Follow these typical scenarios of an implementation of SAP NetWeaver Single Sign-On. They reflect the challenges that users face with authentication in heterogeneous environments and show how SAP NetWeaver Single Sign-On can help overcome them. You can use it in the most diverse environments, including on-premise, on-demand, and legacy applications.
Key Concept
Single sign-on (SSO) in general refers to a security mechanism that provides user access to multiple systems within a system landscape. With SSO, users log in only once with their user credentials; subsequent logons to other systems are taken care of behind the scenes. From an end-user perspective this might simply be convenient, but for an organization, the benefits of such a solution go far beyond mere convenience.
With the acquisition of SECUDE assets in 2011, SAP was able to enhance its security offerings with new functionality, combining existing and new features into the SAP NetWeaver Single Sign-On offering. Together with SAP NetWeaver Identity Management for managing users and SAP Access Control, SAP now provides a comprehensive security suite to run a landscape in a secure and compliant way. Following are some of SAP NetWeaver Single Sign-On’s benefits:
- Fewer help-desk calls are required to reset forgotten passwords, reducing IT costs
- User efficiency and productivity increase because users don’t have to reenter passwords multiple times
- Increasingly frequent changes in legal regulations concerning access management can be implemented easily
- Password fatigue from many different user name and password combinations, and the resulting storage of login information in unsafe locations, are eliminated
- Password phishing becomes a lot more difficult because the password has to be entered only once; thereafter, a security token is used
- Encryption options help protect sensitive business data
- Authentication techniques can be leveraged across company boundaries to incorporate business partners and subsidiaries
SAP NetWeaver Single Sign-On covers diverse single sign-on (SSO) requirements. Changes in your system landscape or extending your applications into the cloud, for example, do not mean that you have to purchase a new SSO solution. The modular structure of the SAP solution allows you to easily adjust to new requirements. By using public standards it can also support non-SAP applications, and allows you to integrate existing central authentication mechanisms.
We’ll explain the main capabilities of SAP NetWeaver Single Sign-On before discussing some common scenarios implemented at organizations. Finally, we’ll show you a compatibility matrix you can use to see which SSO options are available for different SAP systems.
Main Capabilities of SAP NetWeaver Single Sign-On
The principle of one log-on sounds very simple, but in many cases, the complexity of a system landscape poses a lot of challenges that are not so easy to address. Figure 1 shows the component overview of SAP NetWeaver Single Sign-On.
Figure 1: Components of SAP NetWeaver Single Sign-On
The use of each component is determined by the system landscape as well as by the requirements of the IT and business departments. The components can be implemented in any combination based on individual requirements. For example, you can use SSO with Kerberos integration, certificates, or Security Assertion Markup Language (SAML).
Component Overview
Now we’ll take a look at each of the SAP NetWeaver Single Sign-On components.
Component 1: SSO for SAP GUI for Windows via Kerberos
The main use case of this component is to enable SSO for SAP GUI for Windows (Table 1). It is a simple deployment, but supports only a limited set of client technologies. Technically, it reuses the existing Kerberos authentication token on the client side (issued by Microsoft Active Directory) for the SAP landscape. Secure Login Client integrates with SAP GUI for Windows, analyzes the existing security tokens, and transfers them to the SAP system. On the server side, Secure Login Library reads the Kerberos authentication tokens and integrates with the authentication layer in SAP NetWeaver ABAP. In SAP NetWeaver ABAP, each user needs to be mapped to the corresponding Microsoft Active Directory account; otherwise, the authentication layer does not accept the Kerberos authentication token.
Table 1: SSO for SAP GUI for Windows via Kerberos
Component 2: Web SSO for SAP NetWeaver ABAP via SPNEGO
Web SSO based on the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) takes advantage of Microsoft’s Integrated Windows Authentication (IWA). Prerequisites for this type of authentication are an existing Microsoft Active Directory authentication and a Microsoft client operating system. The security token is transferred via HTTP(S) to the SAP NetWeaver ABAP server, and Secure Login Library is able to interpret this security token. This functionality was implemented in 2013 and required a number of changes in the SAP NetWeaver ABAP stack; it is not available on older SAP NetWeaver ABAP servers. You can find an overview of the currently supported application servers by going to https://service.sap.com/pam and following menu path SAP NetWeaver Single Sign-On 2.0 > PDF Essentials. SPNEGO also requires a user mapping in SAP NetWeaver ABAP. Table 2 shows a short overview of the required components.
Table 2: Web SSO for SAP NetWeaver ABAP via SPNEGO
Component 3: Web SSO for SAP and Non-SAP via SAML
Web SSO and identity federation are based on the public SAML standard, which SAP has implemented (Table 3) and which is ideal for heterogeneous system landscapes. There are two main components: the SAML Service Provider (SP) and the SAML Identity Provider (IdP). The IdP is the central authentication component; it issues SAML assertions that are used to authenticate against a Web application server (AS), such as SAP NetWeaver ABAP, SAP NetWeaver Java, or a non-SAP Web application server. The IdP is delivered with SAP NetWeaver Single Sign-On and itself runs on an SAP NetWeaver Java server. The application server has to support the SAML standard as a SAML SP. SAP NetWeaver Java supports SAML as an SP since version 7.2 and SAP NetWeaver ABAP since version 7.02. SAML is often used in extranet and partner integration scenarios.
Table 3: Web SSO for SAP and non-SAP systems via SAML
Component 4: SSO for SAP and Non-SAP via X.509 Certificates
X.509 certificates are based on a public standard and are widely supported by SAP and non-SAP applications (Table 4). In this scenario, Secure Login Client integrates with the client certificate store and with proprietary SAP clients. Furthermore, Secure Login Client connects to the Secure Login Server, which issues short-lived X.509 certificates to the client out of the box; the client uses them to authenticate against various user interfaces and the related back-end systems. The Secure Login Server also provides many ways to integrate third-party authentication; most organizations use the integration with Microsoft Active Directory (Kerberos authentication).
Table 4: SSO for SAP and non-SAP systems via X.509 certificates
Component 5: Password Manager for Legacy Passwords
The Password Manager enables you to securely store the remaining legacy passwords. It is a local client and currently available for Microsoft-based operating systems. In Table 5 you see no security token in relation to the password manager, because the focus of this component is to store remaining passwords. The main goal of an SSO implementation should be to replace the transfer of passwords (components 1-4) with a security token.
Table 5: Password manager for legacy passwords
Scenarios
We start with a simple, but typical scenario: SSO for the proprietary SAP GUI for Windows, with which SAP users access their on-premise SAP Business Suite functionality (Figure 2). Of course, they expect SSO support for SAP GUI. This support is realized with the simple integration with Microsoft Active Directory. SAP NetWeaver SSO offers an integration component on the client side (Secure Login Client) as well as on the server side (Secure Login Library). It allows for integration with the Kerberos protocol that Microsoft Active Directory uses for authentication purposes.
Figure 2: Simple scenario
Most users, however, do not exclusively work with applications based on SAP GUI for Windows. Let’s take a look at scenarios with different types of client applications (Figure 3).
Figure 3: Typical scenario
Users increasingly work with Web-based applications, SAP GUI for Java, or applications based on SAP NetWeaver Business Client (NWBC). In these cases SAP NetWeaver Single Sign-On offers an implementation based on X.509 certificates that are supported by a wide range of user clients. The required certificates are generated out of the box. Thus, a company does not need to implement a complete public key infrastructure (PKI).
This option is generally recommended in intranet scenarios in which end users have different ways of accessing their applications. Furthermore, it is possible to include non-SAP application servers because most application servers in the market support logon with X.509 certificates. To implement this scenario, the Secure Login Server, Secure Login Library, and the Secure Login Client from SAP NetWeaver Single Sign-On are required.
Usually, business processes do not run exclusively within an organization. Instead, they directly integrate partners or customers by offering information or self-services. Information is usually accessed via a Web browser. In terms of SSO, this poses a particular challenge because you cannot deploy anything at the customer or partner side and hence cannot involve a client component. Therefore, SAP has implemented the public SAML standard, which is ideally suited for such a scenario. SAP offers a Web SSO solution based on this standard (Figure 4).
Figure 4: Authentication using the SAML standard
In addition, you can leverage the concept of identity federation to minimize administration efforts for users in your IT landscape. A prerequisite is that your Web application servers support SAML as a service provider. SAP NetWeaver Single Sign-On provides the SAML identity provider as a central component for authentication and to issue the SAML assertion, which is accepted by a SAML service provider. SAP NetWeaver ABAP currently supports SAML (as a service provider) since the release 7.02, and SAP NetWeaver Java since 7.2.
A current trend is the simultaneous use of applications in your own data center and in cloud-based environments. It usually doesn’t take long until the question arises of how to guarantee unified access management. The example in Figure 5 depicts an internal portal extended with cloud applications, alongside the use of SAP proprietary clients.
Figure 5: Cloud-based applications in an SSO scenario
The combination of SAP NetWeaver SSO modules can also be applied to the example above (modules 3 and 4). If an organization has decided to use the Secure Login Server, it can also use this for authentication against SAP’s identity provider. In this way you can combine the benefits of the individual modules and realize an SSO strategy that reaches from your data center into the cloud, based on public standards. The end users do not notice which technology is working behind the scenes. In many cases they authenticate in the morning against Microsoft Active Directory. In the background they receive a certificate, which is ideal for many internal use cases, and if they access a cloud-based application, they automatically receive a SAML assertion issued on the basis of the X.509 certificate. In the future, organizations might decide to use SPNEGO for the example above if they only want to integrate SAP-based applications; the same scenario can then be covered via modules 1, 2, and 3. SPNEGO for SAP NetWeaver ABAP is a new feature and is not available in old releases.
However, what about remaining passwords? There are applications for which access cannot be standardized. This type of application allows only for user and password access. For these cases SAP NetWeaver Single Sign-On offers a password manager that you can install locally on your PC. It allows secure end-user administration of passwords. Furthermore, you can train the application to recognize logon via user and password, and automatically perform this logon the next time.
Finally, we want to mention SAP ID Service (Figure 6). This cloud-based service offers SSO and synchronizes user data for many SAP cloud-based offerings. You are already using this service indirectly if you log on to SAP Community Network, SAP Service Marketplace, or the official SAP Portal. It also integrates with SAP HANA Cloud, SAP Business ByDesign, and SuccessFactors. The service currently focuses only on SAP cloud offerings, but could expand in the future.
Figure 6: SAP ID Service
Compatibility Matrix SAP Platform and SSO Technologies (Optional)
Figure 7 provides an overview of SSO technologies and the SAP platforms that support them. This overview helps you decide which SSO technology fits your IT landscape best. Let’s go from left to right to explain the most important information.
Figure 7: SAP platform compatibility matrix for SSO options (source: SAP)
Web GUI clients (e.g., Business Server Pages, Web Dynpro) are broadly supported via X.509 certificates (component 4). Old SAP releases also integrate with this technology, which is a big advantage for heterogeneous system landscapes. SAP GUI (DIAG) clients also support X.509 certificates (component 4). For SAP NetWeaver AS Java this is not relevant because end users do not access its applications via SAP GUI for Windows (DIAG protocol).
SPNEGO for Web GUI clients has long been available for SAP NetWeaver AS Java but not for SAP NetWeaver AS ABAP. This has changed: the capability is now available as part of SAP NetWeaver Single Sign-On (component 2) in SAP NetWeaver AS ABAP 7.3. SAP plans to make it available in older releases as well (technically not possible in releases before SAP NetWeaver AS 7.00). An update is expected soon and will be available on the SAP Marketplace.
SAP GUI clients (DIAG/RFC) for Windows directly support Kerberos in combination with Secure Login Client (component 1). This is also available in old releases. Note that SAP GUI for Java supports only the authentication via X.509 certificates. SAP GUI for Java is sometimes used on Linux and Macintosh client computers. Again, SAP GUI via DIAG is not relevant to SAP NetWeaver AS Java.
SAML (component 3) supports Web GUI clients (http/https) on SAP NetWeaver AS ABAP and SAP NetWeaver AS Java. There are currently no plans to enable DIAG- and RFC-based clients for SAML because this public standard is designed for Web clients only, and not proprietary clients.
Dr. Susanne Rothaug
Dr. Susanne Rothaug has been with SAP since 2001, working in various areas of SAP NetWeaver product management. Currently, she is a solution manager for SAP NetWeaver foundation topics.
You may contact the author at susanne.rothaug@sap.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.

Matthias Kaempfer
Matthias Kaempfer is a solution manager for the SAP NetWeaver foundation. He focuses on authentication, identity management, and various SAP NetWeaver security platform topics. Before joining SAP AG in 2000, Matthias was an applications developer to automate IT-related processes. Later, he worked as an IT service architect to optimize the end-to-end IT business processes and moved to SAP NetWeaver Lifecycle Management as a product manager.
Matthias will be presenting at the upcoming SAPinsider GRC 2017 conference, June 14-16, 2017, in Amsterdam.