2PUBLIC© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ
Agenda
SAP security products portfolio
SAP Single Sign-On product overview
Technologies and scenarios
▪ Kerberos
▪ X.509 certificates
▪ Security Assertion Markup Language (SAML)
Features and capabilities
Summary
The SAP security portfolio
Secure access
▪ SAP Single Sign-On
▪ SAP Cloud Platform Identity Authentication
Secure code
▪ SAP NetWeaver AS, add-on for code vulnerability analysis
Detect attacks
▪ SAP Enterprise Threat Detection
Manage users and permissions
▪ SAP Identity Management
▪ SAP Access Control
▪ SAP Cloud Platform Identity Provisioning
▪ SAP Cloud Identity Access Governance
Secure access
Preventing unauthorized access to your business systems is crucial for security. Single sign-on solutions offer secure, convenient single login for all business applications, on-premise as well as in the cloud.
▪ SAP Single Sign-On
▪ SAP Cloud Platform Identity Authentication
Manage users and permissions
Handling users and permissions can be a challenge in heterogeneous and hybrid landscapes. Centralized solutions help you implement a compliant identity management approach.
▪ SAP Identity Management
▪ SAP Access Control
▪ SAP Cloud Platform Identity Provisioning
▪ SAP Cloud Identity Access Governance
Secure code
How can you protect custom ABAP code in your on-premise landscape? Code vulnerability analysis tools enable you to fix security loopholes.
▪ SAP NetWeaver AS, add-on for code vulnerability analysis
Detect attacks
Internal and external cyber attacks are on the rise. SAP Enterprise Threat Detection lets you monitor your system landscape in real time.
▪ SAP Enterprise Threat Detection
Customer needs and value proposition
▪ Single Sign-On – authenticate just once for secure and user-friendly access to multiple SAP and non-SAP applications, on-premise and in the cloud
▪ From anywhere – including mobile devices and different desktop systems
▪ Security – introduce security measures to meet corporate and regulatory requirements
▪ Low cost – leverage the benefits of quick implementation and low cost of ownership
Benefits in detail
Security
▪ Secure authentication with one strong password, optionally with additional factors
▪ Eliminates need for password reminders on post-it notes
▪ All passwords kept in one protected, central place
Cost efficiency
▪ Efficiency gains as users only need to remember one password
▪ Higher productivity due to reduced efforts for manual authentication, password reset, helpdesk interaction, …
▪ Low TCO of running a secure landscape through management of server-side certificates
Simplicity
▪ Lean product, fast implementation project, quick ROI
▪ No more need to provision, protect, and reset passwords across many systems
▪ No longer requires management of password policies across many systems
Support for on-premise and hybrid landscapes
Simple and secure access
▪ Single sign-on for SAP desktop clients and web applications
▪ Single sign-on for mobile devices
▪ Support for cloud and on-premise landscapes
Secure data communication
▪ Encryption of data communication for SAP GUI and other desktop clients
▪ Digital signatures
▪ FIPS 140-2 certification of cryptographic functions
Advanced security capabilities
▪ Two-factor and risk-based authentication
▪ Authentication with smart cards or RFID tokens
▪ Simplified lifecycle management of server-side certificates
Supported authentication modes
Single sign-on
▪ Authenticate once to an authentication server (MS Active Directory, AS ABAP, …)
▪ The returned security token confirms your identity for each subsequent login to business applications
Multiple sign-on
▪ Authenticate each time you access a business application
▪ Authentication against a central authentication server, not the business application itself
Multi-factor authentication
▪ In addition to knowledge of information (password), authentication requires a physical element (possession of mobile phone, RSA SecurID card, etc.)
▪ Implementation option for both single sign-on and multiple sign-on
Focus on simplicity
Security capabilities must be easy to implement and use. Customers should not have to weigh the implementation efforts against the benefits of running a secure landscape. That’s why simplicity is key for SAP Single Sign-On.
Simple software roll-out
▪ The cryptographic library is shipped and updated as part of the regular SAP Kernel
▪ The desktop client is installed using SAPSetup and can be easily integrated into the SAP GUI roll-out
▪ No need to install add-ons, no need to modify ABAP sources
Simple configuration
▪ You can use standard ABAP transactions SPNEGO and SNCWIZARD for the configuration
▪ It is no longer necessary to work on the server command line
Simple operations
▪ SAP Single Sign-On is tightly integrated into the SAP NetWeaver stack, re-using its existing, proven infrastructure and security framework
SSO made easy: Simplification tutorials
SAP Single Sign-On is quick and easy to set up with straightforward implementation processes and automated guidance. Take a look at the following video tutorials:
▪ Single sign-on with Kerberos
▪ Single sign-on with X.509 certificates
▪ Certificate lifecycle management for SAP NetWeaver Application Server ABAP
Suggested playlist: All SAP Single Sign-On videos on YouTube
Kerberos: Secure access to SAP business applications – at a low TCO
▪ Implementation option based on user authentication to Microsoft Windows domain during desktop login
▪ Active Directory provides a Kerberos security token that SAP business applications accept as proof of identity
▪ Supported on desktop systems (Windows, OS X) and mobile devices (iOS) that are part of a Windows domain
▪ Requires access to the corporate network
▪ Users need to have an account in Active Directory
▪ Very fast implementation, very low TCO, no additional server required
▪ Single sign-on for SAP NetWeaver, covering web-based and desktop clients such as SAP GUI, Business Client, RFC client applications such as SAP Analysis for Office, SAP HANA database, and many more
▪ Network encryption is available for SAP GUI and RFC clients
Kerberos: Process flow – Single sign-on based on the corporate Windows domain
Authentication scenario
1. User authenticates to Windows domain
2. Active Directory provides Kerberos security token to user
3. User opens a system connection using a native client or browser
4. Kerberos token is forwarded to system using SNC (for SAP GUI and RFC clients) or SPNEGO (for browsers). The Kerberos token is validated offline on the server, no connection to AD required
[Diagram: (1) Business user performs Windows login; (2) Microsoft Active Directory issues the Kerberos security token; (3) user starts desktop client, app or browser and opens a connection via SAP GUI & RFC (SNC) or Browser (SPNEGO); (4) Kerberos authentication at SAP NetWeaver AS ABAP or SAP NetWeaver AS Java]
X.509 certificates: Highly interoperable single sign-on to SAP and non-SAP applications
▪ Implementation option where users authenticate to Secure Login Server (SLS) to retrieve a short-lived X.509 certificate, or reuse already available certificates
▪ User authentication to SLS can be manual or automated, based on an existing Windows authentication or an authenticated web browser session
▪ SAP business applications accept the certificate as proof of identity
▪ Supported on desktop (Windows, OS X) and mobile devices (iOS, Android)
▪ Secure Login Server is not required if certificates are already available to users
▪ Secure Login Server is a lean alternative to introducing a full-blown PKI
▪ Secure Login Server supports two-factor and risk-based authentication, and different user stores (LDAP, ABAP, …)
▪ X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients, including many legacy systems
▪ Network encryption is available for SAP GUI and RFC clients
X.509 certificates: Process flow – Highly interoperable single sign-on to SAP and non-SAP applications
Authentication scenario
1. (*) User authenticates to Secure Login Server. Authentication can be automatic (using e.g. Kerberos) or manual, even based on multiple factors
2. (*) Secure Login Server returns an X.509 certificate, valid for a set period of time (e.g. a work day)
3. User opens a system connection
4. X.509 certificate token is forwarded to system and allows authentication
(*) Steps 1 and 2 are not required if the user is already in possession of a certificate
[Diagram: (1) Business user authenticates to Secure Login Server (on AS Java); (2) SLS returns the X.509 certificate; (3) user starts desktop client, app or browser and opens a connection via SAP GUI & RFC (SNC) or Browser (TLS client authentication); (4) certificate-based authentication at SAP NetWeaver AS ABAP, AS Java or other web servers]
Options for enabling SSO with X.509 certificates
Existing certificate
▪ SAP Single Sign-On can use an existing certificate for authentication
▪ Certificate could come from a smart card or pre-deployed on the device
▪ Advantage: No new server component is required
▪ Disadvantage: Some added-value scenarios of Secure Login Server are not available
Secure Login Server (SLS)
▪ Part of the product SAP Single Sign-On
▪ Provides certificates to end user desktops, mobile devices and backend systems
▪ Advantage: Enables scenarios such as multi-factor authentication and certificate lifecycle management
▪ Disadvantage: SLS is an additional server component, running on AS Java
Secure Login Server (SLS) with Enterprise PKI integration
▪ SLS can be configured as a registration agent in front of an existing enterprise PKI
▪ Advantage: All SLS scenarios are available. At the same time, the certificate signing process of the existing PKI remains in place
▪ Disadvantage: Depends on capabilities of enterprise PKI, such as supported number of profiles
Secure Login Server as Registration Authority of an existing PKI
Scenario
▪ Customers that already have an enterprise PKI do not want to establish a second one
▪ Secure Login Server (SLS) integrates with existing enterprise PKI for both user and server certificates
Benefits
▪ Certificate signing based on established PKI and security policy
▪ Storage and revocation processes unchanged
▪ SAP system integration decoupled from PKI, managed by SLS
[Diagram: Business user (provision user certificates) and SAP NetWeaver Application Server ABAP (renew server certificates) send requests to Secure Login Server; SLS forwards the request to the Enterprise PKI (ADCS* or CMC** compatible), which returns the certificate]
*Active Directory Certificate Services
** Certificate management over CMS, RFC 5272
Extension scenarios for X.509 certificates
Instant user identification based on RFID token (Radio Frequency Identification)
▪ For warehouse and production scenarios where efficient authentication is key
▪ Kiosk/terminal computers shared among teams
▪ Simple configuration using Microsoft Active Directory to validate identities
▪ Supports PC/SC and WaveID RFID reader devices
Encryption Only Mode for data privacy
▪ Enables network encryption for SNC even if a user-specific security token is not available, e.g. due to a forgotten smart card
▪ Allows customers to protect data communication from the start of the implementation project, before user-specific configuration is in place
X.509 server certificate lifecycle management
SAP NetWeaver uses server-side X.509 certificates for a number of security functions. Depending on the certificate validity, certificates need to be renewed on a regular basis. Certificate lifecycle management manages the renewal of certificates, reduces manual efforts, and prevents downtimes.
Process steps
▪ Establish and configure a trust relationship between SAP NetWeaver and the Secure Login Server
▪ Schedule a job that identifies expiring certificates and automatically renews them
Benefits
▪ Prevent downtimes caused by expired certificates
▪ Replace error-prone manual steps with a robust automated process
Additional capabilities
▪ Automated central roll-out of trusted root certificates to the landscape
▪ Option for integration with existing enterprise PKI
For a step-by-step guide, see our how-to video at: https://youtu.be/wi2vBos1KwYi
Configuring X.509 certificate lifecycle management for SAP NetWeaver
The process steps of certificate lifecycle management are triggered from the business system. SAP provides applications for SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java, and a generic command line client for the communication with Secure Login Server.
SAP NetWeaver AS for ABAP
▪ Report “SSF_CERT_ENROLL” establishes the trust relationship and exchange of metadata between the SAP NetWeaver AS ABAP and the Secure Login Server
▪ Report “SSF_CERT_RENEW” can be executed either manually or as a scheduled job to check and renew certificates that will expire during the configured grace period
▪ Certificates and attributes are displayed in transaction STRUST
SAP NetWeaver AS for Java
▪ Certificate lifecycle management is configured in the Secure Login CLM Cockpit
▪ The cockpit allows customers to register the SAP NetWeaver AS Java with Secure Login Server, define the certificates to be managed as part of the enrollment and schedule jobs to renew certificates on a regular basis
▪ Certificates and attributes are displayed in SAP NetWeaver Administrator
Security Assertion Markup Language (SAML): Identity federation and single sign-on for cross-organizational scenarios
▪ Implementation option where users authenticate to the SAP Identity Provider to retrieve a SAML assertion
▪ SAP web applications accept the assertion as proof of identity
▪ The assertion definition is very flexible and enables the easy mapping of attributes between systems, for loosely coupled integration across organizations
▪ Supported by browser-based applications on desktop and mobile devices
▪ SAP Identity Provider is based on SAP NetWeaver AS for Java
▪ SAP Identity Provider supports two-factor and risk-based authentication against different user stores (LDAP, ABAP, …)
▪ SAML assertions are accepted by a broad range of both SAP and 3rd party web applications
▪ SAML assertions enable single sign-on during the lifetime of the browser session
Security Assertion Markup Language (SAML): Process flow – Identity federation and single sign-on for cross-organizational scenarios
Authentication scenario
1. User opens a connection to the business system, which is configured as a SAML Service Provider
2. Business system redirects browser to the IdP
3. User authenticates to IdP, either automatically (using e.g. SPNEGO) or manually, even based on multiple factors
4. IdP establishes a security session, returns a SAML assertion, and redirects the browser back to the SP
5. User is authenticated
[Diagram: (1) Business user starts browser and opens a connection to the Service Provider (SP), e.g. SAP NetWeaver AS ABAP or Java; (2) business application server redirects browser to the Identity Provider; (3) authentication at SAP Identity Provider (IdP) on AS Java; (4) IdP creates SAML assertion and redirects back to the Service Provider; (5) SAML-based authentication at the SP]
SAP Authenticator: Lean solution for single sign-on on mobile devices
▪ Users authenticate once to the authentication server to store a shared secret on their mobile device
▪ Time-based One-Time Passwords (TOTP) based on the shared secret are passed from SAP Authenticator to the SAP Identity Provider, which enables single sign-on for web-based business applications
▪ SAP Authenticator is available on mobile devices (iOS, Android)
▪ SAP Authenticator supports browser-based applications, the SAP Fiori client, and customer-developed mobile apps
▪ SAP Authenticator-based authentication requires AS Java
▪ SAP Authenticator can be combined with two-factor and risk-based authentication
▪ Fast implementation due to automated roll-out of the configuration to mobile devices
▪ Highly flexible approach with few infrastructure prerequisites
SAP Authenticator: Process flow – Lean solution for single sign-on on mobile devices
Authentication scenario
1. User registers mobile device once with the SAP Authentication Library
2. Shared secret is stored on mobile device once
3. User starts SAP Authenticator on mobile device and opens a link to a web or Fiori client application
4. Access is redirected to the IdP and user is authenticated with OTP
5. IdP establishes a security session, returns a SAML assertion, and redirects the browser to the SP
6. User is authenticated
[Diagram: (1) Business user registers with the SAP Authentication Library and Identity Provider (IdP); (2) shared secret is stored on the mobile device; (3) user starts the SAP Authenticator app, opens a browser or Fiori client connection and sends the one-time password (OTP); (4) user authenticated at IdP based on OTP; (5) IdP returns SAML assertion to the mobile device; (6) browser accesses the Service Provider (SP) and authenticates with SAML]
Two-factor authentication
Authentication based on two means of identification
▪ Knowledge of a password
▪ Possession of a physical device, such as a cell phone
Options for the second factor
▪ SAP Authenticator, a Time-based One-Time Password (TOTP) generator on iOS, Android, Windows 10 (Mobile and Desktop)
▪ Send one-time passwords via SMS or e-mail
▪ 3rd party OTP generators compliant with the standard RFC 6238
▪ 3rd party applications supporting the RADIUS protocol, such as RSA
Usage scenarios
▪ Recommended for systems with high security requirements
▪ Configurable per system or even user
▪ Seamless integration into Secure Login Client for certificate-based scenarios
[Screenshot: SAP Authenticator for iOS]
Risk-based authentication
▪ Dynamic adjustment of required authentication process during logon
▪ Based on contextual information and configurable rules
▪ Takes a risk-based approach to balance between security and usability
Available contextual information
▪ Client IP address
▪ User roles
▪ Available client certificate
▪ …
Sample scenarios
▪ Allow access only from certain IP ranges
▪ Request 2nd authentication factor if the first authentication step is based on a password instead of an X.509 certificate
▪ Enforce two-factor authentication for administrators
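The three sample scenarios above, expressed as rules over the listed contextual information, as an added example in Python (not SAP's rule engine or configuration). The IP ranges, role names, factor labels and decision names are constructed; a malformed client address fails closed.

```python
"""Risk-based logon decision from contextual rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class LogonContext:
    """Context available at logon: client IP, user roles, how the first step was done."""
    client_ip: str
    roles: FrozenSet[str]
    first_factor: str          # constructed labels: "x509" (client certificate) or "password"


# A rule returns "deny", "require_second_factor", or None when it does not apply.
Rule = Callable[[LogonContext], Optional[str]]


def allow_only_from(ranges: List[str]) -> Rule:
    """Scenario 1: allow access only from the given IP ranges."""
    nets = [ipaddress.ip_network(r) for r in ranges]

    def rule(ctx: LogonContext) -> Optional[str]:
        try:
            addr = ipaddress.ip_address(ctx.client_ip)
        except ValueError:
            return "deny"                      # unparsable address: fail closed
        return None if any(addr in n for n in nets) else "deny"
    return rule


def second_factor_if_password(ctx: LogonContext) -> Optional[str]:
    """Scenario 2: ask for a 2nd factor when the first step was a password, not an X.509 certificate."""
    return "require_second_factor" if ctx.first_factor == "password" else None


def enforce_2fa_for_roles(privileged: FrozenSet[str]) -> Rule:
    """Scenario 3: always require two factors for administrators."""
    def rule(ctx: LogonContext) -> Optional[str]:
        return "require_second_factor" if ctx.roles & privileged else None
    return rule


def evaluate(ctx: LogonContext, rules: List[Rule]) -> str:
    """Any deny wins; otherwise any request for a second factor wins; otherwise allow."""
    outcomes = [rule(ctx) for rule in rules]
    if "deny" in outcomes:
        return "deny"
    if "require_second_factor" in outcomes:
        return "require_second_factor"
    return "allow"


# Constructed policy combining the slide's three sample scenarios
POLICY: List[Rule] = [
    allow_only_from(["10.0.0.0/8", "192.168.0.0/16"]),      # constructed corporate ranges
    second_factor_if_password,
    enforce_2fa_for_roles(frozenset({"ADMINISTRATOR"})),    # constructed role name
]


def decide(ctx: LogonContext) -> str:
    return evaluate(ctx, POLICY)


if __name__ == "__main__":
    print(decide(LogonContext("10.1.2.3", frozenset({"USER"}), "x509")))            # allow
    print(decide(LogonContext("10.1.2.3", frozenset({"USER"}), "password")))        # require_second_factor
    print(decide(LogonContext("203.0.113.5", frozenset({"ADMINISTRATOR"}), "x509")))  # deny
```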
Integrating cloud and on-premise, browser and native clients
Secure Login Web Client (SLWC) enables customers to integrate an existing single sign-on solution for web and cloud applications with desktop clients.
Customer requirement
▪ Customers may have a compliance requirement to process the initial end-user authentication with a corporate or cloud-based identity provider
▪ After authenticating to the identity provider, users experience single sign-on for web applications
▪ However, manual authentication is still necessary for desktop applications such as SAP GUI, as these require either an X.509 certificate or a Kerberos token to authenticate
Solution
▪ SLWC allows an authenticated browser session to trigger and monitor the desktop enrollment of a certificate
▪ SLWC is based on the Secure Login Server and runs inside all common browsers, on Windows and macOS
Example
▪ Secure Login Server is configured as a SAML service provider, trusting the corporate identity provider
▪ When the user accesses the SLWC page of the Secure Login Server, the session is authenticated using the standard SAML flow of the identity provider
▪ After authentication, SLWC creates and stores a certificate on the desktop for SAP GUI single sign-on
Digital signatures on the desktop
Use cases for digital signatures
▪ Authenticity: Confirm that a document was created by a known sender
▪ Integrity: Confirm that a document was not tampered with during transmission
▪ Non-repudiation: Provide the means for a binding signature that cannot be denied afterwards
Enhanced client support
▪ In the past, client-side digital signatures required SAP GUI for Windows
▪ SAP Single Sign-On 3.0 introduces a web signer interface that allows an application to perform client-side digital signatures from a web page, using plain JavaScript
Benefit
▪ Client-side digital signatures can be triggered from web applications
▪ The JavaScript interface is supported by all modern web browsers
▪ Based on the Secure Login Client, available on Windows and macOS
Mobile SSO based on Secure Login Server
Secure Login Server (SLS) offers mobile single sign-on with proven X.509 digital certificate technology, covering a broad range of customer scenarios.
Simple Certificate Enrollment Protocol (SCEP) on iOS
▪ iOS has built-in support for SCEP
▪ SLS allows end users to import a SCEP configuration profile on their device, triggering the enrollment of an end-user certificate to the iOS system key chain
▪ The certificate can be used to enable single sign-on for e.g. Safari
SAP Mobile Platform (SMP)
▪ Starting with version 3.0 SP11, SMP can act as a proxy for SLS
▪ Applications on SMP are assigned an SLS profile, which defines the certificate enrollment flow for clients
▪ After enrollment the certificate can be used for app single sign-on
SAP Cloud Platform Mobile Services (mobile service for development and operations)
▪ An SLS destination and profile can be defined in the Mobile Service cockpit
▪ The SDK for iOS allows customers to easily integrate SLS with their own apps
SAP Single Sign-On for SAP Fiori clients on iOS: Using the SAP Authenticator app
SAP Authenticator supported authentication scenarios
▪ Creation of time-based one-time passwords (TOTP) for two-factor authentication
▪ Enrollment of a certificate from Secure Login Server in the SAP key chain on iOS
SAP Fiori Client
▪ SAP Fiori Client supports certificate-based single sign-on to the Fiori Launchpad
▪ A planned version of the SAP Fiori Client on the iTunes store has access to the SAP key chain
▪ Certificates enrolled by SAP Authenticator can be used by the SAP Fiori Client to enable single sign-on
Planned to be released with a support package for SAP Mobile Platform SDK 3.0. This is the current state of planning and may be changed by SAP at any time.
Support for macOS
SAP Single Sign-On allows customers to use X.509 certificates for a number of security scenarios. On the desktop, these scenarios rely on the Secure Login Client, which is available for Windows and macOS. Secure Login Client (SLC) for macOS now supports the same scenarios as the Windows version.
Secure Login Server integration
▪ SLC now supports the enrollment of certificates from Secure Login Server to macOS desktop systems
Multi-factor authentication
▪ Advanced authentication capabilities such as multi-factor authentication and risk-based authentication are now available on macOS
Browser integration
▪ Customers can enroll certificates from Safari on macOS, using the Secure Login Web Client
▪ Customers can perform digital signatures on the desktop, triggered from a UI5 web application running in Safari on macOS
Cryptographic capabilities: SAP CommonCryptoLib FIPS 140-2 certification
The Federal Information Processing Standard (FIPS) 140-2 is defined by the National Institute of Standards and Technology (NIST) and specifies quality requirements for cryptographic modules.
The cryptographic capabilities of the SAP CommonCryptoLib were certified to comply with the standard on January 6th, 2015 and re-certified on May 5th, 2017.
Certification details (Cert# 2900): http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
FIPS 140-2 validation certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertMay2017.pdf
Eliminate unencrypted SAP GUI / RFC access to SAP NetWeaver AS ABAP
Situation
▪ Common compliance requirement: Only allow encrypted communication to SAP systems
▪ Unencrypted communication can be blocked (see SAP Note 1690662)
▪ Business continuity risk: If communication is blocked and SAP Single Sign-On was not yet configured on all clients, some people may lose system access
Solution
▪ Record unencrypted access to the backend in the Security Audit Log (see SAP Note 2122578)
▪ Enable the logging function to detect unencrypted connections from client machines, then configure them to use SAP Single Sign-On
▪ Once there are no more clients with missing configuration, enforce encrypted communication (see SAP Note 1690662)
Hardware security module support
Store private keys in hardware
▪ Protect Secure Login Server Certificate Authority
▪ Protect private keys for digital signatures (Secure Store and Forward, SSF)
▪ Performance acceleration
[Logos: SafeNet, Thales]
SAP comprehensive solutions for single sign-on enable efficient and secure authentication and access to business applications.
Security
▪ Secure authentication and FIPS-certified cryptographic functions
▪ Risk-based authentication and two-factor authentication
▪ Digital signatures
Productivity
▪ Single sign-on to SAP and non-SAP applications
▪ Fast return on investment
Ready for the future
▪ Based on industry standards and state-of-the-art security functions
▪ On-premise and in the cloud, for desktop and mobile devices
Get more information
https://www.sap.com/community/topic/sso.html
Welcome to the SAP Community
Thank you.
Contact information:
Christian Cohrs
Product Manager
Regine Schimmer
Product Manager
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various
risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
© 2017 SAP SE or an SAP affiliate company. All rights reserved.