SAP Security in a Hybrid World. Kiran Kola


Agenda
- Cybersecurity
- SAP Cloud Platform Identity Provisioning service
- SAP Cloud Platform Identity Authentication service
- SAP Cloud Connector and how to achieve Principal Propagation
- Demos

SAP helps protect your digital business
Cybersecurity is a critical element in the digital transformation journey. Transactions and data must be secured throughout the entire end-to-end business process.
1. Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime.
2. Cloud and hybrid cloud environments have become the norm, challenging traditional "protect the four walls" security approaches.
3. Digitally connected supply chains are based on high trust and availability of all parties.
4. The Internet of Things and Big Data bring unprecedented data streams and volumes.
5. Confidentiality, integrity, and availability of data are the basis for secure operations and trusted relationships.

Identity and Access Management as a Service from SAP: solution overview
SAP Cloud Platform offers an end-to-end Identity and Access Management (IAM) solution as a service that helps companies improve the security of their cloud business processes.
SAP Cloud Platform Identity Provisioning
- Automatically sets up and manages user accounts and authorizations in an end-to-end identity lifecycle
- Reuses existing on-premise and cloud user stores
- Integrates with SAP Identity Management
SAP Cloud Platform Identity Authentication
- Simple and secure access to web-based applications
- Enterprise features such as password policies and multi-factor and risk-based authentication
- On-premise user store integration
- Easy consumer and partner on-boarding via self-services

SAP Cloud Platform Identity Provisioning Service

SAP Cloud Platform Identity Provisioning: product description
Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud.
Solution overview
- Manage user accounts and authorizations in a cloud-based service
- Provision identities from user stores in the cloud and on-premise
- Enable business applications to quickly support single sign-on with Identity Authentication
Key value proposition
- Fast and efficient administration of user onboarding
- Centralized end-to-end lifecycle management of corporate identities in the cloud
- Automated provisioning of existing on-premise identities to cloud applications
[Diagram: Identity Provisioning retrieves cloud users and their attributes, retrieves on-premise users and their attributes from the corporate network, and creates accounts and assigns authorizations in the target applications.]

SAP Cloud Platform Identity Provisioning: employee lifecycle management in the cloud
Automated, end-to-end identity lifecycle management for your employees:
- On-boarding: create user accounts, assign authorizations
- Role/position change: update authorizations
- Promotion: update authorizations
- Off-boarding: de-provision the user and their authorizations

SAP Cloud Platform Identity Provisioning: example with SAP SuccessFactors as the source for employee identity data
When an employee record is created in SAP SuccessFactors, Identity Provisioning on-boards the new user to all cloud applications required for the person's role.
On-boarding
- Read the new employee's identity data from SAP SuccessFactors
- Define the initial authorization profile based on authorization policies
- Create user accounts and assign authorizations for the new employee in the relevant business systems
Manage
- Update user details and authorizations automatically to ensure consistency between SAP SuccessFactors identity data and the cloud applications
Off-boarding
- De-provision authorizations
- Off-board employees from the cloud applications

SAP Cloud Platform Identity Provisioning: supported source and target systems
Identity Provisioning supports multiple systems as sources of identity information and forwards identities to any of the listed target systems.
Source systems
- On-premise: SAP NetWeaver Application Server for ABAP; Microsoft Active Directory
- Cloud: SAP SuccessFactors; SAP Cloud Platform Identity Authentication; Microsoft Azure Active Directory
- Generic: SCIM-enabled solution; LDAP server
Target systems
- SAP Cloud Platform
- SAP Cloud Platform Identity Authentication
- SAP Hybris Cloud for Customer
- SAP Jam
- Concur
- Google G Suite
- Microsoft Azure Active Directory
- SCIM-enabled solution
- Cloud Foundry User Account and Authentication (UAA) server
[Diagram: identities flow from the sources into Identity Provisioning and out to the targets; the target-side arrow is labelled SCIM.]

SAP Cloud Platform Identity Provisioning: policy-based authorization management
Assign authorizations in business applications through policy-based mapping of user store attributes.
Authorization policy management
- Simple and flexible policy definition
- Reuses existing user store data:
  Microsoft Active Directory: user attributes and groups
  SAP NetWeaver AS ABAP: user attributes and roles
  SAP Cloud Platform Identity Authentication: user attributes and groups
- Efficient authorization assignment with quick updates

SAP Cloud Platform Identity Provisioning: data transformation modeling
Integrate the identity data models of different applications by defining rules for data transformation:
- Apply a filter to decide which identities are read from the source system and written to the target
- Map attributes between the source and target systems' data models to handle differences in the models
- Modify the format of the data taken from the source system to make it compatible with the target system
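
The three transformation steps above (filter, attribute mapping, format conversion) together with the policy-based group assignment from the previous slide, as an added example in plain Python. This is not SAP code and not the service's transformation JSON: the rule representation, the function names, the GROUP_POLICY table and the two SCIM user records are constructed for the example; the target system keying users by lower-cased e-mail and technical accounts being recognisable by an SVC_ prefix are assumptions.

```python
"""Added example (not SAP code): a minimal model of the Identity Provisioning
transformation steps applied to SCIM 2.0 user records:
filter -> attribute mapping -> format conversion -> policy-based group assignment.
Rule syntax, function names and the records are this example's own constructed data."""

# Constructed sample: two users as read from a source system over SCIM.
SOURCE_USERS = [
    {"userName": "JDOE", "active": True,
     "name": {"givenName": "Jane", "familyName": "Doe"},
     "emails": [{"value": "Jane.Doe@Example.com", "primary": True}],
     "groups": [{"value": "SALES"}, {"value": "ALL_USERS"}]},
    {"userName": "SVC_BATCH", "active": False,
     "name": {"givenName": "Batch", "familyName": "Job"},
     "emails": [],
     "groups": [{"value": "ALL_USERS"}]},
]

# Authorization policy: source group -> target group. Groups with no mapping
# are dropped rather than copied, so an unknown source group never grants access.
GROUP_POLICY = {"SALES": "crm_sales_rep", "ALL_USERS": "portal_user"}


def in_scope(user):
    """Filter step: only active, human accounts are read from the source.
    Technical accounts are recognised by their naming prefix here (assumption)."""
    return bool(user.get("active")) and not user["userName"].startswith("SVC_")


def primary_email(user):
    for entry in user.get("emails", []):
        if entry.get("primary"):
            return entry["value"]
    return None


def transform(user):
    """Mapping + format step: build the target system's SCIM user.
    The target keys users by lower-cased e-mail (assumption), so the source
    login name is kept in externalId for reconciliation and de-provisioning."""
    email = primary_email(user)
    if email is None:
        # Fail the record instead of inventing a userName the target cannot match later.
        raise ValueError(f"{user['userName']}: no primary e-mail, cannot derive target userName")
    full_name = f"{user['name']['givenName']} {user['name']['familyName']}"
    target_groups = sorted({GROUP_POLICY[g["value"]]
                            for g in user.get("groups", []) if g["value"] in GROUP_POLICY})
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": email.lower(),
        "externalId": user["userName"],
        "displayName": full_name,
        "emails": [{"value": email.lower(), "primary": True}],
        "active": True,
        # In real SCIM, membership is written through the Group resource;
        # it is carried inline here only to show the policy mapping.
        "groups": [{"value": g} for g in target_groups],
    }


def provision(source_users):
    """Run the pipeline; returns the records that would be written to the target."""
    return [transform(u) for u in source_users if in_scope(u)]


if __name__ == "__main__":
    for record in provision(SOURCE_USERS):
        print(record["userName"], [g["value"] for g in record["groups"]])
```

The two security-relevant choices are the ones the slide does not spell out: the filter runs before anything is written, so the inactive technical account never reaches the target, and a record that cannot be mapped unambiguously (no primary e-mail) is rejected rather than written with a guessed key, because a guessed key is exactly the account that later fails to be de-provisioned.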

SAP Cloud Platform Identity Provisioning: integration with SAP Identity Management
Existing customers of SAP Identity Management can extend their identity lifecycle management to cover cloud-based scenarios using Identity Provisioning and Identity Authentication.
Recommendation for on-premise landscapes
- SAP Identity Management is optimized for on-premise expectations (customization, performance)
Recommendation for cloud systems
- Identity Provisioning offers a deployment model and simplicity suitable for cloud-based business applications
- Identity Provisioning is the platform for broad cloud integration, allowing customers to efficiently on-board new applications; SAP Identity Management includes only a small set of connectors for cloud applications
Recommendation for hybrid scenarios
- Integrate SAP Identity Management (on-premise) with Identity Provisioning and Identity Authentication (cloud) to benefit from the advantages of both worlds

SAP Cloud Platform Identity Provisioning: demo

SAP Cloud Platform Identity Authentication Service

Identity provider options on SAP Cloud Platform
[Diagram: SAP HANA Cloud Platform (the earlier name of SAP Cloud Platform) trusts identity providers via SAML; users authenticate at the IdP with username/password or X.509, from the Internet or from the corporate network.]
SAP ID Service
- SAP's public IdP on the Internet
- Free service, similar to social IdPs
- Shared user base with SCN, SAP Service Marketplace and other public SAP web sites
- Authentication only, no user lifecycle management
- Default IdP for HCP trial accounts
SAP Cloud Identity (now SAP Cloud Platform Identity Authentication)
- Cloud solution for identity lifecycle management
- Pay per logon request (counted once per day and user)
- Isolated user base per tenant
- User import and export
- Rich customization and branding features
- Main scenarios: B2C and B2B
- Pre-configured trusted IdP for productive HCP accounts
Bring your own identity provider
- Prerequisite: SAML 2.0 compliance*
- Main scenario: B2E
* Product-specific support for further authentication mechanisms, such as Kerberos or X.509

SAP Cloud Platform Identity Authentication: product overview
SAP Cloud Platform Identity Authentication provides secure access to web applications. It is a software-as-a-service (SaaS) offering by SAP.
Access protection
- Identity federation based on SAML 2.0
- Web single sign-on and desktop SSO
- Secure on-premise integration with existing authentication systems
- Social and strong authentication
- Risk-based authentication
Manage users and access to applications
- User administration and integration with on-premise user stores
- User groups and application access management
- User self-services
- Password and privacy policies
Enterprise features for integration
- Branding of end-user UIs
- Programmatic integration via the SCIM standard

Business-to-Employee (B2E) scenario
Identity Authentication for B2E:
- Single sign-on from anywhere and on any device
- User self-service for password reset
- User interface in company look and feel
Administration services
- Corporate branding
- User management
- Application on-boarding
- Template configuration
- Authentication based on common standards like SAML
- Password policy enforcement on application level
[Diagram: employees behind the corporate firewall authenticate at Identity Authentication, which uses Employee Central or a central user store as its user source.]

Business-to-Customer (B2C) and Business-to-Business (B2B) scenario
Identity Authentication for B2C and B2B:
- Self-registration with e-mail confirmation
- Invitation flow
- On-behalf registration
- Single sign-on
- Access on any device from outside the corporate network
- Password reset self-service
- Corporate branding
- Authentication based on trusted standards
- Password policy enforcement on application level
[Diagram: customers and partners outside the firewall authenticate at Identity Authentication.]

Integrating SAP and third-party applications
[Diagram: the SAP Cloud Platform Identity Authentication service provides authentication and SSO to cloud applications (HR and collaboration: SuccessFactors Employee Central, SAP Jam; ERP/CRM: S/4HANA, Cloud for Customer; planning and analytics: IBP, Cloud Analytics; travel; third party: Microsoft Office 365 and Azure), can delegate authentication to social platforms (Facebook, Google, Twitter), and federates with the on-premise corporate IdP; on-premise HCM and SAP Identity Management handle HR-driven authentication and provisioning.]

Secure access and single sign-on
[Diagram: a user logs on once at the Identity Authentication service and gets SSO to SAP S/4HANA Cloud, SAP Mobile Secure, third-party cloud applications, Innovation Management, SAP Cloud Platform applications such as Cloud Portal sites and SAP Document Center, and applications in the corporate network.]

Configurable access levels
Access protection on user level and on application level:
- Public access: self-registration is allowed; social authentication [optional]; user status new, active, inactive, locked
- Internal access: only users already registered are entitled to access
- Private access: only users registered for the application can access

Custom password policy configuration
Custom password policies serve the need to comply with corporate security guidelines:
- Min/max password length
- Password expiration period
- Max period for an unused password
- Min password age
- Number of passwords in history
- Number of failed logon attempts until the user gets locked
- Time period a user stays locked after failed logon attempts

Risk-based authentication
Define authentication rules to control application access. A rule matches on user group membership and/or network IP ranges of the logon, and its result is one of: allow, deny, or require two-factor authentication.
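
The rule evaluation the slide describes, as an added example in plain Python (not SAP code and not the service's configuration format). The Rule class, the group names, the two corporate ranges and the first-match ordering are this example's own assumptions; the point it shows is how the order of rules decides whether an administrator on the corporate LAN gets away with a password only.

```python
"""Added example (not SAP code): first-match evaluation of risk-based
authentication rules. A rule matches on user group membership and/or client
network and yields "allow", "deny" or "2fa" (require a second factor).
Rule format, names and sample data are this example's own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "deny" or "2fa"
    groups: frozenset = frozenset()   # empty = matches any user
    networks: tuple = ()              # empty = matches any client address

    def matches(self, user_groups, client_ip):
        group_ok = not self.groups or bool(self.groups & user_groups)
        net_ok = not self.networks or any(client_ip in n for n in self.networks)
        return group_ok and net_ok


# Constructed corporate address space (assumption).
CORPORATE = (ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.168.0.0/16"))

# Evaluated top to bottom, first match wins. Ordering matters: the
# administrator rule must come before the broader employee rule, otherwise an
# administrator on the corporate LAN would be let in with a password only.
RULES = (
    Rule("2fa", groups=frozenset({"Administrators"})),
    Rule("allow", groups=frozenset({"Employees"}), networks=CORPORATE),
    Rule("2fa", groups=frozenset({"Employees"})),   # employees from the Internet
)
DEFAULT_ACTION = "deny"                              # no rule matched: fail closed


def evaluate(user_groups, client_ip_str, rules=RULES):
    """Return the action for this logon. An unparseable client address is a
    deny, not merely 'not inside any corporate range'."""
    try:
        client_ip = ipaddress.ip_address(client_ip_str)
    except ValueError:
        return "deny"
    groups = frozenset(user_groups)
    for rule in rules:
        if rule.matches(groups, client_ip):
            return rule.action
    return DEFAULT_ACTION


if __name__ == "__main__":
    for who, ip in [({"Employees"}, "10.1.2.3"), ({"Employees"}, "203.0.113.5"),
                    ({"Employees", "Administrators"}, "10.1.2.3"), ({"Partners"}, "10.1.2.3")]:
        print(sorted(who), ip, "->", evaluate(who, ip))
```

One caveat a practitioner should keep in mind with any IP-range rule: the client address must be the one the authentication service sees on the TLS connection (or a forwarded header it has been configured to trust from its own proxy), never a header the browser can set itself.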

Two-factor authentication with SAP Authenticator
Authentication with one-time passwords:
- Provide two means of identification: an OTP is required for login in addition to the password or security token
- Second factor for high-security scenarios
- Based on the SAP Authenticator mobile app
- OTP (6-digit) created on the mobile device
- Available for iOS and Android
- RFC 6238 (TOTP) compatible

Delegated Authentication: SAP Cloud Platform Identity Authentication used as a proxy

Identity Authentication service as a proxy to a corporate IdP
- IdP proxy via the SAML standard, easy to establish
- Authentication is delegated to the corporate identity provider
- Reuse of the existing single sign-on infrastructure
- Easy and secure authentication for business-to-employee (B2E) scenarios
- Federation based on the SAML 2.0 standard
[Diagram: SAP and third-party cloud applications trust the Identity Authentication service via SAML; the service acts as identity provider proxy and forwards the logon to the corporate identity provider in the corporate network, again via SAML.]

Authentication with an on-premise user store
Integrate with an on-premise user store via a secure tunnel:
- User credentials come from Active Directory or a third-party user store
- No user replication to the cloud required
- Internal network ports do not need to be exposed to the Internet
- The usual product features can be used in addition: UI configuration, policies, two-factor authentication
[Diagram: the Identity Authentication service reaches the on-premise user store through the Cloud Connector; in the corporate network, LDAP, SAP NetWeaver AS Java with SAP Single Sign-On, or SAP NetWeaver AS ABAP serve as the user store.]

SPNEGO authentication
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) integrates with Microsoft Windows domain authentication:
- Users already authenticated against the corporate domain enjoy single sign-on to cloud applications without re-authentication
- Reuse of the existing corporate identity infrastructure
- Secure authentication and SSO for cloud and on-premise web applications
- Increased user productivity in B2E scenarios
[Diagram: the browser presents a Kerberos token to the Identity Authentication service via SPNEGO; the service issues a SAML assertion to the applications; the corporate LDAP credentials and SAP NetWeaver AS ABAP stay in the corporate network.]

Social IdP integration
Enable social login with popular identity providers on the Internet:
- Social media authentication, suitable for B2C and B2B scenarios
- Configurable per application
- Linking and unlinking of social accounts
- Logon credentials: social media username and password
[Diagram: applications trust the Identity Authentication service via SAML; the service authenticates the user at the social media IdP via OAuth.]

IdP-initiated SSO
Secure your business network and allow partner users to log in via their corporate IdP:
- SAP Cloud Platform Identity Authentication acts as a proxy to multiple SAML identity providers
- Authentication is initiated by the SAML identity provider
- Upon successful authentication, a check for correct user group assignment can be configured (optional)
[Diagram: user group 1 can access the application via SAML IdP 1, user group 2 via SAML IdP 2; both flows pass through the Identity Authentication service.]

Solution chart: Identity and Access Management (IAM) solution
[Diagram only.]

SAP Cloud Platform Identity Authentication: demo

SAP Cloud Connector & Principal Propagation

Secure back-end connectivity with the SAP Cloud Platform Cloud Connector
- Establishes a secure, TLS-encrypted tunnel (SSL VPN) between SAP Cloud Platform and on-premise systems
- The connection is created by the on-premise agent through a reverse-invoke process, so no inbound port has to be opened on the corporate firewall
- Supports a pre-configured destination API and certificate inspection to safeguard against forgeries
- Complementary to SAP Gateway, Cloud Integration and third-party integration suites, both on-premise and in the cloud
[Diagram: SAP Cloud Platform (cloud, including HANA XS) connects through the Cloud Connector; HTTP(S), RFC and LDAP traffic reaches SAP and non-SAP back-end systems in the corporate network; a reverse proxy sits in the demilitarized zone (DMZ).]

Principal Propagation: introduction
Principal Propagation means the ability to forward the user context of a message unchanged from the sender (the cloud application server) to the receiver (the SAP back end), so that the back end executes the request as the original user rather than as a shared technical user.

SCP: authentication and single sign-on, log in and Principal Propagation
Five steps to make back-end data available on SCP:
1. Prerequisite: mutual SAML trust between SP and IdP. 1a) SP = SCP (account trust); 1b) IdP, e.g. SCI (SAP Cloud Identity, i.e. the Identity Authentication service), issuing a SAML assertion with the user ID or a LOGIN_NAME attribute.
2. Prerequisite: SAP Cloud Connector (SCC). Virtual host mapping, system certificate, and for Principal Propagation the CA certificate, the user mapping and the subject pattern.
3. Prerequisite: ABAP system. SSL server requesting a client certificate, trust setup for the SCC's system certificate, and user-ID mapping to the ABAP user (EXTID_DN or CERTRULE).
4. Prerequisite: SCP destination. A configured destination with Principal Propagation enabled.
5. Log in to SCP and propagate the principal to the back end: 5a) log in based on the SAML assertion; 5b) the user ID is mapped from the SCP bearer assertion to an X.509 certificate in the SCC; 5c) the X.509 user ID from the SCC is mapped to the actual ABAP user.
[Diagram: the account member logs in through the Account Cockpit to the SCP customer account, which subscribes to a service/application in the SCP provider account; the SCC admin configures the trust and the destination; SCI customer tenants hold the application users and the SCI SAP tenant the SCP users; data requests flow from the cloud through the SCC to the on-premise ABAP back end.]

SCP: authentication and single sign-on, Principal Propagation in detail (mutual SSL trust and SAML / X.509 forwarding)
1. Tunnel from SCC to SCP: trust is established automatically.
2. Browser to SCP: the browser validates the SSL server certificate; SCP trusts any client on the SSL level and authenticates the user by the SAML assertion from the IdP.
3. SCP to SCC: trust is established automatically; the principal is propagated by a SAML bearer assertion from the IdP.
4. SCC to ABAP back end: by default the SCC trusts any SSL server (optional: whitelist setup for specific SSL servers). The ABAP side presents the ICM's SSL server certificate, requests a client certificate matching its certificate list, and trusts the client according to the profile parameters (icm/https/trust_client_with...).
5. Propagation by the forwarded X.509 user certificate (ssl_client_cert header): the X.509 user certificate is mapped to the ABAP user ID via EXTID_DN or CERTRULE.
[Diagram: SSL sessions browser -> SCP, SCP -> SCC, SCC -> (Web Dispatcher) -> ABAP; Principal Propagation runs application user -> SAML assertion -> SAML bearer assertion -> client certificate issued by the SCC CA -> forwarded user certificate -> mapping -> ABAP user.]
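
The two user-ID mappings of steps 5b and 5c, and the trust check that makes step 5 safe, as an added example in plain Python. This is not SAP code: the placeholder style of the subject pattern follows the Cloud Connector UI (e.g. ${name}), but the CERTRULE regex, the EXTID_DN dictionary, the DN strings, the user list and the function names are this example's own constructed data. A real ICM additionally verifies the forwarded certificate's chain against its trust configuration; the example reduces that to an issuer-DN comparison.

```python
"""Added example (not SAP code): the Principal Propagation user-ID chain.
(1) SCC side: derive the subject of the short-lived X.509 client certificate
    from the SAML principal with a subject pattern.
(2) ABAP side: map the forwarded certificate's subject DN to an ABAP user,
    by exact DN (EXTID_DN style) or by a rule on the DN (CERTRULE style),
    but only if the TLS peer presenting the header is the SCC itself.
Rule syntax, names and sample data are this example's own."""
import re

# Only the Cloud Connector's system certificate may present a forwarded user
# certificate. Anyone else sending an ssl_client_cert header is ignored; this
# is what the ABAP-side trust setup for the SCC system certificate enforces.
TRUSTED_INTERMEDIARY = "CN=scc.example.com, OU=SCC, O=Example"   # constructed
SCC_CA = "CN=SCC CA, O=Example"      # issuer of the short-lived user certificates (constructed)

SUBJECT_PATTERN = "CN=${name}, OU=SCC, O=Example"
EXTID_DN = {"CN=jdoe, OU=SCC, O=Example": "JDOE"}                  # explicit DN -> user entries
CERTRULE = re.compile(r"^CN=(?P<cn>[^,]+), OU=SCC, O=Example$")    # rule: the CN is the user name
ABAP_USERS = {"JDOE", "ASMITH"}                                     # existing users (constructed)


def subject_from_pattern(pattern, principal):
    """SCC side: fill the placeholders. A login name containing DN syntax
    characters would let the user append RDNs (e.g. ', OU=Admins'), so refuse it."""
    def fill(match):
        value = principal[match.group(1)]
        if re.search(r'[,=+"\\<>;]', value):
            raise ValueError(f"unsafe character in attribute {match.group(1)!r}: {value!r}")
        return value
    return re.sub(r"\$\{(\w+)\}", fill, pattern)


def is_safe_principal(principal, pattern=SUBJECT_PATTERN):
    """True if the principal can be turned into a certificate subject without injection."""
    try:
        subject_from_pattern(pattern, principal)
        return True
    except (ValueError, KeyError):
        return False


def map_to_abap_user(tls_peer_subject, forwarded_subject, forwarded_issuer):
    """ABAP side: return the ABAP user, or None when the request must not run as
    anyone. Explicit DN entries win over the rule; the rule only yields users
    that exist, so it cannot create access for an unknown CN."""
    if tls_peer_subject != TRUSTED_INTERMEDIARY:
        return None        # header presented by an untrusted TLS client: ignored
    if forwarded_issuer != SCC_CA:
        return None        # user certificate not issued by the SCC CA
    if forwarded_subject in EXTID_DN:
        return EXTID_DN[forwarded_subject]
    match = CERTRULE.match(forwarded_subject)
    if match:
        user = match.group("cn").upper()
        return user if user in ABAP_USERS else None
    return None


def propagate(principal, tls_peer_subject=TRUSTED_INTERMEDIARY):
    """End to end: SAML principal -> certificate subject (5b) -> ABAP user (5c)."""
    subject = subject_from_pattern(SUBJECT_PATTERN, principal)
    return map_to_abap_user(tls_peer_subject, subject, SCC_CA)


if __name__ == "__main__":
    print(propagate({"name": "jdoe"}), propagate({"name": "asmith"}), propagate({"name": "nobody"}))
```

The check on the TLS peer is the one that matters most in practice: the ssl_client_cert header is just text, so an ABAP system that accepts it from any HTTPS client (or a Web Dispatcher in between that forwards it from the Internet) lets anyone pick their ABAP user. The header may only be honoured on a connection whose client certificate is the SCC system certificate, which is why step 3 of the previous slide requires that trust setup before Principal Propagation is switched on.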

Summary
Administrators
- No need to manage a separate user store for cloud-based applications
- No user provisioning required
- Wide range of options for implementing the IdP
- Integration with the IdP via well-known and proven security protocols
- Identity Provisioning provides a seamless integration of new cloud applications into identity lifecycle management
- Identity Provisioning offers fast time-to-value and low TCO
Developers
- Out-of-the-box integration for authentication and SSO
- No coding required, configuration only
- Simple APIs for Java, HTML5 and HANA XS to retrieve federated user attributes
Users
- Single sign-on to browser-based applications running on SAP Cloud Platform
- No need for a separate user account and password in the cloud
Together with the SAP Cloud Platform Identity Authentication service, Identity Provisioning enables customers to run identity and access management in a cloud consumption model.