updated date: 15.Jul.2023

Security is one of the top priorities for enterprise customers. For enterprise end users, having a seamless log-in process to different systems automatically without manually inputting credentials, can not only improve user experience but also increase enterprise security. With that being said, SSO plays a key role in the process.

In this article, we are addressing scenarios where RISE with SAP Private Cloud Edition customers (their SAP workloads managed by SAP on hyperscalers or SAP DC) run in multi-cloud environments, and have more than one enterprise IDP. With this setup, how they can both federate SOO within their SAP landscape with SAP IDPs and security solutions, meanwhile can also harmonize SSO and security workflow management with other third-party IDPs (like, Azure AD). Meaning that each IDP for its own purpose can keep its autonomy, and can still be federated to a certain extent on demand.

In this article, we mainly focus on direct client-to-server SSO scenarios.

A follow-up blog with regard to SSO on the server side can be found here, 'Demystify Single Sign-On on Server Side for SAP RISE Customers'.

Terminologies and Abbreviations

Single Sign-On (short as SSO)	Commonly used SSO methods: SAML 2.0, OpenID Connect, Kerberos/SPNEGO, X.509 Fig. 1 below explains the roles and responsibilities in SSO process
Identity Provider (short as IDP)	A system entity that provides authentification service in SSO processes. In Kerberos, it's been called KDC (key distribution center), in OpenID & oAuth is been called AS (authorization server) For RISE with SAP Private Cloud Edition customers, IDPs could be SAP Cloud Identity Services (on BTP), SAP Single Sign-On, Azure Active Directory by Microsoft, .etc.
Service Provider (short as SP)	A system entity that consumes authentification service in the SSO processes. In OpenID & oAuth is been called RS (resource server) For RISE with SAP Private Cloud Edition customers, SPs could be SAP NetWeaver, SAP HANA, SAP Fiori, SAP BTP, SAP SaaS (SuccessFactors, Ariba, Concur, Fieldglass), and Hyperscaler services (eg. Microsoft Office 365), .etc.
Identity Management (short as IDM)	A system entity, used for IAM workflow management, identity lifecycle management, and access governance. For RISE with SAP Private Cloud Edition customers, IDMs could be SAP CIS Identity Provisioning, SAP Cloud Identity Access Governance, SAP Identity Management, SAP Access Control
Identity and Access Management (short as IAM)	A framework of policies and technologies to ensure that the right users have the appropriate access to technology resources
Federated SSO	A mechanism that uses one single IDP across multiple IT systems or even organizations.
Harmonized SSO [Highly Recommended]	A mechanism that uses more than one IDP in multi-cloud environments, with each IDP value for its own purpose (due to its unique design and native integration with some SPs). For RISE with SAP Private Cloud Edition customers, SAP IDPs (SAP CIS, SAP SSO) are used for SAP workloads, while still keeping other third-party IDP (eg. Azure AD for Microsoft Office 365 and native Azure services), and in between IDPs with some integration.

Fig. 1: SSO process roles and responsibilities

Architecture Design

In this section, we will first go through the SAP IDPs and IDMs used for SAP landscape SSO federation, and will also list the major SAP products SSO integration. Then by following, we will consider RISE with SAP Private Cloud Edition customers in multi-cloud environments, then propose the 'Security Hub and Spoke' concept which can do SSO harmonization in such setups.

SAP SSO Federation for SAP Workforce (SAP IDPs & IDMs integration with SAP SPs):

List of SAP Identity Provider Solutions:

Identity Provider Solution	Supported Method	Deployment
SAP Cloud Identity Services - Identity Authentication	Kerberos SAML 2.0 OpenID Connect OAuth2 SPNEGO X.509 Social Sign-On (FaceBook, Google, Twitter, LinkedIn)	Cloud Subscription on BTP
SAP Single Sign-On 3.0	Kerberos SPNEGO X.509 SAML 2.0	SAP RISE managed VM

SAP Identity Management Solutions:

SAP IDMs provide you enterprise-level IAM workflow management, identity lifecycle management, access governance and audition.

Identity Management Solution	Deployment
SAP Cloud Identity Services - Identity Provisioning	Cloud Subscription on BTP
SAP Cloud Identity Access Governance	Cloud Subscription on BTP
SAP Identity Management	SAP RISE managed VM
SAP Access Control	SAP RISE managed VM

List of Major SAP Solutions SSO integration guide:

* Please note that the below list is not able to list all SAP products and all integration scenarios, more support could be found on SAP official documentation.

SAP Product	SSO Method	Identity Provider
SAP GUI	Kerberos	SAP Secure Login Service on BTP
		SAP Single Sign-On
	X.509	SAP Single Sign-On
SAP Fiori	SAML	SAP Cloud Identity Services Fiori (for ABAP) SSO guide
	Kerberos/X.509/SAML2.0	SAP Single Sign-On Fiori SSO guide
SAP NetWeaver (web GUI)	SAML/OAuth	SAP Cloud Identity Services Web-based SSO configuration
		SAP Single Sign-On
SAP HANA	Kerberos	SAP Single Sign-On HANA Keberos SSO guide
	SAML 2.0	SAP Cloud Identity Services HANA SAML 2.0 SSO guide
SAP BTP (PaaS)	SAML/OAuth	BTP SSO guide
SAP Analytics Cloud (PaaS)	SAML 2.0	SAP Cloud Identity Services SAC SSO guide
SAP SuccessFactors (SaaS)	SAML 2.0	SAP Cloud Identity Services
SAP Concur (SaaS)	SAML 2.0 / OpenID	SAP Cloud Identity Services
SAP Ariba (SaaS)	SAML 2.0 / OpenID	SAP Cloud Identity Services
SAP Fieldglass (SaaS)	SAML 2.0	SAP Cloud Identity Services
SAP C4C	SAML 2.0 / OpenID	SAP Cloud Identity Services

SAP SSO Harmonization with third-party SSO:

In a multi-cloud environment, there could be multiple identity providers (IDP), each IDP is designed for its own purpose with native integration with its own cluster of service providers.

Enterprise customers can always directly configure trust between SAP IDP (BTP CIS) and hyperscaler IDPs. For detailed guidance or tutorials, please consult hyperscaler providers (Microsoft, Amazon, or Google). Here we do a short review based on the hyperscaler documentation from hyperscaler providers' websites (see Fig. 2, 3, 6).

As most enterprise customers use Microsoft Office 365 and might already have Azure AD in place, hence we propose the 'Security Hub and Spoke' architecture. We suggest using Microsoft Azure AD as the 'hub' for SSO harmonization, then SAP IDP and other hyperscaler IDPs will play as 'spoke' in the multi-cloud landscape. (see Fig. 2, 4, 5)

In cases where customers use Google G-Suite instead, customers can still build trust between SAP IDP and Google IDP. (see Fig. 6)

With these setups, each IDP will keep its autonomy, while still having the 'trust' harmonized and having the sync in place.

Integration with Azure IDP (Microsoft Entra, previously, Azure AD)		(see Fig. 2)	Microsoft Entra (previously, Azure Active Directory) (native built for Microsoft Office 365, Azure native services) as an example Microsoft Entra (previously, Azure Active Directory) (Microsoft guide) integration with SAP Cloud Identity Services (SAP guide)
Integration with AWS IDP (AWS IAM Identity Center)		(see Fig. 3)	AWS IAM Identity Center integration with SAP (AWS best practice, AWS tutorial)
		(see Fig. 4)	Microsoft Entra (previously, Azure AD) integration with AWS IAM Identity Center (AWS guide) Microsoft Entra (previously, Azure AD) integration with Microsoft AD (Microsoft guide)
Integration with GCP IDP (Google Cloud Identity)		(see Fig. 5)	Microsoft Entra (previously, Azure AD) integration with Microsoft AD (Microsoft guide) Microsoft Entra (previously, Azure AD) integration with Google Cloud Identity (Google guide)
		(see Fig. 6)	Google Cloud Identity integration with SAP Cloud Identity Services (tutorial) Google Cloud Identity integration with Microsoft AD (Google guide)

Fig. 2: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer's own hyperscaler is Azure, as an example)

Fig. 3: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer's own hyperscaler is AWS, as an example)

Fig. 4: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer's own hyperscaler is AWS & Azure, as an example)

Fig. 5: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer's own hyperscaler is GCP & Azure, as an example)

Fig. 6: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer's own hyperscaler is GCP, as an example)

Disclaimer:

• SAP takes no responsibility for managing and operating customers’ own data center, nor for customers’ own hyperscaler subscription


• SAP takes no responsibility for provisioning and managing customers' SSO


• SAP product information is based on SAP official documentation online, as of this blog’s updated date of time.


• The architecture designs that appeared in this blog, have been considered with each hyperscalers' (Azure, AWS, GCP) reference architecture from hyperscalers providers’ (Microsoft, Amazon, and Google) official documentation online, as of this blog’s updated date of time.

Acknowledgment to contributors/reviewers/advisors:

Ke Ma (a.k.a. Mark), co-author, Senior Consultant, SAP IES AI CoE / RISE Cloud Advisory RA group

Frank Gong, co-author, Digital Customer Engagement Manager, SAP ECS

Stephan Andre, SAP BTP Security, Development Manager

Tommaso Nuccio, Security Architect, SAP IES Security

Yash Karia, SAP IAM Consultant, SAP IES Platform

Sven Herzog, SAP IAM Consultant, SAP IES Platform

Kevin Flanagan, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, EMEA North

Luc DUCOIN, Cloud Architect & Advisor, RISE Cloud Advisory

Richard Traut, Cloud Architect & Advisor, RISE Cloud Advisory

Sven Bedorf, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, MEE

Extended Reading:

Demystify Single Sign-On on Server Side for SAP RISE Customers

SAP Secure Login Service for SAP GUI Now Available, by SAP colleague, martina.kirschenmann

Join our RISE with SAP community here

Join our SAP Single Sign-On community here

Join our BTP Security community here

Google Cloud Identity integration with SAP Cloud Identity Services, by SAP colleague,

alexander.zubev

A SSO Guide for SAP RISE PCE customers, by SAP colleague, matthias.kaempfer

SAP Lens - AWS Well-Architected Framework, by AWS official website

SSO with SAML 2.0: how does it work, by VMware Youtube Channel