SAP Single Sign-On 3.0 SP01 – Secure Login Server with Enterprise PKI
The new Secure Login Server version of SAP Single Sign-On 3.0 enhanced its X.509 capabilities by adding support for Enterprise PKI products like Microsoft Active Directory Certificate Services or Certificate Management over CMS (CMC) based solutions.
Up to version 2.0, multiple internal or HSM-based certificate authorities (CAs) were provided. With version 3.0, a “Remote CA” can be implemented as a registration authority that connects to a PKI web service. Multiple such Remote CAs can of course be configured.
Update: With SP01, we have extended and improved the Remote CA support. See SAP Note 2375797 – Secure Login Server 3.0 SP01 – Remote CA Configuration for the details.
What’s the point?
For all these clients, Secure Login Server offers several authentication schemes and protocols including multi-factor and risk-based authentication, client profiles, and user name mapping algorithms which are required for modelling single sign-on workflows for specific SAP or non-SAP login scenarios.
On the other hand, the existing internal PKI of an enterprise is often seen as the “holy grail of corporate security”, and security policies may even ban any other certificate issuer. The main aspects are the ownership and protection of the CA's private keys, plus the ownership of the issued certificates database, plus the authorisation management for approvals, operators, and registration authorities.
The logical consequence for Secure Login Server is to integrate into existing PKI setups and to add its SSO modelling and integration functionality on top of them.
More details, please!
Technically, a Secure Login Server Remote CA consists of three components:
- Just another CA created in Certificate Management, which can be used by any client or application server that supports Secure Login Server enrollment protocol version 3.0.
- A NetWeaver HTTPS destination, with a URL linking to the PKI's web service and the web service's TLS root certificate as the trusted certificate view.
- The corresponding registration authority authentication credentials, also configured inside the HTTPS destination. Either basic authentication with username and password or TLS client authentication with private key and certificate is possible.
The remote side, a web service provided by the Enterprise PKI, depends on the respective product. Currently, Secure Login Server 3.0 supports two types of interfaces:
- Microsoft Active Directory Certificate Services, via either of its web services:
  - Certificate Authority Web Enrollment
  - Network Device Enrollment Service
- Simple CMC with HTTPS transport, which is in fact PKCS#10 / PKCS#7
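The three components above map onto a few settings that are worth sanity-checking before the first enrollment goes through. The following is an added illustration, not SAP's configuration format or code: it models a Remote CA as a small dictionary (interface type, destination URL, pinned TLS root, one set of RA credentials), flags the weak spots, and builds the matching client-side TLS context with the Python standard library. Field names, paths and hostnames are assumptions.

```python
"""Sanity-check a Remote CA destination description (illustrative config shape)."""
import ssl
from urllib.parse import urlparse

# Interface types named in the text for the Enterprise PKI side.
INTERFACE_TYPES = {"adcs-web-enrollment", "adcs-ndes", "simple-cmc"}


def check_remote_ca(cfg):
    """Return a list of findings; an empty list means the description is acceptable."""
    findings = []
    if cfg.get("interface") not in INTERFACE_TYPES:
        findings.append("unsupported interface type")
    url = urlparse(cfg.get("url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("destination URL must be https:// with a host")
    if not cfg.get("trusted_root"):
        findings.append("web service TLS root certificate must be pinned")
    basic = bool(cfg.get("username") and cfg.get("password"))
    mtls = bool(cfg.get("client_cert") and cfg.get("client_key"))
    if basic == mtls:  # neither credential or both configured
        findings.append("configure exactly one RA credential: basic auth or TLS client auth")
    return findings


def ra_tls_context(cfg):
    """Client-side TLS context for the destination; the referenced files must exist."""
    # Trust only the pinned root of the PKI web service, not the system store.
    ctx = ssl.create_default_context(cafile=cfg["trusted_root"])
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cfg.get("client_cert"):
        # The registration authority authenticates with its own key pair.
        ctx.load_cert_chain(cfg["client_cert"], cfg["client_key"])
    return ctx


# Constructed sample descriptions (hostnames and paths are placeholders).
WEAK = {"interface": "simple-cmc", "url": "http://pki.example.test/cmc",
        "username": "ra-user", "password": "secret"}
GOOD = {"interface": "adcs-ndes", "url": "https://pki.example.test/ndes",
        "trusted_root": "/path/to/pki-web-root.pem",
        "client_cert": "/path/to/ra.crt", "client_key": "/path/to/ra.key"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("good", GOOD)):
        print(name, check_remote_ca(cfg) or "ok")
```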
The following clients already support Secure Login Server 3.0 with Remote CAs:
- Secure Login Client 3.0
- Certificate Lifecycle Management for ABAP (SSF_CERT_ENROLL, SSF_CERT_RENEW)
- Certificate Lifecycle Management command line interface (SAPSLSCLI)
Although Secure Login Server is optimised for issuing short-lived end user certificates, there was never a technical limitation in the validity configuration. Customers could issue longer-lived certificates, provided an account locking procedure was clearly defined.
But once the certificates come from an existing PKI, revocation management based on CRLs or OCSP is also possible. All certificate extensions set by the CA can be used by the receiving parties during verification. In fact, Secure Login Server is not even aware of them, as it trusts the Enterprise PKI.
One picture, please.
Many more details, documentation and videos can be found in the SAP Help Portal pages and our SSO Community.