enables scenarios such as multi-factor authentication and certificate lifecycle management
▪ Disadvantage: SLS is an additional server component, running on AS Java
Existing certificate
▪ SAP Single Sign-On can use an existing certificate for authentication
▪ The certificate could for example come from a smart card
▪ Advantage: No additional server component required
▪ Disadvantage: Some added-value scenarios of Secure Login Server are not available
Secure Login Server (SLS) with enterprise PKI integration
▪ SLS can be configured as a registration agent in front of an existing enterprise PKI
▪ Advantage: All SLS scenarios are available. At the same time, the certificate signing process of the existing PKI remains in place
Secure Login Server as Registration Authority of an existing PKI
(Diagram: Business user <-> Secure Login Server (NW AS Java) <-> Enterprise PKI (ADCS* or CMC** compatible). SLS provisions user certificates, forwards the requests to the PKI, receives the signed certificates back, and renews server certificates for SAP NetWeaver.)
Scenario
▪ Customers that already have an enterprise PKI do not want to establish a second one
▪ Secure Login Server (SLS) integrates with the existing enterprise PKI for both user and server certificates
Benefits
▪ Certificate signing based on the established PKI and security policy
▪ Storage and revocation processes unchanged
▪ SAP system integration decoupled from the PKI, managed by SLS
* Active Directory Certificate Services
** Certificate Management over CMS, RFC 5272

Extension scenarios for X.509 certificates
Instant user identification based on RFID* tokens
▪ For warehouse and production scenarios where efficient authentication is key
▪ Used on shared computers, e.g. kiosk PCs
▪ Simple configuration using Microsoft Active Directory to validate identities
▪ Supports PC/SC and WaveID® RFID reader devices
* Radio Frequency Identification
X.509 server certificate lifecycle management
SAP NetWeaver uses server-side X.509 certificates for a number of security functions. Depending on the certificate validity, certificates need to be renewed on a regular basis. Certificate lifecycle management manages the renewal of certificates, reduces manual effort, and prevents downtime.
Process steps
▪ Establish and configure a trust relationship between SAP NetWeaver and the Secure Login Server
▪ Schedule a job that identifies expiring certificates and automatically renews them
Benefits
▪ Prevent downtime caused by expired certificates
▪ Replace error-prone manual steps with a robust automated process
Additional capabilities
▪ Automated central roll-out of trusted root certificates to the landscape
▪ Option for integration with an existing enterprise PKI
For a step-by-step guide, see the how-to video at: https://youtu.be/wi2vBos1KwY

Configuring X.509 certificate lifecycle management for SAP NetWeaver
The process steps of certificate lifecycle management are triggered from the business system.
SAP NetWeaver AS for ABAP
▪ Report "SSF_CERT_ENROLL" establishes the trust relationship and the exchange of metadata between the SAP NetWeaver AS ABAP and the Secure Login Server
▪ Report "SSF_CERT_RENEW" can be executed manually or scheduled to check and renew certificates that will expire during the configured grace period
▪ Certificates and their attributes are displayed in transaction STRUST
SAP NetWeaver AS for Java
▪ Certificate lifecycle management is configured in the Secure Login CLM Cockpit
▪ The cockpit allows customers to register the SAP NetWeaver AS Java with Secure Login Server, define the certificates to be managed as part of the enrollment, and schedule jobs to renew certificates on a regular basis
▪ Certificates and their attributes are displayed in SAP NetWeaver Administrator
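The two mechanisms the slides above describe, a server that issues short-lived X.509 client certificates (the Secure Login Server flow) and a scheduled job that renews certificates once they fall inside a grace period (the SSF_CERT_RENEW / CLM Cockpit flow), can be seen end to end in the following added example. It is not SAP code and does not talk to Secure Login Server; it builds its own toy CA with the third-party Python `cryptography` package, and the function names (`issue_client_cert`, `accept_client_cert`, `needs_renewal`, `renew_expiring`, `run_demo`) are this example's own. The relying-party check shows what a server has to verify before it maps a certificate to a user: trusted issuer, signature by that issuer's key, validity window, client-authentication EKU. Revocation checking is deliberately out of scope.

```python
# Added example (not SAP code). Requires the third-party 'cryptography' package.
# A minimal Secure-Login-Server-style issuer of short-lived X.509 client certificates,
# the relying-party checks a server performs before mapping the certificate to a user,
# and a CLM-style renewal job that re-issues certificates inside a grace period.
# Function names (issue_client_cert, accept_client_cert, needs_renewal, run_demo) are
# this example's own, not an SAP API.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _utc(cert, which):
    """Validity bound ('before'/'after') as an aware UTC datetime, across cryptography versions."""
    aware = getattr(cert, f"not_valid_{which}_utc", None)
    return aware if aware is not None else getattr(cert, f"not_valid_{which}").replace(tzinfo=timezone.utc)


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_issuer(common_name="Example Secure Login CA"):
    """CA key pair plus self-signed CA certificate (stands in for SLS or the enterprise PKI)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, user_id, user_pub, now, lifetime=timedelta(hours=10)):
    """Issue a client-auth certificate for user_id that expires after 'lifetime' (e.g. a work day)."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user_id)]))
            .issuer_name(ca_cert.subject).public_key(user_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))   # small clock-skew allowance
            .not_valid_after(now + lifetime)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def accept_client_cert(cert, ca_cert, now):
    """Relying-party check: issuer we trust, signature by that issuer's key, inside the
    validity window, client-auth EKU. Returns the user id from the subject CN, or None.
    Revocation checking (CRL/OCSP) is out of scope for this example."""
    if cert.issuer != ca_cert.subject:
        return None
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return None
    if not (_utc(cert, "before") <= now <= _utc(cert, "after")):
        return None
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return None
    return _cn(cert.subject) if ExtendedKeyUsageOID.CLIENT_AUTH in eku else None


def needs_renewal(cert, now, grace):
    """CLM rule: a certificate is renewed once it would expire within the grace period."""
    return _utc(cert, "after") - now <= grace


def renew_expiring(certs, ca_key, ca_cert, now, grace, lifetime):
    """The scheduled job: re-issue every managed certificate that is inside the grace period."""
    return {_cn(c.subject): issue_client_cert(ca_key, ca_cert, _cn(c.subject), c.public_key(), now, lifetime)
            for c in certs if needs_renewal(c, now, grace)}


def run_demo():
    """Walk through issuance, acceptance, expiry, a forged issuer, and renewal."""
    ca_key, ca_cert = make_issuer()
    rogue_key, _ = make_issuer("Rogue CA")
    now = datetime.now(timezone.utc)
    user_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    cert = issue_client_cert(ca_key, ca_cert, "jdoe", user_pub, now)
    # Same issuer name as the trusted CA, but signed with a key the relying party does not trust.
    forged = issue_client_cert(rogue_key, ca_cert, "jdoe", user_pub, now)
    later = now + timedelta(hours=9, minutes=30)          # inside a 1-hour grace period
    renewed = renew_expiring([cert], ca_key, ca_cert, later, timedelta(hours=1), timedelta(hours=10))
    return {
        "accepted_now": accept_client_cert(cert, ca_cert, now),
        "accepted_after_expiry": accept_client_cert(cert, ca_cert, now + timedelta(hours=11)),
        "forged_accepted": accept_client_cert(forged, ca_cert, now),
        "renew_needed_early": needs_renewal(cert, now, timedelta(hours=1)),
        "renew_needed_late": needs_renewal(cert, later, timedelta(hours=1)),
        "renewed_accepted_later": accept_client_cert(renewed["jdoe"], ca_cert, now + timedelta(hours=19)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The short lifetime is what makes the Secure Login Server model workable without a full revocation infrastructure: a certificate that expires at the end of the work day limits the damage of a lost private key to hours. The grace-period rule is the same idea applied to server certificates, where an expiry would instead cause an outage; the renewal job needs the window to be long enough to cover the job's scheduling interval plus a failed run.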
Single sign-on based on Security Assertion Markup Language (SAML)
Identity federation and single sign-on for cross-organizational scenarios
▪ Users authenticate to the SAP Identity Provider to retrieve a SAML assertion
▪ SAP web applications accept the assertion as proof of identity
▪ The assertion definition is very flexible and enables easy mapping of attributes between systems, for loosely coupled integration across organizations
▪ Supported by browser-based applications on desktop and mobile devices
▪ SAP Identity Provider is based on SAP NetWeaver AS for Java
▪ SAP Identity Provider supports two-factor and risk-based authentication against different user stores (LDAP, ABAP, ...)
▪ SAML assertions are accepted by a broad range of both SAP and 3rd-party web applications
▪ SAML assertions enable single sign-on for the lifetime of the browser session

Security Assertion Markup Language (SAML): Process flow
Identity federation and single sign-on for cross-organizational scenarios
(Diagram: the business user's browser, the business application server acting as SAML Service Provider (SP), e.g. SAP NetWeaver AS ABAP or AS Java, and the SAP Identity Provider (IdP) on AS Java.)
Authentication scenario
1. User starts a browser and opens a connection to the business system, which is configured as a SAML Service Provider
2. The business system redirects the browser to the IdP
3. User authenticates to the IdP, either automatically (using e.g. SPNEGO) or manually, even based on multiple factors
4. The IdP establishes a security session, creates a SAML assertion, and redirects the browser back to the SP
5. User is authenticated at the SP
Two-factor authentication for X.509 and SAML scenarios
Authentication based on two means of identification
▪ Knowledge of a password
▪ Possession of a physical device, such as a smartphone
Options for the second factor
▪ Time-based One-Time Password (TOTP) generators
  – SAP Authenticator app
  – Third-party generators compliant with RFC 6238 (e.g. Microsoft Authenticator)
▪ Third-party applications supporting the RADIUS protocol, such as RSA SecurID®
▪ One-time passwords via SMS or e-mail
Usage scenarios
▪ Recommended for systems with high security requirements
▪ Configurable per system or even per user
▪ Seamless integration into Secure Login Client for certificate-based scenarios
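Because the slide names RFC 6238 as the interface between the authentication server and any TOTP app, the whole second factor can be shown in a few dozen lines. The following added example is not SAP code and is not how Secure Login Server implements TOTP; it is a plain RFC 4226/6238 implementation with standard-library Python plus the verifier-side logic a server needs: constant-time comparison, a one-step window for clock drift, and rejection of a code whose time step has already been accepted (replay). The class and function names and the sample user "alice" are this example's own.

```python
# Added example (not SAP code): RFC 6238 TOTP, as used by SAP Authenticator and other
# RFC 6238 generators, plus the verifier-side checks an authentication server needs.
# Standard library only. The secret b"12345678901234567890" is the RFC 6238 test vector.
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """Provisioning apps carry the shared secret as (often unpadded) base32, as in otpauth:// URIs."""
    clean = text.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


class TotpVerifier:
    """Server side: accepts a code for the current time step or one step either side
    (clock drift), and never accepts the same or an older time step twice for a user."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_step = {}   # user -> counter value of the last accepted code

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            expected = hotp(secret, counter, self.digits)
            # compare_digest keeps the comparison time independent of where the digits differ
            if hmac.compare_digest(expected, code):
                if counter <= self._last_step.get(user, -1):
                    return False   # replayed, or older than a code already used
                self._last_step[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59, digits=8))   # RFC 6238 test vector for SHA-1 at T=59
```

Two details matter operationally. The replay record has to live on the server side of whatever is checking codes (here a dictionary; in a clustered IdP a shared store), otherwise a phished code stays valid for the rest of the time step. And the window should be as small as clock quality allows: each extra step either side is another valid code per user per 30 seconds, which matters for the brute-force budget of a six-digit code.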
Risk-based authentication
▪ Dynamic adjustment of the required authentication process during logon
▪ Based on contextual information and configurable rules
▪ Takes a risk-based approach to balance security and usability
Available contextual information
▪ Client IP address
▪ User roles
▪ Available client certificate
▪ ...
Sample scenarios
▪ Allow access only from certain IP ranges
▪ Request a 2nd authentication factor if the first authentication step is based on a password instead of an X.509 certificate
▪ Enforce two-factor authentication for administrators
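The three sample scenarios above are a small policy over the listed context, and the following added example evaluates exactly those three rules. It is not SAP code and does not reproduce how Secure Login Server or the SAP Identity Provider express rules; the context layout (`AuthContext`), the decision names and the sample networks are this example's own. Deny rules are evaluated first and an unparseable client address fails closed, which is the ordering a practitioner wants from any rule engine of this kind.

```python
# Added example (not SAP code): a risk-based authentication policy of the kind the slide
# describes, evaluated over the contextual information it lists (client IP address, user
# roles, whether a client certificate was presented). Standard library only.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    user: str
    client_ip: str        # the address the authentication server itself observed
    roles: frozenset      # e.g. frozenset({"ADMIN"}) or frozenset({"USER"})
    client_cert: bool     # True if the first step was X.509 client authentication,
                          # False if it was a password


DENY, ALLOW, STEP_UP = "deny", "allow", "require_second_factor"


def _parse_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def evaluate(ctx: AuthContext, allowed_networks, admin_roles=frozenset({"ADMIN"})):
    """Return (decision, reasons). Deny rules run first, then step-up rules, then allow."""
    reasons = []
    # Rule 1: allow access only from configured IP ranges; an unparseable address fails closed.
    try:
        ip = ipaddress.ip_address(ctx.client_ip)
    except ValueError:
        return DENY, ["client IP could not be parsed"]
    if not any(ip in net for net in _parse_networks(allowed_networks)):
        return DENY, [f"client IP {ip} outside allowed ranges"]
    # Rule 2: enforce two-factor authentication for administrators.
    if ctx.roles & admin_roles:
        reasons.append("administrative role requires second factor")
    # Rule 3: a password first step gets a second factor; a client certificate does not.
    if not ctx.client_cert:
        reasons.append("password-based first step requires second factor")
    if reasons:
        return STEP_UP, reasons
    return ALLOW, ["certificate-based logon from a trusted network"]


if __name__ == "__main__":
    corporate = ["10.0.0.0/8", "192.168.0.0/16"]   # sample ranges, constructed for this example
    for ctx in (AuthContext("alice", "10.1.2.3", frozenset({"USER"}), True),
                AuthContext("alice", "10.1.2.3", frozenset({"USER"}), False),
                AuthContext("root", "192.168.5.5", frozenset({"ADMIN"}), True),
                AuthContext("alice", "203.0.113.9", frozenset({"USER"}), True)):
        print(ctx.user, ctx.client_ip, evaluate(ctx, corporate))
```

The IP rule is only as good as the address it sees: behind a reverse proxy or web dispatcher the server must take the client address from a header it trusts that proxy to set, never from a value the client can supply, or rule 1 becomes a formality. The same holds for the "client certificate present" signal, which has to come from the server's own TLS or SNC layer rather than from anything in the request body.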
Digital signatures on the desktop
Use cases for digital signatures
▪ Authenticity: Confirm that a document was created by a known sender
▪ Integrity: Confirm that a document was not tampered with during transmission
▪ Non-repudiation: Provide the means for a binding signature that cannot be denied afterwards
Enhanced client support
▪ In the past, client-side digital signatures required SAP GUI for Windows
▪ SAP Single Sign-On 3.0 introduces a web signer interface that allows an application to perform client-side digital signatures from a web page, using plain JavaScript
Benefits
▪ Client-side digital signatures can be triggered from web applications
▪ The JavaScript interface is supported by all modern web browsers
▪ Based on the Secure Login Client, available on Windows and macOS

Support for macOS
Secure Login Client (SLC) for macOS brings single sign-on based on X.509 certificates to the macOS platform.
Secure Login Server integration
▪ SLC supports the enrollment of certificates from Secure Login Server to macOS desktop systems
Multi-factor authentication
▪ Advanced authentication capabilities such as multi-factor authentication and risk-based authentication are available on macOS
Browser integration
▪ Customers can enroll certificates from Safari on macOS, using the Secure Login Web Client
▪ Customers can perform digital signatures on the desktop, triggered from a UI5 web application running in Safari on macOS
Cryptographic capabilities: SAP CommonCryptoLib
FIPS 140-2 certification
The Federal Information Processing Standard (FIPS) 140-2 is defined by the National Institute of Standards and Technology (NIST) and specifies security requirements for cryptographic modules.
Certification details (Cert# 2900): https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2900
FIPS 140-2 validation certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertMay2017.pdf
A CMVP validation applies to the module version and operating environments listed on the certificate, so check that the CommonCryptoLib version actually shipped with your kernel, and its FIPS mode configuration, match what the certificate covers.
Hybrid landscapes
SAP products for secure authentication and single sign-on
How to decide on the right solution
SAP offers two products:
• SAP Single Sign-On
• SAP Cloud Platform Identity Authentication

SAP Single Sign-On
• Consumption model: On-premise; some capabilities require a dedicated on-premise server and desktop client
• SSO technologies: Kerberos, X.509, SAML
• Supported clients: SAP desktop clients, browser
• Specific capabilities: Digital signatures, certificate lifecycle management, Hardware Security Module support

SAP Cloud Platform Identity Authentication
• Consumption model: Cloud subscription, run by SAP, zero footprint
• SSO technologies: SAML, OpenID Connect
• Supported clients: Browser
• Specific capabilities: User management, self-services, branding

Single sign-on technologies in a hybrid system landscape
Technical implications
Cloud applications
• SAML: Support for browser applications; no device or network requirements; requires initial user authentication to the identity provider
• X.509 certificates: Requires steps on the end-user desktop for certificate enrollment; requires a custom domain for TLS client authentication to public cloud services
• Kerberos/SPNEGO: Requires the end-user device to be inside a Windows domain; requires configuration on the cloud service and in Active Directory
On-premise applications
• SAML: Support for browser applications; no device or network requirements; requires initial user authentication to the identity provider
• X.509 certificates: Support for web and desktop applications; very flexible; supports fully automated authentication
• Kerberos/SPNEGO: Support for web and desktop applications; very easy setup; supports fully automated authentication

Combining single sign-on solutions in a hybrid system landscape
The best of both worlds can be achieved by combining technologies.
• Use SAP Cloud Platform Identity Authentication for browser applications, on-premise and in the cloud
• Use SAP Single Sign-On with X.509 certificates or Kerberos for desktop clients on-premise
• For access from on-premise desktops to cloud services, automate authentication to SAP Cloud Platform Identity Authentication by using Kerberos or X.509 certificates*
* SAP Cloud Platform Identity Authentication supports Kerberos/SPNEGO. X.509 support is a roadmap topic.
Summary
SAP's comprehensive solutions for single sign-on enable efficient and secure authentication and access to business applications
Security
▪ Secure authentication and FIPS-certified cryptographic functions
▪ Risk-based authentication and two-factor authentication
▪ Digital signatures
Productivity
▪ Single sign-on to SAP and non-SAP applications
▪ Fast return on investment
Ready for the future
▪ Based on industry standards and state-of-the-art security functions
▪ Supporting hybrid and multi-vendor landscapes
▪ On-premise and in the cloud

Get more information
Welcome to the SAP Community: https://www.sap.com/community/topics/single-sign-on.html
Thank you. Contact information: Christian Cohrs Product Manager christian.cohrs@sap.com Martina Kirschenmann Product Manager martina.kirschenmann@sap.com
Follow us www.sap.com/contactsap © 2019 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. 
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices.