SAP Single Sign-On 2.0: Overview Presentation


SAP Single Sign-On 2.0
Overview Presentation
July 2015, Public
Agenda

SAP Security Portfolio


Overview SAP Single Sign-On
Single Sign-On Main Scenarios
Capabilities
Summary

2015 SAP SE or an SAP affiliate company. All rights reserved. Public 2


SAP Security Portfolio
Secure your digital assets
Your security and compliance solutions for on-premise, on-demand and on-device

Covered landscapes: SAP Business Suite, SAP Cloud Applications, SAP Mobile Applications, 3rd party systems

Authentication and Single Sign-On: Make it simple for your users to do what they're allowed to do.
Governance, Risk and Compliance: Ensure corporate compliance to regulatory requirements.
Identity Management: Making sure you know your users and what they can do.
Enterprise Threat Detection: Making sure to counter possible threats and identify attacks.

70% faster onboarding of new hires
70% reduction of password related help desk calls



Security Products
SAP's Portfolio of IT Application Security Products

IT application security areas, the capabilities in each, and the SAP products that cover them:

Identity, governance and administration (IAM): Manage identity lifecycle, Segregation of duties, Emergency access, Role management, Risk mgmt, Reporting
  Products: SAP Identity Management, SAP Access Control

Authentication and single sign-on (IAM): Single sign-on, Secure network communication, Central access policies, 2-factor authentication
  Products: SAP Single Sign-On, SAP Cloud Identity

Security for mobile end points: Apps, Devices, Content, Ent. App Store
  Product: SAP Mobile Secure

Code vulnerabilities: Find vulnerabilities in customer code
  Product: SAP NetWeaver AS, add-on for code vulnerability analysis

Threat management: Detect cyber crime attacks based on user behavior
  Product: SAP Enterprise Threat Detection

Platform security features & functions: User mgmt, Connectivity, Authentication, Encryption, Digital Sigs, WS Security
  Products: SAP HANA, SAP NetWeaver Application Server


Overview SAP Single Sign-On
SAP Single Sign-On
Benefits

Single Sign-On: authenticate once and subsequently access SAP and non-SAP applications in a secure and user-friendly way
From Anywhere: from your mobile devices, from outside the corporate network, etc.
Security: improve security measures and meet company and regulatory requirements
Low Cost: leverage the benefits of quick implementation and low cost of ownership


SAP Single Sign-On Benefits

Security

Reduce Costs

Simplicity
SAP Single Sign-On Benefits in Detail

Security
With just one password to remember, a strong password policy is finally feasible
No more need for password reminders on post-its
All passwords kept in one protected, central place

Reduce Costs
Efficiency gains for users that only need to remember one password
Higher productivity due to reduced efforts for manual authentication, password reset, helpdesk interaction, ...

Simplicity
Lean product, fast implementation project, quick ROI
No more efforts to provision, protect and reset passwords across many systems
No more efforts to manage password policies across many systems



SAP Single Sign-On Product Description

SAP Single Sign-On provides simple and secure access to IT applications for business users, encrypts company data and optionally provides advanced security to protect important business applications.

Simple and secure access
Single sign-on for native SAP clients and web applications
Single sign-on for mobile devices
Support for cloud and on-premise landscapes

Secure data communication
Encryption of data communication for SAP GUI
Digital signatures
FIPS 140-2 certification of security functions

Advanced security capabilities
Two-factor authentication
Risk-based authentication using access policies
RFID-based authentication
Hardware security module support


Single Sign-On Main Scenarios
SAP Business Suite
Single Sign-On Based on Kerberos / SPNEGO

Clients: SAP clients (SAP GUI, Business Client, RFC based clients) with Secure Login Client and CommonCryptoLib; Web browser with SPNEGO for ABAP
Target: SAP Business Suite on SAP NetWeaver
Authentication source: Microsoft Active Directory
Token: Kerberos
Note: SPNEGO only available in newer SAP NetWeaver releases


SAP Business Suite
Single Sign-On Based on Kerberos / SPNEGO

Flow:
1. User Desktop: Windows Kerberos authentication token obtained from Microsoft Active Directory (AD)
2. Start SAP GUI or Browser (client: SAP GUI, NWBC, RFC clients, browser, with Secure Login Client and CommonCryptoLib)
3. Single Sign-On and Secure Communication: DIAG, RFC (SNC) and HTTPS (SPNEGO) to SAP NetWeaver AS ABAP; HTTPS (SPNEGO) to SAP NetWeaver AS Java

In a Nutshell
Relies on Integrated Windows Authentication
Kerberos Security Token created by Microsoft Active Directory (AD)
No additional server required, low TCO
SAP backend needs to trust the AD (but not be in Windows domain)
SPNEGO requires ABAP SAP NetWeaver version 7.02 or higher
Microsoft Kerberos/SPNEGO SSO supported by e.g. AS ABAP, AS Java, HANA DB, ...


SAP and Non-SAP Applications
Single Sign-On Based on X.509 Certificates

Clients: SAP clients (SAP GUI, Business Client, RFC based clients) with Secure Login Client and CommonCryptoLib; Web browser
Certificate issuer: Secure Login Server, verifying users against Microsoft Active Directory, LDAP, or other login modules
Targets: SAP Business Suite on SAP NetWeaver, legacy systems, non-SAP applications
Token: X.509 certificate
Note: This option supports most platforms and clients. Recommended for heterogeneous and intranet scenarios.


SAP and Non-SAP Applications
Single Sign-On Based on X.509 Certificates

Flow:
1. User Desktop (client: SAP GUI, NWBC, RFC clients, browser, with Secure Login Client and CommonCryptoLib)
2. Sign into Secure Login Client profile
3. Authenticate: Secure Login Client contacts the Secure Login Server (SLS) on SAP NetWeaver AS Java
4. Verify User Credentials: SLS checks the credentials against the Authentication Server
5. Provide X.509 Certificate: SLS issues the certificate to the client
6. Single Sign-On and Secure Communication: DIAG, RFC (SNC) and HTTPS to SAP NetWeaver AS ABAP; HTTPS to SAP NetWeaver AS Java

In a Nutshell
Relies on X.509 certificate, a very mature standard security token
Certificates created by Secure Login Server or other PKI, e.g. using Smart Cards
Support for SAP backends, but also for legacy systems, 3rd party Web applications, ...
SLS provides short-lived certificates, no overhead for revocation management
Multiple ways of user credential verification (SPNEGO, LDAP, ABAP, UME, ...)
Secure Login Server requires AS Java


Cloud and Cross-Company
Single Sign-On and Identity Federation Based on SAML

Clients: Web client (browser)
Identity source: SAML identity provider, verifying users against Microsoft Active Directory, LDAP, or other login modules
Targets: SAP and non-SAP applications, cloud applications, SAP / non-SAP Web applications
Token: SAML
Note: SAML is a public standard for Web applications. The application server has to support the standard. Recommended for extranet scenarios, partner integration.


Single Sign-On Based on SAML

Flow:
1. User Desktop (client: browser)
2. Authenticate: browser contacts the Identity Provider (IdP) on SAP NetWeaver AS Java
3. Verify User Credentials: IdP checks the credentials against the Authentication Server
4. Return SAML Assertion to the browser
5. Single Sign-On and Secure Communication: HTTPS to the Service Providers (SP)

In a Nutshell
Relies on Security Assertion Markup Language (SAML) assertions as security token
Industry standard for cloud and cross-company scenarios
Assertions created by Identity Provider, running on AS Java
Authentication initiated by IdP or SP
Multiple ways of user credential verification (SPNEGO, LDAP, ABAP, UME, ...)


SAP Single Sign-On Components

Secure Login Client
Client application
Manages security tokens (Kerberos tokens, X.509 certificates)

Secure Login Server
Central service on SAP NetWeaver AS Java
Provides X.509 certificates to users and application servers

SAP Common Cryptographic Library (f.k.a. Secure Login Library)
Cryptography and security library for SAP applications

Identity Provider
Central service on SAP NetWeaver AS Java
Provides SAML 2.0 assertions for Web-based SSO


Capabilities
SAP CommonCryptoLib
FIPS 140-2 Certification

Component SAP NW SSO 2.0 Secure Login Library Crypto Kernel was certified on January 6th, 2015

List Entry (Cert# 2308):
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Certificate:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0049.pdf

Blog on SAP Community Network:
http://scn.sap.com/community/security/blog/2015/01/21/sap-s-crypto-kernel-receives-fips-140-2-certificate


SAP CommonCryptoLib
Capabilities

Latest enhancements in version 8.4.38 (see SAP Note 2181733 for details)
Significant performance increase on all major platforms: RSA, AES, SHA-2
Perfect Forward Secrecy for TLS: ephemeral key agreement, Elliptic curve Diffie-Hellman key exchange, Elliptic Curves P-224, P-256, P-384, P-521
TLS 1.2 cipher suites in Galois Counter Mode (GCM)
New command sapgenpse tlsinfo to help configure cipher suite profile parameters for TLS

Previous Support (see SAP Note 2004653 for complete list)
Hash Algorithms: SHA-2, ...
Signature Algorithms: DSA, PKCS #1 v2.1 RSA PSS, ...
Key Exchange Algorithms: Diffie-Hellman, ElGamal, PKCS #1 v2.1 RSA OAEP, ...
Block Cipher Algorithms: AES 256bit, ...


Digital Signatures with SAP Single Sign-On 2.0

Benefits of Digital Signatures
Confirm that a document was created by a known sender
Confirm that a document was not tampered with during transmission
Provide the means for a binding signature that cannot be denied afterwards

Usage with AS ABAP
Based on Secure Store & Forward (SSF) Interface
Server-side digital signatures: Supported by the SAP CommonCryptoLib. SAP Single Sign-On includes support for Hardware Security Modules.
Client-side digital signatures: Supported by Secure Login Client for SAP GUI

More Information on SAP Help Portal and SAP Service Marketplace
Digital Signing with Secure Store and Forward (SSF)
Digital Client Signature
Digital Signatures (SSF) with a Hardware Security Module
SAP Note 1973271 - Secure Login Library 2.0 HSM Configuration for SSF



Single Sign-On for new SAP Clients

SAP User Interface Integration
Combines beautiful user interfaces with great usability
Support new SAP clients out of the box:
SAP Fiori
SAP NetWeaver Business Client
SAP Screen Personas



Two-Factor Authentication with SAP Single Sign-On

Authentication requires two means of identification
Knowledge of a regular password
Possession of a physical device, e.g. a cell phone

Options for the 2nd Factor (out-of-band)
SAP Authenticator mobile app: generates one-time passwords (RFC 6238 compatible), available for iOS and Android
One-time password sent using SMS
One-time password sent using E-Mail
RSA / RADIUS

Usage Scenarios
Recommended for scenarios with particular security requirements
Web and SAP GUI applications



Risk-Based Authentication 1/2
Strengthen the Authentication Process Based on Context

Risk-Based Authentication
Risk-based enforcement of stronger authentication
Example: User accesses from outside the corporate network, so 2FA (two-factor authentication) is required

SAP Identity Provider or Secure Login Server (placed in the DMZ between INTERNET and INTRANET, with access to the corporate LDAP):
Evaluate context, e.g. IP address, user roles, device, ...
Accept access, deny access or enforce 2FA (2FA token)
Return SSO token (SAML or X.509)



Risk-Based Authentication 2/2
Limit Business Functionality Based on Context

Risk-Based Authorization Handling
Relies on SAP Identity Provider, using SAML 2.0
Access policy information added to SAML assertion after authentication
On AS Java, dynamic reduction of available roles based on access policy. See SAP Note 2151025.
On AS ABAP, access policy information available in security session. See SAP Note 2057832.

SAP Application Server Runtime: check access policy and handle access restrictions
Temporarily reduce user roles and authorizations for session on AS Java
Extend customer exits in applications on AS ABAP to allow risk-based authorization checks, e.g. for admin tasks or data download

SAML Assertion: including access policy information from SAP IdP

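The two risk-based slides above (context evaluation deciding between accept, deny and enforce-2FA, then reducing the session's roles and carrying that access policy information in the assertion) put together as one policy engine. This is an added example, not SAP's implementation: the network ranges, the sensitive role names, the device-naming rule and the access-policy keys are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum

# Constructed policy values (assumptions, not SAP defaults): address ranges that
# count as the corporate intranet, roles sensitive enough to demand a 2nd
# factor and to be withheld from remote sessions, and how a managed device
# is recognised.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_ROLES = frozenset({"BASIS_ADMIN", "FINANCE_DATA_DOWNLOAD"})
MANAGED_DEVICE_PREFIX = "corp-"


class Decision(Enum):
    ACCEPT = "accept"
    DENY = "deny"
    ENFORCE_2FA = "enforce_2fa"


@dataclass
class Context:
    """What the IdP / Secure Login Server knows at authentication time."""
    source_ip: str
    device_id: str
    roles: frozenset
    second_factor_ok: bool = False  # True once the OTP was verified


@dataclass
class Outcome:
    decision: Decision
    effective_roles: frozenset   # roles left to this session
    access_policy: dict          # information to carry in the SAML assertion


def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(ctx: Context) -> Outcome:
    intranet = is_intranet(ctx.source_ip)
    managed = ctx.device_id.startswith(MANAGED_DEVICE_PREFIX)
    policy = {"network": "intranet" if intranet else "internet",
              "device": "managed" if managed else "unmanaged"}
    # Rule 1: an unmanaged device outside the corporate network is refused.
    if not intranet and not managed:
        return Outcome(Decision.DENY, frozenset(), policy)
    # Rule 2: remote access, or a sensitive role, needs the second factor.
    needs_2fa = not intranet or bool(ctx.roles & SENSITIVE_ROLES)
    if needs_2fa and not ctx.second_factor_ok:
        return Outcome(Decision.ENFORCE_2FA, frozenset(), policy)
    policy["auth_strength"] = "2fa" if ctx.second_factor_ok else "password"
    # Rule 3 (risk-based authorization): even after 2FA, a session from the
    # internet runs without the sensitive roles; the application server reads
    # the dropped roles from the assertion and restricts access accordingly.
    dropped = ctx.roles & SENSITIVE_ROLES if not intranet else frozenset()
    policy["dropped_roles"] = sorted(dropped)
    return Outcome(Decision.ACCEPT, ctx.roles - dropped, policy)
```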


Mobile Single Sign-On with SAP Authenticator

Details
Relies on time-based One-Time Passwords for authentication
SAP Authenticator apps available for iOS and Android
End user self registration user interface
Administrative user interfaces

Usage Scenarios
Single sign-on for web applications
Single sign-on for customized Fiori native client (see SCN blog for details)



RFID-Based User Identification

Identify Users with RFID Token (Radio Frequency Identification)
Instant user identification with RFID token
Single Sign-On based on X.509 certificates

Usage Scenarios
Warehouse and production scenarios
Kiosk/terminal computers

Recent Enhancements
Simplified configuration based on Microsoft Active Directory
Support for additional RFID reader devices



Single Sign-On for ABAP: SNC Made Easy
Guided SNC configuration using the SNC Wizard



Platform Security
Support for Eliminating Unencrypted SAP GUI / RFC Access to AS ABAP

Situation
It is often a compliance requirement to only allow encrypted communication to SAP systems
As documented in SAP Note 1690662, unencrypted communication can be blocked
Enabling this setting may be a risk for business continuity if SAP Single Sign-On was not yet configured on all clients, as some people may lose access to the system

Solution
Unencrypted access to the backend can be recorded in the Security Audit Log, as documented in SAP Note 2122578
Customers can enable the logging function and keep an eye on whether there are still unencrypted connections from certain client machines, which can then be configured to use SAP Single Sign-On
Once the administrator is reassured that there are no more clients with missing configuration out there, she can enforce encrypted communication as described in SAP Note 1690662



Hardware Security Module Support

Store Private Keys in Hardware
Protect Secure Login Server Certificate Authority
Protect private keys for digital signatures (Secure Store and Forward, SSF)
Performance acceleration

Supported HSM vendors: Thales, SafeNet



Summary
Extensible Technology Ready for the Future

One product covering all three scenarios: SAP Business Suite; SAP and non-SAP applications; Cloud and cross-company



Recommendations

Identify the most critical systems. Which systems contain your most sensitive business information? How many people have access to them? Define your overall single sign-on strategy and start with these critical business systems.

Understand the different modules of SAP Single Sign-On and analyze your system landscape to determine which SSO standards can be used. If your organization does not have the appropriate resources and know-how, involve SAP Consulting or SAP partners.

Passwords are often the weakest link in enterprises. Prevent the usage of passwords by relying on standards such as SAML, X.509 certificates, or Kerberos. SAP Single Sign-On offers solutions for all of these standards.

Once you have implemented single sign-on, start enforcing strong passwords in the related systems. Mid-term strategy: Consider disabling user name/password authentication in critical business systems.



Summary

SAP Single Sign-On offers a suite of security capabilities, for SAP as well as non-SAP applications

It offers
Investment protection
Flexibility
Single sign-on for heterogeneous system landscapes

What are the main business drivers?
Protect business, reputation and trust
Lower password related costs
Simplicity and agility



Get More Information

Community Network

http://scn.sap.com/community/sso



2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SEs or its affiliated companies strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
