This blog is part of a five-part series. I recommend starting here: Enterprise Security Services – Security for the Cloud Age
SAP announced that it will invest heavily in integration in 2020. Security is only one aspect of integration, but an important one. Cloud Identity Services provide the bread-and-butter security capabilities: user authentication and user provisioning. Who is affected by these services?
Below are just some examples:
- An administrator who wants to provide seamless and secure access to SAP cloud applications
- A consultant designing the access management concept for a customer
- A developer who needs a user store so people can access a new application
Cloud Identity Services currently consists of two main components: Identity Authentication and Identity Provisioning. There will be more services in the future, but it’s a little too early to talk about these in detail.
Note: SAP Cloud Platform Identity Authentication service and SAP Cloud Platform Identity Provisioning service are now part of the product SAP Cloud Identity Services. We combined them under one official product name because we’re planning to add more services in the future.
Identity Authentication is the strategic central point for authentication for any SAP cloud application. Many SAP cloud solutions come pre-integrated with Identity Authentication, and we are putting a lot of effort into increasing that list. In these cases, there are no additional costs for using Identity Authentication. So if you’re using SAP S/4HANA Public Cloud, SAP SuccessFactors, SAP Integrated Business Planning (IBP), or SAP Jam, you already have an Identity Authentication tenant, and you’re probably using it without knowing it.
SAP’s strategy is to deliver its cloud solutions pre-configured with Identity Authentication. This also means that you can authenticate against these SAP cloud solutions only via the Identity Authentication service. But stop: what about the 3rd party SAML identity provider you might be using? No worries. You can still use it. You configure it once, centrally, as the corporate identity provider of the Identity Authentication service. Your advantage: SAP can deliver preconfigured applications, which most customers require, and you can still integrate your 3rd party solution. Another benefit: there’s only one integration point into the SAP security cloud world.
The Identity Authentication service is designed for employee scenarios. It is all about business users who want to access an application to do their daily job. Why do I mention this? Because there is also a solution called SAP Customer Data Cloud. That solution is for consumers, and its overall goal is to provide better services or individual offerings based on user data. The Identity Authentication service does not collect or evaluate any user behavior or context data.
So let’s look at the example in the picture below. A user primarily wants to access a business application, not the Identity Authentication service. They do this by opening a web address or via the SAP Fiori launchpad. The business application then checks whether a valid session already exists, or whether the web browser presents a security token from a former authentication (perhaps the user already accessed another application). If there is no adequate security token, the business application asks the Identity Authentication service for one. The user can then authenticate via the following options:
- User name / password (standard)
- X.509 certificate (often used in combination with SAP Single Sign-On)
- Optional: 2-factor authentication
- Forward request to a customer-configured corporate Identity Provider (IdP)
After successful authentication against the Identity Authentication service, the user (more precisely, the user’s browser) receives a SAML security token from the Identity Authentication service. This token is used to authenticate against the business application. The business application then creates its own session with a session token, and that session token is valid for this one application only. In contrast, the security token from the Identity Authentication service can be reused for various systems until the web browser is closed or the configured validity period expires.
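To make the checks in this flow concrete, here is an added example (not code from this page or from SAP) that models the service-provider side of SP-initiated SAML in Python: the application looks for its own session, otherwise issues an AuthnRequest ID and redirects; a constructed stand-in for the identity provider issues an assertion; and the application validates it before creating its one-application session. The entity IDs, the assertion consumer service (ACS) URL, the user name, and the key are hypothetical. The signature is an HMAC over the assertion bytes standing in for the XML-DSig signature a real SAML response carries, which you would verify with a SAML library against the IdP certificate from its metadata. The remaining checks (issuer, InResponseTo, Recipient, validity window with clock skew, AudienceRestriction, one-time use of the assertion ID) are the ones a relying party must not skip.

```python
"""SP-initiated SAML, service-provider side, as a constructed example.
Signature handling is an HMAC stand-in for XML-DSig (see lead-in)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical identifiers for one business application (the SAML service provider)
# and for the identity provider (standing in for an Identity Authentication tenant).
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://tenant.accounts.example.com"
IDP_KEY = b"constructed-demo-key"          # stand-in for the IdP signing key
CLOCK_SKEW = timedelta(seconds=60)

# In-memory state of the service provider.
app_sessions = {}            # session token -> user; scope: this application only
pending_requests = set()     # AuthnRequest IDs we issued and have not consumed yet
consumed_assertions = set()  # assertion IDs already accepted (replay protection)


def access_application(session_token):
    """Step 1: look for an existing application session; otherwise start
    SP-initiated SAML by issuing an AuthnRequest ID and redirecting to the IdP."""
    if session_token in app_sessions:
        return ("ok", app_sessions[session_token])
    request_id = "_" + secrets.token_hex(16)
    pending_requests.add(request_id)
    return ("redirect", request_id)


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sign(assertion_xml):
    """Stand-in for XML-DSig: HMAC-SHA256 over the serialized assertion."""
    return hmac.new(IDP_KEY, assertion_xml, hashlib.sha256).hexdigest()


def issue_assertion(request_id, name_id, now):
    """Step 2 (IdP side, constructed): after the user authenticated, issue an
    assertion bound to the request, to this SP, and to a short validity window."""
    assertion_id = "_" + secrets.token_hex(16)
    not_after = _ts(now + timedelta(minutes=5))
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}" '
        f'IssueInstant="{_ts(now)}" Version="2.0">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}" '
        f'Recipient="{SP_ACS_URL}" NotOnOrAfter="{not_after}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{not_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    ).encode()
    return xml, sign(xml)


def consume_assertion(assertion_xml, signature, now):
    """Step 3 (SP side): validate the assertion, then create the app session."""
    if not hmac.compare_digest(sign(assertion_xml), signature):
        raise ValueError("assertion signature invalid")
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    assertion_id = root.get("ID")
    if assertion_id in consumed_assertions:
        raise ValueError("assertion replayed")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") not in pending_requests:
        raise ValueError("assertion does not answer a request we issued")
    if scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("assertion addressed to a different recipient")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if (now + CLOCK_SKEW < _parse_ts(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this application")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    pending_requests.discard(scd.get("InResponseTo"))
    consumed_assertions.add(assertion_id)
    session_token = secrets.token_urlsafe(32)   # scoped to this application only
    app_sessions[session_token] = name_id
    return session_token
```

Running the three steps in order yields an application session; presenting the same assertion a second time, a tampered assertion, or an assertion outside its window is rejected before any session is created, which is exactly where the one-application session token and the reusable IdP token differ in scope.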
What about all the other stuff in the picture? We have one question left to answer: Where is the user information stored?
We have three options:
A) You can use the identity store that is part of the Identity Authentication service. This is the easiest and the default configuration. If you choose this option, you don’t have to consider the other two.
B) Here the source of the user data (let’s focus only on user name and password for now) is an on-premise user store. In this case, the Identity Authentication service checks the user name/password against this user store, but the SAML or OpenID Connect token is still issued by the Identity Authentication service.
C) The third option is to integrate with another SAML identity provider (IdP). In this case, the Identity Authentication service forwards the authentication request to that IdP. This is also called “proxy mode”: the Identity Authentication service acts as a proxy and does not store the relevant user data. So why not use the corporate IdP directly, without the Identity Authentication service? Remember the section before: SAP delivers one integration point into SAP cloud applications, and SAP can only deliver cloud applications that are ready to use against a known Identity Authentication service. A nice side effect is that most customers like this approach, because the SAP administrators have a clear responsibility interface to corporate security: the Identity Authentication service.
Note: If you build your own freestyle application as a partner or customer on SAP Business Technology Platform, you can still replace the Identity Authentication service with any SAML IDP.
Please note that there are many possible combinations. In this blog, I cover the scenarios that make up 80% of all use cases. Some of the more special topics include:
- Delegated authentication towards multiple identity providers (IDP-initiated authentication)
- Conditional authentication (partner or subsidiary use cases)
- Identity federation with enrichment of attributes
- Two-factor authentication options
- Risk-based authentication (request two-factor authentication based on the user context)
Are you wondering how authentication and authorization work together on SAP Business Technology Platform? I will cover this topic under secure development services.
SAP Community: https://community.sap.com/topics/cloud-platform-identity-authentication
Across the SAP cloud portfolio, user management basically comes in two flavors:
- Applications which delegate user management completely to Identity Authentication
- Applications with their own/separate user management store (ABAP, SAP SuccessFactors…)
In the second case, you must maintain user data in different applications. This can be automated via the Identity Provisioning service, which is essentially a user data synchronization between different applications. Example: a company that uses SAP SuccessFactors wants every new employee created in SAP SuccessFactors to automatically get a user in Identity Authentication, so that they can access SAP S/4HANA Cloud.
Many SAP cloud solutions come pre-integrated with this service and SAP continues to expand this list of applications.
But what is the relation to SAP Cloud Identity Access Governance? That’s easy to answer. Technically, SAP Cloud Identity Access Governance reuses Identity Authentication and Identity Provisioning but provides premium features on top: capabilities like segregation of duties, re-certification, or business role management. SAP Cloud Identity Access Governance is of course optional; Identity Provisioning also works standalone.
I would like to use the picture below to dig deeper into the Identity Provisioning service. You learned already that the service synchronizes users between various systems. Let me be clear: the Identity Provisioning service has no feature parity with SAP Identity Management. SAP Identity Management is an on-premise solution that allows you to implement, develop and customize nearly every scenario you can think of. The price you pay for this flexibility is complexity. The goal of the Identity Provisioning service is to provide a simple solution to sync up user data, especially for SAP cloud solutions. It is based on the SCIM standard (System for Cross-domain Identity Management), so there are no specific connectors for each application. The applications must “speak” SCIM, with some rare exceptions. Do you remember the good old SAP Central User Administration (CUA)? Currently, the Identity Provisioning service is like CUA, but with a broader scope (SAP cloud applications). Do we plan to evolve Identity Provisioning into a full-blown cloud identity management system? No, SAP Cloud Identity Access Governance is the solution that will provide the premium functionality on top of the Identity Provisioning service.
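As an added example (not code from this page or from SAP), here is a Python sketch of the SCIM-based synchronization the Identity Provisioning service performs between a source system and a target, covering both the SuccessFactors-to-Identity-Authentication case above and the CUA-like sync described here. It maps constructed HR-style records (SuccessFactors-like field names, assumed here) to SCIM 2.0 core User resources, reconciles them against an in-memory stand-in for a SCIM target (userName filter lookup, create, replace), and treats employees who disappear from the source as leavers by deactivating rather than deleting them, while leaving accounts the sync never provisioned (no externalId) untouched. A real target would be reached over HTTPS with the SCIM endpoints the comments name.

```python
"""User synchronization over SCIM 2.0 resources, as a constructed example."""
import copy

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
MANAGED_ATTRS = ("externalId", "userName", "name", "emails", "active")


def to_scim_user(hr_record):
    """Map a constructed HR record (SuccessFactors-like field names, assumed)
    onto a SCIM core User resource. The HR person ID becomes externalId so
    later runs can correlate the two sides even if the e-mail changes."""
    email = hr_record["email"].lower()
    return {
        "schemas": [SCIM_USER],
        "externalId": hr_record["personIdExternal"],
        "userName": email,
        "name": {"givenName": hr_record["firstName"],
                 "familyName": hr_record["lastName"]},
        "emails": [{"value": email, "primary": True}],
        "active": hr_record["status"] == "active",
    }


class InMemoryScimTarget:
    """Minimal stand-in for a SCIM 2.0 server; each method names the HTTP
    operation a real provisioning connector would send."""

    def __init__(self):
        self._users = {}
        self._next_id = 1

    def find_by_username(self, user_name):
        # GET /Users?filter=userName eq "<user_name>"
        for user in self._users.values():
            if user["userName"] == user_name:
                return copy.deepcopy(user)
        return None

    def create(self, resource):
        # POST /Users
        uid = str(self._next_id)
        self._next_id += 1
        stored = copy.deepcopy(resource)
        stored["id"] = uid
        self._users[uid] = stored
        return copy.deepcopy(stored)

    def replace(self, uid, resource):
        # PUT /Users/{id}
        stored = copy.deepcopy(resource)
        stored["id"] = uid
        self._users[uid] = stored
        return copy.deepcopy(stored)

    def list_users(self):
        # GET /Users (paged in a real server)
        return [copy.deepcopy(u) for u in self._users.values()]


def sync_users(hr_records, target):
    """Reconcile the source records against the target; returns counts per action."""
    counts = {"created": 0, "updated": 0, "unchanged": 0, "deactivated": 0}
    seen = set()
    for record in hr_records:
        desired = to_scim_user(record)
        seen.add(desired["userName"])
        existing = target.find_by_username(desired["userName"])
        if existing is None:
            target.create(desired)
            counts["created"] += 1
        elif any(existing.get(attr) != desired[attr] for attr in MANAGED_ATTRS):
            merged = copy.deepcopy(existing)
            merged.update(desired)      # keep target-only attributes, overwrite managed ones
            target.replace(existing["id"], merged)
            counts["updated"] += 1
        else:
            counts["unchanged"] += 1
    # Leaver handling: accounts this sync provisioned earlier (they carry an
    # externalId) that no longer appear in the source are deactivated, not
    # deleted, so audit trails and ownership of their data survive. Local
    # accounts without an externalId are never touched.
    for user in target.list_users():
        if user["userName"] in seen or not user.get("externalId"):
            continue
        if user.get("active", True):
            leaver = copy.deepcopy(user)
            leaver["active"] = False
            target.replace(user["id"], leaver)
            counts["deactivated"] += 1
    return counts
```

Running the sync twice with the same input is idempotent (second run: all unchanged), which matters because a provisioning job is scheduled and re-run, and a non-idempotent sync turns every run into a flood of writes and audit noise on the target.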
Ok, back to the picture:
- SAP Identity Management can of course be integrated with the Identity Provisioning service. If you have a hybrid landscape and you use SAP Identity Management for your on-premise systems, you can extend the reach to the cloud world via Identity Provisioning service – a hybrid identity management for a hybrid system landscape.
Note: There is still the option to connect your SAP Identity Management directly to cloud applications, but then you must re-implement all the work we have done in Identity Provisioning service.
- Why an extra box for the Identity Authentication service? It is just another SAP cloud application, right? Yes, you are right, but I wanted to highlight it because it is the central point for authentication in the cloud. If you use the built-in user store of the Identity Authentication service, you want to keep this store updated and also distribute data that users changed themselves in Identity Authentication. If you use Identity Authentication in proxy mode, option C is more relevant to you.
- In large enterprises, you’ll always have a corporate user directory such as Microsoft Active Directory or Azure Active Directory. Sometimes it is the holy grail, and nobody gets access to it, sometimes it’s a requirement to integrate with it. With the Identity Provisioning service, you can connect to any SCIM-enabled system to synchronize user data across the landscape.
- In many cases, you want to synchronize user data within SAP cloud applications. It is part of SAP integration strategy for the Identity Provisioning service to be the default user management solution for SAP cloud applications. It will take some time until all the major SAP cloud applications are integrated (supporting SCIM or special connectors), but this is SAP’s midterm goal.
- Why do we have an extra box for SAP SuccessFactors? Because many SAP customers use it, and it is the source for any HR-driven identity lifecycle. If there is a new employee, you want this information synchronized via the Identity Provisioning service to the Identity Authentication service. The new employee then automatically has access to standard applications within your company (lunch menu, address book, …).
- 3rd party cloud applications can also be integrated. However, we don’t provide content such as mapping information, and the solution must support SCIM.
Non-SAP Cloud Identity Management systems
Of course we also have a lot of 3rd party identity management systems. SAP’s strategy is for these solutions to integrate with Identity Authentication via the proxy mode and with Identity Provisioning via the SCIM interface. Our services are the central hub for the SAP cloud world. It is not the strategy of Identity Provisioning to provide a solution which supports countless non-SAP applications.
Note: In many analyst reports, an identity management system can only be a “leader” if it provides connectivity to many vendors. SAP’s identity management strategy is to provide the best integration within the SAP portfolio. So don’t expect this solution to appear in the leader quadrant; our strategy differs from the scope of most analyst reports.
Let me sum up some of the key functionalities:
- Policy-based assignments
- Mapping between identity models
- Merging identities from multiple sources
- Directory with SCIM API access
- Default user synchronization solution for SAP cloud applications
- Simple and agile solution with a short time-to-value
- Openness via SCIM
And three recommendations:
- SAP Identity Management is recommended for on-premise landscapes
- Identity Provisioning service is recommended for SAP cloud systems
- If compliance is an important topic, check out SAP Cloud Identity Access Governance
SAP community: https://community.sap.com/topics/cloud-platform-identity-provisioning
Supported systems: https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/81ca0c1b51b449daac240a18ee0d3ab1.html