The Identity Authentication service is a default integration component for many SAP Cloud products in order to enable single sign-on. In this blog I will explain the main usage scenarios and how the service enables single sign-on for both corporate and external users.
Identity Authentication is a public cloud service which serves in principle two fundamental usage scenarios:
- It can act as an identity provider (IdP) that validates users’ credentials and offers single sign-on for relying parties
- It can act as a proxy for integration into an already existing single sign-on infrastructure with a corporate IdP
The following video demonstrates those two usage scenarios: Identity Authentication Service in a Nutshell
These two fundamental usage scenarios – Identity Authentication as authenticating authority vs. Identity Authentication as a proxy – can be controlled very flexibly by a concept called ‘Conditional Authentication’. Via conditional authentication rules an administrator determines where users should authenticate. For example, on a public site used by both corporate and external users, the corporate users may benefit from single sign-on with the corporate IdP, whereas external users must authenticate locally in Identity Authentication.
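To make the routing decision concrete, here is an added example (my own model, not code from the Identity Authentication service) of how ordered conditional authentication rules can be evaluated. The rule attributes (e-mail domain, user type, client IP range), the rule set and the input values are all constructed for illustration; the first matching rule wins and an explicit default sends everybody else to local authentication, so a user who matches no rule never silently ends up at the corporate IdP.

```python
"""Constructed model of ordered conditional-authentication rules.

Not the Identity Authentication implementation; the rule attributes and
targets below are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOCAL = "local"            # authenticate against Identity Authentication itself
CORPORATE = "corporate-idp"  # forward the user to the corporate IdP (proxy scenario)


@dataclass
class Rule:
    """One routing rule; every condition that is set must hold for the rule to match."""
    target: str
    email_domain: Optional[str] = None   # e.g. "corp.example"
    user_type: Optional[str] = None      # e.g. "employee", "partner"
    ip_range: Optional[str] = None       # CIDR notation, e.g. "10.0.0.0/8"

    def matches(self, email: str, user_type: str, client_ip: str) -> bool:
        if self.email_domain is not None:
            # An address without '@' has no domain and cannot match a domain rule.
            if "@" not in email:
                return False
            domain = email.rpartition("@")[2].lower()
            if domain != self.email_domain.lower():
                return False
        if self.user_type is not None and user_type != self.user_type:
            return False
        if self.ip_range is not None:
            # ip_address() raises ValueError on malformed input instead of matching.
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.ip_range):
                return False
        return True


def select_idp(rules: List[Rule], email: str, user_type: str, client_ip: str,
               default: str = LOCAL) -> str:
    """Return the target of the first matching rule, or the explicit default."""
    for rule in rules:
        if rule.matches(email, user_type, client_ip):
            return rule.target
    return default


# Constructed rule set: corporate mail domain -> corporate IdP; employees coming
# from the internal network -> corporate IdP; everyone else authenticates locally.
RULES = [
    Rule(CORPORATE, email_domain="corp.example"),
    Rule(CORPORATE, user_type="employee", ip_range="10.0.0.0/8"),
]

if __name__ == "__main__":
    print(select_idp(RULES, "alice@corp.example", "employee", "203.0.113.5"))   # corporate-idp
    print(select_idp(RULES, "bob@partner.example", "partner", "203.0.113.5"))   # local
    print(select_idp(RULES, "carol@mail.example", "employee", "10.1.2.3"))      # corporate-idp
```

The e-mail address a user types on the login screen is not yet authenticated, so it is only used here to decide where authentication happens; the actual credential check still takes place at the selected IdP.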
Identity Authentication as Authenticating IdP
Identity Authentication offers its users a variety of authentication options. Ideally, secure authentication is established without requiring the user to enter credentials manually (e.g. username and password). Authentication with client certificates (X.509) or via Kerberos/SPNEGO are such options that enable single sign-on combined with ease of use for the end user. If stronger means of authentication are required, an administrator can choose among the following multi-factor authentication mechanisms: time-based one-time passwords (TOTP), RSA tokens, or a PIN sent via SMS.
Basic authentication is of course also possible, with the option to configure the password policy according to the security requirements defined in a company. It is also possible to validate the credentials against a corporate user store instead of a local password in Identity Authentication. With the so-called ‘Corporate User Store’ scenario an admin can configure e.g. Microsoft Active Directory as the authority that performs the password validation check. Identity Authentication will still display the login screen, yet the users can use the same password they have for the corporate domain of the company.
Identity Authentication for integration with a corporate IdP
Identity Authentication can be used to integrate SAP cloud solutions with an existing single sign-on infrastructure. In that way corporate users benefit from single sign-on with their established corporate IdP. Such an integration scenario is based on the SAML (Security Assertion Markup Language) standard, where Identity Authentication acts as a proxy for the corporate IdP. Identity Authentication can either simply forward the authentication from the corporate IdP or enrich the assertion with additional user profile data required by SAP business applications.
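The following added example (my own illustration, not code from Identity Authentication) shows the two proxy modes on a constructed SAML assertion: pass the attributes through unchanged, or enrich the assertion with profile data looked up for the authenticated subject. The inbound assertion, the trusted issuer entity ID and the profile store are all constructed. The example deliberately starts after signature validation: a real proxy must verify the corporate IdP's signature on the inbound assertion before trusting its Issuer and Subject, and must sign the outbound assertion with its own key, neither of which is shown here.

```python
"""Constructed SAML proxy example: forward vs. enrich an inbound assertion.

Not the Identity Authentication implementation. Signature validation of the
inbound assertion and signing of the outbound one are assumed to happen
outside this snippet.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed entity ID of the corporate IdP the proxy is configured to trust.
TRUSTED_CORPORATE_IDP = "https://idp.corp.example/saml"

# Constructed inbound assertion as received from the corporate IdP.
INBOUND_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0nstructed1" Version="2.0">
  <saml:Issuer>{TRUSTED_CORPORATE_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed profile store held by the proxy, keyed by subject.
PROFILE_STORE: Dict[str, Dict[str, str]] = {
    "alice@corp.example": {"cost_center": "4711", "groups": "sap-finance"},
}


def q(tag: str) -> str:
    """Namespace-qualify a SAML element name for ElementTree."""
    return f"{{{SAML_NS}}}{tag}"


def parse_trusted_assertion(assertion_xml: str, trusted_issuer: str) -> Tuple[ET.Element, str]:
    """Parse the assertion and reject it unless it names the configured corporate IdP."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(q("Issuer"))
    if issuer != trusted_issuer:
        raise ValueError("assertion issuer is not the configured corporate IdP")
    name_id = root.find(f"{q('Subject')}/{q('NameID')}")
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    return root, name_id.text


def collect_attributes(root: ET.Element) -> Dict[str, str]:
    """Flatten all Attribute elements into a name -> value mapping."""
    return {attr.get("Name"): attr.findtext(q("AttributeValue")) for attr in root.iter(q("Attribute"))}


def proxy_assertion(assertion_xml: str, trusted_issuer: str,
                    profile_store: Dict[str, Dict[str, str]],
                    enrich: bool = True) -> Tuple[str, Dict[str, str], bytes]:
    """Return (subject, outbound attributes, outbound assertion XML).

    enrich=False forwards the corporate IdP's attributes unchanged;
    enrich=True adds the proxy's profile data for the subject.
    """
    root, subject = parse_trusted_assertion(assertion_xml, trusted_issuer)
    if enrich:
        stmt = root.find(q("AttributeStatement"))
        if stmt is None:
            stmt = ET.SubElement(root, q("AttributeStatement"))
        for name, value in profile_store.get(subject, {}).items():
            attr = ET.SubElement(stmt, q("Attribute"), Name=name)
            ET.SubElement(attr, q("AttributeValue")).text = value
    return subject, collect_attributes(root), ET.tostring(root)


if __name__ == "__main__":
    subj, attrs, xml = proxy_assertion(INBOUND_ASSERTION, TRUSTED_CORPORATE_IDP, PROFILE_STORE)
    print(subj, attrs)
    print(xml.decode())
```

Profile data is looked up by the subject the corporate IdP asserted, never by anything the client supplied, so enrichment cannot be used to claim attributes for a different user.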
Pure B2C usage
As we have seen above, Identity Authentication is focused on business-to-employee (B2E) scenarios and on applications that are used by both corporate and external users.
Identity Authentication also offers functionality for business-to-consumer (B2C) scenarios, like user self-registration, a user invitation flow, and a user profile application. Yet it does not provide the feature set required for complex consumer applications like a public webshop, where capabilities such as a Web SDK and a UI builder are usually essential. Identity Authentication also lacks sophisticated enterprise consent management, which is needed if very fine-granular user consent for the handling of personal data is required.
Identity Authentication is thus the service of choice to enable single sign-on for corporate users, but not the ideal solution when it comes to B2C usage. SAP offers the SAP Customer Identity solution, which is focused on and specialized for the latter type of business application.
Identity Authentication is a public cloud service enabling single sign-on for many SAP cloud solutions. It offers a wide range of authentication options, including multi-factor authentication. It can also be used for federation with a corporate identity provider, in order to integrate SAP cloud solutions seamlessly into an already existing single sign-on infrastructure.
SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services
Identity Authentication service in a nutshell: https://www.youtube.com/watch?v=uwlGrrxwRJ0