Not allowed to work with your SAP cloud CRM in a café?
No problem: here is how you restrict access to your private network.
The new cloud era is one of the best things that could have happened for people who like to work wherever they are, at any time of day. Simply open your device, log in to your cloud application and start earning money. SAP's C/4HANA suite, which is a native cloud solution, is no different.
However, this may stress out your IT department, and even regulatory agencies, a bit, because you can now use any random device to access sensitive data from unmanaged and potentially insecure environments.
Quick reminder: your IT colleagues take care of your computers, update cycles, the network you access them from, anti-virus software and much more to make sure you and your customer data are safe. These safety barriers no longer apply if you access your SAP Cloud for Customer (C4C) system from your friend's Android smartphone without a VPN. And if that phone is made by a certain Asian telecom vendor, some countries will call the secret services right away 😉
“Sorry, but we cannot use the public cloud systems for that matter” your CTO might say.
So how do you restrict access to public cloud SAP C/4HANA systems to your private network?
One effective way of solving the problem is to put a so-called corporate identity provider (IdP) in front of the cloud login. This corporate IdP can only be reached from within your network, which shuts out everyone outside your IT perimeter: they still reach the SAP login screen, but the redirect to the corporate IdP goes nowhere, so they cannot get past it.
In today's blog I will describe the setup with typical SAP cloud products: Marketing Cloud, C4C and SAP Identity Authentication Service (IAS), which provides single sign-on between C4C and Marketing Cloud.
Fig1. SAP IAS is at the heart of securing your public cloud access
Your initial cloud login, no matter whether to Marketing Cloud, C4C or anything else, goes through SAP IAS. You can configure IAS to use different IdPs for login depending on user attributes such as email domain, user type, user group or the client's IP address range. The diagram above shows the mechanism that kicks in for users who are supposed to log in only from your corporate network.
IAS recognises that it needs to redirect the login request to your corporate identity provider. Because that IdP is not reachable from the internet, the redirect can only succeed from within your corporate network. Et voilà, you have just limited cloud access for that group of users to your internal network. Let's have a look at some of the settings in more detail.
IAS provides the means for flexible authentication
At the time of writing, IAS only supports corporate identity providers via SAML 2.0. You establish trust by exchanging SAML metadata in both directions: import the corporate IdP's metadata XML into IAS, and import the IAS tenant's metadata into your corporate IdP. You can find the metadata.xml of your IAS tenant under Applications & Resources -> Tenant Settings -> SAML 2.0 Configuration -> Download Metadata File.
Fig.2 Screenshot from Identity Provider Screen on SAP IAS
We recommend that you implement authentication rules for each cloud application. You can assign rules to all available IdPs, including your corporate one. That way you can create a very flexible rule set that limits the majority of your workforce to your internal private network but still allows that fancy marketing agency to access your Marketing Cloud tenant from their site. Make sure the rule for the restricted group matches on who the user is (email domain, user type or group) rather than on the source IP range: a rule that only fires from inside the corporate network lets logins from outside fall through to the application's default identity provider, which is reachable from anywhere.
Fig.3 Screenshot from Application Setup Screen on SAP IAS
In the example above, users from the email domain "convista.com" are routed either to the corporate IdP or to the default IAS identity provider upon login, depending on their user type.
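To make the effect of rule order and of the default identity provider concrete, here is a small model of the first-match rule evaluation described above. It is an added example, not code from the original post and not SAP's implementation: it reproduces the behaviour that rules are evaluated top-down, the first rule whose conditions all hold selects the IdP, and the application's default IdP applies when nothing matches. The IdP names, user types, the domain agency.example, the client addresses and the corporate range 10.0.0.0/8 are constructed. It also shows the misconfiguration mentioned above, where a rule keyed on the corporate IP range lets an outside login fall through to the default IdP.

```python
"""Model of IAS-style conditional authentication rules.

Added example (not from the original post, not SAP code). Rule fields,
user types, network ranges and addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

CORPORATE_IDP = "corporate-idp"            # reachable only from the corporate network
DEFAULT_IDP = "identity-authentication"    # IAS' own user store, reachable from anywhere
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed corporate range


@dataclass
class Rule:
    """One conditional authentication rule; unset fields match anything."""
    idp: str
    email_domain: Optional[str] = None
    user_type: Optional[str] = None
    group: Optional[str] = None
    ip_range: Optional[str] = None

    def matches(self, email, user_type, groups, client_ip):
        if self.email_domain and email.rsplit("@", 1)[-1].lower() != self.email_domain.lower():
            return False
        if self.user_type and user_type != self.user_type:
            return False
        if self.group and self.group not in groups:
            return False
        if self.ip_range and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.ip_range):
            return False
        return True


def select_idp(rules: List[Rule], email, user_type, groups, client_ip, default=DEFAULT_IDP):
    """Rules are evaluated top-down; the first match wins, else the default IdP."""
    for rule in rules:
        if rule.matches(email, user_type, groups, client_ip):
            return rule.idp
    return default


def attempt_login(rules, email, user_type, groups, client_ip):
    """Simulate the redirect: the corporate IdP only answers from inside."""
    idp = select_idp(rules, email, user_type, groups, client_ip)
    if idp == CORPORATE_IDP:
        inside = any(ipaddress.ip_address(client_ip) in n for n in CORPORATE_NETS)
        if not inside:
            return {"idp": idp, "result": "blocked: corporate IdP unreachable from " + client_ip}
    return {"idp": idp, "result": "login page served"}


# Rules for one application, in evaluation order (constructed):
# employees of convista.com go to the corporate IdP, partners and the
# agency stay on the default IAS identity provider.
MARKETING_CLOUD_RULES = [
    Rule(idp=CORPORATE_IDP, email_domain="convista.com", user_type="employee"),
    Rule(idp=DEFAULT_IDP, email_domain="convista.com", user_type="partner"),
    Rule(idp=DEFAULT_IDP, email_domain="agency.example"),
]

# Misconfiguration: keying the corporate rule on the source IP range means
# an employee in a café matches no rule and falls through to the default IdP.
MISCONFIGURED_RULES = [
    Rule(idp=CORPORATE_IDP, email_domain="convista.com", ip_range="10.0.0.0/8"),
]


if __name__ == "__main__":
    for rules in (MARKETING_CLOUD_RULES, MISCONFIGURED_RULES):
        print(attempt_login(rules, "anna@convista.com", "employee", [], "10.1.2.3"))
        print(attempt_login(rules, "anna@convista.com", "employee", [], "198.51.100.7"))
        print(attempt_login(rules, "eve@agency.example", "employee", [], "198.51.100.7"))
```

With the intended rule set the employee is sent to the corporate IdP from both addresses and only the login from 10.1.2.3 gets a login page; with the IP-keyed rule the café login lands on the default IAS identity provider and succeeds, which is exactly the bypass the per-application rules are meant to prevent.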
Find some more info on SAP IAS and corporate IdP here:
- https://help.sap.com/doc/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/d483a52be22946d5a05951b0fa16221f.html#loiod483a52be22946d5a05951b0fa16221f
- https://help.sap.com/doc/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/index.html
Final Words
I have shown you how to limit access to your public cloud to your private network and where to find further instructions on SAP Identity Authentication Service. I have also described how, at the same time, you can still give access to third parties outside of your network.
As always, feel free to leave comments or ask follow-up questions.
Best Regards
Martin