SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On
Speakers
SAP TechEd 2015: Las Vegas, Oct 19-23; Barcelona, Nov 10-12
Christian Cohrs, Area Product Owner
Regine Schimmer, Product Management
2015 SAP SE or an SAP affiliate company. All rights reserved.
Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
- Product overview SAP Single Sign-On
- Main scenarios and recommendations
- Capabilities
- Summary
SAP Single Sign-On Overview
SAP Security products in the IT application security product portfolio
- SAP Single Sign-On: make it simple for users to do what they are allowed to do.
- SAP Identity Management: know your users and what they can do.
- SAP Access Control: ensure corporate compliance with regulatory requirements.
- SAP Cloud Identity service: manage the identity life-cycle in the cloud.
- SAP Enterprise Threat Detection: counter possible threats and identify attacks.
- SAP Code Vulnerability Analysis: find and correct vulnerabilities in customer code.
Application landscape covered: SAP Business Suite, SAP Cloud Applications, SAP Mobile Applications, 3rd party systems.
Platform security (make sure that SAP solutions run securely): SAP HANA Cloud Platform, SAP NetWeaver Application Server.
SAP Single Sign-On Benefits
- Security
- Productivity
- Simplicity
SAP Single Sign-On Benefits in detail
Security
- With just one password to remember, a strong password policy is finally feasible
- No more need for password reminders on post-it notes
- All passwords stored in one protected, central place
Productivity
- Increased efficiency for users who only need to remember one password
- Higher productivity due to reduced effort for manual authentication, password resets and helpdesk interaction
Simplicity
- Lean product, fast implementation project, quick ROI
- No more effort to provision, protect and reset passwords across many systems
- No more effort to manage password policies across many systems
SAP Single Sign-On Product description
SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.
Simple and secure access
- Single sign-on for native SAP clients and web applications
- Single sign-on for mobile devices
- Support for cloud and on-premise landscapes
Secure data communication
- Encryption of data communication for SAP GUI
- Digital signatures
- FIPS 140-2 certification of security functions
Advanced security capabilities
- Two-factor authentication
- Risk-based authentication using access policies
- RFID-based authentication
- Hardware security module support
SAP Single Sign-On Main Scenarios
SAP Business Suite: single sign-on based on Kerberos / SPNEGO
- Clients: SAP GUI, SAP NetWeaver Business Client, Analysis for Office, Web browser, ...
- Client side: Secure Login Client with CommonCryptoLib; Kerberos tickets are issued by Microsoft Active Directory
- Server side: SAP NetWeaver (SAP Business Suite) validates the Kerberos token via SPNEGO for ABAP
- Token: Kerberos
- SPNEGO for ABAP is only available in newer SAP NetWeaver releases
SAP and Non-SAP Applications: single sign-on based on X.509 certificates
- Clients: SAP GUI, SAP NetWeaver Business Client, Analysis for Office, Web browser, ...
- Client side: Secure Login Client with CommonCryptoLib
- Certificate issuance: Secure Login Server (or your own PKI) issues the user certificate after authentication against Microsoft Active Directory, ABAP, LDAP or other login modules
- Target systems: SAP NetWeaver (SAP Business Suite), non-SAP systems, legacy systems
- Token: X.509 certificate
- This option supports most platforms and clients. Recommended for heterogeneous and intranet scenarios
Cloud and Cross-Company: single sign-on and identity federation based on SAML
- Clients: web clients inside the corporate network and on the Internet
- SAP Identity Provider authenticates users against Microsoft Active Directory, ABAP, LDAP or other login modules
- Targets: SAP and non-SAP web applications, cloud applications
- Token: SAML
- SAML is a public standard for web applications. Recommended for extranet scenarios and partner integration
SAP Single Sign-On Single sign-on for NetWeaver Business Client
SAP Single Sign-On Single sign-on for SAP BusinessObjects Analysis for Office
SAP Single Sign-On Capabilities
SAP Single Sign-On Cryptographic capabilities of the CommonCryptoLib
State of the art capabilities
- Encryption: AES (256-bit), RSA
- Digital signatures: ECDSA, RSA
- Key exchange: Diffie-Hellman with elliptic curves
- Hash functions: SHA-2 (up to SHA-512)
- Perfect forward secrecy for TLS with ECDHE
- Elliptic curves: P-224, P-256, P-384, P-521
- See SAP Note 2004653 for the complete list of capabilities
FIPS 140-2 certification
- Received in January 2015 for the crypto kernel of CommonCryptoLib
- Mandatory for customers in some industries
SAP Single Sign-On Digital signatures
Benefits of digital signatures
- Authenticity: confirm that a document was created by a known sender
- Integrity: confirm that a document was not tampered with during transmission
- Non-repudiation: provide the means for a binding signature that cannot be denied afterwards
Usage with SAP NetWeaver AS ABAP
- Based on the Secure Store & Forward (SSF) interface
- Server-side digital signatures: supported by SAP CommonCryptoLib; SAP Single Sign-On includes support for hardware security modules
- Client-side digital signatures: supported by Secure Login Client for SAP GUI
More information on SAP Help Portal and SAP Service Marketplace
- Digital Signing with Secure Store and Forward (SSF)
- Digital Client Signature
- Digital Signatures (SSF) with a Hardware Security Module
- SAP Note 1973271 - Secure Login Library 2.0 HSM Configuration for SSF
SAP Single Sign-On Two-factor authentication
Authentication requires two means of identification
- Knowledge of a password
- Possession of a physical device, such as a cell phone
Options for the second factor
- SAP Authenticator mobile app: generates one-time passwords (RFC 6238 compatible), available for iOS and Android
- One-time password sent using SMS
- One-time password sent using e-mail
- RSA / RADIUS
Usage scenarios
- Recommended for scenarios with special security requirements
- Web and SAP GUI applications
Note: a one-time password delivered over SMS or e-mail is only as strong as that channel (whoever controls the phone number or mailbox receives it), so an app-generated TOTP is the stronger choice for the second factor.
SAP Single Sign-On Risk-based authentication based on context
Risk-based authentication
- Risk-based enforcement of stronger authentication
- Example: user access from outside the corporate network (Internet), where two-factor authentication is required
Flow (SAP Identity Provider or Secure Login Server in the DMZ, corporate LDAP behind it)
1. Evaluate context such as IP address, user roles, device, ...
2. Accept access, deny access, or enforce 2FA (the user presents a 2FA token)
3. Return SSO token (SAML or X.509)
SAP Single Sign-On Limit business functionality based on context
Risk-based authorization handling
- Relies on SAP Identity Provider, using SAML 2.0
- Access policy information is added to the SAML assertion after authentication
- On AS Java, dynamic reduction of the available roles based on the access policy. See SAP Note 2151025
- On AS ABAP, access policy information is available in the security session. See SAP Note 2057832
Runtime (the SAP Application Server receives the SAML assertion including the access policy information from the SAP IdP)
- Check the access policy and handle access restrictions
- AS Java: temporarily reduce user roles and authorizations for the session
- AS ABAP: extend customer exits in applications to allow risk-based authorization checks, e.g. for admin tasks or data download
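The two slides above describe one pipeline: evaluate the login context, decide between accept, deny and enforce 2FA, carry the resulting access policy in the SAML assertion, and let the application server reduce the session's roles from it. The following Python is an added example written for this page; it is not SAP code and does not reproduce the SAP Identity Provider or AS Java behaviour. The corporate network ranges, the decision rules, the attribute name "AccessPolicy" and the role names are constructed assumptions, and the assertion is built unsigned purely to show where the attribute sits (a real service provider must verify the IdP's signature before trusting any attribute).

```python
"""
Risk-based authentication and authorization by context (illustrative).
Added example, not SAP code: network ranges, rules, the "AccessPolicy"
attribute name and the role names are constructed assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from enum import Enum

# Constructed corporate address ranges; anything else counts as "Internet".
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

# Constructed policy table: roles removed from the session under each access policy.
RESTRICTED_ROLES = {
    "INTERNAL": set(),
    "EXTERNAL": {"Administrator", "DataExport"},
}

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REQUIRE_2FA = "require_2fa"


@dataclass
class Context:
    user: str
    source_ip: str
    roles: set
    device_managed: bool     # assumption: e.g. a device certificate was presented
    mfa_done: bool = False   # second factor already verified in this session


def evaluate_access_policy(ctx: Context):
    """IdP side: evaluate the context, return (decision, access policy name or None)."""
    ip = ipaddress.ip_address(ctx.source_ip)
    if any(ip in net for net in CORPORATE_NETWORKS):
        return Decision.ALLOW, "INTERNAL"
    if not ctx.device_managed:          # unmanaged device from outside: deny
        return Decision.DENY, None
    if not ctx.mfa_done:                # managed device from outside: 2FA first
        return Decision.REQUIRE_2FA, None
    return Decision.ALLOW, "EXTERNAL"


def build_assertion(user: str, access_policy: str) -> str:
    """IdP side: carry the access policy in an AttributeStatement of the assertion.
    Unsigned here for brevity; a real IdP signs it and the SP must verify that."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = user
    statement = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name="AccessPolicy")
    ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = access_policy
    return ET.tostring(assertion, encoding="unicode")


def access_policy_from_assertion(assertion_xml: str):
    """Application server side: read the AccessPolicy attribute (None if absent)."""
    root = ET.fromstring(assertion_xml)
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attribute.get("Name") == "AccessPolicy":
            value = attribute.find(f"{{{SAML_NS}}}AttributeValue")
            return value.text if value is not None else None
    return None


def effective_roles(assigned_roles: set, access_policy) -> set:
    """Application server side: reduce roles for this session only. A missing or
    unknown policy is treated as the union of all restrictions (fail closed)."""
    restricted = RESTRICTED_ROLES.get(access_policy)
    if restricted is None:
        restricted = set().union(*RESTRICTED_ROLES.values())
    return set(assigned_roles) - restricted


def login(ctx: Context):
    """End to end: returns (decision, effective roles for the session or None)."""
    decision, policy = evaluate_access_policy(ctx)
    if decision is not Decision.ALLOW:
        return decision, None
    assertion = build_assertion(ctx.user, policy)
    policy_seen_by_app = access_policy_from_assertion(assertion)
    return decision, effective_roles(ctx.roles, policy_seen_by_app)
```

The same user keeps all roles from the intranet, is denied from an unmanaged Internet device, is sent to 2FA from a managed one, and after 2FA gets a session without the administrative and data-export roles; that last reduction is what the AS Java role reduction and the AS ABAP customer-exit checks on the slide implement in product terms.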
SAP Single Sign-On Mobile single sign-on with SAP Authenticator
Details
- Relies on time-based one-time passwords for authentication
- SAP Authenticator apps available for iOS and Android
- Self-registration for end users
- Administrative user interfaces
Usage scenarios
- Single sign-on for web applications
- Single sign-on for Fiori native client (see SCN blog for details)
Alternative options
- In many cases, mobile single sign-on is also possible using the standard technologies Kerberos, X.509 or SAML
SAP Single Sign-On RFID-based user identification
- Identify users with an RFID token (Radio Frequency Identification)
- Instant user identification with the RFID token, followed by single sign-on based on X.509 certificates
Usage scenarios
- Warehouse and production scenarios
- Kiosk/terminal computers
Technical integration
- Identification data stored in Microsoft Active Directory
- Support for several RFID reader device types
Note: the token identifies the user by possession alone, so where a second factor is required it has to be combined with something the user knows, such as a PIN or password.
Planned innovation, subject to change: Certificate Lifecycle Management
Scope
- The security capabilities of the Application Server ABAP are often based on certificates
- When a customer's security policy defines a short certificate validity, certificates expire on a regular basis and need to be renewed
- Certificate Lifecycle Management helps manage the renewal of certificates, reduces manual effort and prevents downtime
Registration of Application Server ABAP with Secure Login Server
- The administrator establishes a trust relationship between AS ABAP and Secure Login Server
- The administrator configures, for each relevant certificate, the corresponding Secure Login Server profile
Automated renewal of certificates
- A scheduled ABAP report checks the local Application Server ABAP for certificates that are about to expire
- The ABAP report retrieves the renewed certificate from Secure Login Server and installs it
Benefit
- No more manual steps required
- SAP supported solution
- Mitigates the risk of unexpected downtime
This is the current state of planning and may be changed by SAP at any time.
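The renewal loop described above (scheduled check for certificates that expire within a threshold, fetch and install a replacement, nothing to do on the next run) is shown here as an added Python example written for this page; it is not the planned ABAP report and not SAP code. It relies on the openssl command-line tool being installed and uses self-signed test certificates that it generates itself; the "retrieve renewed certificate from Secure Login Server" step is replaced by a caller-supplied renew() hook, which in the demo simply re-issues a self-signed certificate.

```python
"""
Certificate expiry check and renewal run (illustrative).
Added example, not SAP code and not the ABAP report. Assumes the openssl CLI;
renew() stands in for retrieving the renewed certificate from Secure Login Server.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Iterable, List

# Minimal config so `openssl req` does not depend on a system openssl.cnf.
MINIMAL_REQ_CONFIG = "[req]\ndistinguished_name = dn\n[dn]\n"


def _openssl(*args: str) -> subprocess.CompletedProcess:
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found")
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def issue_self_signed(cert_path: str, key_path: str, days: int, common_name: str) -> None:
    """Create a self-signed certificate valid for `days` days (test fixture only)."""
    config_path = cert_path + ".cnf"
    with open(config_path, "w") as f:
        f.write(MINIMAL_REQ_CONFIG)
    result = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-config", config_path,
                      "-keyout", key_path, "-out", cert_path,
                      "-days", str(days), "-subj", f"/CN={common_name}")
    if result.returncode != 0:
        raise RuntimeError(result.stderr)


def expires_within(cert_path: str, seconds: int) -> bool:
    """True if notAfter lies within `seconds` from now.
    `openssl x509 -checkend N` exits 0 if still valid after N seconds, 1 if not."""
    result = _openssl("x509", "-in", cert_path, "-noout", "-checkend", str(seconds))
    if result.returncode not in (0, 1):
        raise RuntimeError(result.stderr)
    return result.returncode == 1


def renewal_run(cert_paths: Iterable[str], threshold_seconds: int,
                renew: Callable[[str], None]) -> List[str]:
    """One scheduled run: renew every certificate that expires within the threshold."""
    renewed = []
    for path in cert_paths:
        if expires_within(path, threshold_seconds):
            renew(path)
            renewed.append(path)
    return renewed


def demo(threshold_days: int = 7):
    """Two certificates, one about to expire: run one renews it, run two finds nothing."""
    workdir = tempfile.mkdtemp()
    short_cert = os.path.join(workdir, "short.pem")
    long_cert = os.path.join(workdir, "long.pem")
    issue_self_signed(short_cert, short_cert + ".key", days=1, common_name="expiring")
    issue_self_signed(long_cert, long_cert + ".key", days=365, common_name="fresh")

    def renew(path: str) -> None:
        # Stand-in for fetching the renewed certificate from Secure Login Server.
        issue_self_signed(path, path + ".key", days=365, common_name="renewed")

    certs = [short_cert, long_cert]
    threshold = threshold_days * 86400
    first = [os.path.basename(p) for p in renewal_run(certs, threshold, renew)]
    second = [os.path.basename(p) for p in renewal_run(certs, threshold, renew)]
    shutil.rmtree(workdir, ignore_errors=True)
    return first, second


if __name__ == "__main__":
    print(demo())  # (['short.pem'], [])
```

Run the check with a threshold comfortably longer than the interval between scheduled runs (the demo uses seven days), otherwise a certificate can fall into the gap and expire between two runs, which is exactly the downtime the slide wants to avoid.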
Summary
Summary
- SAP Single Sign-On offers a suite of security and productivity capabilities for SAP as well as non-SAP applications
- It offers investment protection, flexibility, and single sign-on for heterogeneous system landscapes
What are the main business drivers?
- Protect business, reputation and trust
- Lower password-related costs
- Simplicity and agility
SAP TechEd Online Continue your SAP TechEd education after the event! Access replays of keynotes, Demo Jam, SAP TechEd live interviews, select lecture sessions, and more! Hands-on replays http://sapteched.com/online
Further Information
Related SAP TechEd sessions:
- SEC806 - Roadmap Q&A SAP Single Sign-On
- SEC162 - Single Sign-On and Authorizations for SAP Fiori Made Simple (Hands-On)
- SEC263 - Risk-Based Authentication for SAP Fiori and SAP Portal (Hands-On)
- SEC700 - Risk-Based Authentication in Action (Code review)
- TEC102 - Security Strategy Overview
- SEC106 - The Cloud Solution for Authentication, Single Sign-On and User Management
SAP Public Web
- http://scn.sap.com/community/sso
- http://www.sap.com/pc/tech/security/software/single-sign-on/index.html
SAP Education and Certification Opportunities: www.sap.com/education
Watch SAP TechEd Online: www.sapteched.com/online
Thank you Contact information: Christian Cohrs Area Product Owner SAP Single Sign-On christian.cohrs@sap.com Regine Schimmer Product Management SAP Single Sign-On regine.schimmer@sap.com
2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.