
Marko Sommer, SAP

October 25th, 2016

SAP HANA Cloud Platform Identity Authentication International Focus Group for SAP Security, Data Protection & Privacy

Customer

Legal disclaimer

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.


Agenda

Introduction

Delegate authentication from SAP Cloud applications to Identity Authentication

Identity federation with on-premise user stores in hybrid scenarios

Stronger means of authentication

Demo

Outlook

Introduction


SAP HANA Cloud Platform Identity Authentication in the SAP security portfolio (Introduction)

[Slide figure: portfolio overview. Platforms shown: SAP Business Suite, SAP HANA Cloud Platform, SAP NetWeaver Application Server, SAP HANA, SAP S/4HANA, SAP Cloud Applications, 3rd party systems. On-premise security products: SAP Access Control, SAP Identity Management, SAP Single Sign-On, Platform Security ("Make sure that SAP solutions run securely"), SAP Enterprise Threat Detection ("Counter possible threats and identify attacks"), Add-On for Code Vulnerability Analysis ("Find and correct vulnerabilities in customer code"). Further taglines on the slide: "Make it simple for users to do what they are allowed to do", "Know your users and what they can do", "Ensure corporate compliance to regulatory requirements". Cloud services: SAP HANA Cloud Platform Identity Authentication, SAP HANA Cloud Platform Identity Provisioning*, SAP Cloud Identity Access Governance (access analysis service), grouped as "Manage access, users and compliance in the cloud".]


Aspects for identity access management in hybrid scenarios (Introduction)

• Protect: control application access and apply various authentication methods
• Integrate: seamlessly integrate into existing single sign-on infrastructure
• Manage: centrally manage user profiles and allow self services


Product overview (Introduction)

SAP HANA Cloud Platform Identity Authentication (the Identity Authentication Service) provides secure access to web applications. It is a software as a service (SaaS) offering by SAP.

Access protection
• Identity federation based on SAML 2.0
• Web single sign-on and desktop SSO
• Secure on-premise integration with existing authentication system
• Social and strong authentication
• Risk-based authentication

Manage users and access to applications
• User administration and integration with on-premise user stores
• User groups and application access management
• User self-services
• Password and privacy policies

Enterprise features for integration
• Branding of end user UIs
• Programmatic integration via SCIM standard

Delegate authentication from SAP Cloud applications to Identity Authentication


Secure access and single sign-on (Identity access management)

[Slide figure: the user logs on once at the Identity Authentication Service, from the corporate network or from a 3rd party cloud, and gets single sign-on to applications on SAP HANA Cloud Platform: SAP S/4HANA cloud, Cloud Portal sites, SAP Document Center, SAP Mobile Secure, Innovation Management and other applications.]


User self-services (User management & user self-services)

Convenient user self-services
• Configurable self-registration
• Account confirmation via email
• Forgot password
• User profile
  • Edit details & change password
  • Mobile device activation (for TFA)
  • (Un-)Link social accounts

Product features
• Responsive UIs
• Multilanguage support

User self-services reduce TCO, especially for B2C and B2B scenarios.


Branding and customization (User management & user self-services)

Customization features
• Company logo
• Application name and logo
• Color style
• Terms of use & privacy policy
• Adjust UI texts via API
• Mail templates (account confirmation, forgot password, and others)

Product features
• Responsive UIs
• Multilanguage support

User interface, email templates and registration policies can be adjusted to corporate needs.


Custom password policy configuration (Identity access management)

Custom password policies
• Min/max password length
• Password expiration period
• Max period for unused password
• Min password age
• Number of passwords in history
• Number of failed logon attempts until the user gets locked
• Time period a user stays locked due to failed logon attempts

Custom password policies serve the need to comply with corporate security guidelines.

Identity federation with on-premise user stores in hybrid scenarios


Identity Authentication Service as a proxy to a corporate IdP (Delegated authentication)

Identity provider proxy
• Authentication is delegated to the corporate identity provider login
• Reuse of existing single sign-on infrastructure
• Easy and secure authentication for business-to-employee (B2E) scenarios
• Federation based on the SAML 2.0 standard

[Slide figure: the user logs on at the corporate identity provider inside the corporate network; the Identity Authentication Service federates with it via SAML and in turn issues SAML assertions to the applications, including 3rd party cloud applications.]

IdP proxy via the SAML standard: easy to establish


Authentication with on-premise user store (Delegated authentication)

On-premise user store
• User credentials from Active Directory or a 3rd party user store
• No user replication to the cloud required
• Internal network ports do not need to be exposed to the Internet
• In addition, the usual product features can be used: UI configuration, policies, two-factor authentication

[Slide figure: the user logs on at the Identity Authentication Service; the service reaches, through the Cloud Connector, SAP NetWeaver in the corporate network (AS Java + SAP SSO, or AS ABAP) and the LDAP user store behind it, and then signs the user on to the applications.]

Integrate with an on-premise user store via a secure tunnel


SPNEGO authentication (Delegated authentication)

SPNEGO* authentication
• Users authenticated with corporate LDAP enjoy single sign-on to cloud applications without re-authentication
• Reuse of existing corporate identity infrastructure
• Secure authentication and SSO for cloud and on-premise web applications
• Increase user productivity in B2E scenarios

[Slide figure: the user holds a Kerberos token obtained with corporate LDAP credentials; AS ABAP in the corporate network accepts it via SPNEGO, and SAML federation between AS ABAP, the Identity Authentication Service and the applications completes the sign-on.]

* Simple and Protected GSSAPI Negotiation Mechanism

SPNEGO: integrate with MS Windows domain authentication

Stronger means of authentication


Risk-based authentication (Identity access management)

[Slide figure: at logon, the service evaluates authentication rules on the client's network IP range and the user's group membership; the outcome is Deny, Allow, and/or Two-factor authentication.]

Rule inputs
• Network IP ranges
• User group membership

Rule outcomes
• Deny
• Allow
• and/or Two-factor authentication

Define authentication rules to control application access
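The rule evaluation the slide sketches, as an added Python example that is not SAP's code: rules on client IP range and group membership are checked in priority order, the first match decides deny/allow/two-factor, and an unparsable client IP fails closed to the default. The CIDR ranges, group names and default are constructed samples, not a real tenant configuration.

```python
import ipaddress
from dataclasses import dataclass

ALLOW, DENY, TWO_FACTOR = "allow", "deny", "two-factor"


@dataclass(frozen=True)
class Rule:
    """One authentication rule: `action` applies when every listed condition
    holds.  An empty ip_ranges / groups tuple means "any IP" / "any group"."""
    action: str
    ip_ranges: tuple = ()   # CIDR strings such as "10.0.0.0/8"
    groups: tuple = ()      # user group names

    def matches(self, ip, user_groups):
        nets = [ipaddress.ip_network(r) for r in self.ip_ranges]
        if nets and not any(ip in n for n in nets):
            return False
        if self.groups and not set(self.groups) & set(user_groups):
            return False
        return True


def evaluate(rules, client_ip, user_groups, default=DENY):
    """Return the action of the first matching rule (rules are ordered by
    priority).  Fails closed: a client IP that does not parse gets `default`."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return default
    for rule in rules:
        if rule.matches(ip, user_groups):
            return rule.action
    return default


# Constructed sample policy for one application (hypothetical, not SAP's).
# Order matters: the stricter administrator rule sits above the broad
# corporate-network rule, otherwise admins on the LAN would skip the OTP.
SAMPLE_RULES = (
    Rule(TWO_FACTOR, groups=("Administrators",)),               # admins: OTP everywhere
    Rule(ALLOW, ip_ranges=("10.0.0.0/8", "192.168.0.0/16")),    # corporate LAN: password only
    Rule(TWO_FACTOR, groups=("Employees",)),                    # employees off-network: OTP
)                                                               # everyone else: default deny

if __name__ == "__main__":
    for ip, groups in [("10.1.2.3", ["Employees"]), ("203.0.113.5", ["Employees"]),
                       ("10.1.2.3", ["Administrators", "Employees"]), ("bad-ip", [])]:
        print(ip, groups, "->", evaluate(SAMPLE_RULES, ip, groups))
```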


Two-factor authentication with SAP Authenticator (Identity access management)

Authentication with one-time passwords
• Provide two means of identification
• OTP required for login in addition to password or security token
• Second factor for high security scenarios

Based on SAP Authenticator mobile app
• OTP (6-digit) created on mobile device
• Available for iOS and Android
• RFC 6238 compatible

Demo: SAP HANA Cloud Platform Identity Authentication Service (IAS) in use

1. IAS as authenticating authority
2. IdP Proxy
3. Risk-based authentication

Outlook


SAP HANA Cloud Platform Identity Authentication product road map overview: key themes and capabilities

This is the current state of planning and may be changed by SAP at any time.

Today (Q3 2016)

Authentication & single sign-on
• Identity Federation and web single sign-on based on SAML
• Social Authentication and Inbound Federation
• Risk-Based and Two-Factor Authentication
• Desktop SSO (SPNEGO)
• On-premise integration

User and Access Management
• Web user administration and on-premise user store integration
• User Groups
• Convenient user self-services
• SCIM API

Enterprise features
• Corporate Branding of UIs and Privacy Policies
• Usage reporting
• US and EU Data Center

Planned Innovations

Authentication & single sign-on
• Two-Factor Authentication with SMS and email
• OpenID Connect support
• X.509 authentication
• OAuth protection of APIs

User and Access Management
• Custom password policies
• Custom user attributes
• User profile page customization
• Integration with SAP Identity Management

Enterprise features
• Troubleshooting and Audit Logs
• Privacy policies version management
• Custom mail service
• APJ Data center
• Disaster Recovery

Future Direction

Authentication & single sign-on
• Mobile native scenarios
• Two-Factor Authentication with RSA
• Reusable Risk-Based Authentication policies
• API based authentication flow
• Custom extension framework
• Security token service

User and Access Management
• Delegated Administration (B2B)
• Approval for self-registration and implicit User Group assignment
• Just-in-time provisioning

Enterprise features
• Extended Data center coverage
• Advanced reporting and monitoring

Thank you

Contact information:
Marko Sommer
Project Expert
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
[email protected]


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.