Secure Authentication and SAP Single Sign-On
A securely established authentication infrastructure bundles identity information for users in a central location and supports multi-factor and risk-based authentication, including single sign-on across devices, resources, and apps in the cloud and on-premises.
SAP Single Sign-On 3.0
The solution allows customers to enable SSO for SAP desktop clients, web applications, and mobile devices, primarily in on-premises landscapes. The product enables the encryption of communication data for SAP GUI and other desktop clients and the digital signature of documents in SAP GUI transactions. In this context, SAP Single Sign-On 3.0 will remain a cornerstone for on-premises SAP environments.
SAP Cloud Identity Services
Identity Authentication (IAS)
SAP Cloud Identity Services targets cloud applications beyond the corporate user base. This holistic service comes with capabilities of secure authentication, single sign-on, and identity provisioning. It acts as a central and strategic authentication hub providing a single and automated integration point for all SAP PaaS and SaaS applications. The hybrid operation of both solutions covers all SAP cloud and on-premises applications and supports various secure authentication methods and single sign-on standards.
Your Benefits with our Services
General Needs and Advantages of SAP SSO
In a Single Sign-On (SSO) scenario, user authentication is performed only once, usually against a trusted authentication entity such as Active Directory. After this authentication, access to all SAP systems (applications) is granted automatically based on a secure token that identifies the user. SSO not only simplifies the login process for the end user but is also a good tool for increasing security: with SSO, passwords are no longer transmitted between the systems over the network. Besides an increase in efficiency, you achieve even better security with less administrative effort.
Implementing SSO in the SAP landscape makes no changes to a user's authorizations (authorization and role concept). Only the login method is replaced. The introduction of SSO offers many advantages, such as increased productivity, because the normal user workflow is not disturbed. Waiving passwords simplifies the administration of SAP user accounts, and higher end-user acceptance is achieved. In the SAP standard system, communication is not encrypted. This affects both the SAP GUI and the communication between the browser and web-based UIs. The SAP proprietary protocols DIAG (used for SAP GUI) and RFC do not cryptographically authenticate client and server, nor do they encrypt network communication.
Qualified Consulting Services
Xiting is the preferred implementation and exclusive training partner for SAP Single Sign-On 3.0.
We support SAP organizations in designing and implementing comprehensive authentication concepts that solve various authentication challenges. Besides SAP’s on-premises and cloud security solutions, Xiting also covers integration with Azure Active Directory and ADFS, reverse proxies, the SAP Business Technology Platform and SAP SaaS solutions, and other third-party products and infrastructure components involved in the authentication process. Many years of experience and hundreds of successfully completed SSO projects have allowed us to constantly adapt our best practices in the area of secure authentication.
We understand both worlds, help to “translate” and to bridge the gap between IT and SAP security.
Passwords transmitted over the network are vulnerable to eavesdropping. Additionally, because mutual authentication is missing, rogue systems could intercept network traffic, manipulate content, and forward it to legitimate servers. The communication between client and server and between SAP servers can be protected using a symmetric encryption algorithm. The basis for this technology is the SAP interface Secure Network Communications (SNC), which makes it possible to establish a secure connection to the SAP system through encryption and provides mechanisms for Single Sign-On.
SNC provides cryptographically strong mutual authentication, integrity protection of transmitted data, and encryption of network traffic. SNC secures the communication between the SAP GUI running on the user’s computer and the SAP system. Based on the GSS-API, a cryptographic library is used to encrypt the data at the Network Interface (NI) protocol level and to support Kerberos and X.509-based authentication and SSO with an SAP system. The same applies to Transport Layer Security (TLS). If you have SAP systems for which you do not want to allow Single Sign-On, it is possible to enforce multi-factor authentication for either SAP GUI or browser-based access.
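Whether SNC actually encrypts DIAG and RFC traffic depends on the instance profile, so a quick audit of the SNC parameters shows where unprotected logons are still possible. The following is an added example, not code from SAP or Xiting; the profile text is constructed sample input, and the strict baseline (privacy protection enforced, no insecure fallback, every parameter set explicitly) is an assumption that must be matched to your own rollout stage.

```python
# Added example: audit SNC parameters in an SAP instance profile.
# SAMPLE_PROFILE is constructed input, not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample instance profile
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/only_encrypted_gui = 0
"""

# Assumed strict baseline: (parameter, required value, risk if it differs)
CHECKS = [
    ("snc/enable", "1", "SNC is off, DIAG and RFC traffic is unprotected"),
    ("snc/data_protection/min", "3",
     "levels 1 and 2 give authentication or integrity only, no encryption"),
    ("snc/accept_insecure_gui", "0", "SAP GUI logons without SNC are accepted"),
    ("snc/accept_insecure_rfc", "0", "RFC connections without SNC are accepted"),
    ("snc/only_encrypted_gui", "1", "unencrypted SAP GUI sessions are not rejected"),
]

def parse_profile(text):
    """Parse 'name = value' profile lines, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return one finding per parameter that misses the assumed baseline."""
    findings = []
    for name, wanted, risk in CHECKS:
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set in profile, confirm the effective value")
        elif actual != wanted:
            findings.append(f"{name} = {actual} (baseline {wanted}): {risk}")
    return findings

if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```

During a phased SSO rollout, values such as `snc/accept_insecure_gui = U` (decided per user) are common; the audit will flag them so the exception is a recorded decision rather than a leftover.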
Our project methodology
Our best practice implementation approach comprises several stages. Each SSO project starts with a workshop and analysis phase:
Clear communication between SAP Basis and other IT and security-related stakeholders is key to success and requires early involvement and a common understanding. Kick off your SSO project with our best practice workshop. We convey the required foundations and examine your requirements while considering your existing environment. Our solution concept helps to set the course for the implementation of the necessary SAP solution components. We support you in all project phases, from POC through pilot to go-live. We also integrate with your existing infrastructure and the non-SAP system components involved.