customer sap hana cloud platform identity authentication · sap hana cloud platform identity...
Post on 29-May-2018
TRANSCRIPT
Marko Sommer, SAP
October 25th, 2016
SAP HANA Cloud Platform Identity Authentication International Focus Group for SAP Security, Data Protection & Privacy
Customer
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2 Customer
Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Agenda
Introduction
Delegate authentication from SAP Cloud applications to Identity Authentication
Identity federation with on-premise user stores in hybrid scenarios
Stronger means of authentication
Demo
Outlook
SAP HANA Cloud Platform Identity Authentication in the SAP security portfolio
Landscapes covered: SAP Business Suite, SAP S/4HANA, SAP NetWeaver Application Server, SAP HANA, SAP HANA Cloud Platform, SAP Cloud Applications, 3rd party systems
SAP Single Sign-On: make it simple for users to do what they are allowed to do
SAP Identity Management: know your users and what they can do
SAP Access Control: ensure corporate compliance to regulatory requirements
Platform Security: make sure that SAP solutions run securely
SAP Enterprise Threat Detection: counter possible threats and identify attacks
Add-On for Code Vulnerability Analysis: find and correct vulnerabilities in customer code
SAP HANA Cloud Platform Identity Authentication, SAP HANA Cloud Platform Identity Provisioning*, SAP Cloud Identity Access Governance (access analysis service): manage access, users and compliance in the cloud
Aspects of identity and access management in hybrid scenarios (Introduction)
Protect: control application access and apply various authentication methods
Integrate: seamlessly integrate into the existing single sign-on infrastructure
Manage: centrally manage user profiles and allow self-services
Product overview (Introduction)
SAP HANA Cloud Platform Identity Authentication provides secure access to web applications. It is a software-as-a-service (SaaS) offering by SAP.
Access protection
Identity federation based on SAML 2.0
Web single sign-on and desktop SSO
Secure on-premise integration with existing authentication systems
Social and strong authentication
Risk-based authentication
Manage users and access to applications
User administration and integration with on-premise user stores
User groups and application access management
User self-services
Password and privacy policies
Enterprise features for integration
Branding of end-user UIs
Programmatic integration via the SCIM standard
Secure access and single sign-on (Identity access management)
Diagram: users log on (from the corporate network or the Internet) at the Identity Authentication Service, which provides single sign-on to SAP HANA Cloud Platform, SAP S/4HANA cloud, Cloud Portal sites, SAP Document Center, SAP Mobile Secure, Innovation Management, other applications and 3rd party cloud applications
User self-services (User management & user self-services)
Convenient user self-services
Configurable self-registration
Account confirmation via email
Forgot password
User profile: edit details & change password
Mobile device activation (for TFA)
(Un-)Link social accounts
Product features
Responsive UIs
Multilanguage support
User self-services reduce TCO, especially in B2C and B2B scenarios
Branding and customization (User management & user self-services)
Customization features
Company logo
Application name and logo
Color style
Terms of use & privacy policy
Adjust UI texts via API
Mail templates (account confirmation, forgot password, et al.)
Product features
Responsive UIs
Multilanguage support
User interface, email templates and registration policies can be adjusted to corporate needs
Custom password policy configuration (Identity access management)
Custom password policies
Min/max password length
Password expiration period
Max period for unused password
Min password age
Number of passwords in history
Number of failed logon attempts until the user gets locked
Time period a user stays locked after failed logon attempts
Custom password policies serve the need to comply with corporate security guidelines
Identity Authentication service as a proxy to a corporate IdP (Delegated authentication)
Identity provider proxy
Authentication is delegated to the corporate identity provider's logon
Reuse of existing single sign-on infrastructure
Easy and secure authentication for business-to-employee (B2E) scenarios
Federation based on the SAML 2.0 standard
Diagram: the user logs on at the corporate identity provider inside the corporate network; the Identity Authentication Service sits between the corporate IdP and the cloud and 3rd party cloud applications, speaking SAML on both sides
IdP proxy via the SAML standard: easy to establish
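In the proxy setup above, every hop is a SAML service provider trusting an assertion from the hop before it: the applications trust the Identity Authentication Service, and the service trusts the corporate IdP. The checks a service provider must make on an inbound response, beyond verifying the XML signature, are easy to get wrong, so here is an added Python example (not SAP's code and not part of the original deck). The issuer, ACS URL, audience and request ID are hypothetical, the response is a constructed sample, and signature verification is assumed to have already been done by an xmlsec-based library before these checks run.

```python
"""Checks a SAML 2.0 service provider (SP) must make on an inbound Response
before trusting the NameID. Added example; it assumes the XML signature on
the Response/Assertion was already verified by a signature-aware library
(for example xmlsec via python3-saml), which this stand-alone code does NOT do."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response; issuer, ACS URL, audience and IDs are hypothetical.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2016-10-25T10:00:00Z" InResponseTo="_req42"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-10-25T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-10-25T10:05:00Z" InResponseTo="_req42"
            Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-10-25T09:59:00Z" NotOnOrAfter="2016-10-25T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2016, 10, 25, 10, 1, 0, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC xsd:dateTime; the sample uses whole seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, issuer, acs_url, audience, request_id, now,
                      skew=timedelta(seconds=60), seen_assertion_ids=None):
    """Return {'name_id', 'assertion_id'} or raise ValueError. Each check closes
    one way of reusing a genuine, correctly signed assertion against this SP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != acs_url:                  # sent to another SP's ACS
        raise ValueError("Destination is not this SP's ACS URL")
    if root.get("InResponseTo") != request_id:              # unsolicited / wrong request
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one plain Assertion")
    a = assertions[0]
    for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if el is None or el.text != issuer:                 # only the configured IdP
            raise ValueError("Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _ts(nb):
        raise ValueError("assertion not yet valid")
    if noa is None or now - skew >= _ts(noa):
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:                           # minted for another SP
        raise ValueError("assertion was issued for another audience")
    bearer = [sc for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if sc.get("Method") == BEARER]
    if not bearer:
        raise ValueError("no bearer SubjectConfirmation")
    scd = bearer[0].find("saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != request_id
            or scd.get("NotOnOrAfter") is None
            or now - skew >= _ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmationData rejected")
    if seen_assertion_ids is not None:                      # replay cache by Assertion ID
        if a.get("ID") in seen_assertion_ids:
            raise ValueError("assertion replayed")
        seen_assertion_ids.add(a.get("ID"))
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing NameID")
    return {"name_id": name_id.text, "assertion_id": a.get("ID")}


def sample_result(minutes_offset=0, request_id="_req42", seen_ids=None):
    """Validate the constructed sample as the SP at SAMPLE_NOW + offset."""
    return validate_response(
        SAMPLE_RESPONSE, issuer="https://idp.example.com",
        acs_url="https://sp.example.com/saml/acs", audience="https://sp.example.com",
        request_id=request_id, now=SAMPLE_NOW + timedelta(minutes=minutes_offset),
        seen_assertion_ids=seen_ids)
```

The replay cache only needs to hold assertion IDs until their NotOnOrAfter has passed, since anything older is rejected by the time checks anyway. With an IdP proxy in the chain, each application should be configured to trust only the proxy's Issuer, and the proxy applies the same checks to the corporate IdP's assertions.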
Authentication with on-premise user store (Delegated authentication)
On-premise user store
User credentials from: Active Directory, 3rd party user store
No user replication to the cloud required
Internal network ports do not need to be exposed to the Internet
In addition, the usual product features can be used: UI configuration, policies, two-factor authentication
Diagram: the Identity Authentication Service reaches the on-premise user store (LDAP behind SAP NetWeaver AS Java + SAP SSO, or AS ABAP) in the corporate network through the Cloud Connector; the user logs on with those credentials and is signed on to the cloud applications
Integrate with an on-premise user store via a secure tunnel
SPNEGO* authentication (Delegated authentication)
Users authenticated against the corporate LDAP enjoy single sign-on to cloud applications without re-authentication
Reuse of existing corporate identity infrastructure
Secure authentication and SSO for cloud and on-premise web applications
Increased user productivity in B2E scenarios
Diagram: in the corporate network the user's Windows domain logon yields a Kerberos token, which is presented via SPNEGO to AS ABAP backed by corporate LDAP credentials; the Identity Authentication Service then signs the user on to the applications via SAML
SPNEGO: integrate with MS Windows domain authentication
* Simple and Protected GSSAPI Negotiation Mechanism
Risk-based authentication (Identity access management)
Authentication rules are evaluated at logon against network IP ranges and/or user group membership
Outcome per logon: Deny, Allow, or Two-factor authentication
Define authentication rules to control application access
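Rule sets like the one on this slide are evaluated in order, and the first rule whose conditions all hold decides the outcome; what happens when nothing matches is the part most often left implicit. The following Python example is added here to show that evaluation (it is not SAP's implementation); the rule names, address ranges and group names are constructed, and the default when no rule matches is a parameter that this example sets to deny.

```python
"""First-match evaluation of risk-based authentication rules: a rule may
constrain the client's source network (CIDR) and the user's group membership
and yields allow, deny, or two_factor. Added example with constructed rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" | "deny" | "two_factor"
    ip_range: Optional[str] = None   # CIDR; None means any network
    group: Optional[str] = None      # required group; None means any user
    name: str = ""                   # label reported back for audit logging


def _ip_matches(rule: Rule, client_ip: str) -> bool:
    if rule.ip_range is None:
        return True
    try:
        # Mixed IPv4/IPv6 comparisons are simply False, never a match.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule.ip_range, strict=False)
    except ValueError:
        return False                 # unparsable address never satisfies a network rule


def evaluate(rules: Sequence[Rule], client_ip: str, user_groups: Set[str],
             default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or (default, 'default')."""
    for rule in rules:
        if _ip_matches(rule, client_ip) and (rule.group is None or rule.group in user_groups):
            return rule.action, rule.name
    return default, "default"


# Constructed rule set (hypothetical ranges and groups). Order matters: the
# administrator rule precedes the corporate-LAN rule so admins get a second
# factor even from inside the network.
SAMPLE_RULES = [
    Rule("deny", ip_range="203.0.113.0/24", name="blocked range"),
    Rule("two_factor", group="Administrators", name="admins always 2FA"),
    Rule("allow", ip_range="10.0.0.0/8", name="corporate LAN"),
    Rule("allow", ip_range="2001:db8::/32", name="corporate IPv6"),
    Rule("two_factor", name="everyone else"),
]

if __name__ == "__main__":
    for ip, groups in [("10.1.2.3", {"Administrators"}), ("10.1.2.3", {"Employees"}),
                       ("198.51.100.7", {"Employees"}), ("203.0.113.5", {"Administrators"})]:
        print(ip, sorted(groups), "->", evaluate(SAMPLE_RULES, ip, groups))
```

Two things worth checking when writing real rules: the client address must be the one the identity service actually observed (a forwarded header is only trustworthy when set by your own proxy), and swapping the order of the administrator and LAN rules silently downgrades administrators on the LAN to password-only logon.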
Two-factor authentication with SAP Authenticator (Identity access management)
Authentication with one-time passwords
Provide two means of identification
OTP required for login in addition to the password or security token
Second factor for high-security scenarios
Based on the SAP Authenticator mobile app
OTP (6-digit) created on the mobile device
Available for iOS and Android
RFC 6238 (TOTP) compatible
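RFC 6238 compatibility means the 6-digit code is a TOTP: an HMAC over the current 30-second time step, truncated per RFC 4226. Below is an added Python example of both generation and server-side verification (it is not SAP Authenticator's code); it uses the published RFC 6238 test secret so the values can be checked against the RFC, and the window and replay handling are the verifier-side choices a practitioner has to make.

```python
"""TOTP (RFC 6238) generation and verification as used by 6-digit, 30-second
authenticator apps. Added example; RFC6238_SECRET is the RFC's own test key."""
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"   # ASCII secret from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Accept `code` if it matches a step within +/-`window` of the current one
    AND that step is newer than `last_counter` (the step of the last accepted
    code, persisted per user). Returns the accepted step so the caller can store
    it, or None. Rejecting steps <= last_counter stops replay of a code that was
    already used; the window tolerates clock drift between phone and server."""
    current = at // step
    for c in range(current - window, current + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), str(code)):
            return c
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_SECRET, now))
    print("verified at step:", verify_totp(RFC6238_SECRET, totp(RFC6238_SECRET, now), now, 0))
```

The secret is the only thing protecting the second factor, so it should be generated with a CSPRNG at enrollment (the QR code the app scans is that secret), stored with the same care as a password hash cannot provide (it must remain recoverable), and never logged. A 6-digit code also needs rate limiting on the verifier, since the 3-step window above gives an online guesser three chances per attempt out of a million.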
Demo SAP HANA Cloud Platform Identity Authentication Service (IAS) - in use…
1. IAS as authenticating authority
2. IdP Proxy
3. Risk-based authentication
SAP HANA Cloud Platform Identity Authentication product road map overview: key themes and capabilities
This is the current state of planning and may be changed by SAP at any time.
Today (Q3 2016)
Authentication & single sign-on
• Identity Federation and web single sign-on based on SAML
• Social Authentication and Inbound Federation
• Risk-Based and Two-Factor Authentication
• Desktop SSO (SPNEGO)
• On-premise integration
User and Access Management
• Web user administration and on-premise user store integration
• User Groups
• Convenient user self-services
• SCIM API
Enterprise features
• Corporate Branding of UIs and Privacy Policies
• Usage reporting
• US and EU Data Center
Planned Innovations
Authentication & single sign-on
• Two-Factor Authentication with SMS and email
• OpenID Connect support
• X.509 authentication
• OAuth protection of APIs
User and Access Management
• Custom password policies
• Custom user attributes
• User profile page customization
• Integration with SAP Identity Management
Enterprise features
• Troubleshooting and Audit Logs
• Privacy policies version management
• Custom mail service
• APJ Data center
• Disaster Recovery
Future Direction
Authentication & single sign-on
• Mobile native scenarios
• Two-Factor Authentication with RSA
• Reusable Risk-Based Authentication policies
• API based authentication flow
• Custom extension framework
• Security token service
User and Access Management
• Delegated Administration (B2B)
• Approval for self-registration and implicit User Group assignment
• Just-in-time provisioning
Enterprise features
• Extended Data center coverage
• Advanced reporting and monitoring
Thank you Contact information:
Marko Sommer
Project Expert
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
marko.sommer@sap.com
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.