Embed Size (px)
SAP Cloud Identity ServiceSecure Authentication, Single Sign-On and User Management in the Cloud
December 2015
Introduction
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 3Public
SAP Cloud Identity ServiceIn the SAP IT application security product portfolio
SAPBusiness
Suite
SAP CloudApplications
SAP MobileApplications
3rd PartySystems
SAP HANA Platform SAP NetWeaver Application Server
SAP AccessControl
SAP IdentityManagement
Make it simple for users to dowhat they are allowed to do.
Know your users and whatthey can do.
SAP SingleSign-On
Ensure corporatecompliance to
regulatory requirements.
PlatformSecurity
Make sure that SAPsolutions run securely
SAP EnterpriseThreat Detection
Counter possible threats andidentify attacks.
Add-On for CodeVulnerability
Analysis
Find and correctvulnerabilities in customer
code.
SAP CloudIdentity service
Manage the identity life-cyclein the cloud.
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 4Public
Capabilities
SAP Cloud Identity ServiceIn the SAP HANA® Cloud Platform landscape
Integration User Experience Analytics
Dev & Ops Security Collaboration
Data & Storage Business Services Mobile
Internet of Things
SAP HANA® Cloud Platform(PaaS)
Runtimes
HANA XS
HCP Servers (IaaS)1
2
1) beta functionality 2) planned innovations / future direction
On-Premise /Managed Cloud
SaaS
SAP S/4HANA
SAP BusinessSuite
SAP BusinessWarehouse
SAP S/4HANA
SuccessFactors
SAP Cloud forCustomer
SAP Data Centers
Ariba
Hybris
Concur
…
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 5Public
RealtimeMobile
Today’s world is…
Always-on
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 6Public
Today
...anytime and anywhere,
business people….
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 7Public
sharepresent reviewdecide
travel
prepareapprovereadwrite
negotiatelearn
show
sellview
Today
purchase
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 8Public
Username
************ Logon
…need access to many applications…
Today
…take a coffee and logon
at their workplace or outside
”80% of employees report needingaccess to work documents from outsidethe office”1
1. BusinessWire.com “New Survey Finds Over Half of Employees Use Unauthorized Consumer Based File-Sharing Apps at Work” (SkyDox survey)
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 9Public
…how manytimes a day
Today
… how manypasswords to
remember?
Username
************
Logon
Username
************
Logon
Username
************
Logon
Username
************
Logon
Username
************ Logon
Username
************ Logon
Username
************ Logon
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 10Public
Today
49%51%
Traditional Data Centers
Cloud Data Centers
1. Cisco Study http://www.zdnet.com/article/cisco-projects-data-center-cloud-traffic-to-triple-by-2017/2. IDC FutureScape: Worldwide IT Industry 2016 Predictions — Leading Digital Transformation to Scale
“2014 is the first year when the majority ofworkloads(51%) shift to the cloud”1
Cloud applications bring competitiveadvantage to businesses
“By 2018, at Least Half of IT Spending Will BeCloud Based, Reaching 60% of All ITInfrastructure and 60-70% of All Software,Services, and Technology Spending by 2020”2
Tomorrow
Product Overview
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 12Public
SAP Cloud Identity ServiceProduct overview
SAP Cloud Identity service:
ü Secure access via the internet
ü Web & mobile Single Sign-On
ü Identity Federation andAuthentication
ü Social and strong authentication
ü Central User Store
ü Branding and policies
ü User self-services
ü On-premise integration
SAP Cloud Identity
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 13Public
SAP Cloud Identity ServiceBusiness-to-Consumer scenario
ü Secure access and Single Sign-On across sites (based onSAML)
ü User self-services§ Configurable User Registration form§ Account activation with email verification§ Password reset§ User Profile page
ü Social Logon - Account linking/unlinkingü Unified user experience optimized for all devicesü Flexibility out-of-the-box§ Configurations per web application§ Branding (logo and colors)§ Own Privacy Policy and Terms of Use§ Password Policy
ü Central User Management§ Import existing users
Logon******
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 14Public
SAP Cloud Identity ServiceBusiness-to-Employee scenario
ü Secure access and Single Sign-On across cloud or on-premise web applications (based on SAML)
ü Central User Managementü Rich choice of authentication methods:§ Two-factor Authentication and Mobile SSO§ Authentication against
- Corporate User Store (LDAP, NW)- Other Identity Provider
§ SPNEGO authentication - no login required afterauthentication in the corporate domain
ü User self-services§ Account activation via email§ Password reset§ User Profile page
ü Unified user experience optimized for all devicesü Flexibility of configurations per applicationü Branding and Policies
Logon******
Corporate Network
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 15Public
Secure Access and Single Sign-OnAccess to cloud and on-premise web applications
SAP HANA®
Cloud Platform
SAP S/4HANA,cloud
Cloud Portal Sites
SAP MobileDocuments
Applications
Logon
other cloud
SAP Cloud Identity
Corporate Network
******
Other
SAPNetworkedLogistics Hub
SAP MobileSecure SAP
InnovationManagement
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 16Public
Secure Access and Single Sign-OnWeb Single Sign-On
SAP Cloud Identity
1
2
3
if correct
browser
new tab
new tab
Username
************
Logon
Identity Federation and Authenticationü User credentials give access to multiple applications§ Users have one username and password to remember§ Customers/Partners register once
ü Developers don’t need to build user management foreach in-house built application
ü IT does not need to manage disconnected silos of usersfor each application
ü Based on industry standard – SAML 2.0ü Authentication mechanisms applied centrallyWeb Single Sign-Onü Improved user productivity
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 17Public
Authentication Methods and User Store Variants1. SAP Cloud Identity as a cloud user store
Applications
Other Cloud
SAP Cloud Identity
Logon
******
Cloud User Store
ü Suitable for all scenarios B2E, B2B,B2C
ü Secure authentication and SSO forcloud and on-premise web apps
ü Self-services as registration, forgotpassword, User Profile page
ü Social logon and Two-FactorAuthentication
ü Branding and policies per applicationü Web User Managementü User groupsü Logon credentials§ email/userID/username§ password
SAML
SAML
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 18Public
Authentication Methods and User Store Variants1. SAP Cloud Identity as a cloud user store - Logon
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 19Public
Authentication Methods and User Store Variants1. SAP Cloud Identity as a cloud user store – Registration
or direct Register link
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 20Public
Authentication Methods and User Store Variants2. Social Authentication
Applications
Other Cloud
SAP Cloud Identity
Social Media Authentication
ü Suitable for B2C, B2B scenariosü Enabling per applicationü Linking and unlinking of Social
accounts possibleü Logon credentials§ Social Media username§ Social Media password
OAuth
Social MediaIdPs
SAML
SAML
Logon
******Logon
******
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 21Public
For Business-to-Consumer or Business-to-Partner Scenarios
Authentication Methods and User Store Variants2. Social Authentication – Logon
if logged in into Social media site
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 22Public
Authentication Methods and User Store Variants3. Two-Factor Authentication with SAP Authenticator
Applications
Other Cloud
SAP Cloud Identity
Two-Factor Authentication withOne-Time Passwords
ü Provides two means of identificationü Second factor required for high
security scenarios (HR, Bank,sensitive data access, apps for powerusers)
ü Configurable per applicationü Mobile SSO with SAP Authenticatorü Logon credentials§ email/userID/username§ Password
+§ 6 digit One-Time Password generated on
a mobile device
SAML
SAML
Logon
******Logon
passcode
username
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 23Public
Authentication Methods and User Store Variants3. Two-Factor Authentication with SAP Authenticator
Based on SAP Authenticator (free) Mobile Appü Generates 6-digit One-Time Passcodesü Available for iOS and Androidü RFC 6238 compatibleü Enables Mobile SSO
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 24Public
For Business-to-Partner or Business-to-Employee Scenarios
Authentication Methods and User Store Variants3. Two-Factor Authentication with SAP Authenticator
SAP Authenticator(free app - iOS and
Android)
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 25Public
Authentication Methods and User Store Variants3. Mobile Single Sign-On for applications with Two-Factor Authentication
1
3. Subsequent Logons to thisapplication via SAP Authenticatorwon’t require entering Username,One-Time Passcode and Password (ifRemember me marked)
Username
************
Logon
ü Remember me
Onetime setup:1. Add a web application to SAP
Authenticator2. Open the application from the SAP
Authenticator – enter password andoptionally mark Remember me
Prerequisites:The user has activated the mobile device for Two-factor Authentication on SAP AuthenticatorThe application has Two-Factor Authentication enabled and IdP-Initiated SSO is enabled on Tenant level
3
2
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 26Public
Authentication Methods and User Store Variants4. SAP Cloud Identity as a proxy to a Corporate Identity Provider
CorporateIdentityProvider
Applications
Other Cloud
SAP Cloud Identity
Corporate Network
SAML Identity Provider Proxyü Authentication to cloud applications is
redirected to corporate Identity Providerlogin
ü Reusing existing corporate identityinfrastructure
ü Easy and secure authentication forexternalized Business-to-Employee(B2E) scenarios
ü Identity Provider options:§ SAML 2.0 compliant IDP§ SAP SSO(benefit from native apps, web and
mobile SSO)§ Microsoft ActiveDirectory FS 2.0
ü Logon credentials§ IDP username§ IDP password
SAML
SAML
Logon
******
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 27Public
Applications
SAP Cloud Identity
Corporate Network
Corporate On-premise User Storeü Users Credentials from:§ MS Active Directory§ Different User Stores – via SAP NetWeaver
AS JAVA- with SAP SSO -> to SAP NetWeaver AS ABAP- multiple Microsoft Active Directories
ü Replication and synchronization of userrecords to the cloud not required
ü Internal network ports do not need to beexposed to the Internet
ü External users can register and can bestored in the cloud
ü All SAP Cloud Identity features can beused: Branding, customizations andpolicies, 2FA
Prerequisites§ SAP HANA ® Cloud Platform Account§ SAP Cloud Connector
Authentication Methods and User Store Variants5. Corporate on-premise user store
Tunnel
SAP HANA®
Cloud Platform
or
SAP NWJAVA
SAP SSO
LDAP+
AS ABAP
SAML
Logon
******
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 28Public
Authentication Methods and User Store Variants5. Corporate on-premise user store - Logon
LDAP credentials
or
cloud credentials
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 29Public
Applications
SAP Cloud Identity
Corporate Network
SPNEGO* Authenticationü Users authenticated with Corporate LDAP
Credentials on their Desktops are gettingSingle Sign-On to cloud applicationswithout the need to enter their credentials
ü Reusing existing corporate identityinfrastructure
ü Secure authentication and SSO for cloudand on-premise web apps
ü Increase user productivity in B2EScenarios
Authentication Methods and User Store Variants6. SPNEGO Authentication
LDAP
AS AAP
Corporate LDAPcredentials
Kerberostoken
*Simple and Protected GSSAPI Negotiation Mechanism
HTTPS (SPNEGO)
SAML
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 30Public
Logon
******
LDAP Credentials
1
2
without login
Corporate Network
Authentication Methods and User Store Variants6. SPNEGO Authentication
For Business-to-Employee Scenarios inside Corporate Network
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 31Public
ü Forgot passwordü Configurable self-registrationü User Profile page§ Mobile device activation (for 2FA)§ Change password
ü Account activationü Upgrade accountü Invitation and on-behalf
registration (via REST API)
User Self-Services
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 32Public
Branding and CustomizationConfigurable per application
ü Logo and Colors§ On UIs§ In e-mails
ü Terms of Use & Privacy policyü Password policyü Multi-language support
DE, EN, ES, FR, JA, KO, NL, PL, PT, RU, ZH
Responsive UIs
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 33Public
Branding and CustomizationConfigurable Registration Form per application
More info: Documentation
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 34Public
Access Levels and Authentication MethodsConfigurable per application
Public Access+ Social Logon forCustomers/Partners
Strong Authentication with a second factor -One-Time Passcode
Private Access
SAP Authenticator(free app - iOS and
Android)
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 35Public
Administration Console FunctionalityOverview
Applications Configurationsü Identity Provider and SAML settingsü Application accessü Authentication optionsü Policies – ToU, Privacy, Passwordü Branding(logo and colors)ü Email templatesü Registration form(add fields)
User Managementü Administrators (users and admin roles)ü User administrationü User groupsü Users Import per applicationü Users Downloadü APIs – SCIM User Search, Invite,
Register
Usage ReportingChange Logsü CSV download
Responsive UI (SAP Fiori)
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 36Public
Administration Console FunctionalityUser Management
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 37Public
Administration Console FunctionalityUser Management
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 38Public
Administration Console FunctionalityAdministrators Roles
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 39Public
SAP HANA® Cloud Platform and SAP Cloud Identity IntegrationEasy SAML Trust configuration with just a click of a button
Trust configuration integration:ü The Trust can be easily configured in the
SAP HCP Cockpit Trust section - SAPCloud Identity will be added as defaultTrusted IDP just by clicking a button
ü In SAP Cloud Identity Admin Console –the SAP HCP account is added as anapplication (SP)
ü Customers have Login out-of-the-box toprotected SAP HCP applications andother SAP HCP services
SAP HCP Account
*For customers using SAP Cloud Identity and SAP HANA® Cloud Platform
Enterprise Aspects
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 41Public
SAP Cloud Identity runs in SAP manageddatacenter infrastructure§ World-class data center located in:
§ St. Leon-Rot (2) and Walldorf
§ Advanced network security§ Reliable data backup§ Built-in compliance, integrity, and confidentiality
SAP Cloud Identity Data Center Presence
SAP Cloud Identity Data Centers
Rot/Walldorf
http://www.sapdatacenter.com/ SAP HANA Cloud Data Centers
Ashburn
Sydney
Phoenix
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 42Public
AuthenticateVarious authentication
methods possible
ProtectPassword policies and
option to use strongauthentication
CentralizeManage centrallyuser profiles and
the user access toapplications
EncryptData encryption fordata-in-motion and
sensitive data-at-rest
SAP Cloud Identity Security Aspects
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 43Public
SAP Cloud Identity Enterprise Service Levels
24/7Global Support
99.9%Service Availability
2 weeksRelease Cycle
Customer Reference
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 45Public
SAP Runs SAP: Enabling Simple and Secure Authenticationand Identity Management with SAP® Cloud Identity
CompanySAP SE
HeadquartersWalldorf, Germany
IndustryHigh tech
Products and ServicesEnterprise software and services
Employees74,000
Revenue€16.82 billion
Web Sitewww.sap.com
Objectives� Offer single sign-on (SSO) to applications for SAP employees for things like HR tasks, external cloud applications like
the SAP® Jam™ social software platform, and public Web sites like www.sap.com� Avoid disconnected silos of users for every site or application� Strengthen security by unifying authentication across the enterprise� Avoid multiple logins for employees and multiple registrations for external users� Reduce total cost of ownership (TCO)
Resolution� Developed a central authentication and SSO software-as-a-service based on open industry standards and protocols� Created a universal user interface that supports all devices, from smartphones to desktop computers� Authenticated external users through a cloud user store and SAP employees through an on-premise corporate user
store� Onboarded more than 1,000 applications with SAP’s tenant of the SAP Cloud Identity service� Offered SAP Cloud Identity as the authentication, SSO, and user management security service for SAP HANA® Cloud
Platform
Benefits� Improved internal and external user productivity and the user experience through uniform logon and SSO to cloud
applications� Simplified access via social logon and self-services like registration and password reset for SAP customers and
partners� Increased security through centralized user management and password policy enforcement� Lowered TCO and reduced risks with a single authentication and user management system that replaced the various
systems across the enterprise and cloud
>8.5 millionRegistered users
~1,000Applications onboarded
~150,000Active users every week
“SAP Cloud Identity service is a great catalyst for our transition to a cloud company. It combines secureauthentication and efficient identity management for all of our target groups: employees, customers,partners, and public users.”Charles Carney, Project Lead, SAP IT, SAP SE
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 46Public
SAP Runs SAP: SAP Cloud Identity Service @SAPSecure logon and SSO for internal and external websites and apps
>8,5 mil registered users
~1000 applications
Community Network~150,000 active users/week
public websites and SAP internal apps
http://sap.com
https://www.sapstore.com/Jam
HANA® Cloud Platform
+ many others
Further Information
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 48Public
SAP Cloud Identity ServiceUseful Information
SAP Cloud Identity on hcp.sap.comSAP Cloud Identity on SCNSAP Cloud Identity Service - Solution BriefSAP Cloud Identity Roadmap on SAP Service Market Place (SMP)
Video Tutorials via SAP HANA Academy SeriesSAP Cloud Identity online helpSAP Cloud Identity How-to Guides on SCNSAP Cloud Identity Demo in SAP Demo Store
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 49Public
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or anSAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademarkinformation and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or itsaffiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE orSAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothingherein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop orrelease any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible futuredevelopments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time forany reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to placeundue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
