
Agenda

Introduction

Identity Access Management for the Cloud

Delegated Authentication

User Management & User Self-Services

Further Information

© 2016 SAP SE or an SAP affiliate company. All rights reserved. Public 2


Introduction
Identity and Access Management as a Service
In the SAP security portfolio



Identity and Access Management as a Service from SAP
Solution overview
A complete cloud identity suite that enables organizations to easily manage user on-boarding and helps users to easily access their applications

SAP Cloud Platform Identity Provisioning


Automatically sets up user accounts and authorizations
Optimized for SAP cloud applications
Re-using existing on-premise and cloud user stores
Jointly working with the SAP Identity Management product

SAP Cloud Platform Identity Authentication


Simple and secure access to web based applications
Enterprise features like password policies and multi-factor and risk-based authentication
On-premise user store integration
Easy consumer and partner on-boarding via self-services

This is the current state of planning and may be changed by SAP at any time.



Aspects for Identity Access Management in Hybrid Scenarios
Introduction

Protect: control application access and apply various authentication methods
Manage: centrally manage user profiles and allow self-services
Integrate: seamlessly integrate into existing single sign-on infrastructure



SAP Cloud Platform Identity Authentication
Product overview

SAP Cloud Platform Identity Authentication provides secure access to web applications.
It is a software as a service (SaaS) offering by SAP.

Access protection
Identity federation based on SAML 2.0
Web single sign-on and desktop SSO
Secure on-premise integration with existing authentication system
Social and strong authentication
Risk-based authentication

Manage users and access to applications


User administration and integration with on-premise user stores
User groups and application access management
User self-services
Password and privacy policies

Enterprise features for integration


Branding of end user UIs
Programmatic integration via SCIM standard



Usage Scenarios

[Diagram: three usage scenarios. Employees (B2E): a mobile worker authenticates to cloud applications and, via Active Directory on-premise, to corporate applications with SSO. Consumers (B2C): a consumer uses self registration or social authentication, with identity data held in the cloud. Partners (B2B): a partner authenticates via Identity Authentication.]



Business-to-Employee Scenario (B2E)

Identity Authentication for B2E:

Single Sign-On from anywhere and on any device
User self-service for password reset
User Interface in company look & feel
Administration services
– Corporate branding
– User management
– Application on-boarding
– Template configuration
Authentication based on common standards like SAML
Password policy enforcement on application level



Business-to-Customer (B2C) and Business-to-Business (B2B) Scenario

Identity Authentication for B2C and B2B:

Self-registration with e-mail confirmation
Invitation flow
On-behalf registration
Single Sign-On
Access on any device from outside the corporate network
Password reset self-service
Corporate branding
Authentication based on trusted standards
Password policies enforcement on application level

[Diagram: customers and partners outside the corporate firewall access applications through Identity Authentication.]



Integrating SAP and 3rd-party Applications
Identity access management

[Diagram: the SAP Cloud Platform Identity Authentication Service provides authentication and SSO to application groups: HR & Collaboration (SuccessFactors Employee Central, Jam), ERP/CRM (S/4HANA, C4C / Cloud for Customer), Planning & Analytics (IBP, Cloud Analytics), 3rd party (Microsoft Office365, Azure, Travel, …) and SAP Cloud Platform. Authentication can be delegated to social platforms (Facebook, Google, Twitter). On-premise HR (HCM), Identity Management (IDM) and a corporate IdP are connected for authentication and provisioning.]



Web Single Sign-On

[Diagram: the Identity Authentication Service in the cloud provides web single sign-on to cloud and on-premise applications; social authentication via Facebook, Google+ or Twitter is optional; on-premise authentication is integrated.]



Identity Access Management for the Cloud
SAP Cloud Platform Identity Authentication - as authenticating authority
Secure Access and Single Sign-on
Identity access management

[Diagram: the Identity Authentication Service authenticates users to SAP S/4HANA cloud, SAP Mobile Secure, 3rd-party cloud applications, SAP Innovation Management, SAP Cloud Platform, SAP Document Center, Cloud Portal Sites and other applications, as well as to the corporate network.]



Configurable access levels
Identity access management

Access protection on user level and on application level

Public access
Self registration is allowed
Social authentication [optional]

Internal access
Only users already registered are entitled to access

Private access
Only users registered for the application can access

User status: new, active, inactive, locked



Custom password policy configuration
Identity access management

Custom password policies serve the need to comply with corporate security guidelines

Custom password policies

Min/max password length
Password expiration period
Max period for unused password
Min password age
Number of passwords in history
Number of failed logon attempts until user gets locked
Time period a user gets locked due to failed logon attempts
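As an added example (not SAP code, and not how the service implements its policies), the seven policy parameters listed above expressed as a configuration and enforced against a per-user state: length bounds, minimum age and history on a password change, expiration and unused period on logon, and lockout after too many failed attempts. The default values and the PBKDF2 hashing are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 86400

@dataclass
class PasswordPolicy:  # the seven knobs from the slide; defaults are constructed for the example
    min_length: int = 8
    max_length: int = 64
    expiration_days: int = 90       # password expiration period
    max_unused_days: int = 180      # max period for an unused password
    min_age_days: int = 1           # min password age before it may be changed again
    history_size: int = 5           # number of passwords kept in history
    max_failed_attempts: int = 5    # failed logon attempts until the user gets locked
    lock_seconds: int = 900         # time period the user stays locked

@dataclass
class UserState:
    history: list = field(default_factory=list)  # (salt, pbkdf2 hash) per password, newest last
    changed_at: int = 0
    last_used_at: int = 0
    failed_attempts: int = 0
    locked_until: int = 0

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_expired(p: PasswordPolicy, s: UserState, now: int) -> bool:
    """True once the expiration period or the unused period has elapsed."""
    return now - s.changed_at > p.expiration_days * DAY or now - s.last_used_at > p.max_unused_days * DAY

def record_failed_logon(p: PasswordPolicy, s: UserState, now: int) -> bool:
    """Count a failed logon; lock the user once the threshold is reached. Returns the lock state."""
    s.failed_attempts += 1
    if s.failed_attempts >= p.max_failed_attempts:
        s.locked_until, s.failed_attempts = now + p.lock_seconds, 0  # counter restarts after the lock
    return now < s.locked_until

def change_password(p: PasswordPolicy, s: UserState, new: str, now: int):
    """Apply the change rules; return None when accepted, else the name of the violated rule."""
    if not p.min_length <= len(new) <= p.max_length:
        return "length"
    if s.history and now - s.changed_at < p.min_age_days * DAY:
        return "min_age"
    if any(hmac.compare_digest(_hash(new, salt), h) for salt, h in s.history):
        return "history"
    salt = os.urandom(16)
    s.history = (s.history + [(salt, _hash(new, salt))])[-p.history_size:]  # keep only the last N
    s.changed_at = s.last_used_at = now
    return None
```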



Risk-based authentication
Identity access management

Define authentication rules to control application access

[Diagram: each authentication rule results in one of three actions: Allow, Two-factor authentication, or Deny.]



Two-factor authentication with SAP Authenticator
Identity access management

Authentication with one-time passwords


Provide two means of identification
OTP required for login in addition to password or security token
Second factor for high security scenarios

Based on SAP Authenticator mobile app


OTP (6-digit) created on mobile device
Available for iOS and Android
RFC 6238 compatible



Delegated Authentication
SAP Cloud Platform Identity Authentication - used as a proxy
Identity authentication service as a proxy to a corporate IdP
Delegated authentication

IdP proxy via the SAML standard – easy to establish

Identity provider proxy

Authentication is delegated to the corporate identity provider login
Reuse of existing single sign-on infrastructure
Easy and secure authentication for business-to-employee (B2E) scenarios
Federation based on the SAML 2.0 standard

[Diagram: the Identity Authentication Service sits between the applications (including 3rd-party cloud applications) and the corporate identity provider inside the corporate network.]



Authentication with on-premise user store
Delegated authentication

Integrate with an on-premise user store via a secure tunnel

On-premise user store

User credentials from:
– Active Directory
– 3rd party user store
No user replication to the cloud required
Internal network ports do not need to be exposed to the Internet
In addition the usual product features can be used: UI configuration, policies, two-factor authentication

[Diagram: the Identity Authentication Service reaches the on-premise user store (LDAP + SAP SSO, SAP NetWeaver AS ABAP / NW JAVA) in the corporate network through the Cloud Connector.]



SPNEGO authentication
Delegated authentication

SPNEGO: integrate with MS Windows domain authentication

SPNEGO* authentication

Users authenticated with corporate LDAP enjoy single sign-on to cloud applications without re-authentication
Reuse of existing corporate identity infrastructure
Secure authentication and SSO for cloud and on-premise web applications
Increase user productivity in B2E scenarios

[Diagram: a Kerberos token obtained with corporate LDAP credentials inside the corporate network is presented to the Identity Authentication Service, which signs the user on to the applications.]

* Simple and Protected GSSAPI Negotiation Mechanism



Social IdP integration
Delegated authentication

Enable social login with popular identity providers in the Internet

Social media authentication

Suitable for B2C, B2B scenarios
Configurable per application
Linking and unlinking of social accounts
Logon credentials: social media username & password

[Diagram: the Identity Authentication Service delegates authentication to 3rd-party cloud social media IdPs on behalf of the applications.]



IdP initiated SSO
Delegated authentication

Secure your business network and allow partner users to login via their corporate IdP

[Diagram: "User Group 1" can access the application via SAML IdP 1 and "User Group 2" via SAML IdP 2, both through the Identity Authentication Service.]

SAP Cloud Platform Identity Authentication as a proxy to multiple SAML identity providers
Authentication is initiated by the SAML identity provider
Upon successful authentication, a check for correct user group assignment can be configured (optional)



User Management & User Self-Services
SAP Cloud Platform Identity Authentication - easy administration to reduce TCO
Administration services
User management & user self-services

Application Configuration
User Management
Reporting
Branding & Policies



User management
User management & user self-services

Web-based and programmatic user management capabilities

User administration
Web based user management
User search
Mass user import/export
Monitor user access

User groups administration


Define user groups
Assign users to groups

Integration
Programmatic integration via SCIM REST APIs



User self-services
User management & user self-services

User self-services reduce TCO, especially for B2C and B2B scenarios

Convenient user self-services


Configurable self-registration
Account confirmation via email
Forgot password

User profile
Edit details & change password
Mobile device activation (for TFA)
(Un-)Link social accounts

Product features
Responsive UIs
Multilanguage support



Branding and customization
User management & user self-services

User interface, email templates and registration policies can be adjusted to corporate needs

Customization features
Company Logo
Application name and logo
Color style
Terms of use & privacy policy
Adjust UI texts via API
Mail templates (account confirmation, forgot password, and others)

Product features
Responsive UIs
Multilanguage support



Further Information

SAP Cloud Platform Identity Authentication


Solution brief: https://www.sap.com/documents/2015/07/028d698e-5b7c-0010-82c7-eda71af511fa.html
Solution overview: https://wiki.scn.sap.com/wiki/x/yy67Gg
Application docu: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US
How-to guides: https://blogs.sap.com/2015/08/12/sap-cloud-identity-how-to-guides/
SAP Road Maps: http://www.sap.com/roadmaps
Service Description: http://www.sap.com/about/agreements.sap-cloud-services-customers.html

SAP Cloud Platform Identity Provisioning


Application docu
Solution overview

SAP Cloud Identity Access Governance


SAP.com - SAP Cloud Identity Access Governance



Thank you
Contact information:

Marko Sommer
Product Manager
marko.sommer@sap.com

Christian Cohrs
Product Manager
christian.cohrs@sap.com
Appendix
Acronym glossary

Acronym     Full Text
B2B         Business to Business
B2C         Business to Consumer
B2E         Business to Employee
C4C         SAP Cloud for Customer
HCP         SAP HANA Cloud Platform
HR / HCM    Human Resources, Human Capital Management
IAM / IDM   Identity Access Management / Identity Management
IBP         SAP Integrated Business Planning
IdP / SP    Identity Provider / Service Provider (SAML)
LDAP        Lightweight Directory Access Protocol
OAuth       Open Authorization Framework
OTP         One-time password
REST        Representational State Transfer
RSA         RSA is a public-key cryptosystem
SAML        Security Assertion Markup Language
SCIM        System for Cross-domain Identity Management
SF / SFSF   SuccessFactors
SPNEGO      Simple and Protected GSSAPI Negotiation Mechanism (GSSAPI: Generic Security Service Application Program Interface)
SSO         Single Sign-On
TCO         Total Cost of Ownership
TFA / 2FA   Two-factor authentication
X.509       In cryptography, X.509 is a standard for a public key infrastructure (PKI)



© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
