With two-factor authentication you can implement a strong form of authentication for access to corporate resources – for example, for especially critical systems or securing access from outside the company. Authentication is based on two means of identification: knowledge of a password and possession of a physical device, such as a mobile phone. SAP Single Sign-On supports two-factor authentication via time-based one-time passwords (TOTP) generated by the SAP Authenticator mobile app. Alternatively, out-of-band transport of tokens, including one-time passwords sent via SMS or email or RSA/RADIUS, are supported.
For scenarios where users need quick access to a system to perform short tasks, you can use fast user identification via radio-frequency identification (RFID). The user is identified via an RFID token, such as a company batch card. RFID authentication is ideally suited to warehouse and production scenarios with dedicated kiosk PCs for authentication.
In addition, SAP Single Sign-On 3.0 now also offers a mobile SSO solution for shared mobile devices. The solution is currently available via the SAP Authenticator app for Android and is based on NFC reader technology.
Digital signatures uniquely identify the signer, protect the integrity of the data, and provide the means for a binding signature that cannot be denied afterwards. SAP Single Sign-On supports digital signing using the Secure Store and Forward (SSF) interface. The Secure Login Client for SAP GUI can use X.509 certificates for digital signatures in an SAP environment. Server-side digital signatures are supported by the SAP Common Cryptographic Library. In addition, SAP Single Sign-On includes support for server-side digital signatures via hardware security modules, offering increased security and performance.
Network Edge Authentication
The network edge authentication feature, based on SAP’s web dispatcher and SAP Single Sign-On, provides integrated, simple, and secure web access control for SAP solutions by controlling access to on-premise systems from untrusted networks. The feature intercepts all incoming requests and checks if they belong to an already authenticated session. If not, then the request is forwarded to the authentication service of SAP Single Sign-On. Only when the session has been successfully authenticated will the web dispatcher allow it to access systems in the internal network, such as the SAP ERP system or other business applications. This significantly reduces the attack surface of internal systems while still making them available to legitimate users, even from outside the corporate network.
Certificate Lifecycle Management for SAP NetWeaver Application Servers
SAP Single Sign-On supports automated renewal of X.509 certificates for SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java, using Secure Login Server. This significantly reduces manual effort, eliminates the risks of human errors, and prevents costly system downtime.
An automated central roll-out of trusted root certificates facilitates the transition from self-signed certificates to a PKI-based approach. In addition, the Secure Login Server can act as Registration Authority of an existing enterprise PKI.