Technical Articles
Harmonized Single Sign-On for SAP RISE customers in Multi-Cloud Environment
updated date: 9.May.2023
Security is one of the top priorities for enterprise customers. For enterprise end users, having a seamless log-in process to different systems automatically without manually inputting credentials, can not only improve user experience but also increase enterprise security. With that being said, SSO plays a key role in the process.
In this article, we are addressing scenarios where RISE with SAP Private Cloud Edition customers (their SAP workloads managed by SAP on hyperscalers or SAP DC) run in multi-cloud environments, and have more than one enterprise IDP. With this setup, how they can both federate SOO within their SAP landscape with SAP IDPs and security solutions, meanwhile can also harmonize SSO and security workflow management with other third-party IDPs (like, Azure AD). Meaning that each IDP for its own purpose can keep its autonomy, and can still be federated to a certain extent on demand.
In this article, we mainly focus on direct client-to-server SSO scenarios.
A follow-up blog with regard to SSO on the server side can be found here, ‘Demystify Single Sign-On on Server Side for SAP RISE Customers‘.
Terminologies and Abbreviations
Single Sign-On (short as SSO) |
|
Identity Provider (short as IDP) |
|
Service Provider (short as SP) |
|
Identity Management (short as IDM) |
|
Identity and Access Management (short as IAM) |
|
Federated SSO |
|
Harmonized SSO [Highly Recommended] |
|
Fig. 1: SSO process roles and responsibilities
Architecture Design
In this section, we will first go through the SAP IDPs and IDMs used for SAP landscape SSO federation, and will also list the major SAP products SSO integration. Then by following, we will consider RISE with SAP Private Cloud Edition customers in multi-cloud environments, then propose the ‘Security Hub and Spoke’ concept which can do SSO harmonization in such setups.
SAP SSO Federation for SAP Workforce (SAP IDPs & IDMs integration with SAP SPs):
List of SAP Identity Provider Solutions:
Identity Provider Solution | Supported Method | Deployment |
SAP Cloud Identity Services – Identity Authentication |
SAML 2.0 OpenID Connect OAuth2 SPNEGO X.509 Social Sign-On |
Cloud Subscription on BTP |
SAP Single Sign-On 3.0 |
Kerberos SPNEGO X.509 SAML 2.0 |
SAP RISE managed VM |
SAP Identity Management Solutions:
SAP IDMs provide you enterprise-level IAM workflow management, identity lifecycle management, access governance and audition.
Identity Management Solution | Deployment |
SAP Cloud Identity Services | Cloud Subscription on BTP |
SAP Cloud Identity Access Governance | Cloud Subscription on BTP |
SAP Identity Management | SAP RISE managed VM |
SAP Access Control | SAP RISE managed VM |
List of Major SAP Solutions SSO integration guide:
* Please note that the below list is not able to list all SAP products and all integration scenarios, more support could be found on SAP official documentation.
SAP Product | SSO Method | Identity Provider |
SAP GUI | Kerberos | SAP Secure Login Service on BTP |
SAP Single Sign-On | ||
X.509 | SAP Single Sign-On | |
SAP Fiori | SAML | SAP Cloud Identity Services Fiori (for ABAP) SSO guide |
Kerberos/X.509/SAML2.0 | ||
SAP NetWeaver (web GUI) | SAML/OAuth | |
SAP Single Sign-On | ||
SAP HANA | Kerberos | |
SAML 2.0 | ||
SAP BTP (PaaS) | SAML/OAuth | BTP SSO guide |
SAP Analytics Cloud (PaaS) | SAML 2.0 | SAP Cloud Identity Services SAC SSO guide |
SAP SuccessFactors (SaaS) | SAML 2.0 | SAP Cloud Identity Services |
SAP Concur (SaaS) | SAML 2.0 / OpenID | SAP Cloud Identity Services |
SAP Ariba (SaaS) | SAML 2.0 / OpenID | SAP Cloud Identity Services |
SAP Fieldglass (SaaS) | SAML 2.0 | SAP Cloud Identity Services |
SAP C4C | SAML 2.0 / OpenID | SAP Cloud Identity Services |
SAP SSO Harmonization with third-party SSO:
In a multi-cloud environment, there could be multiple identity providers (IDP), each IDP is designed for its own purpose with native integration with its own cluster of service providers.
Enterprise customers can always directly configure trust between SAP IDP (BTP CIS) and hyperscaler IDPs. For detailed guidance or tutorials, please consult hyperscaler providers (Microsoft, Amazon, or Google). Here we do a short review based on the hyperscaler documentation from hyperscaler providers’ websites (see Fig. 2, 3, 6).
As most enterprise customers use Microsoft Office 365 and might already have Azure AD in place, hence we propose the ‘Security Hub and Spoke’ architecture. We suggest using Microsoft Azure AD as the ‘hub’ for SSO harmonization, then SAP IDP and other hyperscaler IDPs will play as ‘spoke’ in the multi-cloud landscape. (see Fig. 2, 4, 5)
In cases where customers use Google G-Suite instead, customers can still build trust between SAP IDP and Google IDP. (see Fig. 6)
With these setups, each IDP will keep its autonomy, while still having the ‘trust’ harmonized and having the sync in place.
Integration with Azure IDP (Azure AD) |
(see Fig. 2) |
|
|
Integration with AWS IDP (AWS IAM Identity Center) |
(see Fig. 3) |
|
|
(see Fig. 4) |
|
||
Integration with GCP IDP (Google Cloud Identity) |
(see Fig. 5) |
|
|
(see Fig. 6)
|
|
Fig. 2: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is Azure, as an example)
Fig. 3: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is AWS, as an example)
Fig. 4: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is AWS & Azure, as an example)
Fig. 5: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is GCP & Azure, as an example)
Fig. 6: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is GCP, as an example)
Disclaimer:
- SAP takes no responsibility for managing and operating customers’ own data center, nor for customers’ own hyperscaler subscription
- SAP takes no responsibility for provisioning and managing customers’ SSO
- SAP product information is based on SAP official documentation online, as of this blog’s updated date of time.
- The architecture designs that appeared in this blog, have been considered with each hyperscalers’ (Azure, AWS, GCP) reference architecture from hyperscalers providers’ (Microsoft, Amazon, and Google) official documentation online, as of this blog’s updated date of time.
Acknowledgment to contributors/reviewers/advisors:
Ke Ma (a.k.a. Mark), co-author, Senior Consultant, SAP IES AI CoE / RISE Cloud Advisory RA group
Frank Gong, co-author, Digital Customer Engagement Manager, SAP ECS
Stephan Andre, SAP BTP Security, Development Manager
Tommaso Nuccio, Security Architect, SAP IES Security
Yash Karia, SAP IAM Consultant, SAP IES Platform
Sven Herzog, SAP IAM Consultant, SAP IES Platform
Kevin Flanagan, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, EMEA North
Luc DUCOIN, Cloud Architect & Advisor, RISE Cloud Advisory
Richard Traut, Cloud Architect & Advisor, RISE Cloud Advisory
Sven Bedorf, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, MEE
Samuel Grevillot, Customer Engineer, Google
Ferry Mulyadi,Partner Solution Architect, Amazon Web Services
Extended Reading: Demystify Single Sign-On on Server Side for SAP RISE Customers SAP Secure Login Service for SAP GUI Now Available, by SAP colleague, Martina Join our RISE with SAP community here Join our SAP Single Sign-On community here Join our BTP Security community here Google Cloud Identity integration with SAP Cloud Identity Services, by SAP colleague, Alexander Zubev A SSO Guide for SAP RISE PCE customers, by SAP colleague, Matthias SAP Lens - AWS Well-Architected Framework, by AWS official website SSO with SAML 2.0: how does it work, by VMware Youtube Channel
Fantastical Ke Ma, one of the best SSO blogs I've ever read here in the community.
Thank you so much for sharing the knowledge down to the smallest detail.
Thank you Renan Ceguinato . I'm very glad you like it, and thank you for the compliment. There will be a deep dive blog for SSO on the server side as a follow-up for this one. Stay tuned!
Our Cloud RISE CAA RA group is doing community service by creating this blog series. More is on the way. 🙂