Nowadays most companies have complex IT landscapes. The implementation of single sign-on (SSO) within a company and across companies involves systems from different vendors. In such environments, the usage of open standards is essential. The most widely adopted standard in the industry is Security Assertion Markup Language (SAML) 2.0. To respond to customers’ needs, SAP includes an implementation of a SAML 2.0 service provider in its on-premise and on-demand application platforms. In addition, it provides a SAML 2.0 identity provider (IDP) as part of SAP Single Sign-On (SAP SSO). For more information about the IDP, see Identity Provider for SAP Single Sign-On and SAP Identity Management. In this blog, I will describe the competitive advantages of the IDP delivered by SAP for landscapes containing SAP and non-SAP systems.
Consider the following points when choosing an IDP and integrating it into a single sign-on (SSO) landscape:
- User data source
Where does the identity information come from?
- Authentication methods
What authentication mechanisms are used in the company? Which of these are supported by the IDP, and how do you want to extend them by adding new ones?
What systems are involved, and what SSO methods do they support? How are you going to integrate them into the SSO scenarios?
Is the IDP certified to be interoperable with other SAML 2.0 vendors?
- Identity Federation
Is the IDP capable of including identity information in the SAML 2.0 assertion from various sources, such as a Lightweight Directory Access Protocol (LDAP) server, an HR system, and a Customer Relationship Management (CRM) system?
- Advanced SSO Scenarios
In large companies, business systems are typically accessed by users from various sources: users from different departments, subsidiaries, and partner companies. Those users might have different authenticating authorities.
Is the IDP capable of proxying the authentication requests to other authenticating authorities, that is, does it support SAML 2.0 IDP Proxy Profile?
- Cloud Integration
Is the IDP ready to be used with cloud applications? Does it offer tighter integration with cloud applications beyond the standard SAML 2.0 single sign-on and single logout?
- Performance and Scalability
Can the IDP handle the expected number of logins? Can it scale to satisfy the future demands of the company?
- Support and Lifecycle Management
The IDP is a central component, and in most cases it is running in high-availability mode. Because of that, customers should pay special attention to the support provided by the vendor.
The IDP delivered by SAP is an add-on component running on top of SAP NetWeaver (NW) Application Server (AS) Java. Services provided by the application platform such as user management, session management, trust management, high availability, and failover are leveraged by the IDP. It can be downloaded from the SAP Software Download Center. For more information about how to download it, see Downloading and Installing the Federation Software. The required version of SAP NW AS Java is 7.20 or higher.
User Data Source
The IDP delivered by SAP supports various user data sources such as a database, LDAP servers, and AS ABAP. The last of these is especially important if the users are centrally managed in an ABAP system, including Central User Administration (CUA). That is one of the advantages of the IDP delivered by SAP when integrating it into a landscape that includes SAP systems. For more information, see Configuring the UME to Use an AS ABAP as Data Source.
Authentication Methods
The IDP delivered by SAP supports the following authentication methods by default: username and password, client certificate, SPNEGO/Kerberos, and SAP logon ticket. Because of the extensibility provided by AS Java, additional authentication methods can be integrated as JAAS login modules. For more information, see Create and Configure a Login Module.
There is an official procedure for certifying login modules developed by third-party vendors. For more information, see SAP Web Application Server Java – External User Authentication JAAS.
The figure below shows authentication with SAP logon tickets. Using this feature, customers can enable SAML 2.0 SSO to third-party applications from their existing SAP Portal 7.0x.
With the IDP delivered by SAP, apart from the SAML 2.0 systems, you can also integrate non-SAML systems to perform single sign-on (SSO). With the IDP you can easily have SSO with older SAP systems by using SAP logon tickets. For more information, see Including Legacy Systems in Your SAML 2.0 Landscape in Identity Provider for SAP Single Sign-On and SAP Identity Management.
In theory it is expected that different systems are interoperable by implementing the SAML 2.0 standard. In practice this is not always the case. For that reason it is very important that the vendors perform tests with third-party products. SAP has successfully participated in the last two official interoperability test events conducted by Liberty Alliance and Kantara Initiative in 2009 and 2011.
Identity Federation
Identity federation allows partners to share identity information so that they can recognize the user. Through the identity federation settings, you can specify what information will be contained in the assertion. Moreover, additional attributes can be added to the assertion by implementing a custom attribute provider. The attribute provider itself is responsible for obtaining the necessary data from the different sources, such as an LDAP server, an HR system, and a CRM system. There will be a dedicated blog describing the development of a custom attribute provider for the IDP delivered by SAP. The blog will contain examples based on real customer scenarios.
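The attributes an attribute provider places in the assertion are only as trustworthy as the checks the receiving service provider (SP) performs before it consumes them. The following is an added example, not code from SAP or from the IDP described in this post: a minimal SAML 2.0 Response consumer for the Web Browser SSO exchange (signed AuthnRequest out, Response with assertion back) that enforces the conditions every SP should check before it trusts the subject and the federated attributes. It assumes that XML-DSig verification of the assertion signature has already been done by a signature library (not shown), and the hosts, request IDs, and attribute names in the constructed sample are hypothetical.

```python
# Added example, not SAP's code: the checks a SAML 2.0 service provider makes on
# the Response an IDP returns for its AuthnRequest before trusting the subject and
# federated attributes. XML-DSig verification of the assertion is assumed done first.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between IDP and SP clocks

class SamlValidationError(Exception):
    pass

def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-06-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consume_response(xml_text, *, issuer, audience, acs_url, outstanding, now):
    """Return the NameID and attributes of a valid Response, else raise. 'outstanding'
    holds the AuthnRequest IDs this SP issued; the matched ID is removed (no replay)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination is not this ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding:
        raise SamlValidationError("unsolicited or replayed InResponseTo")
    outstanding.discard(req_id)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IDP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlValidationError("Issuer is not the trusted IDP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Conditions missing")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb) - CLOCK_SKEW:
        raise SamlValidationError("assertion not yet valid")
    if not noa or now >= _ts(noa) + CLOCK_SKEW:
        raise SamlValidationError("assertion expired or unbounded")
    if audience not in [e.text for e in
                        cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion was issued for another SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and (scd.get("Recipient") != acs_url
                            or scd.get("InResponseTo", req_id) != req_id):
        raise SamlValidationError("bearer confirmation is for another SP or request")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}

# Constructed sample with hypothetical hosts; in a real exchange this XML arrives
# base64-encoded in the SAMLResponse parameter posted to the ACS endpoint.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2014-06-01T10:00:00Z" Destination="https://sp.example.com/acs"
  InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
        Recipient="https://sp.example.com/acs" InResponseTo="_req42" NotOnOrAfter="2014-06-01T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-06-01T09:59:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue><saml:AttributeValue>Auditors</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SP = dict(issuer="https://idp.example.com", audience="https://sp.example.com",
          acs_url="https://sp.example.com/acs")
SAMPLE_NOW = datetime(2014, 6, 1, 10, 1, tzinfo=timezone.utc)

def demo():
    # Accept the fresh Response, then show a replay and an expired assertion being refused.
    ok = consume_response(SAMPLE_RESPONSE, outstanding={"_req42"}, now=SAMPLE_NOW, **SP)
    out = {"name_id": ok["name_id"], "groups": ok["attributes"]["groups"]}
    for label, kw in [("replay", dict(outstanding=set(), now=SAMPLE_NOW)),
                      ("expired", dict(outstanding={"_req42"}, now=SAMPLE_NOW + timedelta(hours=1)))]:
        try:
            consume_response(SAMPLE_RESPONSE, **kw, **SP)
            out[label] = "accepted"
        except SamlValidationError as e:
            out[label] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

The order of the checks matters less than their completeness: the one-time InResponseTo set defeats replay of a captured Response, the single-assertion rule and the Issuer/Audience/Recipient comparisons keep an assertion issued to another SP (or smuggled in beside a signed one) from being accepted, and the time window with a small skew allowance bounds how long a federated attribute set stays usable. In an IDP proxy setup the proxying IDP performs the same checks on the upstream assertion before it issues its own.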
Advanced SSO Scenarios
To respond to the needs of large companies, the IDP delivered by SAP supports SAML 2.0 IDP Proxy Profile. For more information about the typical proxy scenarios, see Identity Provider Proxy in Identity Provider for SAP Single Sign-On and SAP Identity Management.
The following is a non-typical, but interesting proxy scenario.
The company in this example uses a number of SAP systems, and its users are managed in an LDAP server. The company requires that these users have Web browser SSO to the SAP systems. In the example, a third-party IDP is used and the SAP systems act as service providers (SPs). Adding new SAP systems to the SSO setup or modifying the configuration requires communication between two different departments. In the course of time, the coordination between the two departments became cumbersome and time-consuming. Because of that, it was decided that this process could be improved by using a SAML 2.0 IDP proxy. For the SAP administrators, it was easy to choose the IDP delivered by SAP because they already had experience with the administration of SAP AS Java systems, and not many other vendors supported the SAML 2.0 IDP Proxy Profile.
Cloud Integration
A typical integration with cloud applications focuses on single sign-on and single logout scenarios. An example of this type of scenario is the integration between SAP Portal and SuccessFactors. The identity provider component is installed on the SAP Portal system and supplements the SSO capabilities of the Portal. For more information, see the step-by-step configuration guide under Single Sign-On between SAP Portal and SuccessFactors.
Additional features beyond the standard SAML 2.0 single sign-on and single logout are provided with an on-premise user connector for SAP HANA Cloud Platform. By using this connector, the applications running on SAP HANA Cloud Platform can perform the following additional operations:
- Authenticate with a username and password against the on-premise IDP delivered by SAP.
- Authenticate with a client certificate against the on-premise IDP delivered by SAP.
- Search for users available in the user management engine (UME) of the on-premise IDP delivered by SAP.
- Retrieve user details such as profile attributes (first name, last name, e-mail, and so on) and authorizations (group assignments).
For more information about the on-premise user connector, see On-Premise User Connector for SAP HANA Cloud Platform Applications.
Performance and Scalability
Because the IDP delivered by SAP runs on top of AS Java, it can benefit from the performance and scalability features of the server.
The IDP was tested for performance and achieved the following results:
- Approximately 1.5 million logins were performed in one hour. Each login includes receiving a signed SAML 2.0 authentication request, interactive authentication with a username and password, and issuing a SAML 2.0 response with a signed assertion.
- The tests showed that when instances were added, the throughput increased almost linearly.
These results were achieved using the setup below.
The cluster contains the following hardware elements:
- Central Instance
The central instance includes an enqueue server, a message server, SAP MaxDB database, and SAP Web Dispatcher.
Hardware: Intel Xeon(R) 5140 @ 2.33 GHz, 8 GB RAM
- Dialog Instances
Each dialog instance has two Java server nodes (processes).
- Instance 1 – Intel Xeon(R) 5140 @ 2.33 GHz, 8 GB RAM
- Instance 2 – Dual Core AMD Opteron Processor 280 @ 2.4 GHz, 8 GB RAM
- Instance 3 – Dual Core AMD Opteron Processor 280 @ 2.4 GHz, 8 GB RAM
- Instance 4 – Dual Core AMD Opteron Processor 280 @ 2.4 GHz, 8 GB RAM
Support and Lifecycle Management
SAP has well-established processes for support and lifecycle management of business-critical systems and applications. Those processes are also applicable to the IDP delivered by SAP. Besides the standard level of support, SAP also offers a higher level of support called SAP Enterprise Support. For more information, see SAP Enterprise Support.
I look forward to your suggestions and comments on improving these features. Moreover, I will be glad to receive other ideas for the implementation of additional features for the SAP identity provider.