© 2015 SAP SE or an SAP affiliate company. All rights reserved. Public 2
Speakers
Christian Cohrs, Area Product Owner
SAP TechEd 2015: Las Vegas, Oct 19 - 23; Barcelona, Nov 10 - 12
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
Agenda
Product overview SAP Single Sign-On
Main scenarios and recommendations
Capabilities
SAP Security products
In the IT application security product portfolio
Covered platforms: SAP Business Suite, SAP Cloud Applications, SAP Mobile Applications, 3rd-party systems, SAP HANA Cloud Platform, SAP NetWeaver Application Server
SAP Single Sign-On: Make it simple for users to do what they are allowed to do.
SAP Identity Management: Know your users and what they can do.
SAP Access Control: Ensure corporate compliance to regulatory requirements.
Platform Security: Make sure that SAP solutions run securely.
SAP Enterprise Threat Detection: Counter possible threats and identify attacks.
SAP Code Vulnerability Analysis: Find and correct vulnerabilities in customer code.
SAP Cloud Identity service
SAP Single Sign-On
Security, Productivity, Simplicity
SAP Single Sign-On
Benefits in detail
Security
With just one password to remember, a strong password policy is finally feasible
No more need for password reminders on post-it notes
All passwords stored in one protected, central place
Productivity
Increased efficiency for users who only need to remember one password
Higher productivity due to reduced efforts for manual authentication, password reset, helpdesk interaction,…
Simplicity
Lean product, fast implementation project, quick ROI
No more efforts to provision, protect and reset passwords across many systems
SAP Single Sign-On
Product description
SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.
Simple and secure access
Single sign-on for native SAP clients and web applications
Single sign-on for mobile devices
Support for cloud and on-premise landscapes
Secure data communication
Encryption of data communication for SAP GUI
Digital signatures
FIPS 140-2 certification of security functions
Advanced security capabilities
Two-factor authentication
Risk-based authentication using access policies
RFID-based authentication
SAP Single Sign-On for SAP Business Suite
Single sign-on based on Kerberos / SPNEGO
Components: Secure Login Client, CommonCryptoLib, SPNEGO for ABAP, Microsoft Active Directory
Token: Kerberos
SPNEGO is only available in newer SAP NetWeaver releases
Target systems: SAP Business Suite, SAP NetWeaver
Clients: SAP GUI, SAP NetWeaver Business Client, Analysis for Office, …
SAP Single Sign-On for SAP and non-SAP applications
Single sign-on based on X.509 certificates
Components: Secure Login Client, Secure Login Server (or own PKI), CommonCryptoLib
User stores / login modules: Microsoft Active Directory, ABAP, LDAP, other login modules
Token: X.509 certificate
This option supports most platforms and clients.
Recommended for heterogeneous and intranet scenarios
Target systems: SAP Business Suite, SAP NetWeaver, non-SAP systems, legacy systems
Clients: SAP GUI, SAP NetWeaver Business Client, Analysis for Office, …
SAP Single Sign-On for cloud and cross-company scenarios
Single sign-on and identity federation based on SAML
Target systems: SAP and non-SAP applications
Components: SAP Identity Provider
Token: SAML
SAP Single Sign-On
State of the art capabilities
• Encryption: AES 256-bit, RSA
• Digital signatures: ECDSA, RSA
• Key exchange: Diffie-Hellman with elliptic curves
• Hash function: SHA-2 (up to SHA-512)
• Perfect Forward Secrecy for TLS with ECDHE
• Elliptic curves: P-224, P-256, P-384, P-521
• See SAP Note 2004653 for complete list of capabilities
FIPS 140-2 certification
• Received in January 2015 for the crypto kernel of CommonCryptoLib
• Mandatory for customers in some industries
SAP Single Sign-On
Digital signatures
Benefits of digital signatures
Confirm that a document was created by a known sender
Confirm that a document was not tampered with during transmission
Provide the means for a binding signature that cannot be denied afterwards
Usage with SAP NetWeaver AS ABAP
Based on Secure Store & Forward (SSF) interface
Server-side digital signatures: supported by SAP CommonCryptoLib
SAP Single Sign-On includes support for Hardware Security Modules
Client-side digital signatures: supported by Secure Login Client for SAP GUI
More information on SAP Help Portal and SAP Service Marketplace:
Digital Signing with Secure Store and Forward (SSF)
Digital Client Signature
Digital Signatures (SSF) with a Hardware Security Module
SAP Single Sign-On
Two-factor authentication
Authentication requires two means of identification:
Knowledge of a password
Possession of a physical device, such as a cell phone
Options for the second factor
SAP Authenticator mobile app
– Generates one-time passwords (RFC 6238 compatible)
– Available for iOS and Android
One-time password sent using SMS
One-time password sent using e-mail
RSA / RADIUS
Usage scenarios
Recommended for scenarios with special security requirements
SAP Single Sign-On
Risk-based authentication based on context
Risk-based enforcement of stronger authentication
Example: for user access from outside the corporate network, two-factor authentication is required
Diagram: intranet (corporate LDAP), DMZ, SAP Identity Provider or Secure Login Server, 2FA token
• Evaluate context such as IP address, user roles, device, …
• Accept access, deny access or enforce 2FA
• Return SSO token (SAML or X.509)
SAP Single Sign-On
Limit business functionality based on context
Runtime: the SAP Application Server checks the access policy and handles access restrictions (diagram: the SAML assertion carries the policy information to the application server)
Temporarily reduce user roles and authorizations for the session on AS Java
Extend customer exits in applications on AS ABAP to allow risk-based authorization checks, e.g. for admin tasks or data download
Risk-based authorization handling
• Relies on SAP Identity Provider, using SAML 2.0
• Access policy information added to SAML assertion after authentication
• On AS Java, dynamic reduction of available roles based on access policy. See SAP Note 2151025.
• On AS ABAP, access policy information available in security session. See SAP Note 2057832.
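The two risk-based slides describe one flow: evaluate the login context (IP address, roles, device), decide between accept, deny and step-up to 2FA, and then pass access-policy information to the application so it can reduce what the session may do. The following is an added illustration of that flow in Python; it is not SAP code and not the SAP Identity Provider's policy engine. The network ranges, the role names, the rule set and the attribute names (restrict_download, effective_roles) are constructed for the example.

```python
# Added example: a minimal access-policy evaluator in the spirit of the slides
# (context -> accept / deny / enforce 2FA, plus policy attributes that a SAML
# assertion could carry and that AS Java / AS ABAP could use to reduce rights).
# Not SAP code; networks, role names and rules below are constructed for the demo.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: address ranges treated as "inside the corporate network".
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Constructed: roles that count as privileged for this policy.
PRIVILEGED_ROLES = {"Z_SAP_ADMIN", "Z_DATA_EXPORT"}


@dataclass
class AccessContext:
    """What the identity provider knows at authentication time."""
    user: str
    source_ip: str
    roles: Set[str]
    managed_device: bool              # e.g. device enrolled in corporate device management
    second_factor_verified: bool = False


@dataclass
class PolicyDecision:
    action: str                        # "ALLOW", "DENY" or "REQUIRE_2FA"
    effective_roles: Set[str] = field(default_factory=set)
    # Attributes the IdP would add to the SAML assertion for the application.
    assertion_attributes: Dict[str, object] = field(default_factory=dict)


def evaluate_access_policy(ctx: AccessContext) -> PolicyDecision:
    """Evaluate the access policy for one login attempt.

    Order matters: hard denies first, then step-up authentication, then
    the risk-based reduction of what the session may do."""
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        # Unparseable client address: fail closed rather than guess.
        return PolicyDecision("DENY", assertion_attributes={"policy": "deny-bad-address"})

    inside = any(ip in net for net in CORPORATE_NETWORKS)
    risk: List[str] = []
    if not inside:
        risk.append("external_network")
    if not ctx.managed_device:
        risk.append("unmanaged_device")
    privileged = bool(ctx.roles & PRIVILEGED_ROLES)

    # Rule 1: privileged users on unmanaged devices outside the network are refused.
    if privileged and not inside and not ctx.managed_device:
        return PolicyDecision("DENY", assertion_attributes={
            "policy": "deny-privileged-external-unmanaged", "risk": risk})

    # Rule 2: any risk indicator enforces two-factor authentication (step-up).
    if risk and not ctx.second_factor_verified:
        return PolicyDecision("REQUIRE_2FA", assertion_attributes={"policy": "step-up", "risk": risk})

    # Rule 3: allowed, but from outside the network privileged roles are removed for
    # this session (the AS Java style reduction) and a flag tells the application's
    # customer exits to block data download (the AS ABAP style authorization check).
    effective = set(ctx.roles)
    if not inside:
        effective -= PRIVILEGED_ROLES
    attrs = {
        "policy": "allow",
        "risk": risk,
        "network": "intranet" if inside else "external",
        "restrict_download": not inside,
        "effective_roles": sorted(effective),
    }
    return PolicyDecision("ALLOW", effective, attrs)


if __name__ == "__main__":
    for ctx in (AccessContext("alice", "10.1.2.3", {"Z_SAP_ADMIN", "Z_USER"}, True),
                AccessContext("alice", "203.0.113.7", {"Z_USER"}, True),
                AccessContext("alice", "203.0.113.7", {"Z_SAP_ADMIN", "Z_USER"}, True, True)):
        print(ctx.user, ctx.source_ip, "->", evaluate_access_policy(ctx).action)
```

The decision object separates the authentication verdict (action) from what the application later receives (assertion_attributes), which is the split the slides draw between the identity provider and the application server. Invalid input (an unparseable address) is treated as a deny, so a broken proxy header never results in a lower-risk classification.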
SAP Single Sign-On
Mobile single sign-on with SAP Authenticator
Details
Relies on time-based one-time passwords for authentication
SAP Authenticator apps available for iOS and Android
Self-registration for end users
Administrative user interfaces
Usage scenarios
Single sign-on for web applications
Single sign-on for Fiori native client (see SCN blog for details)
Alternative options
SAP Single Sign-On
RFID-based user identification
Identify users with an RFID (Radio Frequency Identification) token
Instant user identification with RFID token
Single sign-on based on X.509 certificates
Usage Scenarios
Warehouse and production scenarios
Kiosk/terminal computers
Technical integration
Identification data stored in Microsoft Active Directory
Certificate Lifecycle Management
Planned innovation, subject to change
Scope
The security capabilities of the Application Server ABAP are often based on certificates
When customers have a security policy that defines a short certificate validity, certificates expire on a regular basis and need to be updated
Certificate Lifecycle Management helps manage the renewal of certificates, reduces the manual effort and prevents downtime
Registration of Application Server ABAP with Secure Login Server
Administrator establishes a trust relationship between AS ABAP and Secure Login Server
Administrator configures, for each relevant certificate, the corresponding Secure Login Server profile
Automated renewal of certificates
Scheduled ABAP report checks the local Application Server ABAP for certificates that are about to expire
ABAP report retrieves the renewed certificate from Secure Login Server and installs it
Benefit
No more manual steps required
SAP supported solution
Mitigate risk of unexpected downtime
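The first step of the automated renewal, finding certificates that are about to expire, is the part that a practitioner can reproduce anywhere. The block below is an added Python illustration of that check, not SAP's ABAP report and not Secure Login Server code: it reads the validity period straight out of a DER-encoded X.509 certificate (walking the RFC 5280 tbsCertificate up to the validity field, including the UTCTime two-digit year pivot) and decides whether renewal is due within a lead time. Because it must run offline, the sample certificate it examines is a constructed, unsigned skeleton built by build_sample_cert; the issuer name, serial number and lead time are placeholders.

```python
# Added example: the "which certificates are about to expire" check from the slide,
# done on raw DER so that it needs no third-party library. Not SAP's ABAP report;
# the certificate skeleton built here is constructed, unsigned, and only has the
# fields the check reads (RFC 5280 tbsCertificate up to the validity field).
import datetime as dt


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element (used only to build the sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def read_tlv(buf: bytes, pos: int):
    """Decode the DER element at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_asn1_time(tag: int, content: bytes) -> dt.datetime:
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ).
    RFC 5280 4.1.2.5.1: two-digit years 50..99 mean 1950..1999, 00..49 mean 2000..2049."""
    s = content.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("certificates must use Zulu time with seconds")
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=dt.timezone.utc)


def certificate_validity(cert_der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    tag2, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate SEQUENCE")
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version, absent in v1 certificates
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber")
    _, _, pos = read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)       # issuer Name
    tag, validity, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected validity SEQUENCE")
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return parse_asn1_time(t1, nb), parse_asn1_time(t2, na)


def renewal_due(cert_der: bytes, now: dt.datetime, lead_days: int = 14) -> bool:
    """True when the certificate expires within lead_days (or has already expired),
    i.e. when the scheduled job should request a renewed certificate. lead_days is
    a placeholder; pick it from the renewal profile in a real deployment."""
    _, not_after = certificate_validity(cert_der)
    return not_after - now <= dt.timedelta(days=lead_days)


def build_sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed, unsigned certificate skeleton for the demo (not a usable cert)."""
    def asn1_time(s: str) -> bytes:
        return der_tlv(0x18 if len(s) == 15 else 0x17, s.encode("ascii"))
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    issuer = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") +
                                                  der_tlv(0x0c, b"Example SLS CA"))))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01\x02\x03")
                  + sig_alg + issuer + der_tlv(0x30, asn1_time(not_before) + asn1_time(not_after)))
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))
```

In a real run the bytes would come from the server's PSE files or a DER export of each certificate, and the job would be scheduled with a lead time longer than the renewal round trip, so the renewed certificate is installed before the old one lapses. The parser deliberately rejects unsupported length encodings and truncated elements instead of guessing, which is the safer failure for a job that decides whether something is "still valid".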
Summary
SAP Single Sign-On offers a suite of security and productivity capabilities, for SAP as well as non-SAP applications
It offers
• Investment protection
• Flexibility
• Single sign-on for heterogeneous system landscapes
What are the main business drivers?
• Protect business, reputation and trust
• Lower password related costs
SAP TechEd Online
Continue your SAP TechEd education after the event!
http://sapteched.com/online
Access replays of keynotes, Demo Jam, SAP TechEd live interviews, select lecture sessions, and more!
Further Information
Related SAP TechEd sessions:
SEC806 - Roadmap Q&A SAP Single Sign-On
SEC162 - Single Sign-On and Authorizations for SAP Fiori Made Simple (Hands-On)
SEC263 - Risk-Based Authentication for SAP Fiori and SAP Portal (Hands-On)
SEC700 - Risk-Based Authentication in Action (Code review)
TEC102 - Security Strategy Overview
SEC106 - The Cloud Solution for Authentication, Single Sign-On and User Management
SAP Public Web
http://scn.sap.com/community/sso
http://www.sap.com/pc/tech/security/software/single-sign-on/index.html
SAP Education and Certification Opportunities
www.sap.com/education
Watch SAP TechEd Online
Thank you
Contact information:
Christian Cohrs, Area Product Owner SAP Single Sign-On
Regine Schimmer, Product Management SAP Single Sign-On
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future