For more info: http://scn.sap.com/community/sso. SAP Single Sign-On enables companies to eliminate the need for multiple passwords and user IDs. Centralize and simplify the way users log on to systems and applications. Lower the risks of unsecured login information, reduce help desk calls, and help ensure the confidentiality and security of personal and company data.
SAP Single Sign-On 2.0 – Overview Presentation, June 2014 (Public)
© 2014 SAP AG or an SAP affiliate company. All rights reserved. Public
Legal disclaimer
This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
SAP Portfolio
Overview SAP Single Sign-On
Single Sign-On Scenarios
Architecture
What's New in Support Package 03
Recommendations
Summary
SAP Portfolio
SAP Identity and Access Management Solutions
Simplify and secure access: SAP Single Sign-On
Manage identities and permissions: SAP Identity Management
Identify and mitigate risks: SAP Access Control
Together: Compliant Identity and Access Management
Overview SAP Single Sign-On
SAP Single Sign-On – What is it about?
Authenticate once and subsequently access SAP and non-SAP applications in a secure and user-friendly way.
Meet company and regulatory requirements.
Improve security measures and protect your company.
SAP Single Sign-On – Benefits
Security
Reduce Costs
Simplicity
SAP Single Sign-On – Benefits in Detail
Solve security and compliance issues caused by:
• Re-use of passwords
• Password patterns
• Trivial passwords
• Passwords on post-it notes
• Leaked passwords
Solve productivity issues caused by:
• Large number of manual logins
• Forgotten passwords
• Help desk calls
Result:
• Only one secure (!) password to remember
• Only one password to store and protect
• Automated login while you work
Single Sign-On Scenarios
Business User Expectations
Easy and secure access from SAP GUI, SAP NetWeaver Business Client, Web browser, SAP Business Explorer, …
SAP Single Sign-On 2.0 – Key Capabilities
• Single sign-on for SAP and non-SAP applications
• Support of proprietary SAP clients (e.g. SAP GUI)
• Secure network communication (SNC)
• SSO for cloud-based applications
• Based on standards like X.509 certificates, SPNEGO, Kerberos, SAML
• Password Manager
Diagram: SAP Single Sign-On spanning SAP Business Suite, SAP HANA and SAP NetWeaver, SAP and non-SAP applications, cloud and cross-company scenarios, and the Password Manager
SAP Business Suite – Single Sign-On Based on Kerberos / SPNEGO
Components: Secure Login Client, Secure Login Library, SPNEGO for ABAP
Authentication backend: Microsoft Active Directory
Token: Kerberos
Clients: SAP client (native), Web client
Targets: SAP Business Suite, SAP NetWeaver
Note: SPNEGO only available in newer SAP NetWeaver releases
SAP and Non-SAP Applications – Single Sign-On Based on X.509 Certificates
Components: Secure Login Client, Secure Login Server, Secure Login Library
Authentication backend: Microsoft Active Directory, LDAP, other login modules
Token: X.509 certificate
Clients: SAP client (native), Web client
Targets: SAP Business Suite, SAP NetWeaver, non-SAP legacy systems
Note: This option supports most platforms and clients. Recommended for heterogeneous and intranet scenarios.
Cloud and Cross-Company – Single Sign-On and Identity Federation Based on SAML
Components: SAML identity provider
Authentication backend: Microsoft Active Directory, LDAP, other login modules
Token: SAML
Clients: Web client
Targets: SAP / non-SAP Web applications, cloud applications
Note: SAML is a public standard for Web applications. The application server has to support the standard. Recommended for extranet scenarios and partner integration.
Secure Storage of Remaining Passwords – Password Manager
Component: Password Manager (stand-alone)
Based on user name and password
Note: Secure storage of remaining passwords in a local client. Provides automatic capture of login credentials.
Architecture
SAP Single Sign-On – Components
• Secure Login Client: client application; manages security tokens (Kerberos tokens, X.509 certificates)
• Secure Login Server: central service on SAP NetWeaver AS Java; provides X.509 certificates to users and application servers
• Secure Login Library: cryptography and security library for SAP NetWeaver AS ABAP
• Identity Provider: central service on SAP NetWeaver AS Java; provides SAML 2.0 assertions for Web-based SSO
Single Sign-On Based on Kerberos / SPNEGO
Diagram (flow): (1) User desktop: start SAP GUI or browser; (2) Windows authentication: Kerberos token from Microsoft Active Directory (AD); (3) single sign-on and secure communication via DIAG, RFC (SNC) and HTTPS (SPNEGO). Components: client (SAP GUI / NWBC / browser with Secure Login Client), SAP NetWeaver AS ABAP (Secure Login Library), SAP NetWeaver AS Java, Microsoft Active Directory (AD).
In a Nutshell
• Relies on "Integrated Windows Authentication"
• Kerberos security token created by Microsoft Active Directory (AD)
• No additional server required, low TCO
• SAP backend needs to trust the AD
• SPNEGO requires ABAP version 7.02 or higher
• Kerberos/SPNEGO SSO supported by e.g. AS ABAP, AS Java, HANA DB, …
Single Sign-On Based on X.509 Certificates
Diagram (flow): (1) User desktop: sign into Secure Login Client profile; (2) authenticate against the Secure Login Server (SLS) on SAP NetWeaver AS Java; (3) SLS verifies user credentials with the authentication server; (4) SLS provides X.509 certificate; (5, 6) single sign-on and secure communication via DIAG, RFC (SNC) to SAP NetWeaver AS ABAP (Secure Login Library) and via HTTPS to SAP NetWeaver AS Java. Components: client (SAP GUI / NWBC / browser with Secure Login Client), Secure Login Server (SLS), authentication server.
In a Nutshell
• Relies on X.509 certificate, a very mature standard security token
• Certificates created by Secure Login Server (or other PKI)
• SLS provides short-lived certificates, no overhead for revocation management
• Multiple ways of user credential verification (SPNEGO, LDAP, ABAP, UME, ...)
• Support for SAP backends, but also for legacy systems, 3rd party Web applications, …
• Secure Login Server requires AS Java
Single Sign-On Based on SAML
Diagram (flow): (1) User desktop: browser; (2) authenticate against the Identity Provider (IDP) on SAP NetWeaver AS Java; (3) IDP verifies user credentials with the authentication server; (4) IDP returns SAML assertion; (5) single sign-on and secure communication via HTTPS to the Service Providers (SP). Components: client (browser), Identity Provider (IDP), authentication server, Service Providers (SP).
In a Nutshell
• Relies on Security Assertion Markup Language (SAML) assertions as security token
• Industry standard for cloud and cross-company scenarios
• Assertions created by Identity Provider, running on AS Java
• Authentication initiated by IDP or SP
• Multiple ways of user credential verification (SPNEGO, LDAP, ABAP, UME, ...)
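What the Service Provider (SP) side of the SAML flow above has to check before it trusts an assertion as a security token, as an added example that is not part of the original presentation and not SAP's code. The assertion, issuer and audience URLs are constructed placeholders; verification of the IdP's XML signature, which must happen first, is out of scope here.

```python
"""Service-provider checks on a SAML 2.0 assertion (added example, stdlib only)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer and audience URLs are placeholders.
# The IdP's XML signature is omitted: a real SP verifies it first, with the
# IdP certificate from its metadata, before running any of the checks below.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_id-constructed-0001" IssueInstant="2014-06-01T10:00:00Z">
  <saml:Issuer>https://idp.example.invalid/saml2/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T10:00:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, own_entity_id, now_stamp,
                       seen_ids, skew_seconds=60):
    """Return (True, name_id) on success or (False, reason) on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer"            # token from a different IdP
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity conditions"
    now, skew = parse_utc(now_stamp), timedelta(seconds=skew_seconds)
    if now + skew < parse_utc(cond.get("NotBefore")) or now - skew >= parse_utc(cond.get("NotOnOrAfter")):
        return False, "outside validity window"     # expired or not yet valid
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if own_entity_id not in audiences:
        return False, "audience mismatch"           # issued for another SP
    if root.get("ID") in seen_ids:
        return False, "replayed assertion"          # same assertion presented twice
    seen_ids.add(root.get("ID"))                    # remember ID until NotOnOrAfter
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```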
What's New in Support Package 03
Two-Factor Authentication with SAP Authenticator
Two-Factor Authentication
• Authentication with one-time passwords (OTP): provide two means of identification
• OTP required for login in addition to password or security token; second factor for high security scenarios
• Based on SAP Authenticator iOS application; OTP (6-digit code) created on mobile device
Usage Scenarios
• Integrated with Secure Login Server (X.509) and Identity Provider (SAML)
• Administrator configures SAP NetWeaver AS Java system to require two-factor authentication
• For Web and SAP GUI scenarios
SSO for SAP GUI for Java on Mac OS X
Secure Login Client for Mac client computers (Mac OS X 10.7 or higher)
Usage Scenarios
• Kerberos-based authentication
• X.509 certificates
• For SAP GUI scenarios
RFID-Based User Identification
Identify users with RFID token (Radio Frequency Identification)
• Only privileged persons have physical access
• Instant user identification with RFID token
• Based on X.509 certificates
Usage Scenarios
• Warehouse and production scenarios
• Kiosk/terminal computers
Hardware Security Module Support
Hardware Security Module support for digital signatures
• Store private keys in hardware
• Protect Secure Login Server Certificate Authority
• Protect private keys for digital signatures (Secure Store and Forward, SSF)
• Performance acceleration
Supported vendors: SafeNet, Thales
Recommendations
Recommendations
Identify the most critical systems. Which systems contain your most sensitive business information? How many people have access to them? Define your overall single sign-on strategy and start with these critical business systems.
Understand the different modules of SAP Single Sign-On and analyze your system landscape to determine which SSO standards can be used. If your organization does not have the appropriate resources and know-how, involve SAP Consulting or SAP partners.
Passwords are often the weakest link in enterprises. Prevent the usage of passwords by relying on standards such as SAML, X.509 certificates, or Kerberos. SAP Single Sign-On offers solutions for all of these standards.
Once you have implemented single sign-on, start enforcing strong passwords in the related systems. Mid-term strategy: consider disabling user name/password authentication in critical business systems.
Provide a tool to store remaining passwords (such as the Password Manager component of SAP Single Sign-On).
Summary
Extensible Technology – Ready for the Future
Diagram: SAP Business Suite; SAP and non-SAP applications; cloud and cross-company
Summary
SAP Single Sign-On is a "Single Sign-On Suite" that supports SAP as well as non-SAP applications.
It offers
• Investment protection
• Flexibility
• Single sign-on for heterogeneous system landscapes
What are the main business drivers?
• Protect business, reputation and trust
• Lower password related costs
• Simplicity and agility
Get More Information
Get more information, videos and updates in the SAP Community Network: http://scn.sap.com/community/sso
Thank you
Contact information: Product Management, SAP AG
© 2014 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP AG or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP AG or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP AG or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP AG's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP AG or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.