SAP Security in a Hybrid World
Kiran Kola
Agenda
- Cybersecurity
- SAP Cloud Platform Identity Provisioning service
- SAP Cloud Platform Identity Authentication service
- SAP Cloud Connector & how to achieve Principal Propagation
- Demos
SAP helps protect your digital business
Cybersecurity is a critical element in the Digital Transformation journey. Transactions and data must be secured throughout the entire end-to-end business process.
1. Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime
2. Cloud and hybrid cloud environments have become the norm, challenging traditional "protect the four walls" security approaches
3. Digitally connected supply chains are based on high trust and availability of all parties
4. The Internet of Things and Big Data bring unprecedented data streams and volumes
5. Confidentiality, integrity, and availability of data are the basis for secure operations and trusted relationships
Identity and Access Management as a Service from SAP
Solution overview
SAP Cloud Platform offers an end-to-end Identity and Access Management (IAM) solution as a service that helps companies improve the security of their cloud business processes.
SAP Cloud Platform Identity Provisioning
- Automatically sets up and manages user accounts and authorizations in an end-to-end identity lifecycle
- Re-uses existing on-premise and cloud user stores
- Integrates with SAP Identity Management
SAP Cloud Platform Identity Authentication
- Simple and secure access to web-based applications
- Enterprise features such as password policies and multifactor and risk-based authentication
- On-premise user store integration
- Easy consumer and partner on-boarding via self-services
SAP Cloud Platform Identity Provisioning Service
SAP Cloud Platform Identity Provisioning
Product description
Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud.
Solution overview
- Manage user accounts and authorizations in a cloud-based service
- Provision identities from user stores in the cloud and on-premise
- Enable business applications to quickly support single sign-on with Identity Authentication
Key value proposition
- Fast and efficient administration of user onboarding
- Centralized end-to-end lifecycle management of corporate identities in the cloud
- Automated provisioning of existing on-premise identities to cloud applications
Diagram: Identity Provisioning retrieves cloud users and their attributes, retrieves on-premise users and their attributes from the corporate network, and creates accounts and assigns authorizations in the target applications.
SAP Cloud Platform Identity Provisioning
Employee life-cycle management in the cloud
Automated, end-to-end identity life-cycle management for your employees:
- On-boarding: create user accounts, assign authorizations
- Role/position change: update authorizations
- Promotion: update authorizations
- Off-boarding: de-provision user and authorizations
SAP Cloud Platform Identity Provisioning
Example: SAP SuccessFactors as the source for employee identity data
When an employee record is created in SAP SuccessFactors, Identity Provisioning on-boards the new user to all cloud applications required for the person's role.
On-boarding
- Read the new employee's identity data from SAP SuccessFactors
- Define the initial authorization profile based on authorization policies
- Create user accounts and assign authorizations for the new employee in the relevant business systems
Manage
- Update user details and authorizations automatically to ensure consistency between SAP SuccessFactors identity data and cloud applications
Off-boarding
- De-provision authorizations
- Off-board employees from the cloud applications
SAP Cloud Platform Identity Provisioning
Supported source and target systems
Identity Provisioning supports multiple systems as sources of identity information and forwards identities to any of the listed target systems.
Source systems
- On-premise: SAP NetWeaver Application Server for ABAP, Microsoft Active Directory
- Cloud: SAP SuccessFactors, SAP Cloud Platform Identity Authentication, Microsoft Azure Active Directory
- Generic: SCIM-enabled solution, LDAP server
Target systems
- SAP Cloud Platform
- SAP Cloud Platform Identity Authentication
- SAP Hybris Cloud for Customer
- SAP Jam
- Concur
- Google G Suite
- Microsoft Azure Active Directory
- SCIM-enabled solution
- Cloud Foundry User Account and Authentication Server
Diagram: identities flow from the source systems into Identity Provisioning and on to the target systems over SCIM.
SAP Cloud Platform Identity Provisioning
Policy-based authorization management
Assign authorizations to business applications through policy-based mapping of user store attributes.
Authorization policy management
- Simple and flexible policy definition
- Reuses existing user store data:
  - Microsoft Active Directory: user attributes and groups
  - SAP NetWeaver AS ABAP: user attributes and roles
  - SAP Cloud Platform Identity Authentication: user attributes and groups
- Efficient authorization assignment with quick updates
SAP Cloud Platform Identity Provisioning
Data transformation modeling
Integrate identity data models of different applications by defining rules for data transformation:
- Apply a filter to decide which identities are read from the source system and written to the target
- Map attributes between the source and target systems' data models to handle differences in the models
- Modify the format of the data taken from the source system to make it compatible with the target system
Diagram: source system -> SCIM -> SAP Cloud Platform Identity Provisioning (filter, attribute mapping, format conversion) -> SCIM -> target system.
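The three transformation rules above (filter, attribute mapping, format change) together with the policy-based group-to-role mapping from the previous slide, worked through on constructed SCIM 2.0 user records. This is an added illustration, not Identity Provisioning's own transformation syntax; the dotted-path notation, the `ROLE_POLICY` table and the sample users are assumptions made here.

```python
import re

# Constructed sample: two SCIM 2.0 users as read from a source system (not real data).
SOURCE_USERS = [
    {"id": "1001", "userName": "JDoe", "active": True,
     "name": {"givenName": "Jane", "familyName": "Doe"},
     "emails": [{"value": "Jane.Doe@Example.com", "primary": True}],
     "phoneNumbers": [{"value": "+1 (555) 010-0001", "type": "work"}],
     "groups": [{"display": "Sales"}, {"display": "Contractors"}]},
    {"id": "1002", "userName": "BLee", "active": False,
     "emails": [{"value": "bob.lee@example.com", "primary": True}],
     "groups": [{"display": "Finance"}]},
]

# Hypothetical authorization policy: source group -> target role; unmapped groups grant nothing.
ROLE_POLICY = {"Sales": "CRM_SalesRep", "Finance": "CRM_Viewer"}

def get_path(obj, path):
    # Read a dotted path; numeric segments index into lists ("emails.0.value").
    for key in path.split("."):
        if isinstance(obj, list) and key.isdigit() and int(key) < len(obj):
            obj = obj[int(key)]
        elif isinstance(obj, dict):
            obj = obj.get(key)
        else:
            return None
    return obj
def set_path(obj, path, value):
    # Write a dotted path into nested dicts, creating intermediate objects.
    *parents, last = path.split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[last] = value
def e164(phone):
    # Format conversion: normalise a free-form phone number to E.164.
    return "+" + re.sub(r"\D", "", phone)

# Attribute mapping: (source path, target path, optional format conversion).
MAPPINGS = [
    ("userName", "userName", str.lower),
    ("name.givenName", "name.givenName", None),
    ("name.familyName", "name.familyName", None),
    ("emails.0.value", "emails", lambda v: [{"value": v.lower(), "primary": True}]),
    ("phoneNumbers.0.value", "phoneNumbers", lambda v: [{"value": e164(v), "type": "work"}]),
]

def transform(user):
    target = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for src, dst, convert in MAPPINGS:
        value = get_path(user, src)
        if value is not None:  # attributes missing at the source are skipped
            set_path(target, dst, convert(value) if convert else value)
    groups = [g.get("display") for g in user.get("groups", [])]
    target["roles"] = sorted({ROLE_POLICY[g] for g in groups if g in ROLE_POLICY})
    return target
def provision(users):
    # Filter: only active source identities are written to the target.
    return [transform(u) for u in users if u.get("active")]
```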
SAP Cloud Platform Identity Provisioning
Integration with SAP Identity Management
Existing customers of SAP Identity Management can extend their identity lifecycle management to cover cloud-based scenarios using Identity Provisioning and Identity Authentication.
Recommendations for on-premise landscapes
- SAP Identity Management is optimized for on-premise expectations (customization, performance)
Recommendations for cloud systems
- Identity Provisioning offers a deployment model and simplicity suitable for cloud-based business applications
- Identity Provisioning is the platform for broad cloud integration, allowing customers to efficiently on-board new applications
- SAP Identity Management includes a small set of connectors for cloud applications
Recommendations for hybrid scenarios
- Integrate SAP Identity Management with Identity Provisioning to benefit from the advantages of both worlds
Diagram: SAP Cloud Platform Identity Provisioning & Identity Authentication (cloud) integrated with SAP Identity Management (on-premise).
SAP Cloud Platform Identity Provisioning
DEMO
SAP Cloud Platform Identity Authentication Service
Identity provider options on SAP Cloud Platform
Diagram: applications on the SAP HANA Cloud Platform trust an identity provider via SAML; users authenticate at the IdP with user name/password or X.509 from the Internet or from the corporate network.
SAP ID Service
- SAP's public IdP on the Internet
- Free service, similar to social IdPs
- Shared user base with SCN, SAP Service Marketplace and other public SAP web sites
- Authentication only - no user lifecycle management
- Default IdP for HCP trial accounts
SAP Cloud Identity
- Cloud solution for identity lifecycle management
- Pay-per-logon-requests (counted once per day and user)
- Isolated user base per tenant
- User import and export
- Rich customization and branding features
- Main scenarios: B2C and B2B
- Pre-configured trusted IdP for productive HCP accounts
Bring your own identity provider
- Prerequisite: SAML 2.0 compliance*
- Main scenario: B2E
* Product-specific support for authentication mechanisms, such as Kerberos, X.509
SAP Cloud Platform Identity Authentication
Product overview
SAP Cloud Platform Identity Authentication provides secure access to web applications. It is a software as a service (SaaS) offering by SAP.
Access protection
- Identity federation based on SAML 2.0
- Web single sign-on and desktop SSO
- Secure on-premise integration with existing authentication system
- Social and strong authentication
- Risk-based authentication
Manage users and access to applications
- User administration and integration with on-premise user stores
- User groups and application access management
- User self-services
- Password and privacy policies
Enterprise features for integration
- Branding of end user UIs
- Programmatic integration via the SCIM standard
Business-to-Employee Scenario (B2E)
Diagram: employees reach Identity Authentication from inside and outside the firewall; Identity Authentication draws on Employee Central or a central user store.
Identity Authentication for B2E:
- Single sign-on from anywhere and on any device
- User self-service for password reset
- User interface in company look & feel
- Administration services: corporate branding, user management, application on-boarding, template configuration
- Authentication based on common standards like SAML
- Password policy enforcement on application level
Business-to-Customer (B2C) and Business-to-Business (B2B) Scenario
Diagram: customers and partners outside the firewall authenticate at Identity Authentication and get single sign-on to the applications.
Identity Authentication for B2C and B2B:
- Self-registration with e-mail confirmation
- Invitation flow
- On-behalf registration
- Single sign-on
- Access on any device from outside the corporate network
- Password reset self-service
- Corporate branding
- Authentication based on trusted standards
- Password policy enforcement on application level
Integrating SAP and 3rd-party applications
Identity access management
Diagram: the SAP Cloud Platform Identity Authentication Service provides authentication and SSO to the cloud applications and can delegate authentication to social platforms or to the on-premise IdP.
- HR & Collaboration: SF Employee Central, Jam
- ERP, CRM: S4HANA, C4C Cloud for Customer
- Planning & Analytics: IBP, Cloud Analytics
- 3rd party: Microsoft Office365, Azure; Travel
- Social platforms (delegated authentication): Facebook, Google, Twitter
- On-premise: HCM and Identity Management (HR, IDM) acting as IdP, providing authentication and provisioning
Secure Access and Single Sign-on
Identity access management
Diagram: users log on once (user name/password) at the Identity Authentication Service and get single sign-on to SAP S/4HANA Cloud, SAP Mobile Secure, 3rd-party cloud applications, Cloud Innovation Management, applications on SAP Cloud Platform, Cloud Portal sites, SAP Document Center and other applications in the corporate network.
Configurable access levels
Identity access management
Access protection on user level and on application level:
- Public access: self-registration is allowed; social authentication [optional]
- Internal access: only users already registered are entitled to access
- Private access: only users registered for the application can access
User status: new, active, inactive, locked
Custom password policy configuration
Identity access management
Custom password policies serve the need to comply with corporate security guidelines:
- Min/max password length
- Password expiration period
- Max period for unused password
- Min password age
- Number of passwords in history
- Number of failed logon attempts until the user gets locked
- Time period a user stays locked due to failed logon attempts
Risk-based authentication
Identity access management
Define authentication rules to control application access.
- Conditions: user group membership and/or network IP ranges of the logon
- Actions: Allow, Deny, Two-factor authentication
Two-factor authentication with SAP Authenticator
Identity access management
Authentication with one-time passwords:
- Provide two means of identification: OTP required for login in addition to password or security token
- Second factor for high-security scenarios
- Based on the SAP Authenticator mobile app
- OTP (6-digit) created on the mobile device
- Available for iOS and Android
- RFC 6238 compatible
Delegated Authentication
SAP Cloud Platform Identity Authentication used as a proxy
Identity Authentication service as a proxy to a corporate IdP
Delegated authentication
IdP proxy via the SAML standard, easy to establish:
- Authentication is delegated to the corporate identity provider
- Reuse of existing single sign-on infrastructure
- Easy and secure authentication for business-to-employee (B2E) scenarios
- Federation based on the SAML 2.0 standard
Diagram: applications (SAP and 3rd-party cloud) trust the Identity Authentication Service via SAML; acting as identity provider proxy, the service forwards the logon via SAML to the corporate identity provider in the corporate network.
Authentication with on-premise user store
Delegated authentication
Integrate with an on-premise user store via a secure tunnel:
- User credentials from Active Directory or a 3rd-party user store
- No user replication to the cloud required
- Internal network ports do not need to be exposed to the Internet
- In addition, the usual product features can be used: UI configuration, policies, two-factor authentication
Diagram: applications -> Identity Authentication Service -> Cloud Connector -> on-premise user store (LDAP, SAP NW JAVA + SAP SSO, SAP NetWeaver AS ABAP) in the corporate network.
SPNEGO authentication
Delegated authentication
SPNEGO*: integrate with MS Windows domain authentication
- Users authenticated with corporate LDAP enjoy single sign-on to cloud applications without re-authentication
- Reuse of existing corporate identity infrastructure
- Secure authentication and SSO for cloud and on-premise web applications
- Increase user productivity in B2E scenarios
Diagram: the user presents a Kerberos token via SPNEGO to the Identity Authentication Service, which is backed by the corporate LDAP credentials in the corporate network and issues a SAML assertion to the applications.
* Simple and Protected GSSAPI Negotiation Mechanism
Social IdP integration
Delegated authentication
Enable social login with popular identity providers in the Internet:
- Social media authentication
- Suitable for B2C, B2B scenarios
- Configurable per application
- Linking and unlinking of social accounts
Diagram: applications trust the Identity Authentication Service via SAML; the service delegates the logon via OAuth to the social media IdPs, where the logon credentials are the social media username & password.
IdP-initiated SSO
Delegated authentication
Secure your business network and allow partner users to log in via their corporate IdP:
- SAP Cloud Platform Identity Authentication acts as a proxy to multiple SAML identity providers
- Authentication is initiated by the SAML identity provider
- Upon successful authentication, a check for correct user group assignment can be configured (optional)
Diagram: user group 1 can access via SAML IdP 1, user group 2 via SAML IdP 2; both IdPs federate into the Identity Authentication Service, which grants access to the application.
Solution Chart
Identity and Access Management (IAM) solution
SAP Cloud Platform Identity Authentication
DEMO
SAP Cloud Connector & Principal Propagation
Secure backend connectivity with the SAP Cloud Platform Cloud Connector
- Establishes a secure VPN connection between the SAP Cloud Platform and on-premise systems
- Connectivity is created by the on-premise agent through a reverse-invoke process
- Supports pre-configured destination API and certificate inspection to safeguard against forgeries
- Complementary to SAP Gateway, Cloud Integration and 3rd-party integration suites, both on-premise and in the cloud
Diagram: SAP Cloud Platform (XS applications) reaches the SAP/non-SAP back-end system(s) via HTTP(S) and RFC through the SAP Cloud Platform Cloud Connector; the picture also shows a reverse proxy, LDAP, the demilitarized zone (DMZ) and the corporate network.
Principal Propagation
Introduction
Principal Propagation means the ability to forward the user context of a message unchanged from the sender to the receiver.
Diagram: Application Server -> SAP Backend.
SCP: Authentication and Single Sign-On
Log in and Principal Propagation: 5 steps to make back-end data available on SCP
1. Prerequisite: mutual SAML trust between SP and IdP. SAML trust is set up between 1a) the SP = SCP and 1b) the IdP, e.g. SCI; the SAML assertion carries the user ID or a LOGIN_NAME attribute.
2. Prerequisite: SAP Cloud Connector (SCC). Virtual host mapping, system certificate; for Principal Propagation: CA certificate, mapping and pattern.
3. Prerequisite: ABAP system. SSL server requesting a client certificate, trust setup for SCC's system certificate, user ID mapping to the ABAP user (EXTID_DN or CERTRULE).
4. Prerequisite: SCP destination. Configured destination with Principal Propagation enabled.
5. Log in to SCP, Principal Propagation to the back-end: 5a) log in based on the SAML assertion, 5b) user ID mapped from the SCP bearer assertion to X.509 in SCC, 5c) X.509 user ID from SCC mapped to the actual ABAP user.
Diagram: the account member logs in to the SCP account cockpit and the application (account trust to the customer's SCI tenant, platform trust to the SAP SCI tenant); the application user's data requests go through the configured destination and the SCC trust relationship (SCP Connector, administered by the SCC admin) to the on-premise ABAP back-end, where they run as the mapped ABAP user.
SCP: Authentication and Single Sign-On
Principal Propagation in detail (mutual SSL trust, and SAML / X.509 forwarding)
SSL sessions and propagation steps:
1) SCC to SCP: tunnel established from SCC to SCP (trust established automatically).
2) Browser to SCP: the browser validates the SSL server certificate; HCP trusts any client on the SSL level. The application user is authenticated by the SAML assertion from the IdP.
3) SCP to SCC (trust established automatically). Propagation by SAML bearer assertion from the IdP.
4) SCC to ABAP back-end. SCC: by default, any SSL server is trusted; optional: whitelist setup for specific SSL servers. ABAP: presents ICM's SSL server certificate, requests a client certificate matching the certificate list, and trusts clients matching the profile parameters (icm/https/trust_client_with...).
5) Propagation by forwarded X.509 user certificate (ssl_client_cert header); mapping of the X.509 user certificate to the ABAP user ID via EXTID_DN or CERTRULE.
Diagram: browser (SSL client) -> SCP (SSL server; customer account with service/application and destination) -> SCC (SSL server towards SCP, SSL client towards the back-end; WebDispatcher) -> back-end ABAP (SSL server, CA). The Principal Propagation chain is SAML assertion -> SAML bearer assertion -> forwarded user certificate -> ABAP user mapping.
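The identity hand-offs of steps 5a to 5c, modelled end to end as an added example: the user attribute is read from the SAML bearer assertion, rendered into the X.509 subject DN by an SCC-style subject pattern, and mapped to the ABAP user in the EXTID_DN or CERTRULE manner, with the forwarded ssl_client_cert identity accepted only from a trusted TLS client. This is illustration code, not SCC's or the ABAP ICM's implementation; the assertion, the `${...}` pattern syntax, the DNs and the user tables are constructed here.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned SAML assertion standing in for the one the IdP issues at SCP login
# (step 5a). Signature validation is done by SCP and is out of scope here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1">
  <saml:Subject><saml:NameID>P000123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="LOGIN_NAME"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    # Collect the subject NameID and every attribute the bearer assertion carries
    root = ET.fromstring(xml_text)
    attrs = {"NameID": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return attrs

# Step 5b (SCC): the subject pattern names which assertion attribute becomes the CN of the
# short-lived user certificate. The ${...} pattern syntax is hypothetical.
SUBJECT_PATTERN = "CN=${LOGIN_NAME}, O=Example Corp, C=DE"
def scc_subject_dn(attrs, pattern=SUBJECT_PATTERN):
    def fill(match):
        value = attrs.get(match.group(1))
        if value is None:
            raise ValueError("assertion lacks attribute " + match.group(1))
        if not re.fullmatch(r"[A-Za-z0-9._@-]+", value):   # no DN separators from user data
            raise ValueError("attribute value not allowed in a DN: " + value)
        return value
    return re.sub(r"\$\{(\w+)\}", fill, pattern)

# Step 5c (ABAP): the two mapping styles named on the slide, modelled as plain tables.
EXTID_DN = {"CN=jdoe, O=Example Corp, C=DE": "JDOE"}  # explicit DN -> user (EXTID_DN style)
CERTRULE_ATTRIBUTE = "CN"                              # rule: the CN is the user ID (CERTRULE style)
def parse_dn(dn):
    return dict(part.strip().split("=", 1) for part in dn.split(","))

def abap_user_from_cert(subject_dn, tls_client_trusted):
    # The forwarded certificate arrives in the ssl_client_cert header. It may only be
    # believed when the TLS client (SCC's system certificate) matches the trust list;
    # otherwise any caller reaching the port could assert an arbitrary identity.
    if not tls_client_trusted:
        raise PermissionError("ssl_client_cert header from untrusted TLS client")
    if subject_dn in EXTID_DN:
        return EXTID_DN[subject_dn]
    return parse_dn(subject_dn)[CERTRULE_ATTRIBUTE].upper()

def propagate(assertion_xml, tls_client_trusted=True):
    # End to end: SAML bearer assertion -> X.509 subject in SCC -> ABAP user
    return abap_user_from_cert(scc_subject_dn(assertion_attributes(assertion_xml)), tls_client_trusted)
```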
Summary
Administrators
- No need to manage a separate user store for cloud-based applications
- No user provisioning required
- Wide range of options for implementing the IdP
- Integration with the IdP via well-known and proven security protocols
- Identity Provisioning provides a seamless integration of new cloud applications into the identity lifecycle management
- Identity Provisioning offers fast time-to-value and low TCO
Developers
- Out-of-the-box integration for authentication and SSO
- No coding required, configuration only
- Simple APIs for Java, HTML5 and HANA XS to retrieve federated user attributes
Users
- Single sign-on to browser-based applications running on SAP Cloud Platform
- No need for a separate user account and password in the cloud
Together with the SAP Cloud Platform Identity Authentication service, Identity Provisioning enables customers to run identity and access management in a cloud consumption model.