Harmonized Single Sign-On for SAP RISE customers in Multi-Cloud Environment
source link: https://blogs.sap.com/2023/03/22/harmonized-single-sign-on-for-sap-rise-customers-in-multi-cloud-environment/
updated date: 22.Mar.2023
Security is one of the top priorities for enterprise customers. For end users, signing in to different systems seamlessly, without typing credentials into each one, improves the user experience and also strengthens enterprise security, because credentials are then handled by one well-protected identity provider instead of by every application. SSO therefore plays a key role in this process.
In this article we address RISE with SAP Private Cloud Edition customers (their SAP workloads are managed by SAP on a hyperscaler or in an SAP data center) who run in a multi-cloud environment and have more than one enterprise IDP. The question is how such customers can federate SSO within their SAP landscape using SAP IDPs and security solutions, while also harmonizing SSO and security workflow management with third-party IDPs such as Azure AD. The goal is that each IDP keeps its autonomy for its own purpose and can still be federated with the others to the extent required.
In this article we focus on direct client-to-server SSO scenarios.
A follow-up blog on server-to-server SSO scenarios will be published soon.
Terminologies and Abbreviations
- Single Sign-On (SSO): one authentication gives the user access to several systems without entering credentials again at each of them.
- Identity Provider (IDP): the system that authenticates the user and issues the assertion or token that other systems trust.
- Service Provider (SP): the application or system that relies on the IDP's assertion to grant access (the relying party in SAML terms).
- Identity Management (IDM): lifecycle management of user identities and their access (provisioning, de-provisioning, role assignment).
- Identity and Access Management (IAM): the broader discipline covering authentication, authorization, identity lifecycle and access governance.
- Federated SSO: a trust relationship between an IDP and its SPs so that an authentication at the IDP is accepted by the SPs; in this article, SSO within the SAP landscape using SAP IDPs.
- Harmonized SSO [Highly Recommended]: the setup this article proposes, in which several IDPs, each keeping its autonomy, are federated with one another so that users get one sign-in across the SAP and third-party landscapes.
Fig. 1: SSO process roles and responsibilities
Architecture Design
In this section we first go through the SAP IDPs and IDMs used for SSO federation within the SAP landscape and list the major SAP products with their SSO integration guides. We then consider RISE with SAP Private Cloud Edition customers in multi-cloud environments and propose the 'Security Hub and Spoke' concept for SSO harmonization in such setups.
SAP SSO Federation for SAP Workforce (SAP IDPs & IDM integration with SAP SPs):
List of SAP Identity Provider Solutions:
| Identity Provider Solution | Supported Methods | Deployment |
| --- | --- | --- |
| SAP Cloud Identity Services – Identity Authentication | SAML 2.0, OpenID Connect, OAuth2, SPNEGO, X.509, Social Sign-On | Cloud subscription on SAP BTP |
| SAP Single Sign-On 3.0 | Kerberos/SPNEGO, X.509, SAML 2.0 | SAP RISE managed VM |
SAP Identity Management Solutions:
SAP IDMs provide enterprise-level IAM workflow management, identity lifecycle management, access governance and auditing.
| Identity Management Solution | Deployment |
| --- | --- |
| SAP Cloud Identity Services | Cloud subscription on SAP BTP |
| SAP Cloud Identity Access Governance | Cloud subscription on SAP BTP |
| SAP Identity Management | SAP RISE managed VM |
| SAP Access Control | SAP RISE managed VM |
List of Major SAP Solutions SSO integration guide:
* Please note that the list below cannot cover all SAP products and all integration scenarios; further guidance is available in the official SAP documentation.
SAP SSO Harmonization with third-party SSO:
In a multi-cloud environment there can be multiple identity providers (IDPs), each designed for its own purpose and natively integrated with its own cluster of service providers.
Because most enterprise customers use Microsoft Office 365 and therefore already have Azure AD in place, we propose the 'Security Hub and Spoke' architecture: Microsoft Azure AD acts as the 'hub' for SSO harmonization, and the SAP IDP and the other hyperscaler IDPs act as 'spokes' in the multi-cloud landscape (see Fig. 2 – 4).
Where customers use Google Workspace (formerly G Suite) instead, they can still build trust between the SAP IDP and the Google IDP (see Fig. 5).
With these setups each IDP keeps its autonomy, while the trust relationships between them are harmonized and user synchronization is in place.
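The hub-and-spoke trust described above only holds if every spoke validates what it receives from the hub. The following is an added example, not code from this blog or from any SAP or Microsoft product: a Python check of the claims-level conditions a spoke IDP (modeled on an SAP Cloud Identity Services tenant acting as SAML service provider toward Azure AD as the hub) must apply to a hub-issued SAML assertion before it issues its own assertion to the SAP service providers. The entity IDs, URLs, request ID and certificate bytes are constructed for illustration; the element names follow the SAML 2.0 specification. XML-Signature verification is deliberately out of scope and must be done with an XML-DSig library (for example xmlsec or python3-saml) on the same Assertion node before any of the values checked here are trusted.

```python
"""Claims-level checks a spoke IdP applies to a hub-issued SAML assertion.
Added example; not code from the SAP blog or any SAP/Microsoft product. Entity IDs,
URLs, request IDs and certificate bytes are constructed. XML-Signature verification is
out of scope and must be done with an XML-DSig library on the same Assertion node first.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Hypothetical spoke trust configuration (constructed values, Azure AD-style issuer).
HUB_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000001/"
SPOKE_ENTITY_ID = "https://example.accounts.ondemand.com"
SPOKE_ACS_URL = SPOKE_ENTITY_ID + "/saml2/idp/acs/example.accounts.ondemand.com"
# Stand-in for the hub signing certificate imported at onboarding (not a real X.509 cert).
HUB_CERT_B64 = base64.b64encode(b"constructed-hub-signing-certificate-bytes").decode()
HUB_CERT_SHA256 = hashlib.sha256(base64.b64decode(HUB_CERT_B64)).hexdigest()
CLOCK_SKEW = timedelta(minutes=3)
NOW = datetime(2023, 3, 22, 10, 1, tzinfo=timezone.utc)  # fixed clock for the demo

class AssertionRejected(Exception):
    pass

def saml_time(value):
    """Parse a SAML xs:dateTime in UTC (optional fractional seconds) to an aware datetime."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_hub_assertion(response_xml, now, expected_request_id):
    """Return the subject NameID if this spoke may act on the assertion, else raise."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # extra assertions are a signature-wrapping smell
        raise AssertionRejected("expected exactly one Assertion")
    a = assertions[0]
    # 1. Issuer: only the federated hub, not any party able to produce SAML.
    if a.findtext("saml:Issuer", namespaces=NS) != HUB_ISSUER:
        raise AssertionRejected("untrusted issuer")
    # 2. Signing certificate pinned to the one registered for the hub.
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or hashlib.sha256(base64.b64decode(cert)).hexdigest() != HUB_CERT_SHA256:
        raise AssertionRejected("not signed with the registered hub certificate")
    # 3. Audience: the hub signs assertions for every spoke with the same key, so an
    #    assertion minted for a sibling spoke (AWS, GCP ...) must be refused here.
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SPOKE_ENTITY_ID not in audiences:
        raise AssertionRejected(f"audience {audiences} is not this spoke")
    # 4. Validity window, allowing bounded clock skew between hub and spoke.
    cond = a.find("saml:Conditions", NS)
    if now + CLOCK_SKEW < saml_time(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now - CLOCK_SKEW >= saml_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    # 5. Bearer confirmation: delivered to our ACS, answering our own request (anti-replay).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SPOKE_ACS_URL:
        raise AssertionRejected("recipient is not this spoke's ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise AssertionRejected("InResponseTo does not match an outstanding AuthnRequest")
    if now - CLOCK_SKEW >= saml_time(scd.get("NotOnOrAfter")):
        raise AssertionRejected("subject confirmation expired")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def rejection_reason(response_xml, now=NOW, request_id="_req42"):
    """None if the spoke accepts the assertion, otherwise why it was refused."""
    try:
        check_hub_assertion(response_xml, now, request_id)
        return None
    except AssertionRejected as e:
        return str(e)

def sample_response(audience=SPOKE_ENTITY_ID, issuer=HUB_ISSUER, in_response_to="_req42",
                    not_before="2023-03-22T10:00:00Z", not_on_or_after="2023-03-22T10:05:00Z"):
    """Constructed hub response (not captured from any tenant); the signature is a placeholder."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{HUB_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SPOKE_ACS_URL}" NotOnOrAfter="{not_on_or_after}" InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("accepted as:", check_hub_assertion(sample_response(), NOW, "_req42"))
    print("sibling-spoke audience:", rejection_reason(sample_response(audience="urn:amazon:cognito:sp:constructed")))
    print("expired:", rejection_reason(sample_response(not_on_or_after="2023-03-22T09:00:00Z")))
```

The audience check is the one that matters most in a hub-and-spoke design: the hub signs assertions for every spoke with the same key, so a spoke that verifies only the signature and the issuer would accept an assertion minted for a sibling spoke. When the spoke is a product such as SAP Cloud Identity Services, the product performs these checks; what the administrator controls is the configuration they depend on, namely the trusted issuer, the imported hub signing certificate, and the spoke's own entity ID and ACS URL as registered at the hub.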
- Integration with Azure IDP (Azure AD): see Fig. 2
- Integration with AWS IDP (Amazon Cognito): see Fig. 3
- Integration with GCP IDP (Google Cloud Identity): see Fig. 4 and Fig. 5
Fig. 2: Architecture design for RISE PCE customers doing Harmonized SSO in a multi-cloud environment (customer's own hyperscaler is Azure, as an example)
Fig. 3: Architecture design for RISE PCE customers doing Harmonized SSO in a multi-cloud environment (customer's own hyperscalers are AWS and Azure, as an example)
Fig. 4: Architecture design for RISE PCE customers doing Harmonized SSO in a multi-cloud environment (customer's own hyperscalers are GCP and Azure, as an example)
Fig. 5: Architecture design for RISE PCE customers doing Harmonized SSO in a multi-cloud environment (customer's own hyperscaler is GCP, as an example)
Disclaimer:
- SAP takes no responsibility for managing and operating customers' own data centers, nor for customers' own hyperscaler subscriptions.
- SAP takes no responsibility for provisioning and managing customers' SSO.
- SAP product information is based on the official SAP documentation online as of this blog's update date.
- The architecture designs in this blog were prepared with reference to each hyperscaler's (Azure, AWS, GCP) reference architecture from the providers' (Microsoft, Amazon, and Google) official documentation online as of this blog's update date.
Acknowledgment to contributors/reviewers/advisors:
Ke Ma (a.k.a. Mark), co-author, Senior Consultant, SAP IES AI CoE / RISE Cloud Advisory RA group
Frank Gong, co-author, Digital Customer Engagement Manager, SAP ECS
Stephan Andre, SAP BTP Security, Development Manager
Tommaso Nuccio, Security Architect, SAP IES Security
Yash Karia, SAP IAM Consultant, SAP IES Platform
Sven Herzog, SAP IAM Consultant, SAP IES Platform
Kevin Flanagan, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, EMEA North
Luc DUCOIN, Cloud Architect & Advisor, RISE Cloud Advisory
Richard Traut, Cloud Architect & Advisor, RISE Cloud Advisory
Sven Bedorf, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, MEE
Samuel Grevillot, Customer Engineer, Google
Extended Reading:
- Join our SAP Single Sign-On community here
- Google Cloud Identity integration with SAP Cloud Identity Services, by SAP colleague Alexander Zubev
- A SSO Guide for SAP RISE PCE customers, by SAP colleague Matthias Kaempfer
- SSO with SAML 2.0: how does it work, by the VMware YouTube channel