Describing the Cloud and Cross-Domain Support with SAP SSO

Objective

After completing this lesson, you will be able to describe the Cloud and cross-domain support feature of the SAP SSO.

Cloud and Cross-Domain Support with SAP SSO

If you want to extend your company’s Single Sign-On (SSO) solution into the cloud or cover cross-company scenarios, SSO and identity federation based on the Security Assertion Markup Language 2.0 (SAML 2.0) provides a sound solution.

Security Assertion Markup Language 2.0 (SAML 2.0) is an internet standard for exchanging authentication and authorization data between security domains. It is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a service provider. The assertion can include the means by which the subject was authenticated, the attributes associated with the subject, and an authorization decision for the given resource. SAML 2.0 enables web-based authentication and authorization scenarios, including SSO.

The main components of a SAML 2.0 landscape are as follows:

1. Service Provider (SP)

The service provider is a system entity that provides a set of web applications for common session management, identity management, and trust management. The service providers outsource the job of authenticating the user to the identity provider.

A service provider-initiated SSO workflow can be described as:

  1. The user attempts to access a resource protected by SAML 2.0.
  2. The SP redirects the user to a SAML IdP for authentication.
  3. The IdP queries the user for authentication credentials.
  4. The user supplies the requested credentials.
  5. The IdP returns the user to the SP with an authentication response.
  6. The SP presents the requested resource to the user.

Diagram: the SAML 2.0 service provider-initiated SSO flow between the user, the SAML identity provider and the SAML service provider, following steps 1 to 6 above.
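As an added example (not SAP code and not part of this lesson), the SP-initiated flow above simulated end to end in Python: the SP issues an AuthnRequest, the IdP answers with a signed assertion, and the SP checks issuer, signature, InResponseTo, destination, audience and validity window before it presents the resource (step 6). The entity IDs, the HMAC used in place of a real XML Signature, and the helper names are assumptions made for the example.

```python
import hashlib, hmac, secrets, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed entity IDs and endpoint; in a real landscape they come from the exchanged SAML metadata.
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY, IDP_ENTITY = "https://sp.example.com/saml", "https://idp.example.com/saml"
ACS_URL = "https://sp.example.com/saml/acs"
TRUST_KEY = secrets.token_bytes(32)  # stand-in for the IdP signing key the SP trusts via metadata
ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)

def utcnow(offset_sec=0): return datetime.now(timezone.utc) + timedelta(seconds=offset_sec)
def ts(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def sign(elem): return hmac.new(TRUST_KEY, ET.tostring(elem), hashlib.sha256).hexdigest()  # XML-DSig stand-in
def require(ok, why):  # every failed check aborts the login with a reason
    if not ok: raise ValueError(why)

# Step 2: the SP builds an AuthnRequest and records its ID so the later response can be correlated.
def sp_build_authn_request(pending):
    req_id = "_" + secrets.token_hex(16)
    pending[req_id] = utcnow()
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
            f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')

# Steps 3-5: the IdP authenticates the user (simulated here) and answers with a signed assertion.
def idp_issue_response(authn_request, user, now=None):
    now, req = now or utcnow(), ET.fromstring(authn_request)
    audience = req.findtext(f"{{{SAML}}}Issuer")
    assertion = ET.fromstring(
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_{secrets.token_hex(16)}" IssueInstant="{ts(now)}">'
        f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{ts(now + timedelta(minutes=5))}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion>')
    resp = ET.Element(f"{{{SAMLP}}}Response", InResponseTo=req.get("ID"), Destination=req.get("AssertionConsumerServiceURL"))
    resp.append(assertion)
    ET.SubElement(resp, "Signature").text = sign(assertion)
    return ET.tostring(resp, encoding="unicode")

# Step 6 happens only after the SP has checked issuer, signature, correlation, destination, audience and validity.
def sp_consume_response(response_xml, pending, now=None):
    now, root = now or utcnow(), ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML}}}Assertion")
    require(assertion is not None and assertion.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY, "not issued by the trusted IdP")
    require(hmac.compare_digest(root.findtext("Signature", ""), sign(assertion)), "signature does not verify")
    require(pending.pop(root.get("InResponseTo"), None) is not None, "unsolicited or replayed response")  # one use per ID
    require(root.get("Destination") == ACS_URL, "response addressed to a different endpoint")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    require(cond is not None and cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") == SP_ENTITY, "issued for another SP")
    require(cond.get("NotBefore", "") <= ts(now) < cond.get("NotOnOrAfter", ""), "outside validity window")  # fixed-width UTC
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
```

A replayed response, a tampered NameID, an expired assertion or a response that no pending request matches all end in a ValueError instead of a session.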

2. Identity Provider (IdP)

The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. Setting up IdP-initiated SSO with SAP Analytics Cloud is also possible. By default, IdP-initiated SSO is not enabled.

To enable IdP-initiated SSO on a tenant running in an SAP data center, you must request that the IdP administrator add a new assertion consumer service endpoint to your identity provider.

Possible reasons for doing this include:

  1. To reduce the number of round-trips in your landscape. Starting at the SP always redirects the user agent to the IdP. By starting at the IdP, you can save at least one round trip.
  2. To make your IdP the single point of access.
  3. Perhaps your portal is the host of your SP. Since all users start there anyway, you do not have to send them to the SP and then return to the portal before sending them to the SP.

Lesson Summary

You now understand how SSO technology allows users to access multiple applications using a single set of credentials, improving both security and user experience. This lesson emphasized the efficiency and convenience that SSO provides when managing authentication across various platforms.
