With two-factor authentication you can implement a strong form of authentication for access to corporate resources – for example, for especially critical systems or securing access from outside the company. Authentication is based on two means of identification: knowledge of a password and possession of a physical device, such as a mobile phone. SAP Single Sign-On supports two-factor authentication via time-based one-time passwords (TOTP) generated by the SAP Authenticator mobile app. Alternatively, out-of-band transport of tokens, including one-time passwords sent via SMS or email or RSA/RADIUS, are supported.
SAP Single Sign-On offers risk-based authentication. This means that an authentication process can dynamically adapt to the context of an individual authentication request based on custom-defined access policies. First, you check the context information of an authentication attempt. This could be the IP address of the client, location, date/time, device information, or user attributes such as groups, for example. Secondly, based on this context information you then make a dynamic decision on whether you accept or deny access, or alternatively enforce two-factor authentication in case the context indicates a higher risk. You could even reduce the privileges of the person accessing the backend system, thus limiting the business functionality available to this user.
For scenarios where users need quick access to a system to perform short tasks, you can use fast user identification via radio-frequency identification (RFID). The user is identified via an RFID token, such as a company batch card. RFID authentication is ideally suited to warehouse and production scenarios with dedicated kiosk PCs for authentication.
In addition, SAP Single Sign-On 3.0 now also offers a mobile SSO solution for shared mobile devices. The solution is currently available via the SAP Authenticator app for Android and is based on NFC reader technology.
Digital signatures uniquely identify the signer, protect the integrity of the data, and provide the means for a binding signature that cannot be denied afterwards. SAP Single Sign-On supports digital signing using the Secure Store and Forward (SSF) interface. The Secure Login Client for SAP GUI can use X.509 certificates for digital signatures in an SAP environment. Server-side digital signatures are supported by the SAP Common Cryptographic Library. In addition, SAP Single Sign-On includes support for server-side digital signatures via hardware security modules, offering increased security and performance.
Network Edge Authentication
The network edge authentication feature, based on SAP’s web dispatcher and SAP Single Sign-On, provides integrated, simple, and secure web access control for SAP solutions by controlling access to on-premise systems from untrusted networks. The feature intercepts all incoming requests and checks if they belong to an already authenticated session. If not, then the request is forwarded to the authentication service of SAP Single Sign-On. Only when the session has been successfully authenticated will the web dispatcher allow it to access systems in the internal network, such as the SAP ERP system or other business applications. This significantly reduces the attack surface of internal systems while still making them available to legitimate users, even from outside the corporate network.
Certificate Lifecycle Management for ABAP Application Servers
SAP Single Sign-On 2.0 (since SP6) supports automated renewal of X.509 certificates for SAP NetWeaver Application Server ABAP using Secure Login Server.
SAP Single Sign-On 3.0 introduces even more efficient management of the certificate lifecycle. The Secure Login Server administration console helps administrators manage the lifecycle of certificates by automating renewals for server components in your landscape. This significantly reduces manual effort, eliminates the risks of human errors, and prevents costly system downtime.
An automated central roll-out of trusted root certificates facilitates the transition from self-signed certificates to a PKI-based approach. In addition, the Secure Login Server can act as Registration Authority of an existing enterprise PKI.