SAP Single Sign-On

Product Overview
August 2020

PUBLIC
Agenda

Introduction

SAP Single Sign-On product overview

Technologies and capabilities

Hybrid landscapes

Summary

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Introduction
SAP Identity Management and Access Governance Solutions
Overview

Identity Governance, Risk Authentication

Management & Compliance & Single Sign-on

Identity Provisioning SAP Cloud Identity Access Governance Identity Authentication

SAP Identity Management SAP Access Control SAP Single Sign-On

Setting the stage Accessing the applications

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

SAP Single Sign-On product overview
Beautiful logon screens ...

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 6

Simplified.

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 7

Benefits in detail

Simplicity
▪ Lean product, fast implementation project, quick ROI
▪ No more need to provision, protect, and reset passwords across many systems
▪ No longer requires management of password policies across many systems

Security
▪ Secure authentication with one strong password, optionally with additional factors
▪ Eliminates need for password reminders on post-it notes
▪ All passwords kept in one protected, central place

Cost efficiency
▪ Efficiency gains as users only need to remember one password
▪ Higher productivity due to reduced efforts for manual authentication, password reset, and
helpdesk interaction
▪ Low TCO of running a secure landscape through management of server-side certificates

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 8

Support for on-premise and hybrid landscapes

Simple and secure access

▪ Single sign-on for SAP desktop clients and web applications
▪ Support for cloud and on-premise landscapes
▪ Integration with existing directories and single sign-on solutions

Secure data communication

▪ Encrypted data communication for SAP GUI and other desktop clients
▪ Digital signatures
▪ FIPS 140-2 certified cryptographic functions

Advanced security capabilities

▪ Two-factor and risk-based authentication
▪ Authentication with smart cards or RFID tokens
▪ Simplified lifecycle management of server-side certificates

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 9

Technologies and capabilities
Supported authentication modes

Single sign-on
▪ Authenticate once to an authentication server (Microsoft Active Directory, AS ABAP,..)
▪ The returned security token confirms your identity for each subsequent login to business
applications

Multiple sign-on
▪ Authenticate each time you access a business application
▪ Authentication against a central authentication server, not the business application itself
▪ Common scenario to require the Windows credentials for each system logon

Multi-factor authentication
▪ In addition to knowledge of information (password), authentication requires a physical
element (possession of mobile phone, RSA SecurID card, etc.)
▪ Implementation option for both single sign-on and multiple sign-on

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 11

Simplicity is key for SAP Single Sign-On

Security capabilities must be easy to implement and use. Customers should not have to weigh the
implementation efforts against the benefits of running a secure landscape.

Simple software roll-out

▪ Cryptographic library is shipped and updated with the SAP Kernel
▪ The desktop client is installed using SAPSetup and can be rolled-out
with SAP GUI
▪ No need to install add-ons or modify ABAP sources

Simple configuration
▪ Configuration with standard ABAP transactions SPNEGO and
SNCWIZARD
▪ No need to work on the server command line

Simple operations
▪ Tightly integrated into the SAP NetWeaver stack, re-using its existing,
proven infrastructure and security framework

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 12

Simplification tutorials

SAP Single Sign-On is quick and easy to set up with straightforward

implementation processes and automated guidance.

Take a look at the following video tutorials:

Single sign-on with Kerberos

Single sign-on with X.509 certificates
Certificate lifecycle management for
SAP NetWeaver Application Server ABAP

Suggested playlist:
All SAP Single Sign-On videos on YouTube

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 13

Single sign-on based on Kerberos
Secure access to SAP business applications – at a low TCO

▪ Based on user authentication to Microsoft Windows domain during desktop login

▪ Active Directory provides a Kerberos security token that SAP business
applications accept as proof of identity

▪ Supported on desktop systems (Windows, OS X) and mobile devices (iOS)

that are part of a Windows domain
▪ Requires access to the corporate network
▪ Users need to have an account in Active Directory

▪ Very fast implementation, very low TCO, no additional server required

▪ Single sign-on for SAP NetWeaver, covering web-based and desktop clients such
as SAP GUI, Business Client, RFC client applications such as SAP Analysis for
Office, SAP HANA database, and many more
▪ Network encryption is available for SAP GUI and RFC clients

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 14

 Kerberos: Process flow
Single sign-on based on the corporate Windows domain

3 Start desktop client, app or browser and open connection

Authentication scenario
1. User authenticates to
Windows domain
2. Active Directory provides
Kerberos security token to
Business user 4 user
Kerberos authentication 3. User opens a system
connection using a native
1 SAP GUI & RFC (SNC) client or browser
2
Kerberos Browser (SPNEGO)
SAP NetWeaver 4. Kerberos token is forwarded
Windows security AS ABAP to system using SNC (for
login token SAP GUI and RFC clients)
NW AS JAVA or SPNEGO (for browsers).
Browser (SPNEGO) The Kerberos token is
validated offline on the
server, no connection to AD
required
SAP NetWeaver
Microsoft Active Directory
AS Java
© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 15
Single sign-on based on X.509 certificates
Highly interoperable single sign-on to SAP and non-SAP applications

▪ Users authenticate to Secure Login Server (SLS) to retrieve a short-lived X.509

certificate, or reuse an already available certificate
▪ User authentication to SLS can be automated, for example based on an existing
Windows authentication or an authenticated web browser session
▪ SAP business applications accept the certificate as proof of identity

▪ Desktop integration is based on Secure Login Client, on Windows and OS X

▪ Secure Login Server is not required if certificates are already available to users

▪ Secure Login Server is a lean alternative to introducing a full-blown PKI

▪ Secure Login Server supports two-factor and risk-based authentication, and
different user stores (LDAP, ABAP, ..)
▪ X.509 certificates are highly interoperable, supporting both SAP and 3rd party
web applications and clients, including many legacy systems
▪ Network encryption is available for SAP GUI and RFC clients
© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 16
X.509 certificates: Process flow
Highly interoperable single sign-on to SAP and non-SAP applications

3 Start desktop client, app or browser and open connection

Authentication scenario
1. (*) User authenticates to
Secure Login Server.
Authentication can be
automatic (using e.g.
4 Kerberos) or manual, even
Business user
based on multiple factors
Certificate-based
1 2 authentication 2. (*) Secure Login Server
SAP GUI & RFC (SNC) returns an X.509 certificate,
Authentication

X.509 valid for a given period of

SAP NetWeaver
certificate Browser (TLS client
AS ABAP time (e.g. a work day)
authentication)
3. User opens a system
NW AS JAVA connection
Browser (TLS client
authentication) 4. X.509 certificate token is
forwarded to the system and
allows authentication
Secure Login Server Other web (*) Steps 1 and 2 are not required if the user
(on AS Java) servers is already in possession of a certificate

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 17

Options for enabling single sign-on with X.509 certificates

Secure Login Server (SLS)

▪ Part of the product SAP Single Sign-On
▪ Provides short-lived certificates to end user desktops and backend systems
▪ Advantage: Enables scenarios such as multi-factor authentication and certificate lifecycle management
▪ Disadvantage: SLS is an additional server component, running on AS Java

Existing certificate
▪ SAP Single Sign-On can use an existing certificate for authentication
▪ Certificate could for example come from a smart card
▪ Advantage: No additional server component required
▪ Disadvantage: Some added-value scenarios of Secure Login Server are not available

Secure Login Server (SLS) with Enterprise PKI integration

▪ SLS can be configured as a registration agent in front of an existing enterprise PKI
▪ Advantage: All SLS scenarios are available. At the same time, the certificate signing process of the existing
PKI remains in place

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 18

Secure Login Server as Registration Authority of an existing PKI

Scenario
▪ Customers that already have an
Provision user enterprise PKI do not want to
certificates establish a second one
Business user ▪ Secure Login Server (SLS)
integrates with existing
Forward request enterprise PKI for both user and
server certificates
▪ Benefits
Return certificate − Certificate signing based on
established PKI and security
Secure Login Server Enterprise PKI
(ADCS* or CMC** compatible) policy
NW AS JAVA − Storage and revocation processes
Renew server certificates
unchanged
− SAP system integration decoupled
from PKI, managed by SLS
SAP NetWeaver *Active Directory Certificate Services
** Certificate management over CMS, RFC 5272

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 19

Extension scenarios for X.509 certificates

Instant user identification based on RFID* token

▪ For warehouse and production scenarios where efficient

authentication is key
▪ Used on shared e.g. kiosk computers
▪ Simple configuration using Microsoft Active Directory to
validate identities
▪ Supports PC/SC and WaveID® RFID reader devices

* Radio Frequency Identification

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 20

X.509 server certificate lifecycle management

SAP NetWeaver uses server-side X.509 certificates for a number of security functions. Depending on the certificate validity,
certificates need to be renewed on a regular basis. Certificate lifecycle management manages the renewal of certificates,
reduces manual efforts, and prevents downtimes.

Process steps
▪ Establish and configure a trust relationship between
SAP NetWeaver and the Secure Login Server
▪ Schedule a job that identifies expiring certificates
and automatically renews them
Benefits
▪ Prevent downtimes caused by expired certificates
▪ Replace error-prone manual steps with a robust
automated process
Additional capabilities
▪ Automated central roll-out of trusted root certificates to the
landscape
▪ Option for integration with existing enterprise PKI

i For a step-by-step guide, see our how-to

video at: https://youtu.be/wi2vBos1KwY

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 21

Configuring X.509 certificate lifecycle management for SAP NetWeaver

The process steps of certificate lifecycle management are triggered from the business system.

SAP NetWeaver AS for ABAP

▪ Report “SSF_CERT_ENROLL” establishes the trust relationship and exchange of metadata between the SAP NetWeaver AS ABAP and
the Secure Login Server
▪ Report “SSF_CERT_RENEW” can be executed both manually or scheduled to check and renew certificates that will expire during the
configured grace period
▪ Certificates and attributes are displayed in transaction STRUST

SAP NetWeaver AS for Java

▪ Certificate lifecycle management is configured in the
Secure Login CLM Cockpit
▪ The cockpit allows customers to register the SAP
NetWeaver AS Java with Secure Login Server, define the
certificates to be managed as part of the enrollment and
schedule jobs to renew certificates on a regular basis
▪ Certificates and attributes are displayed in SAP
NetWeaver Administrator

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 22

Single sign-on based on Security Assertion Markup Language (SAML)
Identity federation and single sign-on for cross-organizational scenarios

▪ Users authenticate to the SAP Identity Provider to retrieve a SAML assertion

▪ SAP web applications accept the assertion as proof of identity
▪ The assertion definition is very flexible and enables the easy mapping of
attributes between systems, for loosely coupled integration across organizations

▪ Supported by browser-based applications on desktop and mobile devices

▪ SAP Identity Provider is based on SAP NetWeaver AS for Java

▪ SAP Identity Provider supports two-factor and risk-based authentication against

different user stores (LDAP, ABAP, ..)
▪ SAML assertions are accepted by a broad range of both SAP and 3rd party web
applications
▪ SAML assertions enable single sign-on during the lifetime of the browser session

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 23

Security Assertion Markup Language (SAML): Process flow
Identity federation and single sign-on for cross-organizational scenarios

1 Start browser and open connection

Authentication scenario
1. User opens a connection to
the business system, which
is configured as a SAML
Service Provider
2. Business system redirects
Business application browser to the IdP
Business user 2 server redirects browser 3. User authenticates to IdP,
to the Identity Provider either automatically (using
3 4
Create SAML assertion e.g. SPNEGO) or manually,
Authentication

5 SAML-based
and redirect back authentication Service Provider (SP),
even based on multiple
to Service Provider e.g. SAP NetWeaver factors
ASNW AS or
ABAP JAVA
Java 4. IdP establishes a security
session, returns a SAML
assertion, and redirects the
browser back to the SP
SAP Identity Provider
(IdP) on AS Java 5. User is authenticated

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 24

Two-factor authentication for X.509 and SAML scenarios

Authentication based on two means of identification

▪ Knowledge of a password
▪ Possession of a physical device, such as a smart phone

Options for the second factor

▪ Time-Based One-Time Password (TOTP) generators
– SAP Authenticator app
– Third-party generators compliant with RFC 6238
▪ Third-party applications supporting the RADIUS protocol,
such as RSA SecurID®
▪ One-time passwords via SMS or e-mail

Usage scenarios
▪ Recommended for systems with high security requirements
▪ Configurable per system or even user
▪ Seamless integration into Secure Login Client for certificate-
based scenarios
Microsoft Authenticator SAP Authenticator
© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 25
Risk-based authentication

Risk-based authentication
▪ Dynamic adjustment of required authentication process during logon
▪ Based on contextual information and configurable rules
▪ Takes a risk-based approach to balance between security and usability

Available contextual information

▪ Client IP address
▪ User roles
▪ Available client certificate
▪ …

Sample scenarios
▪ Allow access only from certain IP ranges
▪ Request 2nd authentication factor if the first authentication step is based
on a password instead of an X.509 certificate
▪ Enforce two-factor authentication for administrators

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 26

Digital signatures on the desktop

Use cases for digital signatures

▪ Authenticity: Confirm that a document was created by a known sender
▪ Integrity: Confirm that a document was not tampered with during
transmission
▪ Non-repudiation: Provide the means for a binding signature that
cannot be denied afterwards

Enhanced client support

▪ In the past, client-side digital signatures required SAP GUI for Windows
▪ SAP Single Sign-On 3.0 introduces a web signer interface that allows
an application to perform client-side digital signatures from a web page,
using plain JavaScript

Benefit
▪ Client-side digital signatures can be triggered from web applications
▪ The JavaScript interface is supported by all modern web browsers
▪ Based on the Secure Login Client, available on Windows and macOS

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 27

Support for macOS

Secure Login Client (SLC) for macOS brings single sign-on based on
X.509 certificates to the macOS platform.

Secure Login Server integration

▪ SLC supports the enrollment of certificates from Secure Login Server to
macOS desktop systems

Multi-factor authentication
▪ Advanced authentication capabilities such as multi-factor authentication and
risk-based authentication are available on macOS

Browser integration
▪ Customers can enroll certificates from Safari on macOS, using the Secure
Login Web Client
▪ Customers can perform digital signatures on the desktop, triggered from a
UI5 web application running in Safari on macOS

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 28

Cryptographic capabilities: SAP CommonCryptoLib
FIPS 140-2 certification

The Federal Information Processing Standard (FIPS) 140-2 is defined by the National Institute of Standards
and Technology (NIST) and specifies quality requirements for cryptographic modules.

Certification details (Cert# 2900)

https://csrc.nist.gov/projects/cryptographic-module-
validation-program/Certificate/2900

FIPS 140-2 validation certificate

http://csrc.nist.gov/groups/STM/cmvp/documents/140-
1/140crt/FIPS140ConsolidatedCertMay2017.pdf

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 29

Hybrid landscapes
Secure authentication and single sign-on
How to decide on the right solution

SAP Single Sign-On and SAP Cloud Identity Services, Identity Authentication both support secure
authentication and single sign-on. While SAP Single Sign-On focuses on employee scenarios, and on-
premise, the Identity Authentication service targets cloud applications beyond the corporate user base.

Solution Supported Supported User types in Specific capabilities Consumption model

SSO clients focus
technologies
SAP Single • Kerberos/ • Browser • Employee • Risk-based authentication • On-premise
Sign-On SPNEGO • Desktop • Digital signatures • Some capabilities require
• X.509 clients • Certificate lifecycle SAP AS Java
certificates management • Some capabilities require
• SAML a desktop client
SAP Cloud • SAML • Browser • Employee • Self-registration • Cloud subscription
Identity • SPNEGO • Partner • User management • Run by SAP
Services, • Social IdP • Branding • Zero footprint on desktop
Identity • Risk-based authentication
Authentication

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 31

Single sign-on technologies in a hybrid system landscape

Technical implications

SAML X.509 Certificates Kerberos/SPNEGO

Cloud • Support for browser • Requires steps on end-user • Requires the end-user
applications desktop for certificate enrollment device to be inside a
• No device or network • Requires custom domain for TLS Windows domain
requirements client authentication to public • Requires configuration
• Requires initial user cloud services on cloud service and
authentication to the Active Directory
identity provider
On-Premise • Support for browser • Support for web and desktop • Support for web and
applications applications desktop applications
• No device or network • Very flexible • Very easy setup
requirements • Supporting fully automated • Supporting fully
• Requires initial user authentication automated authentication
authentication to the
identity provider

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 32

Combining single sign-on solutions in a hybrid system landscape

The best of both worlds can be achieved by combining technologies.

• Use SAP Cloud Identity Services, Identity Authentication

for browser applications, on-premise and cloud

• Use SAP Single Sign-On with X.509 certificates or

Kerberos for desktop clients on-premise

• For access from on-premise desktop to cloud services,

automate authentication to SAP Cloud Identity Services,
Identity Authentication by using Kerberos/SPNEGO or
X.509 certificates

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 33

Summary
Summary

SAP’s comprehensive solutions for single sign-on enable efficient

and secure authentication and access to business applications

Security
▪ Secure authentication and FIPS-certified cryptographic functions
▪ Risk-based authentication and two-factor authentication
▪ Digital signatures

Productivity
▪ Single sign-on to SAP and non-SAP applications
▪ Fast return on investment

Ready for the future

▪ Based on industry standards and state-of-the-art security functions
▪ Supporting hybrid and multi-vendor landscapes
▪ On-premise and in the cloud
© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 35
Where to find more information

SAP Single Sign-On

https://community.sap.com/topics/single-sign-on

Security software
https://community.sap.com/topics/security

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 36

Appendix
Thank you.
Contact information:
Martina Kirschenmann
Product Manager
martina.kirschenmann@sap.com
Follow us

www.sap.com/contactsap

© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.