Describing Landscape Security with SAP SSO

Objective

After completing this lesson, you will be able to describe how the SAP Single Sign-On service provides landscape security.

Landscape Security with SAP SSO

One key goal of SAP’s Secure Login solution is to establish secure communication between all required components. SSO enables secure communication with certificate lifecycle management and encryption.

Secure Login for SAP SSO provides support for many advanced security capabilities, such as:

  • Encryption of data communication for SAP GUI
  • Kerberos/SPNEGO, X.509 certificates, and SAML 2.0 support
  • Digital signatures
  • FIPS 140-2 certified cryptographic functions
  • Two-factor authentication
  • Risk-based authentication using access policies
  • RFID-based authentication
  • Hardware security module support

Establishing Secure Communication

FromToProtocol/Interface
SAP GUISAP NetWeaverDIAG/RFC (SNC)
Business ExplorerSAP NetWeaverDIAG/RFC (SNC)
Business ClientSAP NetWeaverDIAG/RFC (SNC)
Web GUISAP NetWeaverDIAG/RFC (SNC), HTTPS
Secure Login ClientSecure Login ServerHTTPS (SSL)
Secure Login ServerLDAP ServerHTTPS (SSL)
Secure Login ServerSAP NetWeaverRFC (SNC)
Secure Login ServerRADIUS ServerRADIUS (Shared Secret)

The preceding table displays the security protocol or interface used to secure communications between various components. The following examples are common SSO standard use cases and the associated process and communication flow.

If you want to take your SSO project a step further and cover SAP and non SAP applications, X.509 digital certificates could be your technology of choice. Most systems and applications support this proven internet standard. There are several options for enabling SSO with X.509 certificates:

Secure Login Service (SLS)

  • Part of the product SAP SSO.
  • Provides short-lived certificates to end-user desktops and backend systems.
  • Advantage: SLS enables scenarios such as multifactor authentication and certificate lifecycle management.
  • Disadvantage: SLS is an additional component.

A diagram showing the authentication process for SAP GUI using Secure Login Service, Identity Authentication Service, and X.509 certificates. Optional integration with Corporate IdP and Secure Network Communications to SAP NetWeaver.

The preceding figure illustrates the authentication process flow for using the Secure Login Service:

  1. The user opens an SAP GUI connection.
  2. The user authenticates to the Identity Authentication Service.
  3. Optionally, authentication can be delegated to a corporate IdP (such as Azure AD).
  4. After successful authentication, the Cloud Certification Authority (CA) issues an X.509 certificate.
  5. SAP SLS returns the X.509 certificate, valid for one day, to SLC.
  6. The X.509 certificate token authenticates the SAP GUI user to the ABAP system.

Existing Certificate

SSO using X.509 certificates can use existing Public Key Infrastructure (PKI) to authenticate users seamlessly across multiple systems and applications. This approach provides robust security by using digital certificates.

  • SAP SSO can use an existing certificate for authentication.
  • Certificates could, for example, come from a smart card or soft token.
  • Advantage: No additional component is required, as the SLC does not need to access the cloud services, and the identity provider cannot authenticate.
  • Disadvantage: Some value-added scenarios of SLS are not available and can be complex to configure and manage.

In this scenario, the SLS integrates with the existing enterprise PKI for user and server certificates. As a result, certificate signing remains based on established PKI and security policies. Storage and revocation processes remain unchanged.

Diagram showing Secure Network Communications using X.509 Certificate. SAP GUI with Secure Login Client and Business User connect to SAP NetWeaver Application Server ABAP using X.509 certificate.

Some customers already have an approach in place that provides their end users with an X.509 certificate. Options are for example:

  1. Smart Card: An X.509 certificate coming from a hardware device.
  2. Soft Token: An X.509 certificate that is automatically deployed on the user’s desktop, for example from a corporate CA.

Secure Login Client can use these certificates for Single Sign-On to the ABAP system as well if the backend configuration is in place. In that case, the Secure Login Client does not need to access the cloud services and there is no authentication by the identity provider.

Diagram of a certificate provisioning and refreshing flow. Business User and SAP Netweaver communicate with Secure Login Server, which forwards and returns requests to/from Enterprise PKI for user and server certificates.

For organizations that have set up their own public-key infrastructure (PKI), they can simply use it with SAP Single-Sign On. In this scenario, the SLS integrates with the existing enterprise KPI for both the user and server certificates. As a result, certificate signing remains based on established PKI and security policies. Storage and revocation processes remain unchanged.

More scenarios and tools extend the capabilities for using and maintaining X.509 certificates. For example, instant user identification based on radio frequency identification (RFID) is supported for PC/SC and WaveID RFID reader devices.

For more information about Certificate Lifecycle Management for SSO, see: Configuring Certificate Lifecycle Management in the AS ABAP Using Secure Login Server.

Lesson Summary

You can now describe how the SAP SSO solution provides landscape security.

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn