SAP Single Sign-On Product Overview

Technologies and scenarios

PUBLIC, 2017

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

Agenda

SAP security products portfolio
SAP Single Sign-On product overview
Technologies and scenarios
▪ Kerberos
▪ X.509 certificates
▪ Security Assertion Markup Language (SAML)
Features and capabilities
Summary

SAP security products portfolio

The SAP security portfolio

Secure access
▪ SAP Single Sign-On
▪ SAP Cloud Platform Identity Authentication

Secure code
▪ SAP NetWeaver AS, add-on for code vulnerability analysis

Detect attacks
▪ SAP Enterprise Threat Detection

Manage users and permissions
▪ SAP Identity Management
▪ SAP Access Control
▪ SAP Cloud Platform Identity Provisioning
▪ SAP Cloud Identity Access Governance

Secure access

Preventing unauthorized access to your business systems is crucial for security. Single sign-on solutions offer secure, convenient single login for all business applications, on-premise as well as in the cloud.

▪ SAP Single Sign-On
▪ SAP Cloud Platform Identity Authentication

Manage users and permissions

Handling users and permissions can be a challenge in heterogeneous and hybrid landscapes. Centralized solutions help you implement a compliant identity management approach.

▪ SAP Identity Management
▪ SAP Access Control
▪ SAP Cloud Platform Identity Provisioning
▪ SAP Cloud Identity Access Governance

Secure code

How can you protect custom ABAP code in your on-premise landscape? Code vulnerability analysis tools enable you to fix security loopholes.

▪ SAP NetWeaver AS, add-on for code vulnerability analysis

Detect attacks

Internal and external cyber attacks are on the rise. SAP Enterprise Threat Detection lets you monitor your system landscape in real time.

▪ SAP Enterprise Threat Detection

SAP Single Sign-On product overview

Customer needs and value proposition

▪ Single Sign-On – authenticate just once for secure and user-friendly access to multiple SAP and non-SAP applications, on-premise and in the cloud
▪ From anywhere – including mobile devices and different desktop systems
▪ Security – introduce security measures to meet corporate and regulatory requirements
▪ Low cost – leverage the benefits of quick implementation and low cost of ownership

Benefits in detail

Security
▪ Secure authentication with one strong password, optionally with additional factors
▪ Eliminates the need for password reminders on post-it notes
▪ All passwords kept in one protected, central place

Cost efficiency
▪ Efficiency gains as users only need to remember one password
▪ Higher productivity due to reduced efforts for manual authentication, password reset, helpdesk interaction, …
▪ Low TCO of running a secure landscape through management of server-side certificates

Simplicity
▪ Lean product, fast implementation project, quick ROI
▪ No more need to provision, protect, and reset passwords across many systems
▪ No longer requires management of password policies across many systems

Support for on-premise and hybrid landscapes

Simple and secure access
▪ Single sign-on for SAP desktop clients and web applications
▪ Single sign-on for mobile devices
▪ Support for cloud and on-premise landscapes

Secure data communication
▪ Encryption of data communication for SAP GUI and other desktop clients
▪ Digital signatures
▪ FIPS 140-2 certification of cryptographic functions

Advanced security capabilities
▪ Two-factor and risk-based authentication
▪ Authentication with smart cards or RFID tokens
▪ Simplified lifecycle management of server-side certificates

Technologies and scenarios

Supported authentication modes

Single sign-on
▪ Authenticate once to an authentication server (MS Active Directory, AS ABAP, ...)
▪ The returned security token confirms your identity for each subsequent login to business applications

Multiple sign-on
▪ Authenticate each time you access a business application
▪ Authentication against a central authentication server, not the business application itself

Multi-factor authentication
▪ In addition to knowledge of information (password), authentication requires a physical element (possession of a mobile phone, RSA SecurID card, etc.)
▪ Implementation option for both single sign-on and multiple sign-on

Focus on simplicity

Security capabilities must be easy to implement and use. Customers should not have to weigh the implementation efforts against the benefits of running a secure landscape. That’s why simplicity is key for SAP Single Sign-On.

Simple software roll-out
▪ The cryptographic library is shipped and updated as part of the regular SAP Kernel
▪ The desktop client is installed using SAPSetup and can be easily integrated into the SAP GUI roll-out
▪ No need to install add-ons, no need to modify ABAP sources

Simple configuration
▪ You can use the standard ABAP transactions SPNEGO and SNCWIZARD for the configuration
▪ It is no longer necessary to work on the server command line

Simple operations
▪ SAP Single Sign-On is tightly integrated into the SAP NetWeaver stack, re-using its existing, proven infrastructure and security framework

SSO made easy: Simplification tutorials

SAP Single Sign-On is quick and easy to set up with straightforward implementation processes and automated guidance. Take a look at the following video tutorials:
▪ Single sign-on with Kerberos
▪ Single sign-on with X.509 certificates
▪ Certificate lifecycle management for SAP NetWeaver Application Server ABAP

Suggested playlist: All SAP Single Sign-On videos on YouTube

Kerberos
Secure access to SAP business applications – at a low TCO

▪ Implementation option based on user authentication to the Microsoft Windows domain during desktop login
▪ Active Directory provides a Kerberos security token that SAP business applications accept as proof of identity
▪ Supported on desktop systems (Windows, OS X) and mobile devices (iOS) that are part of a Windows domain
▪ Requires access to the corporate network
▪ Users need to have an account in Active Directory
▪ Very fast implementation, very low TCO, no additional server required
▪ Single sign-on for SAP NetWeaver, covering web-based and desktop clients such as SAP GUI, Business Client, RFC client applications such as SAP Analysis for Office, SAP HANA database, and many more
▪ Network encryption is available for SAP GUI and RFC clients

Kerberos: Process flow
Single sign-on based on the corporate Windows domain

Authentication scenario
1. User authenticates to the Windows domain
2. Active Directory provides a Kerberos security token to the user
3. User opens a system connection using a native client or browser
4. The Kerberos token is forwarded to the system using SNC (for SAP GUI and RFC clients) or SPNEGO (for browsers). The Kerberos token is validated offline on the server; no connection to AD is required

(Diagram: the business user's Windows login (1) obtains the Kerberos security token from Microsoft Active Directory (2); the user starts a desktop client, app or browser and opens the connection (3); SAP GUI & RFC clients connect via SNC and browsers via SPNEGO to SAP NetWeaver AS ABAP and SAP NetWeaver AS Java, which perform the Kerberos authentication (4).)
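The operational point of step 4 is that the SAP server validates the Kerberos token with the key it already holds (its service key from the keytab configured for SNC/SPNEGO) and needs no round trip to Active Directory at logon time. The following Python example is added here and is not SAP's or Microsoft's code: it is a deliberately simplified model of that property, in which the issuer and the service share one long-term key, a keyed HMAC stands in for the Kerberos ticket encryption, and the validating function receives nothing but the service's own key. The principal names, key, lifetime and token layout are constructed for the example.

```python
"""Simplified model of offline Kerberos token validation (added example).

NOT a Kerberos implementation: real tickets are encrypted under the service
key and carry a session key used for mutual authentication. What the model
keeps is the property the slide relies on: the service validates a token
using only the long-term key it shares with the KDC (its keytab entry).
All names, keys and times below are constructed."""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed: the SAP system's service principal and its keytab key.
SERVICE_PRINCIPAL = "SAP/sapprd.corp.example@CORP.EXAMPLE"
KEYTAB_KEY = os.urandom(32)          # stands in for the key stored in the keytab


def issue_token(kdc_key: bytes, client: str, service: str, now: float,
                lifetime_s: int = 8 * 3600) -> str:
    """KDC side (Active Directory in the slide): bind client, service and
    validity window together under the key shared with the service."""
    body = {"cname": client, "sname": service,
            "authtime": int(now), "endtime": int(now) + lifetime_s}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(kdc_key, raw, hashlib.sha256).digest()
    return base64.b64encode(raw).decode() + "." + base64.b64encode(tag).decode()


def validate_token(keytab_key: bytes, token: str, expected_service: str,
                   now: float, max_skew_s: int = 300):
    """Service side (SAP NetWeaver AS): check the token offline.

    Returns the client principal on success, or None. The function takes no
    KDC address: the service's own keytab key is all it needs."""
    try:
        raw_b64, tag_b64 = token.split(".")
        raw = base64.b64decode(raw_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:
        return None                      # malformed token
    expected = hmac.new(keytab_key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # modified, forged, or issued under another key
    body = json.loads(raw)
    if body.get("sname") != expected_service:
        return None                      # ticket was issued for a different service
    if now >= body["endtime"] + max_skew_s:
        return None                      # expired (allowing for clock skew)
    if body["authtime"] > now + max_skew_s:
        return None                      # issued in the future: clock problem
    return body["cname"]


if __name__ == "__main__":
    now = time.time()
    tok = issue_token(KEYTAB_KEY, "alice@CORP.EXAMPLE", SERVICE_PRINCIPAL, now)
    print(validate_token(KEYTAB_KEY, tok, SERVICE_PRINCIPAL, now))
```

The checks that matter for a defender are the ones that fail closed: a token for another service, an expired token, or a token under a different key all yield None, and none of them required contacting the domain controller. The remaining step on a real SAP system, mapping the authenticated principal to an SAP user, is outside this model.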

X.509 certificates
Highly interoperable single sign-on to SAP and non-SAP applications

▪ Implementation option where users authenticate to Secure Login Server (SLS) to retrieve a short-lived X.509 certificate, or reuse already available certificates
▪ User authentication to SLS can be manual or automated, based on an existing Windows authentication or an authenticated web browser session
▪ SAP business applications accept the certificate as proof of identity
▪ Supported on desktop (Windows, OS X) and mobile devices (iOS, Android)
▪ Secure Login Server is not required if certificates are already available to users
▪ Secure Login Server is a lean alternative to introducing a full-blown PKI
▪ Secure Login Server supports two-factor and risk-based authentication, and different user stores (LDAP, ABAP, ...)
▪ X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients, including many legacy systems
▪ Network encryption is available for SAP GUI and RFC clients

X.509 certificates: Process flow
Highly interoperable single sign-on to SAP and non-SAP applications

Authentication scenario
1. (*) User authenticates to Secure Login Server. Authentication can be automatic (using e.g. Kerberos) or manual, even based on multiple factors
2. (*) Secure Login Server returns an X.509 certificate, valid for a set period of time (e.g. a work day)
3. User opens a system connection
4. The X.509 certificate token is forwarded to the system and allows authentication

(*) Steps 1 and 2 are not required if the user is already in possession of a certificate

(Diagram: the business user authenticates to Secure Login Server on AS Java (1) and receives the X.509 certificate (2); the user starts a desktop client, app or browser and opens the connection (3); SAP GUI & RFC clients connect via SNC and browsers via TLS client authentication to SAP NetWeaver AS ABAP and other web servers, which perform certificate-based authentication (4).)

Options for enabling SSO with X.509 certificates

Existing certificate
▪ SAP Single Sign-On can use an existing certificate for authentication
▪ The certificate could come from a smart card or be pre-deployed on the device
▪ Advantage: No new server component is required
▪ Disadvantage: Some added-value scenarios of Secure Login Server are not available

Secure Login Server (SLS)
▪ Part of the product SAP Single Sign-On
▪ Provides certificates to end user desktops, mobile devices and backend systems
▪ Advantage: Enables scenarios such as multi-factor authentication and certificate lifecycle management
▪ Disadvantage: SLS is an additional server component, running on AS Java

Secure Login Server (SLS) with Enterprise PKI integration
▪ SLS can be configured as a registration agent in front of an existing enterprise PKI
▪ Advantage: All SLS scenarios are available. At the same time, the certificate signing process of the existing PKI remains in place
▪ Disadvantage: Depends on capabilities of the enterprise PKI, such as the supported number of profiles

Secure Login Server as Registration Authority of an existing PKI

Scenario
▪ Customers that already have an enterprise PKI do not want to establish a second one
▪ Secure Login Server (SLS) integrates with the existing enterprise PKI for both user and server certificates

Benefits
▪ Certificate signing based on established PKI and security policy
▪ Storage and revocation processes unchanged
▪ SAP system integration decoupled from PKI, managed by SLS

(Diagram: Secure Login Server provisions user certificates to the business user and renews server certificates for SAP NetWeaver Application Server ABAP; it forwards each request to the enterprise PKI (ADCS* or CMC** compatible), which returns the certificate.)

* Active Directory Certificate Services
** Certificate management over CMS, RFC 5272

Extension scenarios for X.509 certificates

Instant user identification based on RFID token (Radio Frequency Identification)
▪ For warehouse and production scenarios where efficient authentication is key
▪ Kiosk/terminal computers shared among teams
▪ Simple configuration using Microsoft Active Directory to validate identities
▪ Supports PC/SC and WaveID RFID reader devices

Encryption Only Mode for data privacy
▪ Enables network encryption for SNC even if a user-specific security token is not available, e.g. due to a forgotten smart card
▪ Allows customers to protect data communication from the start of the implementation project, before user-specific configuration is in place

X.509 server certificate lifecycle management

SAP NetWeaver uses server-side X.509 certificates for a number of security functions. Depending on the certificate validity, certificates need to be renewed on a regular basis. Certificate lifecycle management manages the renewal of certificates, reduces manual efforts, and prevents downtimes.

Process steps
▪ Establish and configure a trust relationship between SAP NetWeaver and the Secure Login Server
▪ Schedule a job that identifies expiring certificates and automatically renews them

Benefits
▪ Prevent downtimes caused by expired certificates
▪ Replace error-prone manual steps with a robust automated process

Additional capabilities
▪ Automated central roll-out of trusted root certificates to the landscape
▪ Option for integration with existing enterprise PKI

For a step-by-step guide, see our how-to video at: https://youtu.be/wi2vBos1KwYi

Configuring X.509 certificate lifecycle management for SAP NetWeaver

The process steps of certificate lifecycle management are triggered from the business system. SAP provides applications for SAP NetWeaver AS for ABAP, SAP NetWeaver AS for Java, and a generic command line client for the communication with Secure Login Server.

SAP NetWeaver AS for ABAP
▪ Report “SSF_CERT_ENROLL” establishes the trust relationship and the exchange of metadata between the SAP NetWeaver AS ABAP and the Secure Login Server
▪ Report “SSF_CERT_RENEW” can be executed manually or scheduled to check and renew certificates that will expire during the configured grace period
▪ Certificates and attributes are displayed in transaction STRUST

SAP NetWeaver AS for Java
▪ Certificate lifecycle management is configured in the Secure Login CLM Cockpit
▪ The cockpit allows customers to register the SAP NetWeaver AS Java with Secure Login Server, define the certificates to be managed as part of the enrollment, and schedule jobs to renew certificates on a regular basis
▪ Certificates and attributes are displayed in SAP NetWeaver Administrator

Security Assertion Markup Language (SAML)
Identity federation and single sign-on for cross-organizational scenarios

▪ Implementation option where users authenticate to the SAP Identity Provider to retrieve a SAML assertion
▪ SAP web applications accept the assertion as proof of identity
▪ The assertion definition is very flexible and enables the easy mapping of attributes between systems, for loosely coupled integration across organizations
▪ Supported by browser-based applications on desktop and mobile devices
▪ SAP Identity Provider is based on SAP NetWeaver AS for Java
▪ SAP Identity Provider supports two-factor and risk-based authentication against different user stores (LDAP, ABAP, ...)
▪ SAML assertions are accepted by a broad range of both SAP and 3rd party web applications
▪ SAML assertions enable single sign-on during the lifetime of the browser session

Security Assertion Markup Language (SAML): Process flow
Identity federation and single sign-on for cross-organizational scenarios

Authentication scenario
1. User opens a connection to the business system, which is configured as a SAML Service Provider
2. Business system redirects the browser to the IdP
3. User authenticates to the IdP, either automatically (using e.g. SPNEGO) or manually, even based on multiple factors
4. IdP establishes a security session, returns a SAML assertion, and redirects the browser back to the SP
5. User is authenticated

(Diagram: the business user starts the browser and opens the connection to the Service Provider (SP), e.g. SAP NetWeaver AS ABAP or Java (1); the business application server redirects the browser to the Identity Provider (2); the user authenticates to the SAP Identity Provider (IdP) on AS Java (3); the IdP creates the SAML assertion and redirects back to the Service Provider (4); SAML-based authentication completes at the SP (5).)
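Step 5 ("user is authenticated") hides the checks a Service Provider has to make on the assertion it receives in step 4. The following Python example is added here and is not SAP's code: it shows the condition checks an SP performs after the XML signature has been verified, namely that the assertion comes from the trusted IdP, is addressed to this SP (audience and recipient), answers the request this SP actually sent, and is inside its validity window. Signature verification itself is deliberately not reimplemented (an XML-DSig library does that and must run first); the assertion, entity IDs and timestamps below are constructed, and a production parser should be a hardened one rather than the standard library's.

```python
"""Service-provider-side condition checks on a SAML 2.0 assertion (added
example, not SAP code). Run only after the assertion's XML signature has been
verified against the trusted IdP's certificate. Sample data is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: what an IdP might return for user "alice".
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2017-05-05T10:00:00Z">
  <saml:Issuer>https://idp.corp.example/saml2/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-05-05T10:05:00Z"
          Recipient="https://sp.corp.example/saml2/acs" InResponseTo="_req1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-05-05T09:59:00Z" NotOnOrAfter="2017-05-05T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.corp.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt)


def check_assertion(xml_text, now, expected_issuer, expected_audience, acs_url, request_id):
    """Return (accepted, reason, name_id). Evaluation stops at the first failure."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion", None
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer is not the trusted IdP", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", None
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch (assertion issued for another SP)", None
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData", None
    if scd.get("Recipient") != acs_url:
        return False, "recipient is not this SP's assertion consumer URL", None
    if scd.get("InResponseTo") != request_id:
        return False, "not a response to an outstanding request", None
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, _ts("2017-05-05T10:01:00Z"),
                          "https://idp.corp.example/saml2/idp", "https://sp.corp.example",
                          "https://sp.corp.example/saml2/acs", "_req1"))
```

The InResponseTo check is what ties the assertion to a request this SP issued and stored; an SP that skips it, or that skips the audience check, will accept an assertion the IdP issued for a different service.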

SAP Authenticator
Lean solution for single sign-on on mobile devices

▪ Users authenticate once to the authentication server to store a shared secret on their mobile device
▪ Time-based One-Time Passwords (TOTP) based on the shared secret are passed from SAP Authenticator to the SAP Identity Provider, which enables single sign-on for web-based business applications
▪ SAP Authenticator is available on mobile devices (iOS, Android)
▪ SAP Authenticator supports browser-based applications, the SAP Fiori client, and customer-developed mobile apps
▪ SAP Authenticator-based authentication requires AS Java
▪ SAP Authenticator can be combined with two-factor and risk-based authentication
▪ Fast implementation due to automated roll-out of the configuration to mobile devices
▪ Highly flexible approach with few infrastructure prerequisites

SAP Authenticator: Process flow
Lean solution for single sign-on on mobile devices

Authentication scenario
1. User registers the mobile device once with the SAP Authentication Library
2. The shared secret is stored on the mobile device once
3. User starts SAP Authenticator on the mobile device and opens a link to a web or Fiori client application
4. Access is redirected to the IdP and the user is authenticated with the OTP
5. IdP establishes a security session, returns a SAML assertion, and redirects the browser to the SP
6. User is authenticated

(Diagram: registration with the SAP Authentication Library and Identity Provider (IdP) on AS Java stores the shared secret on the mobile device (1, 2); the user starts the SAP Authenticator app, opens the browser or Fiori client connection and sends the one-time password (OTP) (3); the browser accesses the SP and authenticates with SAML; the user is authenticated at the IdP based on the OTP (4); the IdP returns the SAML assertion to the mobile device (5); the Service Provider (SP) completes authentication (6).)

Features and capabilities

Two-factor authentication

Authentication based on two means of identification
▪ Knowledge of a password
▪ Possession of a physical device, such as a cell phone

Options for the second factor
▪ SAP Authenticator, a Time-based One-Time Password (TOTP) generator on iOS, Android, Windows 10 (Mobile and Desktop)
▪ Send one-time passwords via SMS or e-mail
▪ 3rd party OTP generators compliant with the standard RFC 6238
▪ 3rd party applications supporting the RADIUS protocol, such as RSA

Usage scenarios
▪ Recommended for systems with high security requirements
▪ Configurable per system or even per user
▪ Seamless integration into Secure Login Client for certificate-based scenarios

(Screenshot: SAP Authenticator for iOS)
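Both this slide and the SAP Authenticator slides rely on RFC 6238, which any compliant generator (SAP Authenticator or a 3rd party app) and the verifying server must implement identically. The following Python example is added here and is not SAP's code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) generation, and a server-side verifier that tolerates one step of clock drift and refuses to accept a counter that has already been used. The secret is the RFC test-vector secret so the outputs can be checked against the RFC's tables; in deployment the secret is random, shared once at enrollment, and stored protected on both sides.

```python
"""RFC 6238 TOTP generation and verification (added example, not SAP code).

TOTP is HOTP (RFC 4226) with the counter set to the number of 30-second steps
since the Unix epoch. The secret used in __main__ is the RFC 4226/6238
test-vector secret, not a deployment value."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): dynamic truncation of HMAC(K, C) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """What the authenticator app displays at `at_time` (seconds since epoch)."""
    return hotp(secret, int(at_time // step), digits, algo)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None,
                algo=hashlib.sha1):
    """Server side. Accepts the current step and `window` steps either side
    to absorb clock drift between phone and server. Returns the matching
    counter on success (the caller persists it and passes it back as
    `last_counter` next time, so a code cannot be replayed inside the window)
    and None on failure."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit()
            and len(code) == digits):
        return None
    current = int(at_time // step)
    for c in range(current - window, current + window + 1):
        if last_counter is not None and c <= last_counter:
            continue                         # already consumed: replay
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            return c
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC test-vector secret
    print(totp(secret, time.time()))
```

Returning the accepted counter rather than a bare True is the detail that makes the verifier safe to use: without persisting it, the same six digits remain valid for the whole acceptance window, and an intercepted code could be submitted again within it.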

Risk-based authentication

Risk-based authentication
▪ Dynamic adjustment of the required authentication process during logon
▪ Based on contextual information and configurable rules
▪ Takes a risk-based approach to balance security and usability

Available contextual information
▪ Client IP address
▪ User roles
▪ Available client certificate
▪ …

Sample scenarios
▪ Allow access only from certain IP ranges
▪ Request a 2nd authentication factor if the first authentication step is based on a password instead of an X.509 certificate
▪ Enforce two-factor authentication for administrators
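The three sample scenarios are a small policy over the contextual attributes the slide lists. The following Python example is added here and is not SAP's rule engine: it writes the scenarios as an ordered rule table over client IP, user roles and the first factor used, where a deny rule ends evaluation and any matching step-up rule makes a second factor mandatory. The IP ranges, role name and sample logon contexts are constructed.

```python
"""Rule-driven risk-based authentication decision (added example, not SAP code).
The rules encode the slide's three sample scenarios; ranges, role names and
contexts are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LogonContext:
    user: str
    client_ip: str
    roles: frozenset = frozenset()
    first_factor: str = "password"      # "password" or "x509" (client certificate)


@dataclass
class Decision:
    allow: bool
    second_factor: bool = False
    reasons: list = field(default_factory=list)


# Constructed corporate address space for the "certain IP ranges" scenario.
PERMITTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]


def _from_permitted_range(ctx: LogonContext) -> bool:
    try:
        ip = ipaddress.ip_address(ctx.client_ip)
    except ValueError:
        return False                    # an unparsable address counts as outside
    return any(ip in net for net in PERMITTED_RANGES)


# Each rule: (name, predicate, action). "deny" ends evaluation immediately;
# "second_factor" marks the logon as requiring a further authentication step.
RULES = [
    ("client IP outside permitted ranges",
     lambda c: not _from_permitted_range(c), "deny"),
    ("first factor is a password instead of an X.509 certificate",
     lambda c: c.first_factor != "x509", "second_factor"),
    ("administrator role requires two-factor authentication",
     lambda c: "ADMIN" in c.roles, "second_factor"),
]


def decide(ctx: LogonContext, rules=RULES) -> Decision:
    """Evaluate the rules in order and return the resulting decision."""
    decision = Decision(allow=True)
    for name, predicate, action in rules:
        if not predicate(ctx):
            continue
        if action == "deny":
            return Decision(allow=False, reasons=[name])
        decision.second_factor = True
        decision.reasons.append(name)
    return decision


if __name__ == "__main__":
    print(decide(LogonContext("bob", "10.1.2.3", frozenset({"ADMIN"}), "password")))
```

Because the rules are data rather than code, the "configurable per system or even per user" property of the slide is a matter of choosing a different rule list per target; the evaluation loop stays the same.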

Integrating cloud and on-premise, browser and native clients

Secure Login Web Client (SLWC) enables customers to integrate an existing single sign-on solution for web and cloud applications with desktop clients.

Customer requirement
▪ Customers may have a compliance requirement to process the initial end-user authentication with a corporate or cloud-based identity provider
▪ After authenticating to the identity provider, users experience single sign-on for web applications
▪ However, manual authentication is still necessary for desktop applications such as SAP GUI, as these require either an X.509 certificate or a Kerberos token to authenticate

Solution
▪ SLWC allows an authenticated browser session to trigger and monitor the desktop enrollment of a certificate
▪ SLWC is based on the Secure Login Server and runs inside all common browsers, on Windows and macOS

Example
▪ Secure Login Server is configured as a SAML service provider, trusting the corporate identity provider
▪ When the user accesses the SLWC page of the Secure Login Server, the session is authenticated using the standard SAML flow of the identity provider
▪ After authentication, SLWC creates and stores a certificate on the desktop for SAP GUI single sign-on

Digital signatures on the desktop

Use cases for digital signatures
▪ Authenticity: Confirm that a document was created by a known sender
▪ Integrity: Confirm that a document was not tampered with during transmission
▪ Non-repudiation: Provide the means for a binding signature that cannot be denied afterwards

Enhanced client support
▪ In the past, client-side digital signatures required SAP GUI for Windows
▪ SAP Single Sign-On 3.0 introduces a web signer interface that allows an application to perform client-side digital signatures from a web page, using plain JavaScript

Benefit
▪ Client-side digital signatures can be triggered from web applications
▪ The JavaScript interface is supported by all modern web browsers
▪ Based on the Secure Login Client, available on Windows and macOS

Mobile SSO based on Secure Login Server

Secure Login Server (SLS) offers mobile single sign-on with proven X.509 digital certificate technology, covering a broad range of customer scenarios.

Simple Certificate Enrollment Protocol (SCEP) on iOS
▪ iOS has built-in support for SCEP
▪ SLS allows end users to import a SCEP configuration profile on their device, triggering the enrollment of an end-user certificate to the iOS system key chain
▪ The certificate can be used to enable single sign-on for e.g. Safari

SAP Mobile Platform (SMP)
▪ Starting with version 3.0 SP11, SMP can act as a proxy for SLS
▪ Applications on SMP are assigned an SLS profile, which defines the certificate enrollment flow for clients
▪ After enrollment the certificate can be used for app single sign-on

SAP Cloud Platform Mobile Services - mobile service for development and operations
▪ An SLS destination and profile can be defined in the Mobile Service cockpit
▪ The SDK for iOS allows customers to easily integrate SLS with their own apps

SAP Single Sign-On for SAP Fiori clients on iOS
Using the SAP Authenticator app

SAP Authenticator supported authentication scenarios
▪ Creation of time-based one-time passwords (TOTP) for two-factor authentication
▪ Enrollment of a certificate from Secure Login Server in the SAP key chain on iOS

SAP Fiori Client
▪ SAP Fiori Client supports certificate-based single sign-on to the Fiori Launchpad
▪ A planned version of the SAP Fiori Client on the iTunes store has access to the SAP key chain
▪ Certificates enrolled by SAP Authenticator can be used by the SAP Fiori Client to enable single sign-on

Planned to be released with a support package for SAP Mobile Platform SDK 3.0. This is the current state of planning and may be changed by SAP at any time.

Support for macOS

SAP Single Sign-On allows customers to use X.509 certificates for a number of security scenarios. On the desktop, these scenarios rely on the Secure Login Client, which is available for Windows and macOS. Secure Login Client (SLC) for macOS now supports the same scenarios as the Windows version.

Secure Login Server integration
▪ SLC now supports the enrollment of certificates from Secure Login Server to macOS desktop systems

Multi-factor authentication
▪ Advanced authentication capabilities such as multi-factor authentication and risk-based authentication are now available on macOS

Browser integration
▪ Customers can enroll certificates from Safari on macOS, using the Secure Login Web Client
▪ Customers can perform digital signatures on the desktop, triggered from a UI5 web application running in Safari on macOS

Cryptographic capabilities: SAP CommonCryptoLib
FIPS 140-2 certification

The Federal Information Processing Standard (FIPS) 140-2 is defined by the National Institute of Standards and Technology (NIST) and specifies quality requirements for cryptographic modules.

The cryptographic capabilities of the SAP CommonCryptoLib were certified to comply with the standard on January 6th, 2015 and re-certified on May 5th, 2017.

Certification details (Cert# 2900): http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
FIPS 140-2 validation certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertMay2017.pdf

Eliminate unencrypted SAP GUI / RFC access to SAP NetWeaver AS ABAP

Situation
▪ Common compliance requirement: Only allow encrypted communication to SAP systems
▪ Unencrypted communication can be blocked (see SAP Note 1690662)
▪ Business continuity risk: If communication is blocked and SAP Single Sign-On was not yet configured on all clients, some people may lose system access

Solution
▪ Record unencrypted access to the backend in the Security Audit Log (see SAP Note 2122578)
▪ Enable the logging function to detect unencrypted connections from client machines, then configure them to use SAP Single Sign-On
▪ Once there are no more clients with missing configuration, enforce encrypted communication (see SAP Note 1690662)
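The middle step of the solution, turning audit records into the list of client machines that still need SSO configuration, is the one that decides when enforcement is safe. The following Python example is added here and is not SAP code: it builds that worklist from an export of logon records and answers the enforcement question (no unencrypted client seen in the observation window). The record format is a constructed, simplified extract; the actual Security Audit Log layout from SAP Note 2122578 is not reproduced here.

```python
"""Worklist of clients that still connect without SNC (added example, not SAP
code). The line format is a constructed simplification:
<timestamp>;<system>;<user>;<client terminal>;<protocol>;SNC=<0|1>"""

# Constructed sample records.
SAMPLE_LOG = """\
2017-05-05 08:01:12;PRD;ALICE;WS-0421;DIAG;SNC=1
2017-05-05 08:02:40;PRD;BOB;WS-0177;DIAG;SNC=0
2017-05-05 08:03:05;PRD;RFC_BATCH;APP-07;RFC;SNC=0
2017-05-05 09:15:31;PRD;BOB;WS-0177;DIAG;SNC=0
2017-05-05 09:20:00;PRD;CAROL;WS-0302;RFC;SNC=1
2017-05-05 09:21:17;PRD;ERIN;WS-0177;DIAG;SNC=1
"""


def parse_line(line: str) -> dict:
    """Split one constructed record into its fields."""
    ts, system, user, terminal, protocol, snc = line.strip().split(";")
    return {"ts": ts, "system": system, "user": user, "terminal": terminal,
            "protocol": protocol, "snc": snc == "SNC=1"}


def unencrypted_clients(log_text: str) -> dict:
    """Group unencrypted logons per client terminal: how often, which users,
    which protocols (DIAG for SAP GUI, RFC for RFC clients), last seen.
    A terminal is listed as long as any logon from it was unencrypted."""
    work = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["snc"]:
            continue
        entry = work.setdefault(rec["terminal"], {"count": 0, "users": set(),
                                                  "protocols": set(),
                                                  "last_seen": rec["ts"]})
        entry["count"] += 1
        entry["users"].add(rec["user"])
        entry["protocols"].add(rec["protocol"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])  # ISO-style timestamps sort lexically
    return work


def ready_to_enforce(log_text: str) -> bool:
    """True once no client in the observation window connected unencrypted,
    i.e. the point at which blocking unencrypted communication will not lock
    anyone out."""
    return not unencrypted_clients(log_text)


if __name__ == "__main__":
    for terminal, info in sorted(unencrypted_clients(SAMPLE_LOG).items()):
        print(terminal, info)
    print("ready to enforce:", ready_to_enforce(SAMPLE_LOG))
```

In the sample, WS-0177 is listed even though one user on it already logs on with SNC, because SNC is configured per connection entry and another user on the same machine still connects unencrypted; APP-07 shows that RFC clients (batch integrations) need the same treatment as interactive SAP GUI users before enforcement.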

Hardware security module support

Store private keys in hardware
▪ Protect the Secure Login Server Certificate Authority
▪ Protect private keys for digital signatures (Secure Store and Forward, SSF)
▪ Performance acceleration

(Vendor logos: SafeNet, Thales)

Summary

Summary

SAP's comprehensive solutions for single sign-on enable efficient and secure authentication and access to business applications.

Security
▪ Secure authentication and FIPS-certified cryptographic functions
▪ Risk-based authentication and two-factor authentication
▪ Digital signatures

Productivity
▪ Single sign-on to SAP and non-SAP applications
▪ Fast return on investment

Ready for the future
▪ Based on industry standards and state-of-the-art security functions
▪ On-premise and in the cloud, for desktop and mobile devices

Get more information

Welcome to the SAP Community: https://www.sap.com/community/topic/sso.html

Thank you.

Contact information:
Christian Cohrs, Product Manager
Regine Schimmer, Product Manager

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

© 2017 SAP SE or an SAP affiliate company. All rights reserved.