SAP Single Sign-On 3.0 Now Available
On July 4, 2016, SAP released the latest version of the SAP Single Sign-On product. Release 3.0 expands the existing coverage for mobile and cloud scenarios, modernizes the X.509 certificate-based scenario, simplifies implementation through close platform integration, and offers continuous improvement of security protocols based on market requirements, among other new features and enhancements.
SAP Single Sign-On 3.0 continues to offer the sophisticated security functionality customers are looking for while placing a strong emphasis on simplification and a sustainable return-on-investment. Now let’s take a closer look at the new capabilities with SAP Single Sign-On 3.0.
For an overview, check out the new SAP Insider magazine article by Regine Schimmer: Secure Single Sign-On Across SAP Landscapes
A Look at the New Features in SAP Single Sign-On 3.0
Enhanced Support for Existing PKI Implementations
With SAP Single Sign-On 3.0 the Secure Login Server can now act as Registration Authority (RA) while your existing enterprise public key infrastructure (PKI) acts as Certificate Authority (CA), both for user and server certificates. This means that if you already have an enterprise PKI in place, you don’t have to establish a second one. Certificates can be signed based on your established PKI and security policy, and your storage and revocation processes remain valid.
For more information, read Stephan Andre’s blog SAP Single Sign-On 3.0 – Secure Login Server with Enterprise PKI.
Streamlined Certificate Lifecycle Management for SAP NetWeaver AS ABAP
SAP Single Sign-On 3.0 introduces more efficient management of the certificate lifecycle. The Secure Login Server administration console helps administrators manage the lifecycle of certificates by automating renewals for server components in your landscape. This significantly reduces manual effort, eliminates the risks of human errors, and prevents costly system downtime.
An automated central roll-out of trusted root certificates facilitates the transition from self-signed certificates to a PKI-based approach. In addition, the Secure Login Server can act as Registration Authority of an existing enterprise PKI (see above).
To see the configuration of Secure Login Server and certificate lifecycle management in action, watch our new demo videos: Part 1, Part 2.
Expanded Single Sign-On Support for Mobile Devices
The Secure Login Server allows you to provision X.509 certificates to mobile devices in multiple ways. In the past, you could use the Simple Certificate Enrollment Protocol (SCEP), which is supported by iOS. SAP Single Sign-On 3.0 now also supports the provisioning of X.509 certificates to a mobile device via the SAP Authenticator mobile app for iOS. You can now even develop your own custom code for certificate enrollment using the REST API provided by the Secure Login Server. Check out Stephan Andre’s blog SAP Single Sign-On 3.0 – Secure Login Server REST API for an example.
Optionally, customers can integrate Secure Login Server and the SAP Mobile Platform, and benefit from a seamless user experience for mobile applications. For more information, see Martin Grasshoff’s blog.
In addition, SAP Single Sign-On 3.0 now also offers a mobile SSO solution for shared mobile devices. The solution is currently available via the SAP Authenticator app for Android and is based on NFC reader technology. For more information, read Donka Dimitrova’s blog SSO Solution Also for Shared Mobile Devices.
New Encryption-Only Mode to Ensure Secure Communication, Always
The new encryption-only mode of SAP Single Sign-On 3.0 enables network encryption for the SNC protocol used for communication with SAP systems, even if a user-specific security token is temporarily unavailable or not yet configured. This allows customers to immediately protect data communication during an implementation project, before user-specific configuration is in place, and to ensure data privacy if the end user has lost the smart card holding the required digital certificate, for example.
New, Integrated Secure Login Web Client
SAP Single Sign-On 3.0 comes with a new version of the Secure Login Web Client, based on a renovated architecture and more integration options. With the help of the Secure Login Web Client, a business process running in a browser session — either in the cloud or on-premise — can trigger seamless authentication for a native client on the user desktop, such as SAP GUI.
As of SAP Single Sign-On 3.0, the Secure Login Web Client no longer depends on Java or ActiveX, eliminating previous limitations around browser support. For more information, read Regine Schimmer’s blog Secure Login Web Client (SLWC): Future-Proof Architecture Update.
Enhancements for Cryptographic Capabilities and Security Protocols
SAP Single Sign-On 3.0 now also supports Perfect Forward Secrecy for SNC communication, mitigating the risk that compromised keys allow an attacker to decrypt previously recorded session data. In addition, the new release supports the SSL/TLS signaling cipher suite value “TLS_FALLBACK_SCSV”, ensuring better protection against protocol downgrade attacks.
From Release 2.0 to 3.0: Simple Update Process
SAP Single Sign-On 3.0 is a non-disruptive, evolutionary release building on a stable core. The stability of the core and the simplicity of the product remain our key objectives, keeping implementation efforts and TCO as low as possible.
So if you are already using release 2.0 today, what can you expect when updating to release 3.0? With the new version we offer a lean update process through a compatible functionality set with extended functionality being optional. What this means in practice for you:
- Version 3.0 continues to support all capabilities of version 2.0. The fundamentals of the main scenarios remain unchanged; an implementation started on version 2.0 does not need to be repeated or adapted on version 3.0.
- Version 3.0 allows customers to extend the coverage of their existing implementation to additional scenarios. The new capabilities are optional and can be enabled any time.
- Updating product components from version 2.0 to 3.0 is as easy as a patch. Versions 2.0 and 3.0 are interoperable. This means that as long as no version 3.0 specific functionality is required, components can be updated in any order.
Don’t Miss our Upcoming Webinars
Get up to speed on the enhancements and simplifications that are available in the new version 3.0! Join us for one of the upcoming webinars “Simple Steps towards Higher Security with the new Release SAP Single Sign-On 3.0”, depending on your location and language preference:
- July 8, 10:00 AM CET (German). Hosted by the German User Group (DSAG), Working Group Identity Management & Security. Please note that you need to be a DSAG member in order to join the webinar.
- July 12, 10:00 AM (CT), 11:00 AM (ET), 9:00 AM (MT), 8:00 AM (PT), (English). Hosted by the Americas’ SAP Users’ Group (ASUG). Please note that you need to be an ASUG member in order to join the webinar.
- July 15, 02:00 PM CET (English). Hosted by the International Focus Group (IFG) for SAP Security, Data Protection & Privacy.
- August 26, 10:00 AM CET (German). Due to high demand, we will offer this additional webinar. To register please contact Christian Cohrs by August 19. Dial-in information will be sent out on August 22.
SAP Single Sign-On @ SAP TechEd 2016 and SAP User Groups Conferences
The replay of the SAP TechEd 2016 session SEC103: Simple Steps Toward Increased Security with the New SAP Single Sign-On 3.0 is now available! Watch now.
Visit us at SAP TechEd 2016 where you will have the opportunity to gain insight into security products from SAP. Learn more about our proven SAP Single Sign-On product and its latest enhancements in the following sessions:
- SEC103, Simple Steps Toward Increased Security with the New SAP Single Sign-On 3.0 (Lecture)
- SEC163, Protect your SAP Landscape with X.509 Certificates Using SAP Single Sign-On (Hands-On Workshop)
- MOB360, Enable SAP Single Sign-On for SAP Fiori Apps (Hands-On Workshop)
- SEC819, Road Map Q&A: SAP Single Sign-On
Register for SAP TechEd 2016 at the following locations:
Las Vegas, September 19-23, 2016
Bangalore, October 5-7, 2016
Barcelona, November 8-10, 2016
Also meet us at the DSAG Annual Conference 2016 (DSAG Jahreskongress 2016), taking place in Nürnberg, September 20-22. Join our SAP Security Workshop where we will present SAP Single Sign-On 3.0, among others. The workshop will take place on September 21, 13:00 – 16:30. Seats are limited, so register now.
For more information about the SAP Single Sign-On 3.0 release, check the following resources:
- Release note
- A new product overview presentation
- Replay of SAP TechEd 2016 session
- The updated documentation on the SAP Help Portal
- SAP Insider Article: Secure Single Sign-On Across SAP Landscapes
- Product Availability Matrix
- SAP software download
Great ! 😉
We are using SSO 2.0 SP06 in our company. We want to upgrade to SSO 3.0.
I can't find details for the same in SSO 3.0 guides. Have dealt with the SSO upgrade from 1.0 to 2.0 several years ago where one option was to build a new server side by side and then migrate the PKI.
Can you please point me to the right documentation for SSO 3.0 upgrade ?
I assume that you have a Dev-Test-Pro environment. There are no dedicated migration documents because moving from SAPSSO 2.0 to 3.0 is more like updating your software.
For Secure Login Server, you can deploy 3.0 on 2.0. Your PKI and configurations will remain.
Secure Login Client 2.0 is compatible with Secure Server 3.0. If you want to update it to 3.0, install 3.0 over 2.0. Your profiles and configurations to the new Secure Login Server 3.0 will remain and can be used without changes.
For the SNC Library, please use the migration document here: https://help.sap.com/viewer/bce2e80c873a4003a6d446e1f370696d/3.0/en-US/b5c5335479b54fb4a8617a8399901db3.html
Did you want to use some 3.0 new features?
Thanks for the info Valerie.
We have 2 tier landscape. DEV and PRD.
As advised, I will deploy the SLS 3.0 file SLSERVER00_0.SCA and SLSERVER02_0-80001957.SCA on my DEV box to get to SSO 3.0 SP02.
We need to explore new features of 3.0 (Security, mobile connectivity from external network, MFA etc.)