Subscribe today. Visit SAPinsiderOnline.com.

COLUMN: Security Strategies

Simple and Secure User Authentication with SAP Single Sign-On 2.0
How the Latest Features Enhance the User Experience, Strengthen Security, and Streamline Administration
by Christian Cohrs and Martina Kirschenmann, SAP SE

A modern business’s typical system landscape comprises a variety of solutions hosted on different types of platforms — each element tightly protected against the reality of mounting security challenges. A byproduct of this environment that is familiar to even the most casual non-business user is the need for multiple sets of credentials to access all of these systems, which can lead to passwords that are weak, reused, or written down somewhere so they are easy to remember. In business environments, this can lead not only to security and compliance issues, but also to productivity issues caused by repeated manual logins and help desk calls, for instance.

The SAP Single Sign-On solution solves this problem for SAP customers by enabling users to log in just once and gain secure access to both SAP and non-SAP business applications across the entire system landscape while protecting sensitive company and personal data. It supports both cloud and on-premise scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients. It also uses state-of-the-art standards such as the SPNEGO security mechanism for Kerberos-based HTTP authentication, X.509 digital certificates, and Security Assertion Markup Language (SAML) to meet company and regulatory security requirements.

The latest support packages for SAP Single Sign-On 2.0 — support package 4 (released in November 2014) and support package 5 (released in May 2015) — deliver a number of innovative enhancements to address the security needs of SAP customers, including advanced authentication functionality and simplified configuration features, to help security administrators further improve the user experience while strengthening the security of critical business data.1 This article provides an overview of these key authentication and administration enhancements, and how they help organizations centralize and simplify the way users log on to systems and applications.
Authentication and Identification Enhancements

Authentication and identification functionality lay the groundwork for SAP Single Sign-On. The latest support packages for the solution build on this foundation with advanced features that augment these capabilities, including support for two-factor authentication, fast user identification via radio-frequency identification (RFID), and risk-based authentication using access policies.
Additional Protection with Two-Factor Authentication

Many organizations rely on user IDs and passwords for authentication. However, for increased security scenarios — such as protecting especially critical systems or securing access from outside the company — a stronger form of authentication for access to corporate resources may be required.

1 For more background information on SAP Single Sign-On 2.0, see the SAPinsider articles “A Safe Harbor in a Rising Tide of Threats” by Gerlinde Zibulski and Gert Schroeter (October-December 2014) and “An Inside Look at the New Features and Functionality in SAP NetWeaver Single Sign-On 2.0” by Regine Schimmer, Jens Koster, and Frane Milicevic (April-June 2013) at SAPinsiderOnline.com.

Christian Cohrs ([email protected]) is the Area Product Owner for SAP Single Sign-On. He has a background in computer science and has worked in various positions at SAP for the last 15 years, most recently on the development of identity management and security products.

Martina Kirschenmann ([email protected]) is a Product Manager for SAP Single Sign-On at SAP SE in Walldorf. She has more than 10 years of experience with SAP security solutions and is currently part of the rollout team for SAP’s security portfolio.

This article appeared in the Jul/Aug/Sep 2015 issue of SAPinsider (www.SAPinsiderOnline.com) and appears here with permission from the publisher, WIS Publishing.
To meet this need, support package 4 for SAP Single Sign-On 2.0 includes support for two-factor authentication via a time-based one-time password (TOTP) — a six-digit or eight-digit code that is based on a shared secret key and the current time, and is valid for one login attempt only — generated by the SAP Authenticator mobile app.2 This approach requires not only knowledge of a regular password (the first factor), but also possession of a particular mobile device (the second factor) that is registered to generate TOTPs for specific business applications, making it much harder for a remote attacker to succeed, as access to the second authentication factor requires physical proximity.3

Enabling two-factor authentication with SAP Single Sign-On is simple (see Figure 1). Users download and install the SAP Authenticator mobile app on their mobile devices,4 and then activate the app for their specific corporate user ID and one or more backends using self-service functionality. This backend could be an SAP Enterprise Portal with local applications, or an Identity Provider or Secure Login Server that provides security tokens for single sign-on to other systems. On the backend, the administrator uses a login module to configure SAP NetWeaver Application Server (SAP NetWeaver AS) Java to enable two-factor authentication and generate a secret key, which is stored on the mobile device when the mobile app is activated for a user ID and the respective backend.

2 See Ivelina Kiryakova’s blog “Strong Two-Factor Authentication with One-Time Password Solution” (http://scn.sap.com/community/sso/blog/2014/05/12/stronger-authentication-with-one-time-password-solution).
3 To support end users who do not have access to a supported smartphone, SAP Single Sign-On also supports out-of-band (OOB) transport of tokens, including one-time passwords sent via SMS or email.
4 The SAP Authenticator mobile app is available for both iOS (via iTunes) and Android (via Google Play), and supports the Internet Engineering Task Force (IETF) standard RFC 6238 (see https://tools.ietf.org/html/rfc6238).
Once the app is activated and the configuration is complete, users can securely log into the system associated with their corporate user IDs using two-factor authentication. Figure 2 illustrates this authentication process at runtime. On their desktop client, users first enter their regular password, and then enter a TOTP generated by the mobile app based on the current time and the device’s secret key. Once the password and TOTP are validated by SAP NetWeaver AS Java, the user is authenticated and has access to applications on the portal, or the Identity Provider security token is made available to enable single sign-on for the user.

Two-factor authentication is available as an additional protection level for web-based and SAP GUI-based single sign-on scenarios, and in addition to a standalone Java application server, such as SAP Enterprise Portal, it can be integrated with the Secure Login Server (providing X.509 digital certificates) and the Identity Provider (providing SAML assertions) of SAP Single Sign-On on SAP NetWeaver AS Java. For additional security, users can also protect the SAP Authenticator mobile app with a password.
FIGURE 1 Installation and setup of two-factor authentication. SAP Authenticator installation and device registration self-service: the TOTP Login Module on SAP NetWeaver AS Java generates the shared secret key and transfers it to the mobile device, where the SAP Authenticator app stores it encrypted by password (sample code shown in the figure: 537810).

FIGURE 2 Two-factor authentication requires both knowledge of a password (first factor) and physical access to a particular mobile device (second factor). Two-factor authentication and single sign-on: on the desktop client (Secure Login Client or browser) the user enters the password and a TOTP; the SAP Authenticator app computes the TOTP based on the secret key and the current time; the TOTP Login Module on SAP NetWeaver AS Java verifies the user credentials (password + TOTP) and provides the security token for SSO.

Fast User Identification via RFID

In traditional single sign-on scenarios, organizations can increase productivity by allowing users to authenticate just once to gain access to a large number of systems for a period of time. In some cases, however, a user needs to very quickly access only one system to perform short tasks — maybe the user works on an assembly line and needs to urgently fix a supply problem before it causes any damage, or perhaps the user works in a warehouse and quickly needs to check or enter data on a shared computer while packing boxes. In these types of scenarios, users don’t want to spend extra time taking off their gloves and entering a secure password.

To enable quick logons for users in these scenarios, support package 4 for SAP Single Sign-On 2.0 includes user identification based on an RFID token, such as a company badge card. With the Secure Login Server of SAP Single Sign-On in place, an end user can authenticate to an SAP system with a temporary X.509 digital certificate, which the Secure Login Server issues when the user places the RFID card on a reader. This instant authentication is much faster than entering a password and is easy to perform even in a shop floor environment. After the user’s work is finished, the user simply picks up the RFID card and logs out, at which time the X.509 certificate is deleted.

RFID authentication is ideally suited to warehouse and production scenarios with dedicated kiosk PCs for authentication, which protects against compromised RFID readers or cards — the Secure Login Server first validates the identity of the kiosk system before accepting the RFID information to authenticate the user. RFID authentication is available for SAP NetWeaver AS ABAP and SAP NetWeaver AS Java backends via the Secure Login Server of SAP Single Sign-On, and uses X.509 digital certificates. Currently, SAP Single Sign-On supports RFID readers based on the standard PC/SC interface for personal computers and smart cards, and also WaveID readers by RF IDeas.

Risk-Based Authentication Using Access Policies

In the past, users usually accessed SAP systems from desktop computers inside the corporate network, meaning all authentication requests came from the same kind of environment. As a result, the security level required for a specific authentication request depended only on the criticality of the accessed system — for example, the value of the data managed inside of the system. As organizations use increasing numbers of cloud and mobile applications, however, authentication requests are coming from a diverse assortment of environments, and the one-size-fits-all authentication approach of the past can have unintended — and unwanted — consequences.

When you assume that all authentication requests are coming from a secure environment, this can result in an authentication process that is fast and lean, but leaves you at risk if a potentially illegitimate request is received and your process cannot adapt to handle it. On the other hand, if you assume that all authentication requests are potentially illegitimate and harden the authentication process against potential attacks, corporate users who were sufficiently screened when entering the office can become frustrated by excessive steps in the login process and productivity can suffer.

Support package 5 for SAP Single Sign-On 2.0 addresses this challenge with an authentication process that can dynamically adapt to the context of an individual authentication attempt.
Figure 3 outlines how this works. The user attempts to authenticate from the client. The authentication request goes to the Access Policies Engine running on SAP NetWeaver AS Java, where a custom-defined access policy will check the context information of the request and determine the next steps. For example, you can specify that the access policy check the IP address of the client and, based on this, dynamically enforce two-factor authentication before granting access via a SAML assertion or an X.509 digital certificate. You can even forward a perceived risk level to the ABAP backend system as part of the SAML assertion, and implement custom code to disable critical functionality.5 This capability gives you the flexibility to implement security checks in a very precise way.

Authentication based on access policy is available as part of a standalone Java application server, such as SAP Enterprise Portal, as well as the Identity Provider and Secure Login Server of SAP Single Sign-On on SAP NetWeaver AS Java, and uses SAML 2.0 or X.509 digital certificates.

5 See Donka Dimitrova’s blog “Risk-Based Authentication for Your Critical Business Processes” (http://scn.sap.com/community/sso/blog/2014/11/03/risk-based-authentication-for-your-critical-business-processes).
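A minimal access policy engine in the shape of Figure 3, added here as an illustration and not SAP’s Access Policies Engine: ordered rules over the request context (client IP address, time of day, registered device, criticality of the target system) yield accept, deny, or enforce two-factor authentication, and the resulting risk level is carried as a SAML attribute to a backend check that disables critical functionality. The network ranges, office hours, rule names, attribute names and the 0-3 risk scale are assumptions chosen for the demo.

```python
"""Added example, not SAP's Access Policies Engine: a minimal context-based access
policy modelled on Figure 3. Network ranges, office hours, rule names, SAML attribute
names and risk levels are assumptions chosen for the demo."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Decision(Enum):
    ACCEPT = "accept"
    DENY = "deny"
    ENFORCE_2FA = "enforce_two_factor_authentication"


@dataclass
class AuthContext:
    """Context information collected for one authentication request."""
    user: str
    client_ip: str
    device_registered: bool  # device known to the backend (e.g. authenticator app activated)
    timestamp: datetime
    target_critical: bool    # criticality of the accessed system


# Assumed corporate address ranges; a real policy takes them from its configuration.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def inside_corporate_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is treated as external
    return any(addr in net for net in CORPORATE_NETS)


# A rule is (name, predicate, decision, risk level). Rules are evaluated in order and
# the first match wins; the risk level (assumed 0-3 scale) is forwarded to the backend.
Rule = Tuple[str, Callable[[AuthContext], bool], Decision, int]
POLICY: List[Rule] = [
    ("deny_unregistered_device_on_critical_system",
     lambda c: c.target_critical and not c.device_registered, Decision.DENY, 3),
    ("two_factor_outside_office_hours",
     lambda c: not 7 <= c.timestamp.hour < 19, Decision.ENFORCE_2FA, 2),
    ("two_factor_from_external_network",
     lambda c: not inside_corporate_network(c.client_ip), Decision.ENFORCE_2FA, 2),
    ("accept_internal_office_hours", lambda c: True, Decision.ACCEPT, 0),  # catch-all
]


def evaluate(ctx: AuthContext) -> Tuple[Decision, int, str]:
    """Return (decision, risk level, matching rule name) for a request context."""
    for name, predicate, decision, risk in POLICY:
        if predicate(ctx):
            return decision, risk, name
    return Decision.DENY, 3, "default_deny"  # unreachable while the catch-all rule exists


def assertion_attributes(ctx: AuthContext, second_factor_ok: bool = False) -> Dict[str, str]:
    """Attributes the Identity Provider adds to the SAML assertion once access is granted."""
    decision, risk, rule = evaluate(ctx)
    if decision is Decision.DENY or (decision is Decision.ENFORCE_2FA and not second_factor_ok):
        raise PermissionError(f"no assertion issued: rule {rule} decided {decision.value}")
    return {"NameID": ctx.user, "RiskLevel": str(risk), "PolicyRule": rule}


def backend_allows_critical_function(attributes: Dict[str, str], max_risk: int = 1) -> bool:
    """Custom backend check: disable critical functionality above an assumed risk threshold."""
    return int(attributes.get("RiskLevel", "3")) <= max_risk


def make_context(user: str, ip: str, registered: bool, hour: int, critical: bool) -> AuthContext:
    """Constructed request with a fixed date; only the hour of day varies."""
    return AuthContext(user, ip, registered, datetime(2015, 6, 1, hour, 0), critical)


if __name__ == "__main__":
    # Constructed requests: one from the office LAN, one from a documentation-range address.
    for ctx in (make_context("jdoe", "10.20.30.40", True, 10, True),
                make_context("jdoe", "203.0.113.5", True, 10, True)):
        print(ctx.client_ip, evaluate(ctx))
```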
FIGURE 3 Risk-based authentication adapts dynamically to requests based on custom-defined access policies. The client sends an authentication request to the Access Policies Engine on SAP NetWeaver AS Java, which collects and assesses context information (user attributes, location, date/time, IP, device, ...), applies a rule to strengthen authentication, and authenticates based on context: accept, deny, or enforce two-factor authentication. The result is an authentication token (X.509 certificate or SAML token).

Implementation and Administration Enhancements

In addition to strengthened authentication options, the latest support packages for SAP Single Sign-On include implementation enhancements for security administrators. These features — including out-of-the-box support for modern SAP clients, simplified ABAP administration, and enhanced cryptographic support — enable an even easier setup that allows the solution to be up and running with the highest levels of security in no time.

Support for a Modern User Experience

The user experience is central. From personalization to consistency across devices, users expect a seamless and responsive experience when using their business applications. SAP Single Sign-On 2.0 combines modern user interfaces and enhanced usability with out-of-the-box support for new SAP clients such as SAP Fiori, SAP NetWeaver Business Client, and SAP Screen Personas, allowing you to combine sophisticated user interfaces with enhanced usability while keeping sensitive data secure at all times.

SAP Fiori enables a personalized, responsive, and simple user experience across devices and deployment options for customers using SAP Business Suite powered by SAP HANA. By implementing SAP Single Sign-On, users can access their SAP Fiori apps after just one initial authentication.6 A detailed explanation of how to enable single sign-on for SAP Fiori-based applications using Kerberos/SPNEGO, X.509 certificates, or SAML assertions is available as part of the SAP Fiori Infrastructure rapid-deployment solution.7

6 See Regine Schimmer’s blog “Take the SAP Fiori Experience to a New Level with SAP Single Sign-On” (http://scn.sap.com/docs/DOC-50394).
SAP NetWeaver Business Client enables users to access data from ABAP backend systems using multiple user interface technologies, such as traditional SAP GUI transactions and applications based on Web Dynpro ABAP. Figure 4 shows vendor data displayed in an SAP NetWeaver Business Client user interface. To make data access both simple and secure, you can combine SAP NetWeaver Business Client with SAP Single Sign-On and, by leveraging its Kerberos/SPNEGO technology, simply reuse the user’s Windows domain authentication for single sign-on.8

SAP Screen Personas is a browser-based add-on that allows authorized users to personalize and modify organization-specific Dynpro and Web Dynpro screens to suit their unique business needs and to optimize usability. SAP Single Sign-On supports authentication with user interfaces based on SAP Screen Personas using Kerberos/SPNEGO, X.509 certificates, and SAML assertions.

7 See SAP Fiori Infrastructure rapid-deployment solution on SAP Service Marketplace (https://service.sap.com/~sapidp/012002523100013862112014E).
8 See Sandra Thimme’s blog “NWBC (4.0) Meets Single Sign-On: Simplify Secure Data Access (Part 1)” (http://scn.sap.com/community/netweaver-business-client/blog/2014/02/24/simplify-secure-data-access-nwbc-meets-single-sign-on).
FIGURE 4 Vendor data displayed in an SAP NetWeaver Business Client user interface

Simplified ABAP Administration

SAP Single Sign-On 2.0 includes various features that help streamline administration tasks required for enabling access to the ABAP backend. In particular, it provides enhancements for setting up Secure Network Communication (SNC) and configuring Kerberos/SPNEGO on the ABAP backend.

SNC is the interface used to enable single sign-on and network encryption from SAP GUI and numerous Remote Function Call (RFC) clients to the ABAP backend server. While setting up SNC has always been a straightforward task, support package 4 for SAP Single Sign-On 2.0 makes it even easier with support for the SNCWizard transaction, a new transaction included with the ABAP support packages for SAP NetWeaver that enables the easy configuration of SAP NetWeaver AS ABAP for SAP Single Sign-On. This wizard guides administrators through the configuration of SNC for SAP Single Sign-On 2.0 (see Figure 5) and automates tasks, such as creating the required Personal Security Environment (PSE) files and setting the server profile parameters, that previously required access on the operating system level. The wizard enables ABAP administrators to configure SNC on their own, without time-consuming and resource-intensive interaction with the operating system administration team. As manual steps are reduced, administrators no longer need to worry about a typo in the configuration preventing the server from restarting.
In addition, support package 4 for SAP Single Sign-On 2.0 includes an update of the Kerberos transaction to simplify the configuration required on the ABAP system for single sign-on based on Kerberos/SPNEGO — a popular approach among SAP customers for authentication with SAP GUI and web clients because it avoids the need for additional servers by relying on existing Microsoft Active Directory functionality. As part of the Kerberos transaction, SAP provides a number of online checks that detect inconsistencies between the configuration of Microsoft Active Directory and the ABAP system, enabling the ABAP administrator to validate the Kerberos configuration without requiring support from the Microsoft Active Directory team, which streamlines the process significantly.9 Figure 6 demonstrates part of the validation process.
9 See SAP Note 2015966 (http://service.sap.com/sap/support/notes/2015966) and SAP Note 2079851 (http://service.sap.com/sap/support/notes/2079851) for details on the required ABAP versions.

FIGURE 5 The SNCWizard transaction guides administrators through the configuration of SNC for SAP Single Sign-On

FIGURE 6 SAP provides checks for validating the Kerberos configuration against Microsoft Active Directory

Enhanced Cryptographic Support

As consumers and businesses become increasingly concerned about data security, cryptography is no longer a topic reserved for cryptographic experts. To take security to the next level for its customers, SAP delivers the Common Cryptographic Library (CommonCryptoLib) — available via the ABAP kernel or via download from SAP Service Marketplace — for enabling digital signatures and performing encryption in SAP systems.10 While in the past SAP Single Sign-On required two separate security libraries, SAP Single Sign-On 2.0 now uses the Common Cryptographic Library as its default library for SNC and Kerberos/SPNEGO for ABAP, and to enable the use of optional hardware security modules to store and protect private keys, making installation much simpler.
Starting with support package 5, the library provides support for elliptic curve cryptography, and initially focuses on the curves most relevant from a market perspective, such as the prime field curves P-192 to P-521, as documented in the Federal Information Processing Standards (FIPS) publication on the Digital Signature Standard (DSS).11 For a given key size, elliptic curve cryptography provides significantly higher security than earlier public-key algorithms, which is why it is being implemented by many of the latest smart card solutions. With support for version 1.2 of the Transport Layer Security (TLS) protocol also included in the latest version of the library, these smart card solutions can now authenticate to an SAP system using SSL client authentication, with the additional security of elliptic curve cryptography as well as perfect forward secrecy to protect customers from future attacks on recorded communication data.

In addition, in January 2015, SAP received the FIPS 140-2, security level 1 certificate12 for SAP’s cryptographic kernel, ensuring that it works securely and as designed to guarantee protection of your sensitive business data. This certification further demonstrates SAP’s commitment to provide customers with solutions of the highest quality and reliability, along with security they can count on, based on independent, internationally applied standards.13

10 See Martina Kirschenmann’s blog “SAP’s New Cryptographic Library ‘CommonCryptoLib’” at http://scn.sap.com/community/sso/blog/2014/07/16/sap-s-new-cryptographic-library-commoncryptolib.
11 See FIPS PUB 186-4 at http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
12 The validation certificate is available on the National Institute of Standards and Technology’s website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0049.pdf.
Summary

The extensions included in the latest support packages for SAP Single Sign-On 2.0 not only enhance productivity with a simplified user experience, but also lower administrative costs and strengthen the security and confidentiality of login information and sensitive business data.

SAP Single Sign-On is based on a mature set of core components that enable SAP customers to implement secure single sign-on with confidence across enterprise scenarios that range from SAP Business Suite implementations to heterogeneous environments that integrate non-SAP systems, and even cloud-based and cross-company scenarios. While SAP continuously innovates to fulfill customer requests and to meet evolving security demands — such as single sign-on from mobile devices and more efficient management of the certificate life cycle — the overall vision is to keep the product solid and simple to implement and use.

Learn more about SAP Single Sign-On and its features at http://scn.sap.com/community/sso.

13 See Annette Fuchs’s article “Is Your Data Properly Protected?” in the January-March 2013 issue of SAPinsider (SAPinsiderOnline.com) and blog “SAP’s Crypto Kernel Receives FIPS 140-2 Certificate” (http://scn.sap.com/community/security/blog/2015/01/21/sap-s-crypto-kernel-receives-fips-140-2-certificate).