PUBLIC
May, 2018
SAP Cloud Platform Identity Authentication: Product Overview
Introduction
Simplify
Integrate
Protect
Summary
5PUBLIC© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ
Figure: SAP portfolio positioning (axes: Differentiating vs. Standardization, On premise vs. Cloud; run/buy vs. win/build), placing SAP Business Suite and SAP Business Warehouse beside IoT, Analytics, Machine learning, Blockchain and Big Data.
SAP Cloud Platform Key Use Cases
▪ Integrate apps, data & processes: Connect your cloud and on-prem apps to eliminate data silos and make digital access simple, secure, and scalable
▪ Extend cloud & on-prem apps: Quickly add new functionality to your existing cloud and on-prem apps to optimize your existing investments
▪ Build differentiating digital apps: Rapidly build and run new cloud apps, business services and APIs to solve new problems, engage new customers, and drive new revenue
▪ Connect people & data: Deliver delightful user experiences across various digital touchpoints, enabling innovation without disrupting core business processes
SAP Cloud Platform Capabilities: Platform & Business Services
Runtime & Containers, Integration, Business Services, Security, Internet of Things, Collaboration, User Experience, Machine Learning, Data & Storage, DevOps, Analytics, Mobile
SAP Identity Management Portfolio
Figure: three areas (Identity Management; Authentication & Single Sign-On; Governance, Risk & Compliance) with their topics and products.
▪ Topics: Users, Roles, Authorizations, Authentication & Single Sign-On, Role Mining, Request Role, 2-Factor-Authentication, SAML, SCIM, Single Sign-On, Access Governance, Compliance, Segregation of Duties, Business Roles, De-Provisioning, Digital Certificates
▪ Products: SAP ID Service, SAP CP Identity Authentication, SAP Cloud Identity, SAP Single Sign-On, SAP Identity Management, SAP Access Control, SAP Cloud Identity Access Governance, SAP CP Identity Provisioning
Setting the Stage: Accessing the Applications
Figure: employees, customers and partners reach applications through Identity Authentication and Identity Provisioning; the landscape also shows SAP Hybris Identity, a corporate Identity Provider, Single Sign-On and Identity Management.
Authentication and Provisioning Services
Figure: the end user authenticates at Identity Authentication (secure authentication & single sign-on), optionally through a corporate Identity Provider; Identity Provisioning (management of identities and authorizations) connects to an identity store, e.g. HR:
▪ Users, Groups, Roles
▪ Cloud or On-Premise
Identity and Access Management and Governance as a Service from SAP
Solution Overview
A complete cloud identity suite enabling organizations to easily manage user on-boarding and access
SAP Cloud Platform Identity Provisioning
▪ Cloud-based service for identity lifecycle management
▪ Managing users, roles and groups in cloud and hybrid landscapes
▪ Based on the SCIM industry standard
SAP Cloud Identity Access Governance
▪ Access governance solution on SAP Cloud Platform
▪ Visibility into access issues for on-premise and cloud applications
SAP Cloud Platform Identity Authentication
▪ Single sign-on to browser-based applications (cloud and on-premise)
▪ Various authentication options
▪ Different user store integration scenarios
SAP Cloud Platform Identity Authentication Service
▪ Simplify: Optimal user experience
▪ Integrate: Seamlessly integrate into existing infrastructure
▪ Protect: Secure application access
SAP Cloud Platform Identity Authentication Service (IAS)
Product Overview
Simplify
▪ Single sign-on for a beautiful user experience
▪ Convenient user self-services
Integrate
▪ Integration with existing user stores
▪ Leverage open security standards
▪ Branding of end user UIs
Protect
▪ Various authentication options
▪ Access protection to applications
▪ Password and privacy policies
Figure: the user signs on through Identity Authentication, which is connected to the corporate user store and to the applications.
Simplify
Beautiful Logon Screens ... Simplified.
User Self-Services
Convenient user self-services
▪ Self-registration (optional)
▪ Account confirmation via email
▪ Forgot password
User profile self-services
▪ Edit details & change password
▪ Mobile device activation (for 2FA)
▪ (Un-)Link social accounts
Product features
▪ Responsive UIs
▪ Multi-language support
Integrate
Based on Open Security Standards
Figure: the user signs on at Identity Authentication, which federates over SAML with cloud applications, on-premise applications and a corporate Identity Provider.
Interoperable with all applications supporting the SAML 2.0 standard
Delegated Authentication
IAS as a Proxy to a Corporate Identity Provider (IdP)
Identity Provider Proxy
▪ Authentication is delegated to the corporate identity provider login
▪ Reuse of existing single sign-on infrastructure
▪ Easy and secure authentication for employee scenarios
▪ Federation based on the SAML 2.0 standard
Figure: the user is redirected from the applications to Identity Authentication and on to the corporate Identity Provider over SAML.
Delegated Authentication
Authentication with an On-Premise User Store
On-premise user store
▪ User credentials from:
• Active Directory (through LDAP)
• AS ABAP (through SCIM*)
▪ No user replication to the cloud required
▪ Internal network ports do not need to be exposed to the Internet
▪ In addition, the usual product features can be used:
• UI configuration, policies, two-factor authentication
* requires AS Java + SAP Single Sign-On (which enables the SCIM interface)
Figure: Identity Authentication reaches Active Directory over LDAP through the Cloud Connector; user and applications connect to Identity Authentication.
Delegated Authentication
Re-use of Windows Domain Authentication (SPNEGO)
SPNEGO authentication
▪ Users authenticated with Microsoft Active Directory enjoy single sign-on to cloud applications without re-authentication
▪ Reuse of existing corporate identity infrastructure
▪ Secure authentication and SSO for cloud and on-premise web applications
SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
Figure: the user's browser presents a Kerberos token obtained from Active Directory to Identity Authentication via SPNEGO, which then signs the user on to the applications.
Delegated Authentication
Conditional Authentication
Forwarding of requests to connected IdPs based on
▪ email address domain
▪ user type
▪ group membership
Figure: IAS decides, for example by the user's email domain (@velotics.com, @bestrun.com), whether to forward the user to IdP 1 or IdP 2.
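How the forwarding decision above can be modelled, as an added example that is not SAP's code: the rule model, the attribute names and the `Partners` group are assumptions, only the two email domains come from the slide.

```python
"""Conditional authentication: pick the IdP an IAS login request is forwarded to.

Added example, not SAP code: the rule model and attribute names are assumptions;
only the two email domains come from the slide.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class User:
    email: str
    user_type: str                      # e.g. "employee", "partner", "customer"
    groups: set = field(default_factory=set)


@dataclass
class ForwardingRule:
    """Forward to `target_idp` when every condition that is set matches."""
    target_idp: str
    email_domain: Optional[str] = None
    user_type: Optional[str] = None
    group: Optional[str] = None

    def matches(self, user: User) -> bool:
        # Domain compared case-insensitively; an address without "@" never matches
        domain = user.email.rsplit("@", 1)[1].lower() if "@" in user.email else ""
        if self.email_domain is not None and domain != self.email_domain.lower():
            return False
        if self.user_type is not None and user.user_type != self.user_type:
            return False
        if self.group is not None and self.group not in user.groups:
            return False
        return True


def choose_idp(user: User, rules: List[ForwardingRule], local: str = "IAS") -> str:
    """First matching rule wins; with no match the user authenticates at IAS itself."""
    for rule in rules:
        if rule.matches(user):
            return rule.target_idp
    return local


# Constructed rule set: route by email domain (slide values), then partners by group
RULES = [
    ForwardingRule("IdP 1", email_domain="velotics.com"),
    ForwardingRule("IdP 2", email_domain="bestrun.com"),
    ForwardingRule("IdP 2", user_type="partner", group="Partners"),
]

if __name__ == "__main__":
    print(choose_idp(User("ann@velotics.com", "employee"), RULES))   # IdP 1
```

The routing only selects where the user is sent; the selected IdP still performs the actual authentication and IAS consumes its SAML assertion.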
Delegated Authentication
IdP-initiated Authentication
IAS as a proxy to multiple IdPs
▪ Secure your business network and allow partner users to log in via their corporate IdP
▪ Authentication is initiated by the corporate IdP
▪ Upon successful authentication, a check for correct user group assignment can be configured (optional)
• Sync of users from IdPs to groups in IAS is required
Figure: users log on at IdP 1 or IdP 2, which pass the authentication through IAS to the application.
How can Users be Created?
Users can be created in Identity Authentication in several ways:
▪ Manual creation
▪ CSV upload
▪ Programmatically through SCIM
▪ Sync through IPS*
▪ Self-registration
* IPS: SAP Cloud Platform Identity Provisioning
Branding and Customization
Customization Features
▪ Company Logo
▪ Application Name and Logo
▪ Color style
▪ Terms of Use & Privacy Policy
▪ Adjust UI Texts via API
▪ eMail Templates
Product Features
▪ Responsive UIs
▪ Multilanguage support
Logon Overlays in Customer Applications
Logon screen as an overlay (compared to a browser redirect that navigates away from the application)
▪ Can be integrated programmatically by the application
▪ Out-of-the-box integration for SAP Cloud Portal
Protect
Authentication Options
Basic Authentication
▪ User ID / email and password
Re-use of Windows Domain Logon
▪ Use of Kerberos token for single sign-on
Two-Factor Authentication
▪ Second factor on mobile device
Delegated Logon
▪ Social IdPs
▪ Corporate IdP
Figure: the user reaches the applications through Identity Authentication, either with a logon form or with a one-time code shown on the mobile device.
Two-Factor Authentication with SAP Authenticator
Authentication with one-time passwords
▪ Provide two means of identification
▪ OTP required for login in addition to password or security token
▪ Second factor for high security scenarios
Based on SAP Authenticator mobile app
▪ OTP (6-digit) created on mobile device
▪ Available for iOS and Android
▪ RFC 6238 compatible (compatible with Authenticator apps from Google and Microsoft)
Control Access to the Application
IAS evaluates access rules before it admits an authenticated user to an application. Rule conditions:
▪ Member of user group
▪ IP address range
▪ User type
▪ Authentication method
▪ 2-factor authentication
▪ Self-registered?
▪ Assignment to application verified?
Each rule results in Allow or Deny.
Example 1: user type "employee" results in Allow.
Example 2: a rule combining user group "Admin", IP address range "10.55.0.0/16" and 2-factor authentication.
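A rule engine for the access conditions above, as an added example (not IAS's implementation): the rule model, the attribute names and the default-deny fallback are assumptions; the values "employee", "Admin", "10.55.0.0/16" and the 2-factor condition come from the slides.

```python
"""Access rules after the Control Access slides; added example, not SAP code. Rule model and
default-deny are assumptions; "employee", "Admin", "10.55.0.0/16", 2FA are the slides' values."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# What IAS knows before admitting a user; auth_method is e.g. "password", "spnego", "2fa"
LoginContext = namedtuple("LoginContext", "user_type groups ip auth_method self_registered assigned")


def in_range(ip: str, cidr: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # an unparsable address never satisfies a range condition
        return False


@dataclass
class AccessRule:
    action: str                        # "Allow" or "Deny"
    user_type: Optional[str] = None
    group: Optional[str] = None
    ip_range: Optional[str] = None
    auth_method: Optional[str] = None
    self_registered: Optional[bool] = None

    def matches(self, ctx: LoginContext) -> bool:
        """Unset conditions are wildcards; every set condition must hold."""
        return all([
            self.user_type is None or ctx.user_type == self.user_type,
            self.group is None or self.group in ctx.groups,
            self.ip_range is None or in_range(ctx.ip, self.ip_range),
            self.auth_method is None or ctx.auth_method == self.auth_method,
            self.self_registered is None or ctx.self_registered == self.self_registered,
        ])


def decide(ctx: LoginContext, rules: list) -> str:
    """Unassigned users are refused; else the first matching rule decides, default Deny."""
    if not ctx.assigned:
        return "Deny"
    for rule in rules:
        if rule.matches(ctx):
            return rule.action
    return "Deny"


# Constructed rule set: refuse self-registered accounts, admit employees, admit "Admin" only from the office range with 2FA
RULES = [
    AccessRule("Deny", self_registered=True),
    AccessRule("Allow", user_type="employee"),
    AccessRule("Allow", group="Admin", ip_range="10.55.0.0/16", auth_method="2fa"),
]
```

Rule order matters: the Deny for self-registered accounts is listed first so that a self-registered "employee" is not admitted by the later Allow.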
Access Protection for Applications
Protecting Self-Registration with Google reCAPTCHA / Phone Verification
▪ Protect the registration to applications from spam and abuse
▪ Prevent bots from automated fake user registrations to your websites
▪ Further information
• Google reCAPTCHA
• Phone Verification
Custom Password Policy Configuration
Custom password policies can be configured.
User & Group Management
User administration
▪ Web-based user management
▪ User search
▪ Mass user import/export
▪ Monitor user access
User groups administration
▪ Define user groups
▪ Assign users to groups
Integration
▪ Programmatic integration via SCIM REST APIs
Summary
All you can read! https://wiki.scn.sap.com/wiki/x/yy67Gg
SAP Cloud Platform Identity Authentication Service
▪ Simplify: Optimal user experience
▪ Integrate: Seamlessly integrate into existing infrastructure
▪ Protect: Secure application access
Thank you.
Acronym Glossary
B2B: Business to Business
B2C: Business to Consumer
B2E: Business to Employee
C4C: SAP Cloud for Customer
HCP: SAP HANA Cloud Platform
HR / HCM: Human Resources / Human Capital Management
IAM / IDM: Identity Access Management / Identity Management
IBP: SAP Integrated Business Planning
IdP / SP: Identity Provider / Service Provider (SAML)
LDAP: Lightweight Directory Access Protocol
OAuth: Open Authorization Framework
OTP: One-time password
REST: Representational State Transfer
RSA: RSA is a public-key cryptosystem
SAML: Security Assertion Markup Language
SCIM: System for Cross-domain Identity Management
SF / SFSF: SuccessFactors
SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism (GSSAPI: Generic Security Service Application Program Interface)
SSO: Single Sign-On
TCO: Total Cost of Ownership
TFA / 2FA: Two-factor authentication
X.509: in cryptography, X.509 is a standard for a public key infrastructure (PKI)
Available APIs
REST APIs
▪ Invitation REST API
▪ User Management REST API
▪ Forgot Password REST API
▪ SCIM REST API
▪ Change Tenant Texts REST API
▪ Change Master Data Texts REST API
Further information in the documentation:
https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/cce8d64eed1c4d8d8311147336ffe2eb.html
© 2018 SAP SE or an SAP affiliate company. All rights reserved.