Ke Ma

Harmonized Single Sign-On for SAP RISE Customers in Multi-Cloud Environment

updated date: 15.Jul.2023

Security is one of the top priorities for enterprise customers. For enterprise end users, a seamless log-in to different systems, without manually entering credentials each time, not only improves the user experience but also strengthens enterprise security, because fewer passwords are typed, stored and exposed to phishing. SSO therefore plays a key role in the process.

In this article we address scenarios where RISE with SAP Private Cloud Edition customers (their SAP workloads are managed by SAP on a hyperscaler or in an SAP data center) run in multi-cloud environments and have more than one enterprise IDP. With this setup, how can they federate SSO within their SAP landscape using SAP IDPs and security solutions, while also harmonizing SSO and security workflow management with third-party IDPs (for example Azure AD)? The goal is that each IDP keeps its autonomy for its own purpose and can still be federated with the others to the extent needed.

In this article, we mainly focus on direct client-to-server SSO scenarios.

A follow-up blog with regard to SSO on the server side can be found here, ‘Demystify Single Sign-On on Server Side for SAP RISE Customers‘.

Terminologies and Abbreviations

Single Sign-On
(short as SSO)
  • Commonly used SSO methods: SAML 2.0, OpenID Connect, Kerberos/SPNEGO, X.509
  • Fig. 1 below explains the roles and responsibilities in the SSO process
Identity Provider
(short as IDP)
  • The system entity that provides the authentication service in the SSO process and issues the assertion or token that the SP consumes.
Service Provider
(short as SP)
  • A system entity that consumes the authentication service in the SSO process.
  • In OpenID Connect the same role is called the relying party (RP); in OAuth 2.0 the protected API is the resource server (RS).
  • For RISE with SAP Private Cloud Edition customers, SPs can be SAP NetWeaver, SAP HANA, SAP Fiori, SAP BTP, SAP SaaS (SuccessFactors, Ariba, Concur, Fieldglass), hyperscaler services (e.g. Microsoft Office 365), etc.
Identity Management
(short as IDM)
Identity and Access Management
(short as IAM)
  • A framework of policies and technologies to ensure that the right users have the appropriate access to technology resources
Federated SSO
  • A mechanism that uses one single IDP across multiple IT systems or even organizations.
Harmonized SSO
[Highly Recommended]
  • A mechanism that uses more than one IDP in a multi-cloud environment, with each IDP kept for its own purpose (due to its unique design and native integration with some SPs).
  • For RISE with SAP Private Cloud Edition customers, SAP IDPs (SAP Cloud Identity Services, SAP Single Sign-On) are used for SAP workloads, while other third-party IDPs (e.g. Azure AD for Microsoft Office 365 and native Azure services) are kept, with some integration between the IDPs.

Fig. 1: SSO process roles and responsibilities

Architecture Design

In this section we first go through the SAP IDPs and IDMs used for SSO federation within the SAP landscape, and list the SSO integration guides for the major SAP products. We then consider RISE with SAP Private Cloud Edition customers in multi-cloud environments and propose the 'Security Hub and Spoke' concept, which harmonizes SSO in such setups.

SAP SSO Federation for SAP Workforce (SAP IDPs & IDMs integration with SAP SPs):

List of SAP Identity Provider Solutions (solution, supported methods, deployment):

SAP Cloud Identity Services, Identity Authentication
  • Supported methods: Kerberos, SAML 2.0, OpenID Connect, OAuth 2.0, SPNEGO, X.509, Social Sign-On (Facebook, Google, Twitter, LinkedIn)
  • Deployment: Cloud Subscription on BTP

SAP Single Sign-On 3.0
  • Supported methods: Kerberos, SPNEGO, X.509, SAML 2.0
  • Deployment: SAP RISE managed VM

SAP Identity Management Solutions:

SAP IDMs provide enterprise-level IAM workflow management, identity lifecycle management, access governance and auditing.

Identity Management Solution (solution, deployment):
  • SAP Cloud Identity Services, Identity Provisioning: Cloud Subscription on BTP
  • SAP Cloud Identity Access Governance: Cloud Subscription on BTP
  • SAP Identity Management: SAP RISE managed VM
  • SAP Access Control: SAP RISE managed VM

List of Major SAP Solutions SSO integration guides (product, SSO method, identity provider):

* Please note that the list below cannot cover all SAP products and all integration scenarios; more support can be found in the official SAP documentation.

SAP GUI
  • Kerberos: SAP Secure Login Service on BTP; SAP Single Sign-On
  • X.509: SAP Single Sign-On
SAP Fiori
  • SAML: SAP Cloud Identity Services (Fiori (for ABAP) SSO guide)
  • Kerberos/X.509/SAML 2.0: SAP Single Sign-On (Fiori SSO guide)
SAP NetWeaver (web GUI)
  • SAML/OAuth: SAP Cloud Identity Services (Web-based SSO configuration); SAP Single Sign-On
SAP HANA
  • Kerberos: SAP Single Sign-On (HANA Kerberos SSO guide)
  • SAML 2.0: SAP Cloud Identity Services (HANA SAML 2.0 SSO guide)
SAP BTP (PaaS)
  • SAML/OAuth: see BTP SSO guide
SAP Analytics Cloud (PaaS)
  • SAML 2.0: SAP Cloud Identity Services (SAC SSO guide)
SAP SuccessFactors (SaaS)
  • SAML 2.0: SAP Cloud Identity Services
SAP Concur (SaaS)
  • SAML 2.0 / OpenID Connect: SAP Cloud Identity Services
SAP Ariba (SaaS)
  • SAML 2.0 / OpenID Connect: SAP Cloud Identity Services
SAP Fieldglass (SaaS)
  • SAML 2.0: SAP Cloud Identity Services
SAP C4C
  • SAML 2.0 / OpenID Connect: SAP Cloud Identity Services

SAP SSO Harmonization with third-party SSO:

In a multi-cloud environment there can be multiple identity providers (IDPs); each IDP is designed for its own purpose and has native integration with its own cluster of service providers.

Enterprise customers can always configure trust directly between the SAP IDP (SAP Cloud Identity Services on BTP) and the hyperscaler IDPs. For detailed guidance or tutorials, consult the hyperscaler providers (Microsoft, Amazon or Google). Here we give a short review based on the documentation on the hyperscaler providers' websites (see Fig. 2, 3, 6).

Since most enterprise customers use Microsoft Office 365 and may already have Azure AD in place, we propose the 'Security Hub and Spoke' architecture: Microsoft Azure AD acts as the 'hub' for SSO harmonization, and the SAP IDP and the other hyperscaler IDPs act as 'spokes' in the multi-cloud landscape (see Fig. 2, 4, 5).

Where customers use Google G Suite (now Google Workspace) instead, they can still build trust between the SAP IDP and the Google IDP (see Fig. 6).

With these setups each IDP keeps its autonomy while the trust relationships are harmonized and identity sync is in place. Two practical consequences of the hub role are worth keeping in mind: the hub's authentication policy (MFA, conditional access) effectively becomes the policy for every spoke that trusts it, so it must be at least as strict as what the SAP workloads require; and the hub's SAML signing certificate is a shared dependency, so its rotation has to be planned with every spoke or sign-in to all of them breaks at once.
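The roles from the terminology section (IDP issues, SP consumes) and the hub-and-spoke trust above come together at the service provider, which must accept assertions only from its own spoke IDP and only for itself. The Python script below is an added example written for this article, not code from the original post nor from SAP, Microsoft or the hyperscalers. It reads the spoke IDP's SAML 2.0 metadata for the trusted issuer and signing certificate, then applies the SP-side checks (issuer, certificate match, validity window with clock skew, audience, bearer Recipient/InResponseTo) to a constructed assertion. All entity IDs, URLs, the certificate text, the request ID and the assertion itself are constructed placeholders; the XML-DSig signature verification is deliberately not implemented and must be done with an XML-DSig library in a real SP.

```python
"""SP-side checks on a SAML 2.0 assertion in a hub-and-spoke SSO setup.

Added example, not SAP's, Microsoft's or the author's code. All entity IDs, URLs,
the certificate text, the request ID and the assertion are constructed placeholders.
XML-DSig verification is not implemented: a real SP verifies the assertion signature
with an XML-DSig library against the metadata certificate and uses a hardened parser.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NOW = datetime(2023, 7, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# What the SP (say an SAP Fiori front end) knows about itself and its spoke IdP (all constructed).
SP_ENTITY_ID = "https://fiori.example.com/sap/saml2/metadata"
ACS_URL = "https://fiori.example.com/sap/saml2/sp/acs"
SPOKE_ENTITY_ID = "https://tenant.accounts.ondemand.example"  # spoke: SAP Cloud Identity Services
HUB_ENTITY_ID = "https://sts.windows.example/tenant-id/"      # hub: corporate IdP (Entra ID)
SPOKE_CERT = "MIIC+constructedSpokeCertificate"               # base64 placeholder, not a real cert

# Constructed IdP metadata as the spoke publishes it. The SP trusts only this issuer and
# certificate; the hub is seen only by the spoke, which re-issues assertions under its own name.
SPOKE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{SPOKE_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SPOKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def trusted_idp_from_metadata(metadata_xml):
    """Return (entityID, signing certificate) from SAML 2.0 IdP metadata."""
    root = ET.fromstring(metadata_xml)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return root.get("entityID"), "".join(cert.text.split())


def make_assertion(issuer=SPOKE_ENTITY_ID, audience=SP_ENTITY_ID, cert=SPOKE_CERT,
                   not_before=NOW - timedelta(minutes=1), not_after=NOW + timedelta(minutes=5),
                   in_response_to="_req-42", recipient=ACS_URL, name_id="alice@example.com"):
    """Build a constructed (unsigned) bearer assertion so the checks can be exercised."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1" Version="2.0" IssueInstant="{fmt(NOW)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{recipient}" InResponseTo="{in_response_to}" NotOnOrAfter="{fmt(not_after)}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""


def validate_assertion(assertion_xml, trusted_issuer, trusted_cert, sp_entity_id, acs_url,
                       outstanding_request_id, now=NOW, skew=timedelta(minutes=3)):
    """Return (True, NameID) if the assertion passes the SP-side checks, else (False, reason)."""
    a = ET.fromstring(assertion_xml)
    if a.findtext("saml:Issuer", "", NS).strip() != trusted_issuer:
        return False, "issuer is not the trusted spoke IdP"
    cert = a.find("ds:Signature//ds:X509Certificate", NS)
    if cert is None or "".join(cert.text.split()) != trusted_cert:
        return False, "signing certificate does not match IdP metadata"
    # A real SP verifies the XML-DSig over the Assertion with trusted_cert at this point.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    if now + skew < parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience is another service provider"
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        if data.get("Recipient") != acs_url:
            return False, "Recipient is not this SP's ACS URL"
        if data.get("InResponseTo") != outstanding_request_id:
            return False, "InResponseTo does not match our AuthnRequest"
        if now - skew >= parse_time(data.get("NotOnOrAfter")):
            return False, "bearer confirmation expired"
        return True, a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    return False, "no bearer SubjectConfirmation"


def demo():
    """Check a good assertion and three typical bad ones against the spoke's metadata."""
    issuer, cert = trusted_idp_from_metadata(SPOKE_METADATA)

    def check(xml):
        return validate_assertion(xml, issuer, cert, SP_ENTITY_ID, ACS_URL, "_req-42")

    return {"good": check(make_assertion()),
            "hub_bypassing_spoke": check(make_assertion(issuer=HUB_ENTITY_ID)),
            "replayed_for_other_sp": check(make_assertion(audience="https://successfactors.example/sp")),
            "expired": check(make_assertion(not_after=NOW - timedelta(minutes=10)))}
```

Running demo() accepts the good assertion and rejects the other three. The "hub_bypassing_spoke" case is the one specific to the hub-and-spoke design: an assertion issued by the corporate hub itself must not be accepted by an SAP service provider, because the SP's trust is with the spoke (SAP Cloud Identity Services) only; the hub's policy is applied when the spoke authenticates the user against it. The "replayed_for_other_sp" case shows why every SP in the landscape needs its own entityID in the AudienceRestriction, even when all of them sit behind the same spoke.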

Integration with Azure IDP (Microsoft Entra ID, previously Azure AD)
(see Fig. 2)
  • Microsoft Entra ID (previously Azure Active Directory), natively built for Microsoft Office 365 and Azure native services, as an example
  • Microsoft Entra ID (previously Azure Active Directory) integration with SAP Cloud Identity Services (Microsoft guide, SAP guide)
Integration with AWS IDP (AWS IAM Identity Center)
(see Fig. 3 and Fig. 4)
  • Microsoft Entra ID (previously Azure AD) integration with AWS IAM Identity Center (AWS guide)
  • Microsoft Entra ID (previously Azure AD) integration with Microsoft AD (Microsoft guide)
Integration with GCP IDP (Google Cloud Identity)
(see Fig. 5)
  • Microsoft Entra ID (previously Azure AD) integration with Microsoft AD (Microsoft guide)
  • Microsoft Entra ID (previously Azure AD) integration with Google Cloud Identity (Google guide)
(see Fig. 6)
  • Google Cloud Identity integration with SAP Cloud Identity Services (tutorial)
  • Google Cloud Identity integration with Microsoft AD (Google guide)

Fig. 2: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is Azure, as an example)

Fig. 3: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is AWS, as an example)

Fig. 4: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is AWS & Azure, as an example)

Fig. 5: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is GCP & Azure, as an example)

Fig. 6: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is GCP, as an example)

Disclaimer:

  • SAP takes no responsibility for managing and operating customers’ own data center, nor for customers’ own hyperscaler subscription
  • SAP takes no responsibility for provisioning and managing customers’ SSO
  • SAP product information is based on the official SAP documentation online, as of this blog's update date.
  • The architecture designs that appear in this blog have been considered against each hyperscaler's (Azure, AWS, GCP) reference architecture from the hyperscaler providers' (Microsoft, Amazon and Google) official documentation online, as of this blog's update date.

Acknowledgment to contributors/reviewers/advisors:

Ke Ma (a.k.a. Mark), co-author, Senior Consultant, SAP IES AI CoE / RISE Cloud Advisory RA group

Frank Gong, co-author, Digital Customer Engagement Manager, SAP ECS

Stephan Andre, SAP BTP Security, Development Manager

Tommaso Nuccio, Security Architect, SAP IES Security

Yash Karia, SAP IAM Consultant, SAP IES Platform

Sven Herzog, SAP IAM Consultant, SAP IES Platform

Kevin Flanagan, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, EMEA North

Luc DUCOIN, Cloud Architect & Advisor, RISE Cloud Advisory

Richard Traut, Cloud Architect & Advisor, RISE Cloud Advisory

Sven Bedorf, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, MEE

Samuel Grevillot, Customer Engineer, Google

Ferry Mulyadi, Partner Solution Architect, Amazon Web Services

Extended Reading:
Demystify Single Sign-On on Server Side for SAP RISE Customers
SAP Secure Login Service for SAP GUI Now Available, by SAP colleague, Martina
Join our RISE with SAP community here
Join our SAP Single Sign-On community here
Join our BTP Security community here
Google Cloud Identity integration with SAP Cloud Identity Services, by SAP colleague, Alexander Zubev
A SSO Guide for SAP RISE PCE customers, by SAP colleague, Matthias
SAP Lens - AWS Well-Architected Framework, by AWS official website
SSO with SAML 2.0: how does it work, by VMware Youtube Channel

      2 Comments

      Renan Ceguinato

      Fantastical Ke Ma, one of the best SSO blogs I've ever read here in the community.

      Thank you so much for sharing the knowledge down to the smallest detail.

      Ke Ma
      Blog Post Author

      Thank you Renan Ceguinato. I'm very glad you like it, and thank you for the compliment. There will be a deep dive blog for SSO on the server side as a follow-up for this one. Stay tuned!
      Our Cloud RISE CAA RA group is doing community service by creating this blog series. More is on the way.  🙂