on 03-20-2019 8:12 AM
Hi All,
I would like to implement SAP SSO on a hybrid landscape (on-premise & cloud systems).
We have the below system landscape (as attached) and the client wants to achieve SSO for both on-premise & cloud systems. I have drafted the below high-level design based on SAP documentation.
Requirement: achieve SSO for Fiori apps for both S/4HANA & cloud systems.
I have implemented SSO for my previous projects, but with Microsoft Active Directory as Identity Provider.
The client has already purchased an SSO 3.0 license, so AD as identity provider is not an option for us.
I need technical guidance on setting up an SAP SSO 3.0 server on premise, and what is SAP best practice?
My assumption: SAP SSO 3.0 (on-premise SAP NW Java system) acts as the primary solution for SSO for both on-premise & cloud systems.
Questions:
1. SSO for on-premise system:
For example, if a user wants to access the S/4HANA system (with SSO) using SAML, the SAP SSO 3.0 server acts as Identity Provider. But how should the SSO 3.0 on-premise system have a user store (setup) to authenticate users' identity?
So should SSO 3.0 be integrated with MS AD and some regular sync jobs be run from AD to SSO 3.0? Or what is the other option? SAP IDM 8.0 on premise will pass users to SSO 3.0 and all users will be stored in SSO 3.0? Please provide suggestions here; I don't see any documentation for this.
2. SSO for cloud system:
Scenario 1: A user accesses the cloud system from home (outside the office network). What is the flow to authenticate users? Will IAS read the user store from the on-premise system (AD or SSO 3.0)?
Scenario 2: A user accesses the cloud system from the office (corporate network). What is the flow to authenticate users? What is the role of IAS?
I would appreciate it if you could provide your inputs and document links etc.
Hi Imran!
First of all, please don't mind, but this picture is really confusing 😉 The descriptions and the shown auth flow do not match, but I can imagine what is meant. In particular, the presentation of the component SAP SSO 3.0 suggests that it is a "box", which is not the case. It is a suite consisting of multiple solution components. The SAP Identity Provider is one part of it.
Besides SAP SSO 3.0, with regard to the other components in the area of SAP Identity Management (on-prem IDM and cloud IPS), I recommend in any case starting the project with a proper workshop due to the overall complexity. Since your request probably does not cover all your concrete technical requirements, I can only guess and hope my explanation helps.
Let's start...
To answer your question 1: In general, either ADFS, SAP's IdP or any other IdP can always be used for any SP, no matter where it is operated. This is the basic principle of SAML, where it does not matter where IdP or SP are located. Integrating web services running outside the own network or domain (partners, extranet, cloud), cross-platform and cross-domain scenarios as well as identity federation scenarios are all possible with the SAP IdP. The SAP IdP running on AS Java supports various user data sources such as the database, LDAP servers, and AS ABAP, basically whatever the UME allows you to connect. So you don't "store" users or sync them implicitly in the box 😉 instead you connect your IdP directly to AD via LDAP. You may also connect SAP IDM to your IdP to provision accounts, e.g. for externals such as business partners or the like.
As the IdP itself supports the authentication methods provided by the NetWeaver AS Java, your corporate users will experience SSO when accessing both on-premise and cloud web applications. SPNEGO/Kerberos, X.509 and other mechanisms are supported for initial user authentication at the IdP.
BTW: Nearly all of this is possible with IAS as well.
For Question 2... Scenario 1: The question already includes the statement that two IdPs should be used (one in the cloud and one on-premise), at least it seems so. However, the SAML flow mostly used is the front-channel, SP-initiated flow. Here the user accesses the SP and then gets forwarded to the IdP. The decision making (discovery or selection of the right IdP) depends and can be configured differently. Same for the authentication methods, i.e. how a user, external or internal (working from home), should be authenticated. In such a case you use the cloud IdP (IAS); it can be connected to your on-premise user store (AD) via Cloud Connector, all possible. Access policies based on IP range, time, role membership, etc. are possible as well.
Scenario 2: the same. Why use IAS AND the on-prem IdP? That makes less sense. In such a case use either IAS or the on-prem IdP. The flow is the same, but authentication normally is transparent (SSO to the IdP) compared to scenario 1.
SAP offers two products: SAP Single Sign-On and SAP Cloud Platform Identity Authentication. Both can be combined. In such a case, the recommendation is to use SAP Cloud Platform Identity Authentication for browser applications, on-premise and cloud, and use SAP Single Sign-On with X.509 certificates or Kerberos for desktop clients on-premise (of course also to support non-web applications such as SAP GUI etc.). For access from on-premise desktops to cloud services, automate authentication to SAP Cloud Platform Identity Authentication by using Kerberos or X.509 certificates.
Cheers
Carsten
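The front-channel, SP-initiated flow and the "connect the IdP to the user store, don't sync users into it" point in the answer above, as an added example that is not part of the original thread and not SAP's code. It models a Service Provider (any Fiori app), an Identity Provider that authenticates against its user store, and the browser carrying the two messages between them. Assumptions: the hostnames and entity IDs are invented; the LDAP-backed directory is a constructed in-memory dict; the XML-DSig signature over the Response is replaced by an HMAC over the serialized XML so the block runs with the standard library only. The SP-side checks (signature before parsing, InResponseTo against an outstanding request, Destination/Recipient, Audience, validity window, assertion-ID replay) are the ones a real SP must perform regardless of which IdP issues the assertion.

```python
import base64, hmac, hashlib, secrets, zlib
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for p, u in NS.items():
    ET.register_namespace(p, u)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed identifiers (not from the thread).
IDP_ENTITY_ID = "https://idp.example.corp/saml2"
IDP_SSO_URL = "https://idp.example.corp/saml2/sso"
SP_ENTITY_ID = "https://fiori.example.corp/sp"
SP_ACS_URL = "https://fiori.example.corp/saml2/acs"
# Constructed stand-in for AD reached over LDAP; the IdP reads it, never copies it.
DIRECTORY = {"jdoe": {"password": "Winter2019!", "mail": "jdoe@example.corp"}}

def _ts(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
def _deflate(b):                      # raw DEFLATE as the HTTP-Redirect binding requires
    c = zlib.compressobj(9, zlib.DEFLATED, -15); return c.compress(b) + c.flush()
def _inflate(b): return zlib.decompress(b, -15)
def _q(prefix, name): return f"{{{NS[prefix]}}}{name}"

class ServiceProvider:
    def __init__(self, idp_key):
        self.idp_key = idp_key            # stand-in for the IdP signing cert from its metadata
        self.pending = {}                 # outstanding AuthnRequest IDs
        self.seen_assertions = set()      # replay protection

    def authn_request_redirect(self):
        """Step 1: user hits the SP; SP redirects the browser to the IdP with an AuthnRequest."""
        req_id, now = "_" + secrets.token_hex(16), dt.datetime.now(dt.timezone.utc)
        self.pending[req_id] = now
        root = ET.Element(_q("samlp", "AuthnRequest"), {
            "ID": req_id, "Version": "2.0", "IssueInstant": _ts(now),
            "AssertionConsumerServiceURL": SP_ACS_URL,
            "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
        ET.SubElement(root, _q("saml", "Issuer")).text = SP_ENTITY_ID
        encoded = base64.b64encode(_deflate(ET.tostring(root))).decode()
        return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": encoded})

    def consume(self, form):
        """Step 3: assertion consumer service validates the posted Response."""
        xml = base64.b64decode(form["SAMLResponse"])
        expected = hmac.new(self.idp_key, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, form["Signature"]):
            raise ValueError("bad signature")          # verify before trusting any content
        resp, now = ET.fromstring(xml), dt.datetime.now(dt.timezone.utc)
        in_resp = resp.get("InResponseTo")
        if in_resp not in self.pending:
            raise ValueError("unsolicited or replayed response")
        del self.pending[in_resp]
        if resp.get("Destination") != SP_ACS_URL:
            raise ValueError("wrong destination")
        if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("IdP reported failure")
        a = resp.find("saml:Assertion", NS)
        if a.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
        if a.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        self.seen_assertions.add(a.get("ID"))
        cond = a.find("saml:Conditions", NS)
        if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside validity window")
        if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
            raise ValueError("assertion not meant for this SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("InResponseTo") != in_resp or scd.get("Recipient") != SP_ACS_URL:
            raise ValueError("subject confirmation mismatch")
        return {"name_id": a.find("saml:Subject/saml:NameID", NS).text}

class IdentityProvider:
    def __init__(self, key, directory):
        self.key, self.directory = key, directory

    def handle_redirect(self, url, username, password):
        """Step 2: decode the AuthnRequest, authenticate against the user store, issue a Response."""
        req = ET.fromstring(_inflate(base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])))
        req_id, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
        audience = req.find("saml:Issuer", NS).text
        # Password check stands in for the initial authentication; SPNEGO/Kerberos or X.509
        # would make this step transparent for corporate users.
        user = self.directory.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("authentication failed")
        now = dt.datetime.now(dt.timezone.utc)
        resp = ET.Element(_q("samlp", "Response"), {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                          "IssueInstant": _ts(now), "InResponseTo": req_id, "Destination": acs})
        ET.SubElement(resp, _q("saml", "Issuer")).text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(resp, _q("samlp", "Status")), _q("samlp", "StatusCode"), {"Value": SUCCESS})
        a = ET.SubElement(resp, _q("saml", "Assertion"), {"ID": "_" + secrets.token_hex(16),
                          "Version": "2.0", "IssueInstant": _ts(now)})
        ET.SubElement(a, _q("saml", "Issuer")).text = IDP_ENTITY_ID
        subj = ET.SubElement(a, _q("saml", "Subject"))
        ET.SubElement(subj, _q("saml", "NameID"),
                      {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = user["mail"]
        sc = ET.SubElement(subj, _q("saml", "SubjectConfirmation"), {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
        ET.SubElement(sc, _q("saml", "SubjectConfirmationData"),
                      {"InResponseTo": req_id, "Recipient": acs, "NotOnOrAfter": _ts(now + dt.timedelta(minutes=5))})
        cond = ET.SubElement(a, _q("saml", "Conditions"), {"NotBefore": _ts(now - dt.timedelta(seconds=30)),
                             "NotOnOrAfter": _ts(now + dt.timedelta(minutes=5))})
        ET.SubElement(ET.SubElement(cond, _q("saml", "AudienceRestriction")), _q("saml", "Audience")).text = audience
        xml = ET.tostring(resp)
        # HMAC stands in for XML-DSig; a real IdP signs with its X.509 key pair.
        return {"SAMLResponse": base64.b64encode(xml).decode(),
                "Signature": hmac.new(self.key, xml, hashlib.sha256).hexdigest()}

def run_flow(username, password, key=b"constructed-shared-secret"):
    """Whole exchange: SP redirect -> IdP authenticates and issues -> SP consumes."""
    sp, idp = ServiceProvider(key), IdentityProvider(key, DIRECTORY)
    form = idp.handle_redirect(sp.authn_request_redirect(), username, password)
    return sp.consume(form)["name_id"]
```

The same flow applies whether the IdP is the on-premise SAP IdP or IAS: the SP only cares that the assertion is signed by the IdP it trusts, was issued in response to its own request, and names it as audience. The two places where the deployment choice shows up are the initial authentication inside `handle_redirect` (password, Kerberos, X.509, or an access policy by IP range) and where the IdP's directory lookup actually goes (LDAP to AD, or IAS through Cloud Connector).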
Thank you Carsten for detailed explanation, really appreciated.
I agree, the authentication flow is not exactly right in the diagram :-). I just illustrated a high-level diagram to show the SAP components which are in scope for the project.
As suggested, I will set up a proper workshop during the project to finalize the solution with the proper flow & components.
Thanks again !!