SAP Single Sign-On Overview Presentation

  • 8/11/2019 SAP Single Sign-On Overview Presentation

    1/34

    SAP Single Sign-On 2.0 Overview Presentation, June 2014

    2014 SAP AG or an SAP affiliate company. All rights reserved.

    Legal disclaimer

    This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

    Agenda

    SAP Portfolio

    Overview SAP Single Sign-On

    Single Sign-On Scenarios

    Architecture

    What's New in Support Package 03

    Recommendations

    Summary

    SAP Identity and Access Management Solutions

    Simplify and secure access

    SAP Single Sign-On

    Manage identities and permissions

    SAP Identity Management

    Identify a

    SAP Acc

    Compliant Identity and Access Management

    Overview SAP Single Sign-On

    Authenticate once and subsequently access SAP and non-SAP applications in a secure and user-friend

    Meet company and regulatory requirements.

    Improve security measures and protect your comp

    SAP Single Sign-On: What is it about?

    SAP Single Sign-On Benefits

    Security

    Reduce Co

    Simplicity

    SAP Single Sign-On Benefits in Detail

    Solve security and compliance issues caused by
      • Re-use of passwords
      • Password patterns
      • Trivial passwords
      • Passwords on post-it notes
      • Leaked passwords

    Solve productivity issues caused by
      • Large number of manual logins
      • Forgotten passwords
      • Help desk calls

    Only one secure (!) pto remember

    Only one password tand protect

    Automated login whwork

    Single Sign-On Scenarios

    Business User Expectations

    SAP GUI

    SAP NetWeaver Business Client

    Web Browser

    SAP Business Explorer

    Easy and secure access

    SAP Single Sign-On 2.0 Key Capabilities

    Single sign-on for SAP and non-SAP applications

    Support of proprietary SAP clients (e.g. SAP GUI)

    Secure network communication (SNC)

    SSO for cloud-based applications

    Based on standards like X.509 certificates, SPNEGO, Kerberos, SAML

    Password Manager C

    cross

    SAP and non-

    SAP Bu

    SAP Single Sign-On

    SAP

    SAP N

    Passw

    SAP Business Suite: Single Sign-On Based on Kerberos / SPNEGO

    SAP B

    SecureSecureSPNE

    MicroDirect

    Token

    SPNEavailaSAP Nreleas

    SAP Business Suite

    SAP NetWeaver

    SAP client (native)

    Web client

    SAP and Non-SAP Applications: Single Sign-On Based on X.509 Certificates

    SAP aSAP a

    SecurSecurSecur

    MicroDirecother

    Token

    certifi

    This omost clientRecomheterointran

    SAP Business Suite

    SAP NetWeaver

    Non-SAP Legacy systems

    SAP client (native)

    Web client

    Cloud and Cross-Company: Single Sign-On and Identity Federation Based on SAML

    SAP aapplic

    SAMLprovid

    MicroDirectother

    Token

    SAMLstandaapplicapplicto supstandaRecomextranpartne

    SAP / non-SAP Web applications

    Cloud applications

    Web client

    Web client

    Secure Storage of Remaining Passwords: Password Manager

    SAP aSAP a

    Passw

    Stand-

    Basedand pa

    Secureremainin a loProvidcapturcreden

    Architecture

    SAP Single Sign-On Components

    Secure Login Client
      • Client application
      • Manages security tokens (Kerberos tokens, X.509 certificates)

    Secure Login Server
      • Central service on SAP NetWeaver AS Java
      • Provides X.509 certificates to users and application servers

    Secure Login Library
      • Cryptography and security library for SAP NetWeaver AS ABAP

    Identity Provider
      • Central service on SAP NetWeaver AS Java
      • Provides SAML 2.0 assertions for Web-based SSO

    [Figure: flow with steps 1 to 3. Labels: Start SAP GUI or Browser; User Desktop; Windows Authentication; Kerberos Token; NW AS JAVA; DIAG, RFC (SNC); HTTPS (SPNEGO); Single Sign-On and Secure Communication]

    In a Nutshel

    Relies on I Authenticati

    Kerberos Secreated by MDirectory (A

    No additionlow TCO

    SAP backen

    the AD SPNEGO re

    version 7.02

    Kerberos/SPsupported b

    AS Java, HA

    Single Sign-On Based on Kerberos / SPNEGO

    [Figure labels: Microsoft Active Directory (AD); SAP GUI / NWBC / Browser; Secure Login Client; Client; Secure Login Library; SAP NetWeaver AS ABAP; SAP NetWeaver AS Java]

    [Figure: flow with steps 1 to 6. Labels: User Desktop; Sign into Secure Login Client profile; Authenticate; Provide X.509 Certificate; Verify User Credentials; NW AS JAVA; DIAG, RFC (SNC); HTTPS; Single Sign-On and Secure Communication; Secure Login Client; SAP GUI / Browser / NWBC]

    In a Nutshe

    Relies on Xvery maturtoken

    CertificateLogin Serv

    SLS providcertificatesrevocation

    Multiple wverification

    ABAP, UM

    Support foalso for legparty Web

    Secure Log AS Java

    Single Sign-On Based on X.509 Certificates

    [Figure labels: SAP GUI / NWBC / Browser; Secure Login Client; Client; Secure Login Server (SLS); SAP NetWeaver AS Java; NW AS JAVA; Secure Login Library; SAP NetWeaver AS ABAP; Authentication Server]

    Single Sign-On Based on SAML

    [Figure labels: Authenticate; Return SAML Assertion; HTTPS; Service Provider (SP)]

    In a Nutshe

    Relies on SMarkup Laassertions

    Industry stand cross-c

    Assertions Provider, r

    Authentica

    IDP or SP Multiple w

    credential v(SPNEGO

    ABAP, UM

    [Figure: flow with steps 1 to 5. Labels: User Desktop; Browser; Client; Single Sign-On and Secure Communication; NW AS JAVA; Identity Provider (IDP); SAP NetWeaver AS Java; Verify User Credentials; Authentication Server; Service Provider (SP)]

    What's New in Support Package 03

    Two-Factor Authentication with SAP Authenticator

    Two-Factor Authentication
      • Authentication with One-Time Passwords (OTP)
      • Provide two means of identification
      • OTP required for login in addition to password or security token
      • Second factor for high security scenarios

    Based on SAP Authenticator iOS Application
      • OTP (6-digit code) created on mobile device

    Usage Scenarios
      • Integrated with Secure Login Server (X.509) and Identity Provider (SAML)
      • Administrator configures SAP NetWeaver AS Java system to require two-factor authentication
      • For Web and SAP GUI scenarios

    SSO for SAP GUI for Java on Mac OS X

    Secure Login Client for Mac Client Computers
      • Mac OS X 10.7 or higher

    Usage Scenarios
      • Kerberos-based authentication
      • X.509 certificates
      • For SAP GUI scenarios

    RFID-Based User Identification

    Identify Users with RFID Token (Radio Frequency Identification)
      • Only privileged persons have physical access
      • Instant user identification with RFID token
      • Based on X.509 certificates

    Usage Scenarios
      • Warehouse and production scenarios
      • Kiosk/terminal computers

    Hardware Security Module Support

    Hardware Security Module Support for Digital Signatures

    Store Private Keys in Hardware
      • Protect Secure Login Server Certificate Authority
      • Protect private keys for digital signatures (Secure Store and Forward, SSF)
      • Performance acceleration

    SafeNet

    Thales

    Recommendations

    Recommendations

    Identify the most critical systems. Which systems contain your most sensitive business information? How many people have access to them? Define your overall single sign-on strategy and start with these critical business systems.

    Understand the different modules of SAP Single Sign-On and analyze your system landscape to determine which SSO standards can be used. If your organization does not have the appropriate resources and know-how, involve SAP Consulting or SAP partners.

    Passwords are often the weakest link in enterprises. Prevent the usage of passwords by relying on standards such as SAML, X.509 certificates, or Kerberos. SAP Single Sign-On offers solutions for all of these standards.

    Once you have implemented single sign-on, start enforcing strong passwords in the related systems. Mid-term strategy: Consider disabling user name/password authentication in critical business systems.

    Provide a tool to store remaining passwords (such as the Password Manager component of SAP Single Sign-On).

    Summary

    Summary

    SAP Single Sign-On is a Single Sign-On Suite that supports SAP as well as non-SAP applications.

    It offers
      • Investment protection
      • Flexibility
      • Single sign-on for heterogeneous system landscapes

    What are the main business drivers?
      • Protect business, reputation and trust
      • Lower password related costs
      • Simplicity and agility

    Get More Information

    Get more information, videos and updates: http://scn.sap.com/community/sso

    Community Network
      • http://scn.sap.com/community/sso
      • http://scn.sap.com/docs/DOC-26724

    Thank you

    Contact information:

    Product Management
    SAP AG

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG or an SAP affiliate company.

    SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark i

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    National product specifications may vary.

    These materials are provided by SAP AG or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP AG or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP AG or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    In particular, SAP AG or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP AG's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP AG or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.