SAP BTP Security Dec 2021

SAP Business Technology Platform

Security
Allan van Lelyveld, SAP

PUBLIC
Housekeeping rules

▪ This session is being recorded.
▪ The audio and video functionality for the attendees has been turned off for privacy reasons.
▪ Attendees can use the Q&A panel to ask questions.

© 2021 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC


About the speaker

Allan van Lelyveld
Solution Advisor Expert | SAP Business Technology Platform

Allan is a lead in the security focus program in the P&T team in the Intelligent Adoption & Consumption Center. Allan has deep expertise in the security topics relating to SAP Business Technology Platform in hybrid landscapes.


You know the challenge – breaches are increasing
World’s largest data breaches and hacks (chart of breaches by year, 2009–2014 and 2015–2019 plus latest; image not reproduced)
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Security Operations Map

(Grid, read by layer; each cell is one security topic.)
Organization: Awareness | Security Governance | Risk Management
Process: Regulatory Process Compliance | Data Privacy & Protection | Audit & Fraud Management
Application: User & Identity Management | Authentication & Single Sign-On | Roles & Authorizations | Custom Code Security
System: Security Hardening | Secure SAP Code | Security Monitoring & Forensics
Environment: Network Security | Operating System & Database Security | Client Security


SAP Governance, Risk, Compliance (GRC) and Security Solutions

Enterprise Risk & Compliance
▪ Manage risks, controls, and regulatory requirements in business operations
▪ Screen third parties and detect anomalies and fraud
▪ Provide independent assurance of risk and compliance standards
Solutions: SAP Process Control; SAP Risk Management; SAP Audit Management

Identity & Access Governance
▪ Manage access for enterprise applications – cloud or on-premise
▪ Manage identities, authorized information access, and data use
▪ Eliminate excessive logins with single sign-on
Solutions: SAP Access Control; SAP Cloud Identity Access Governance; SAP Single Sign On; SAP Cloud Identity Services – Identity Authentication; SAP Identity Management; SAP Cloud Identity Services – Identity Provisioning

Cybersecurity, Data Protection & Privacy
▪ Manage cyber risk with greater alignment to information security standards
▪ Identify potential cyber threats and vulnerabilities in applications
▪ Secure files and data using transportable policies and encryption
Solutions: SAP Enterprise Threat Detection; SAP Privacy Governance; SAP Customer Data Cloud; SAP Data Custodian; UI masking for SAP

International Trade Management
▪ Manage import and export compliance as well as free trade agreements in global supply chains
Solutions: SAP Global Trade Services; SAP S/4HANA for international trade; SAP Watch List Screening


SAP Identity & Access Governance Traditional vs Cloud

Where are we Coming From? On-Premise / Private Cloud (diagram not reproduced)

Where Are We Today? On-Premise / Private Cloud plus Public Cloud (diagram not reproduced)


Cloud Security Strategy Things to Consider

Identify Personas
▪ Employees
▪ Partners
▪ Customers
▪ Contractors

Security Requirements for each persona
▪ Seamless Authentication
▪ Multi Factor Authentication
▪ Geo Access Limitation
▪ Access Control

End to End Role Design from Cloud to on-premise
▪ Role Based access
▪ Role Mapping – Cloud & On-premise
▪ Automated Hire to Retire process

Authentication and Access Flows
▪ Identity Store
▪ User’s authentication Journey


Enterprise Security Services
Security for the Cloud Age

(Overview diagram, read by area.)

Hybrid Identity and Access Management
• SAP Access Control | SAP Single Sign-On | SAP Identity Management
• SAP Cloud Identity Access Governance
• SAP Customer Data Cloud

Insight
• SAP Data Custodian
• SAP Trust Center

Risk & Compliance
• SAP Business Technology Platform: Data Retention Manager
• Security Partners

Secure Development Services (SAP Business Technology Platform)
❑ Authorization
❑ Custom Domain
❑ Credential Store
❑ Connectivity and Destination Service
❑ Malware Scanning Service
• Cloud Application Programming Model (CAP)
• SAP Audit Log
• SAP Cloud Connector

Cloud Identity Services (SAP Cloud Identity Services)
❑ Identity Authentication
❑ Identity Provisioning


Secure Development Services
SAP Business Technology Platform
Authorization

Authorization Service is the central service in SAP Business Technology Platform for authorization. It allows you to confine access to eligible persons or system users. Primary use cases are the authorization of business users and system-to-system authorization and authentication. Authorization Service is also known as XSUAA (Extended Services for User Account and Authentication, SAP's extension of the Cloud Foundry UAA).

(Diagram: Internet → Business User → App Router → Your Application on the Business Technology Platform; the Authorization Service (XSUAA) trusts SAP Cloud Identity Services (IAS) as identity provider.)

Key capabilities
▪ Authorization of business users
▪ Authentication and authorization of system-to-system communication
▪ Use of standards like SAML, OAuth 2.0 and JWT tokens

Benefits
▪ Integration with a SAML Identity Provider (IdP) from SAP (IAS) or non-SAP


SAP Business Technology Platform
Authorization & User Management

Key capabilities
▪ Authorization management support for platform and business users within our different environments
▪ Configurable authorization assignments to users defined within the SAP Business Technology Platform cockpit or assigned during runtime with identity federation supported by the SAML 2.0 standard
▪ Structured authorization assignments with support of role collections

Benefits
▪ Flexible authorization management
▪ Fast implementation of authorization management

(Diagram: a Role Collection is assigned to a User by static or federated assignment; Roles are assigned to the Role Collection by static assignment.)


SAP Business Technology Platform
Federated Role Assignment

(Diagram.) Users in Department “Sales” receive Role Collection “Sales” (containing Role “Manager” and Role “AccountExec”) through a mapping rule on the “Groups” attribute. Users in Department “Controlling” receive Role Collection “Finance” (containing Role “Controller”) through a mapping rule on the “Groups” attribute. The role collections are defined in the Business Technology Platform subaccount; the group membership comes from the identity provider's assertion.
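How a federated role-collection mapping of the kind in the Sales/Finance diagram resolves group attributes into role collections, as an added example rather than SAP's implementation. The rule shape (attribute, operator, value, role collection) follows what the subaccount cockpit lets you configure; the operator semantics, the attribute values and the role collection contents are this example's own constructed data.

```javascript
// Added example, not SAP code: resolving role collections from the "Groups"
// attribute of a SAML assertion, as in the Sales/Finance diagram above. The
// rule shape (attribute, operator, value) follows the cockpit's role
// collection mappings; the operator semantics are this example's assumption.
const ROLE_COLLECTIONS = {
  Sales: ['Manager', 'AccountExec'],
  Finance: ['Controller'],
};

// One rule per role collection: assign it when <attribute> <operator> <value>.
const MAPPING_RULES = [
  { attribute: 'Groups', operator: 'equals', value: 'Sales', roleCollection: 'Sales' },
  { attribute: 'Groups', operator: 'equals', value: 'Controlling', roleCollection: 'Finance' },
];

// SAML attributes can be single- or multi-valued; normalise to an array of strings.
function attributeValues(attributes, name) {
  const v = attributes[name];
  if (v === undefined || v === null) return [];
  return (Array.isArray(v) ? v : [v]).map(String);
}

function ruleMatches(rule, values) {
  switch (rule.operator) {
    case 'equals': return values.some((v) => v === rule.value);
    case 'contains': return values.some((v) => v.includes(rule.value));
    default: throw new Error(`unknown operator ${rule.operator}`);
  }
}

// attributes: { Groups: ['Sales', 'AllEmployees'], ... } as extracted from the assertion.
function resolveRoleCollections(attributes, rules = MAPPING_RULES) {
  const assigned = new Set();
  for (const rule of rules) {
    if (ruleMatches(rule, attributeValues(attributes, rule.attribute))) assigned.add(rule.roleCollection);
  }
  return [...assigned];
}

// Flatten role collections to the roles the application will see for this user.
function effectiveRoles(attributes, rules = MAPPING_RULES) {
  return resolveRoleCollections(attributes, rules).flatMap((rc) => ROLE_COLLECTIONS[rc] || []);
}

// A loose "contains" rule, kept here to show why exact matching is the safer default:
// a user whose only group is "PreSales" would also be given the "Sales" role collection.
const LOOSE_RULES = [
  { attribute: 'Groups', operator: 'contains', value: 'Sales', roleCollection: 'Sales' },
];

console.log(effectiveRoles({ Groups: ['Sales', 'AllEmployees'] }));
console.log(resolveRoleCollections({ Groups: ['PreSales'] }, LOOSE_RULES));
```

Two points carry over to the real configuration: the attribute name must match exactly what the corporate IdP emits (a `groups` versus `Groups` mismatch silently assigns nothing), and substring operators over-match group names, so prefer exact values for anything that grants privileged roles.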


SAP Cloud Connector
Business Technology Platform

The SAP Cloud Connector establishes a secure, TLS-encrypted tunnel between the SAP Business Technology Platform and on-premise systems. It runs as an agent inside the corporate network and acts as a reverse-invoke proxy rather than a network-level VPN: only the resources explicitly listed in its access control lists are reachable from the cloud.

(Diagram: cloud application → Connectivity service → SAP Cloud Connector in the corporate network → on-premise application.)

Key capabilities
▪ Fine grained access control lists of allowed cloud and on-premise resources
▪ Fine grained audit logging for traceability
▪ Principal propagation from cloud to on-premise
▪ Trust relation with on-premise system based on X.509 certificates

Benefits
▪ No change in the existing corporate firewall configuration is needed.
▪ Initiates encrypted connections from inside the on-premise network to the cloud application
▪ Firewall and DMZ remain unchanged

Blog: Cloud Connector Setup


SAP Business Technology Platform
Connectivity and Destination Service

SAP Business Technology Platform Connectivity allows cloud applications running on the SAP BTP to access remote services securely that run on the Internet or on-premise.

(Diagram: User → web apps on the Business Technology Platform → Destination 1 / Destination 2 → Internet service 1 / Internet service 2, via the Connectivity service.)

Key capabilities
▪ Consume APIs and data provided by any Internet service via HTTP(S) using destinations
▪ Consume APIs, data and users provided by on-premise systems via HTTP, RFC, or even TCP using destinations and the Cloud Connector

Benefits
▪ Separation of concerns (connection details and credentials live in the destination, not in application code)
▪ Security
▪ Reusability
▪ Access via Tools
SAP Business Technology Platform
Principal propagation

Principal propagation allows seamless access to resources without needing to provide the identity every time. Users can be verified against the called system using principal propagation. The called system can be another cloud or on-premise solution. Depending on the solution, different scenarios are used.

(Diagram: BTP Subaccount → BTP Subaccount, the user's identity forwarded with the call.)

Scenarios
▪ CF app to CF app
▪ CF app to on-premise SAP system
▪ CF app to 3rd party cloud app
▪ CF app to SAP Cloud solution


SAP Business Technology Platform
Credential Store

SAP Business Technology Platform Credential Store service provides a secure repository for credentials (passwords, keys) to the applications hosted on SAP BTP. Customers can use them in various cryptographic operations such as signing and verifying digital signatures, encrypting and decrypting messages, and performing TLS communication.

(Diagram: Your Application in the SAP BTP subaccount calls the Credential Store service, which is backed by a Key Management Service; space developers manage it via the cockpit, the service broker or the CLI.)

Key capabilities
▪ Secure storage of data objects ensuring confidentiality and integrity
▪ Secure key management, such as storage, exchange, use and deletion
▪ Audit logs are written in the customer subaccount

Benefits
▪ Compliance to several standards can be achieved
▪ Keys can be shared between interconnected applications

Read more: http://bit.ly/CredentialStore
SAP Business Technology Platform
Malware Scanning

SAP BTP Malware Scanning Service provides the possibility to scan unstructured data before storage in the SAP BTP platform environment.

Key capabilities
▪ Internal service used by various SAP applications
▪ Scanning of documents
▪ Scans are limited to the tenants they serve

Benefits
▪ Secure SAP applications, like the SAP Documents Center, on the SAP BTP
▪ Nearly no performance impact for the SAP BTP landscape


SAP Audit Log

SAP Business Technology Platform Audit Log Service records security-related system information such as user record changes and unsuccessful logon attempts. Records that are considered relevant for auditing can be retrieved by the customer's SIEM* system via the audit log retrieval API.

Key capabilities
▪ Protected against unwanted access
▪ Keeps a record of security-related activities
▪ Provides a REST-based retrieval API
▪ Audit Log Viewer for platform and customer auditors

Benefits
▪ Recording of audit relevant activities
▪ Providing a higher level of transparency
▪ Enables the reconstruction of a series of events

*SIEM = Security Information and Event Management

(Diagram: Business Technology Platform → Audit Log Retrieval API → customer SIEM.)


SAP Cloud Application Programming Model

SAP Cloud Application Programming Model (CAP) is an integrated framework of tools, languages, and libraries for building extension applications in a full-stack development approach.
Build multi-tenant enabled extensions using CAP and be guided by best practices so you can focus on your domain expertise.

Benefits
• Efficient and rapid development
• Minimal complexity of models and code
• No lock-in to specific language, DB and tools
• Full-stack development from persistence to UI
• Cloud native platform services integration
• 1st-class support for S/4HANA extension scenario
• Built-in security qualities


SAP Business Technology Platform
Encryption at Rest - Persistent Storage on Cloud Foundry

SAP BTP uses the storage encryption of the persistence services used from the IaaS layer underlying the SAP BTP. This is configured in the respective IaaS accounts used by SAP BTP. Keys are managed by the IaaS layer and protected by its means.

Encryption can be added by SAP BTP services using the persistence services. Encrypted backups are stored in a persistence using a strong encryption algorithm. All these keys are stored in a key management service provided by the underlying IaaS layer.

▪ AWS encryption
▪ Azure encryption
▪ GCP encryption
Data Encryption Strategy (help.sap.com)

(Diagram: SAP Business Technology Platform service stack and responsibility boundaries.)
Scope of the service-providing SAP or other organisation: Applications
Scope of SAP certifications and attestations: App services; DB services (Service Fabrik with MongoDB, PostgreSQL, RabbitMQ, Redis; Object Store service); OS management; Orchestration and account configuration; Administration platform & API management
Scope of IaaS provider certifications & attestations (AWS, Azure, GCP): Block Store; Blob Store; provide HW incl. setup; provide DC facility


SAP Business Technology Platform
Encryption in Transit - Transport Layer Security (TLS) Connectivity Support

SAP Business Technology Platform uses encrypted communication channels based on HTTPS/TLS.

All platform regions launched before the 1st of July 2018 support all three versions of the TLS protocol: 1.0, 1.1, and 1.2. See Regions.

Platform regions launched after July 2018 support only the more secure TLS version 1.2.

Note that TLS 1.0 and 1.1 have since been formally deprecated by the IETF (RFC 8996, March 2021). In an older region, the platform accepting those versions does not mean your application should: restrict your own endpoints and outbound destinations to TLS 1.2 or later and verify the result with a scanner rather than relying on the regional default.

(Diagram: TLS between clients and applications on the Business Technology Platform.)


Insight
SAP Cloud Trust Center

The SAP Cloud Trust Center is a public-facing website on sap.com, designed to provide unified and easy access to cloud trust-related content where users can initiate requests, engage with SAP, and collect all the assets and information they need.
▪ Delivers transparency on SAP cloud-related processes
▪ Trusted source, where users can initiate requests and engage with SAP
▪ Easy access to SAP cloud-related documents, certificates, and contracts

www.sap.com/cloud-trust-center

Sections of the Trust Center:
▪ Cloud Service Status: availability data of our cloud services showing the current live status
▪ Security: measures to ensure SAP Cloud security
▪ Data Center: virtually and physically protected data with state-of-the-art technologies
▪ Data Protection and Privacy: SAP respects and protects the rights of individuals
▪ Compliance: shows the vast variety of ISO/BS, as well as certificates
▪ Agreements: overview of the building blocks of an SAP Cloud contract


SAP Cloud Identity Services
Identity Authentication and Identity Provisioning
SAP Identity Management and Access Governance Solutions
Overview

Identity Management (setting the stage): Identity Provisioning; SAP Identity Management
Governance, Risk & Compliance: SAP Cloud Identity Access Governance; SAP Access Control
Authentication & Single Sign-on (accessing the applications): Identity Authentication; SAP Single Sign-On


SAP Cloud Identity Services
Overview

(Diagram.) The end user authenticates at Identity Authentication, which delegates authentication to the corporate identity provider where one exists, and receives authentication and single sign-on to the SAP cloud business applications (SAP S/4HANA, SAP BTP, SAP C/4HANA, SAP SuccessFactors). Identity Provisioning reads the corporate user store and performs identity lifecycle management towards those applications.


SAP Cloud Identity Services - Identity Authentication
Identity provider for SAP’s cloud-based business applications

SAP Cloud Identity Services - Identity Authentication enables single sign-on for SAP’s cloud-based business applications, with two usage options

1. As IdP proxy for a seamless, flexible integration with customers’ existing IAM infrastructure
▪ Simple central configuration
▪ Flexible configuration options

2. As the landscape-wide identity provider
▪ Secure authentication with multiple factors
▪ User management and self-services
▪ Pre-configured trust configuration


SAP Cloud Identity Services
Identity Authentication

(Diagram, read left to right.)
Business user → Identity Authentication → SAP and non-SAP business applications via SAML or OpenID Connect.
Authentication methods in Identity Authentication: username/password; X.509; Kerberos / SPNEGO; 2FA (TOTP, WebAuthn, RSA, SMS).
Identity federation: corporate identity provider (3rd party IdP, Microsoft ADFS / Azure) via SAML.
Corporate user store: on-premise user store (AS ABAP, MS Active Directory, LDAP) reached through the Cloud Connector.


Based on open security standards

Interoperable with all applications supporting the SAML* 2.0 standard or OpenID Connect (OIDC)

(Diagram: the user authenticates at Identity Authentication; cloud applications are connected via SAML or OIDC, on-premise applications via SAML, and the corporate identity provider via SAML.)

*SAML = Security Assertion Markup Language
Delegated authentication
Identity Authentication as a proxy to a corporate identity provider (IdP)

Identity provider proxy
▪ Authentication is delegated to the corporate identity provider login
▪ Reuse of existing single sign-on infrastructure
▪ Easy and secure authentication for employee scenarios
▪ Federation based on the SAML 2.0 standard
▪ System applications supported as well

(Diagram: Applications ↔ Identity Authentication ↔ (SAML) Corporate Identity Provider ↔ User.)


Delegated authentication
Federation, proxy or both?

Enriching the assertion
▪ Original assertion from the corporate identity provider is enriched with additional attributes
▪ Mix of attribute values coming from the corporate IdP and the local user store
▪ Users don’t need to exist in local user store
▪ Enables hybrid scenarios such as authenticate via corporate IdP but manage groups via Identity Authentication

(Diagram: the corporate identity provider's SAML assertion carries "User: John"; Identity Authentication forwards to the applications a SAML assertion carrying "User: John, Groups: Admin", the group taken from its own user store.)


Delegated authentication
Authentication with an on-premise user store

On-premise user store
▪ User credentials from:
  • Active Directory (through LDAP)
  • AS ABAP (through SCIM*)
▪ No user replication to the cloud required
▪ Internal network ports do not need to be exposed to the Internet
▪ In addition: usual Identity Authentication product features can be used:
  ▪ UI configuration, policies, two-factor authentication

(Diagram: User → Applications → Identity Authentication → Cloud Connector → LDAP → Active Directory.)

* requires AS Java + SAP Single Sign-On (which enables SCIM interface)


Delegated authentication
Re-use of Windows Domain Authentication (SPNEGO)

SPNEGO* authentication
▪ Users authenticated with Microsoft Active Directory enjoy single sign-on to cloud applications without re-authentication
▪ Reuse of existing corporate identity infrastructure
▪ Secure authentication and SSO for cloud and on-premise web applications

(Diagram: the user obtains a Kerberos token from Active Directory and presents it via SPNEGO to Identity Authentication, which signs the user on to the applications.)

*SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism


Delegated authentication towards multiple identity providers
Conditional authentication

(Diagram.) Identity Authentication selects the identity provider per login based on conditions such as membership of a user group, IP-address range, email domain and user type:
▪ Partners → Partner Identity Providers
▪ Employees → Corporate Identity Provider
▪ Externals → Identity Authentication itself (local user store)


Delegated authentication towards multiple identity providers
IdP-initiated authentication

Identity Authentication as a proxy to multiple IdPs
▪ Secure your business network and allow partner users to log in via their corporate IdP
▪ Authentication is initiated by the corporate IdP
▪ Upon successful authentication, a check for correct user group assignment can be configured (optional)
  • Sync of users from IdPs to groups in Identity Authentication is required

(Diagram: users log on at IdP 1 or IdP 2; each IdP initiates the SAML flow towards Identity Authentication, which forwards the user to the Application.)


Identity Authentication: Configuration characteristics
Proxy IdP - Influencing ultimate result of authentication process

In the proxy relationship, the proxy IdP can have an influence over the ultimate result of the authentication process.

For example, in an Identity Federation set-up, the SAML response may contain attributes not just from the Corporate IdP, but also from the proxy IdP. The proxy IdP may have the final word on whether the authentication process ultimately succeeds or fails.

There are several levels of identity federation configuration (see next slide).


Identity Authentication: Configuration characteristics

Proxy IdP - Identity Federation

There are three IAS configuration settings to consider when integrating a Corporate IdP – these are defined on the Identity Provider level and affect all Service Providers associated with the given Corporate IdP:
▪ Use Identity Authentication Store:
  • User attributes can be taken from the corporate IdP assertion or from the Identity Authentication user store.
▪ Allow Identity Authentication users only
  • When enabled, only the users that exist in IAS can access the application.
▪ Apply Application Configurations
  • When enabled, the custom application configurations for authentication and access policies are applied. This is required to utilise Risk-Based Authentication.


Identity Authentication patterns

Authentication patterns:

IAS as Proxy only
▪ IAS acting purely as Identity Provider proxy, with the Corporate IdP as ultimate authentication authority.

IAS as Proxy with Federation (No local users)
▪ IAS as an Identity Provider proxy, with the Corporate IdP as ultimate authentication authority.
▪ However, certain user attributes (within the SAML assertion response) are sourced from the IAS user record (where available).

IAS as Proxy with Federation (Local users only)
▪ IAS acting as Identity Provider proxy, with the Corporate IdP as ultimate authentication authority.
▪ However, all users have a user record in the IAS local user store.
▪ With this configuration, Risk-Based Authentication (RBA) can be used, based on user record attributes in IAS.

IAS as an IdP
▪ IAS acting as ultimate Identity Provider, based on user record attributes in IAS.
▪ Risk-Based Authentication (RBA) is also possible in this case.


Delegated authentication
Benefits of Identity Authentication Service in proxy mode

Central SSO endpoint for all SAP cloud applications
▪ Single trust configuration to customer’s corporate identity provider
▪ Easy to set up for customers
▪ Pre-configured or semi-automated trust configuration for SAP cloud applications
▪ Choice between SAML and OpenID Connect, incl. protocol conversion towards SAP applications
▪ One SSO session for all SAP cloud applications with the option to enforce separate access control policies
▪ Single audit log for authentication/SSO for all SAP cloud applications

Extended configuration and security settings
▪ Service provider specific attribute mapping/rewriting and assertion enrichment without the need to adjust the corporate identity provider
▪ Easy separation mechanism for multiple user stores (internal, external users, employees)
▪ Flexible configuration where to validate user’s credentials
▪ Risk-based authentication with the option to enforce stronger means of authentication
Authentication options

Basic authentication
▪ User ID / email and password

Client certificates
▪ X.509

Re-use of Windows Domain logon
▪ Use of Kerberos token for single sign-on

Two-factor authentication
▪ Second factor via soft-tokens
▪ Second factor via Web Authentication
▪ Second factor via Radius*
▪ Second factor via SMS**

Delegated logon
▪ Social IdPs
▪ Corporate IdP

(Diagram: User → Identity Authentication (logon with password, or with a one-time code) → Applications.)

*Radius support enabled upon request
**SMS requires the license of SAP Authentication 365
Custom password policy configuration

Custom password policies can be configured (screenshot not reproduced).


Two-factor authentication options

Authentication with one-time passwords (OTP)
▪ Provide two means of identification
▪ OTP required for login in addition to password or security token
▪ Second factor for high security scenarios

Via soft tokens
▪ OTP (6-digit) created on mobile device
▪ SAP Authenticator – available for iOS, Android, and Windows
▪ RFC 6238 compatible (compatible with Authenticator apps from Google and Microsoft)

Via SMS
▪ OTP sent as a message to the mobile phone of a user
▪ Requires SAP Authentication 365

Via Radius
▪ Code generated via Radius-supported devices
▪ Activation upon request


Control access to the application – risk-based authentication

(Diagram.) Identity Authentication evaluates rules over the following inputs and returns one of three outcomes for the application:
Inputs: member of user group; authentication method; IP-address range; user type; assignment to application; self-registered?; email verified?
Outcomes: Allow; 2-factor authentication required; Deny

Supports both local authentication and IdP proxy

Control access to the application (example 1)
Rule: user type “employee” → Allow

Control access to the application (example 2)
Rule: member of user group “Admin” and IP-address range “10.55.0.0/16” → 2-factor authentication
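The two rule examples above, carried through as an ordered rule set with the same inputs (user group, IP range, user type, authentication method, self-registration and email verification), as an added example and not the Identity Authentication implementation. The rule shape, the first-match ordering, the fail-closed default and the login contexts are this example's own assumptions; the CIDR check is written out so the 10.55.0.0/16 condition can be exercised offline.

```javascript
// Added example, not SAP code: an ordered rule set over the inputs shown on
// the risk-based authentication slides (group, IP range, user type,
// self-registration, email verification). First matching rule wins; the rule
// shape and the default are this example's assumptions, not the IAS implementation.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// CIDR membership test, e.g. inCidr('10.55.3.7', '10.55.0.0/16') === true.
function inCidr(ip, cidr) {
  const [network, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

// Rules are evaluated top to bottom; the first rule whose conditions all hold decides.
const RULES = [
  { name: 'admins from the corporate network must use 2FA', group: 'Admin', ipRange: '10.55.0.0/16', action: 'twoFactor' },
  { name: 'admins from anywhere else are denied', group: 'Admin', action: 'deny' },
  { name: 'self-registered users without a verified email are denied', selfRegistered: true, emailVerified: false, action: 'deny' },
  { name: 'employees are allowed', userType: 'employee', action: 'allow' },
  { name: 'public users must use 2FA', userType: 'public', action: 'twoFactor' },
];
const DEFAULT_ACTION = 'deny'; // no rule matched: fail closed

function ruleApplies(rule, ctx) {
  if (rule.group !== undefined && !ctx.groups.includes(rule.group)) return false;
  if (rule.ipRange !== undefined && !inCidr(ctx.ip, rule.ipRange)) return false;
  if (rule.userType !== undefined && ctx.userType !== rule.userType) return false;
  if (rule.authMethod !== undefined && ctx.authMethod !== rule.authMethod) return false;
  if (rule.selfRegistered !== undefined && ctx.selfRegistered !== rule.selfRegistered) return false;
  if (rule.emailVerified !== undefined && ctx.emailVerified !== rule.emailVerified) return false;
  return true;
}

function evaluate(ctx, rules = RULES) {
  for (const rule of rules) {
    if (ruleApplies(rule, ctx)) return { action: rule.action, rule: rule.name };
  }
  return { action: DEFAULT_ACTION, rule: 'default' };
}

// Constructed login contexts (addresses are documentation ranges, not real clients).
const ADMIN_ON_LAN = { groups: ['Admin'], ip: '10.55.3.7', userType: 'employee', authMethod: 'password', selfRegistered: false, emailVerified: true };
const ADMIN_REMOTE = { ...ADMIN_ON_LAN, ip: '203.0.113.5' };
const EMPLOYEE = { groups: [], ip: '198.51.100.9', userType: 'employee', authMethod: 'password', selfRegistered: false, emailVerified: true };
const UNVERIFIED_PUBLIC = { groups: [], ip: '192.0.2.10', userType: 'public', authMethod: 'password', selfRegistered: true, emailVerified: false };

// Ordering matters: with the "employees are allowed" rule moved to the top, an
// admin logging in from the internet is allowed without 2FA.
const MISORDERED_RULES = [RULES[3], ...RULES.slice(0, 3), RULES[4]];

console.log(evaluate(ADMIN_ON_LAN));
console.log(evaluate(ADMIN_REMOTE, MISORDERED_RULES));
```

The misordered variant is the failure mode to test for when you edit a live rule set: a broad "allow" placed above a narrow "2FA" or "deny" rule silently removes the stronger requirement for everyone the broad rule covers.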


Protecting self-registration with Google reCAPTCHA / phone verification

Access protection for applications
▪ Protect the registration to applications from spam and abuse
▪ Prevent bots from automated fake user registrations to your websites
▪ Further information
  • Google reCAPTCHA
  • Phone verification


Branding and customization

Customization features
▪ Company logo
▪ Application name and logo
▪ Color style
▪ Full customization via CSS
▪ Terms of use & privacy policy, incl. IdP proxy
▪ Adjust UI texts via API
▪ Email templates

Product features
▪ Responsive UIs
▪ Multi-language support



Logon overlays in customer applications

Logon screen as an overlay (compared to a browser redirect that navigates away from the application)
▪ Can programmatically be integrated by the application
▪ Out-of-the-box integration for SAP Cloud Portal


SAP Cloud Identity Services - Identity Authentication
Value proposition for customers with existing IdP

Authentication
▪ All SAP Cloud applications can offer their users the same authentication mechanisms
▪ Identity Authentication acts as authentication broker
▪ Easy separation mechanism for multiple user stores
▪ Flexible configuration where to validate user’s credentials
▪ Risk-based authentication: configurable MFA enforcement

Single Sign-on
▪ Central SSO endpoint for all SAP Cloud applications
▪ Choice between SAML and OpenID Connect
▪ Service provider specific attribute mapping/rewriting and enrichment of assertions by corporate IdP
▪ Pre-configured or semi-automated trust configuration

Integrating SAP applications
▪ Common identity for users
▪ Unified way for user management
▪ Support for Zones to structure & protect a customer’s cloud landscape
▪ Data across applications can be correlated (precondition for central kernel services)
▪ Security Token Service for service based SSO (future scope)
▪ Authorization management (future scope)

Compliance
▪ Single audit log for authentication/SSO for all SAP Cloud applications


SAP Cloud Identity Services - Identity Provisioning
Employee lifecycle management in the cloud

▪ On-boarding: create user account; assign authorizations
▪ Position change: update authorizations
▪ Promotion: update user and authorizations
▪ Off-boarding: de-provision authorizations


SAP Cloud Identity Services - Identity Provisioning
Value Proposition

Identity and Access Management for the cloud and hybrid
▪ Identity lifecycle management for cloud-based business applications
▪ Integrated with SAP Identity Management for hybrid landscapes and with non-SAP IDM solutions using the SCIM* standard

Simple and agile solution with short time-to-value
▪ Developed with cloud qualities in mind
▪ Simple and agile on-boarding of users and applications

Openness and support of multi-vendor scenarios
▪ Support of industry standard protocol SCIM*
▪ Dedicated connectors for important 3rd party cloud platforms

(Diagram: Identity Provisioning retrieves user attributes from the corporate user store and provisions/deprovisions user attributes into the target applications.)

*SCIM = System for Cross-domain Identity Management
SAP Cloud Identity Services - Identity Provisioning
Management of identities & authorizations

(Diagram, left to right.)
User Store – cloud/on-premise source systems*: user repository, read through a user management API
SAP Cloud Identity Services – Identity Provisioning: source system connector → identity lifecycle management (manage groups & roles assignments) → target / proxy system connector
SaaS Business Applications – cloud target/proxy systems: user repository, written through a user management API


SAP Cloud Identity Services - Identity Provisioning
Capabilities of the transformation engine

Policy-based assignments
▪ Define rules for assignments based on the input data
▪ Take for example the value of an identity’s organizational unit to decide on the required roles

Mapping between identity models
▪ Map between attributes in different models, for example surname to family name
▪ Adjust the data format, for example for time- or number-formats

Filtering
▪ Decide in detail which objects shall be read or written

[Diagram: Source System -> Identity Provisioning -> Target System]
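The three transformation capabilities above (policy-based assignment, attribute mapping, filtering) together with the lifecycle events from the earlier slide (position change, off-boarding), as an added Python example that is not the Identity Provisioning service's own transformation format; the org-unit-to-role policy, the source attribute names and the record values are constructed.

```python
from typing import Optional

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Assumed policy: the identity's organizational unit decides the target roles.
ROLE_POLICY = {"FIN": ["Finance_Viewer"], "HR": ["HR_Admin"]}

# Constructed source record in a corporate-user-store style layout (not SCIM).
SOURCE_RECORD = {
    "userName": "jdoe", "surname": "Doe", "givenName": "Jane",
    "mail": "jane.doe@example.com", "orgUnit": "FIN",
    "employeeId": 104711,  # stored as a number; SCIM expects a string
    "status": "active",
}


def keep(record: dict) -> bool:
    """Filtering: only identities with a userName and a known status are read."""
    return bool(record.get("userName")) and record.get("status") in ("active", "inactive")


def transform(record: dict) -> Optional[dict]:
    """Map one source record to a SCIM 2.0 User; None means it was filtered out."""
    if not keep(record):
        return None
    # Off-boarding: an inactive source identity is written with active=false and
    # with every role assignment removed, which is how the target de-provisions it.
    active = record["status"] == "active"
    roles = ROLE_POLICY.get(record["orgUnit"], []) if active else []
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "userName": record["userName"],
        # Mapping between identity models: surname -> name.familyName
        "name": {"familyName": record["surname"], "givenName": record["givenName"]},
        "emails": [{"value": record["mail"], "primary": True}],
        "active": active,
        "groups": [{"display": r} for r in roles],  # policy-based assignment
        # Format adjustment: numeric employee id -> SCIM string employeeNumber
        SCIM_ENTERPRISE: {"department": record["orgUnit"],
                          "employeeNumber": str(record["employeeId"])},
    }


def lifecycle(changes: list) -> list:
    """Replay lifecycle events as deltas to the source record (on-boarding = {},
    position change = new orgUnit, off-boarding = status inactive)."""
    return [transform({**SOURCE_RECORD, **change}) for change in changes]
```

A position change to another org unit swaps the assigned roles, and an inactive status yields a user with no groups and active=false instead of simply dropping the record, so the target can revoke access rather than leaving a stale account.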



SAP Cloud Identity Services - Identity Provisioning
Identity Directory capabilities

Merging identities from multiple sources
▪ Read identity from one source, then add attributes from other sources before writing to target systems
▪ Configurable identifier to map corresponding records, with userName as the default

Directory with SCIM API access
▪ Identity Directory is an integrated capability of the Identity Provisioning Service
▪ Identity Directory can be configured to store and aggregate identity data in the cloud
▪ A SCIM 2.0 API allows you to programmatically access the identities inside the directory

[Diagram: Source System -> Identity Provisioning with Identity Directory -> Target System]
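Merging identities from several sources on a configurable identifier, and the SCIM 2.0 filter query that looks one of them up afterwards, as an added Python example that is not the Identity Directory's own code; the two source layouts, the records and the base URL are constructed.

```python
import json
from urllib.parse import quote

# Constructed records from two sources. The HR source is read first; the
# corporate directory only contributes attributes the HR record lacks.
HR_SOURCE = [
    {"userName": "jdoe", "department": "FIN", "active": True},
    {"userName": "asmith", "department": "HR", "active": True},
]
DIRECTORY_SOURCE = [
    {"userName": "jdoe", "emails": [{"value": "jane.doe@example.com"}], "active": False},
    {"userName": "ghost", "emails": [{"value": "nobody@example.com"}]},  # no HR record
]


def merge_identities(primary: list, *others: list, identifier: str = "userName") -> list:
    """Read identities from the primary source, then add attributes from the others.

    Records are matched on the identifier (userName by default). A record in a
    secondary source without a counterpart in the primary is not created, and an
    attribute already present in the primary record is never overwritten, so the
    source of record keeps authority over conflicting values such as "active".
    """
    merged = {rec[identifier]: dict(rec) for rec in primary if rec.get(identifier)}
    for source in others:
        for rec in source:
            target = merged.get(rec.get(identifier))
            if target is not None:
                for attr, value in rec.items():
                    target.setdefault(attr, value)
    return list(merged.values())


def scim_lookup_url(base_url: str, value: str, identifier: str = "userName") -> str:
    """Build GET <base>/Users?filter=<identifier> eq "<value>" (RFC 7644 filter).

    The compare value is emitted as a JSON string so embedded quotes are escaped,
    and the whole filter is percent-encoded for the query string.
    """
    scim_filter = f"{identifier} eq {json.dumps(value)}"
    return f"{base_url.rstrip('/')}/Users?filter={quote(scim_filter, safe='')}"
```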



SAP Cloud Identity Services - Identity Provisioning
Connector Types

Identity Provisioning Connector Types
▪ Source System Connectors
▪ Target System Connectors
▪ Proxy System Connectors
▪ Refer to the documentation for the list of supported IPS system connectors

[Diagram: Identity Provisioning retrieves user attributes from the Corporate User Store and provisions/deprovisions user attributes to the target applications]



SAP Cloud Identity Services - Identity Provisioning
Hybrid scenario: Extend SAP Identity Management using IPS

[Diagram, CLOUD: SAP Identity Management provisions users/groups to Identity Provisioning; the IPS System Connectors provision users/groups and perform business role/user attribute updates for the SAP Cloud Business Applications (SAP C/4HANA, SAP SuccessFactors, SAP S/4HANA, SAP BTP)]

[Diagram, ON-PREMISE: SAP Identity Management manages business roles and, through its IDM System Connectors, manages and provisions users/groups to the On-Premise Applications (SAP NetWeaver, 3rd Party, SAP S/4HANA, ...)]



SAP Cloud Identity Services - Identity Provisioning
Integration scenario: Extend 3rd Party IDM using IPS

[Diagram: the 3rd party IAM Solution provisions users/groups to Identity Provisioning; the IPS System Connectors provision users/groups and perform business role/user attribute updates for the SAP Cloud Business Applications (SAP C/4HANA, SAP SuccessFactors, SAP S/4HANA, SAP BTP). The IAM Solution manages business roles and, through its IAM System Connectors, manages and provisions users/groups to SAP and non-SAP Business Applications]



Putting it all Together
Example Landscape

[Diagram: example landscape with the labels Role Collection mapped to Users, Commerce Role mapped to Users, SuccessFactors Role mapped to Users, Principal Propagation, User Sync, Identity Management with Business Roles, SAP Business Suite (ABAP), SAP NetWeaver Java, User/Role Provisioning, User Authentication]



Key Offerings

▪ Join the SAP Security Community
  https://community.sap.com/topics/cloud-identity-services

▪ SAP Security Products Newsletter
  Subscribe

▪ SAP Trust Center
  https://www.sap.com/about/trust-center.html

▪ SAP Consulting Service: Cybersecurity and Compliance Services
  • Architecture and planning service (security architecture advisory)
  • Execution and implementation service



Q&A
Follow us

www.sap.com/contactsap



No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/trademark for additional trademark information and notices.
