updated date: 15.Jul.2023

Security is one of the top priorities for enterprise customers. For enterprise end users, having a seamless log-in process to different systems automatically without manually inputting credentials, can not only improve user experience but also increase enterprise security. With that being said, SSO plays a key role in the process.

In this article, we are addressing scenarios where RISE with SAP Private Cloud Edition customers (their SAP workloads managed by SAP on hyperscalers or SAP DC) run in multi-cloud environments, and have more than one enterprise IDP. With this setup, how they can both federate SOO within their SAP landscape with SAP IDPs and security solutions, meanwhile can also harmonize SSO and security workflow management with other third-party IDPs (like, Azure AD). Meaning that each IDP for its own purpose can keep its autonomy, and can still be federated to a certain extent on demand.

In this article, we mainly focus on direct client-to-server SSO scenarios.

A follow-up blog with regard to SSO on the server side can be found here, ‘Demystify Single Sign-On on Server Side for SAP RISE Customers‘.

Terminologies and Abbreviations

Fig. 1: SSO process roles and responsibilities

Architecture Design

In this section, we will first go through the SAP IDPs and IDMs used for SAP landscape SSO federation, and will also list the major SAP products SSO integration. Then by following, we will consider RISE with SAP Private Cloud Edition customers in multi-cloud environments, then propose the ‘Security Hub and Spoke’ concept which can do SSO harmonization in such setups.

SAP SSO Federation for SAP Workforce (SAP IDPs & IDMs integration with SAP SPs):

List of SAP Identity Provider Solutions:

SAP Identity Management Solutions:

SAP IDMs provide you enterprise-level IAM workflow management, identity lifecycle management, access governance and audition.

List of Major SAP Solutions SSO integration guide:

* Please note that the below list is not able to list all SAP products and all integration scenarios, more support could be found on SAP official documentation.

SAP SSO Harmonization with third-party SSO:

In a multi-cloud environment, there could be multiple identity providers (IDP), each IDP is designed for its own purpose with native integration with its own cluster of service providers.

Enterprise customers can always directly configure trust between SAP IDP (BTP CIS) and hyperscaler IDPs. For detailed guidance or tutorials, please consult hyperscaler providers (Microsoft, Amazon, or Google). Here we do a short review based on the hyperscaler documentation from hyperscaler providers’ websites (see Fig. 2, 3, 6).

As most enterprise customers use Microsoft Office 365 and might already have Azure AD in place, hence we propose the ‘Security Hub and Spoke’ architecture. We suggest using Microsoft Azure AD as the ‘hub’ for SSO harmonization, then SAP IDP and other hyperscaler IDPs will play as ‘spoke’ in the multi-cloud landscape. (see Fig. 2, 4, 5)

In cases where customers use Google G-Suite instead, customers can still build trust between SAP IDP and Google IDP. (see Fig. 6)

With these setups, each IDP will keep its autonomy, while still having the ‘trust’ harmonized and having the sync in place.

Fig. 2: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is Azure, as an example)

Fig. 3: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is AWS, as an example)

Fig. 4: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is AWS & Azure, as an example)

Fig. 5: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is GCP & Azure, as an example)

Fig. 6: Architecture Design for RISE PCE customers doing Harmonized SSO in Multi-Cloud Environment (customer’s own hyperscaler is GCP, as an example)

Disclaimer:

• SAP takes no responsibility for managing and operating customers’ own data center, nor for customers’ own hyperscaler subscription
• SAP takes no responsibility for provisioning and managing customers’ SSO
• SAP product information is based on SAP official documentation online, as of this blog’s updated date of time.
• The architecture designs that appeared in this blog, have been considered with each hyperscalers’ (Azure, AWS, GCP) reference architecture from hyperscalers providers’ (Microsoft, Amazon, and Google) official documentation online, as of this blog’s updated date of time.

Acknowledgment to contributors/reviewers/advisors:

Ke Ma (a.k.a. Mark), co-author, Senior Consultant, SAP IES AI CoE / RISE Cloud Advisory RA group

Frank Gong, co-author, Digital Customer Engagement Manager, SAP ECS

Stephan Andre, SAP BTP Security, Development Manager

Tommaso Nuccio, Security Architect, SAP IES Security

Yash Karia, SAP IAM Consultant, SAP IES Platform

Sven Herzog, SAP IAM Consultant, SAP IES Platform

Kevin Flanagan, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, EMEA North

Luc DUCOIN, Cloud Architect & Advisor, RISE Cloud Advisory

Richard Traut, Cloud Architect & Advisor, RISE Cloud Advisory

Sven Bedorf, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, MEE

Extended Reading:
Demystify Single Sign-On on Server Side for SAP RISE Customers
SAP Secure Login Service for SAP GUI Now Available, by SAP colleague, Martina
Join our RISE with SAP community here
Join our SAP Single Sign-On community here
Join our BTP Security community here
Google Cloud Identity integration with SAP Cloud Identity Services, by SAP colleague,
Alexander Zubev
A SSO Guide for SAP RISE PCE customers, by SAP colleague, Matthias
SAP Lens - AWS Well-Architected Framework, by AWS official website
SSO with SAML 2.0: how does it work, by VMware Youtube Channel