SAP Single Sign-On 2.0 
Overview Presentation 
June 2014 Public
For more info: http://scn.sap.com/community/sso.
SAP Single Sign-On enables companies to eliminate the need for multiple passwords and user IDs. Centralize and simplify the way users log on to systems and applications. Lower the risks of unsecured login information, reduce help desk calls, and help ensure the confidentiality and security of personal and company data.

Published in: Technology
  • Awesome document!

SAP Single Sign-On 2.0 Overview

  1. SAP Single Sign-On 2.0 Overview Presentation, June 2014, Public
  2. Legal disclaimer: This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent. © 2014 SAP AG or an SAP affiliate company. All rights reserved.
  3. Agenda: SAP Portfolio; Overview SAP Single Sign-On; Single Sign-On Scenarios; Architecture; What’s New in Support Package 03; Recommendations; Summary
  4. SAP Portfolio
  5. SAP Identity and Access Management Solutions: Compliant Identity and Access Management
     • Simplify and secure access: SAP Single Sign-On
     • Manage identities and permissions: SAP Identity Management
     • Identify and mitigate risks: SAP Access Control
  6. Overview SAP Single Sign-On
  7. SAP Single Sign-On – What is it about? Authenticate once and subsequently access SAP and non-SAP applications in a secure and user-friendly way. Meet company and regulatory requirements. Improve security measures and protect your company.
  8. SAP Single Sign-On – Benefits: Security; Reduce Costs; Simplicity
  9. SAP Single Sign-On – Benefits in Detail
     Solve security and compliance issues caused by
     • Re-use of passwords
     • Password patterns
     • Trivial passwords
     • Passwords on post-it notes
     • Leaked passwords
     Solve productivity issues caused by
     • Large number of manual logins
     • Forgotten passwords
     • Help desk calls
     Only one secure (!) password to remember. Only one password to store and protect. Automated login while you work.
  10. Single Sign-On Scenarios
  11. Business User Expectations: easy and secure access from SAP GUI, SAP NetWeaver Business Client, SAP Business Explorer, Web Browser, …
  12. SAP Single Sign-On 2.0 Key Capabilities
     • Single sign-on for SAP and non-SAP applications
     • Support of proprietary SAP clients (e.g. SAP GUI)
     • Secure network communication (SNC)
     • SSO for cloud-based applications
     • Based on standards like X.509 certificates, SPNEGO, Kerberos, SAML
     • Password Manager
     Diagram labels: SAP Single Sign-On; SAP HANA and SAP NetWeaver; SAP Business Suite; SAP and non-SAP applications; Cloud and cross-company; Password Manager
  13. SAP Business Suite: Single Sign-On Based on Kerberos / SPNEGO
     • Secure Login Client, Secure Login Library, SPNEGO for ABAP
     • Microsoft Active Directory
     • Token: Kerberos
     • SPNEGO only available in newer SAP NetWeaver releases
     Diagram labels: SAP Business Suite; SAP NetWeaver; SAP client (native); Web client
  14. SAP and Non-SAP Applications: Single Sign-On Based on X.509 Certificates
     • Secure Login Client, Secure Login Server, Secure Login Library
     • Microsoft Active Directory, LDAP, other login modules
     • Token: X.509 certificate
     • This option supports most platforms and clients. Recommended for heterogeneous and intranet scenarios
     Diagram labels: SAP Business Suite; SAP NetWeaver; Non-SAP; Legacy systems; SAP client (native); Web client
  15. Cloud and Cross-Company: Single Sign-On and Identity Federation Based on SAML
     • SAML identity provider
     • Microsoft Active Directory, LDAP, other login modules
     • Token: SAML
     • SAML is a public standard for Web applications. The application server has to support the standard. Recommended for extranet scenarios, partner integration
     Diagram labels: SAP / non-SAP Web applications; Cloud applications; Web client
  16. Secure Storage of Remaining Passwords: Password Manager
     • Password Manager, stand-alone
     • Based on user name and password
     • Secure storage of remaining passwords in a local client. Provides automatic capture of login credentials
  17. Architecture
  18. SAP Single Sign-On – Components
     Secure Login Client
     • Client application
     • Manages security tokens (Kerberos tokens, X.509 certificates)
     Secure Login Server
     • Central service on SAP NetWeaver AS Java
     • Provides X.509 certificates to users and application servers
     Secure Login Library
     • Cryptography and security library for SAP NetWeaver AS ABAP
     Identity Provider
     • Central service on SAP NetWeaver AS Java
     • Provides SAML 2.0 assertions for Web-based SSO
  19. Single Sign-On Based on Kerberos / SPNEGO
     Diagram labels: User Desktop (client: SAP GUI / NWBC / Browser, Secure Login Client); Microsoft Active Directory (AD); SAP NetWeaver AS ABAP (Secure Login Library); SAP NetWeaver AS Java; Start SAP GUI or Browser; Windows Authentication; Kerberos Token; Single Sign-On and Secure Communication over DIAG, RFC (SNC) and HTTPS (SPNEGO)
     In a Nutshell
     • Relies on "Integrated Windows Authentication"
     • Kerberos Security Token created by Microsoft Active Directory (AD)
     • No additional server required, low TCO
     • SAP backend needs to trust the AD
     • SPNEGO requires ABAP version 7.02 or higher
     • Kerberos/SPNEGO SSO supported by e.g. AS ABAP, AS Java, HANA DB, …
  20. Single Sign-On Based on X.509 Certificates
     Diagram labels: User Desktop (client: SAP GUI / NWBC / Browser, Secure Login Client); Authentication Server; SAP NetWeaver AS Java (Secure Login Server, SLS); SAP NetWeaver AS ABAP (Secure Login Library); SAP NetWeaver AS Java; Sign into Secure Login Client profile; Authenticate; Verify User Credentials; Provide X.509 Certificate; Single Sign-On and Secure Communication over DIAG, RFC (SNC) and HTTPS
     In a Nutshell
     • Relies on X.509 certificate, a very mature standard security token
     • Certificates created by Secure Login Server (or other PKI)
     • SLS provides short-lived certificates, no overhead for revocation management
     • Multiple ways of user credential verification (SPNEGO, LDAP, ABAP, UME, ...)
     • Support for SAP backends, but also for legacy systems, 3rd party Web applications, …
     • Secure Login Server requires AS Java
  21. Single Sign-On Based on SAML
     Diagram labels: User Desktop (client: Browser); SAP NetWeaver AS Java (Identity Provider, IDP); Authentication Server; Service Providers (SP); HTTPS; Authenticate; Verify User Credentials; Return SAML Assertion; Single Sign-On and Secure Communication
     In a Nutshell
     • Relies on Security Assertion Markup Language (SAML) assertions as security token
     • Industry standard for cloud and cross-company scenarios
     • Assertions created by Identity Provider, running on AS Java
     • Authentication initiated by IDP or SP
     • Multiple ways of user credential verification (SPNEGO, LDAP, ABAP, UME, ...)
  22. What’s New in Support Package 03
  23. Two-Factor Authentication with SAP Authenticator
     Two-Factor Authentication: Authentication with One-Time Passwords (OTP)
     Provide two means of identification
     • OTP required for login in addition to password or security token
     • Second factor for high security scenarios
     Based on SAP Authenticator iOS Application
     • OTP (6-digit code) created on mobile device
     Usage Scenarios
     Integrated with Secure Login Server (X.509) and Identity Provider (SAML)
     • Administrator configures SAP NetWeaver AS Java system to require two-factor authentication
     For Web and SAP GUI scenarios
  24. SSO for SAP GUI for Java on Mac OS X
     Secure Login Client for Mac Client Computers
     • Mac OS X 10.7 or higher
     Usage Scenarios
     • Kerberos-based authentication
     • X.509 certificates
     • For SAP GUI scenarios
  25. RFID-Based User Identification
     Identify Users with RFID Token (Radio Frequency Identification)
     • Only privileged persons have physical access
     • Instant user identification with RFID token
     • Based on X.509 certificates
     Usage Scenarios
     • Warehouse and production scenarios
     • Kiosk/terminal computers
  26. Hardware Security Module Support
     Hardware Security Module Support for Digital Signatures
     Store Private Keys in Hardware
     • Protect Secure Login Server Certificate Authority
     • Protect private keys for digital signatures (Secure Store and Forward, SSF)
     • Performance acceleration
     Vendors shown: Thales, SafeNet
  27. Recommendations
  28. Recommendations
     • Identify the most critical systems. Which systems contain your most sensitive business information? How many people have access to them? Define your overall single sign-on strategy and start with these critical business systems.
     • Understand the different modules of SAP Single Sign-On and analyze your system landscape to determine which SSO standards can be used. If your organization does not have the appropriate resources and know-how, involve SAP Consulting or SAP partners.
     • Passwords are often the weakest link in enterprises. Prevent the usage of passwords by relying on standards such as SAML, X.509 certificates, or Kerberos. SAP Single Sign-On offers solutions for all of these standards.
     • Once you have implemented single sign-on, start enforcing strong passwords in the related systems. Mid-term strategy: Consider disabling user name/password authentication in critical business systems.
     • Provide a tool to store remaining passwords (such as the Password Manager component of SAP Single Sign-On).
  29. Summary
  30. Extensible Technology – Ready for the Future: SAP Business Suite; SAP and non-SAP applications; Cloud and cross-company
  31. Summary
     SAP Single Sign-On is a “Single Sign-On Suite” that supports SAP as well as non-SAP applications. It offers
     • Investment protection
     • Flexibility
     • Single sign-on for heterogeneous system landscapes
     What are the main business drivers?
     • Protect business, reputation and trust
     • Lower password related costs
     • Simplicity and agility
  32. Get More Information: Community Network. Get more information, videos and updates: http://scn.sap.com/community/sso
  33. Thank you. Contact information: Product Management, SAP AG
  34. © 2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP AG or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP AG or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP AG or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP AG’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP AG or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.