Companies look to web and mobile solutions to meet their business needs — and not just for promoting and selling products and services. These solutions are also compelling for managing internal business processes, allowing employees to work from home or at a client site, for instance, or to post vacation requests and approve orders while on a business trip.
On-demand cloud technology enables organizations to support these dynamic business requirements in a flexible, easy, and cost-effective manner, and the cloud’s role in business operations is likely to only continue to grow.1 However, as cloud-based applications, user identities, and passwords see exponential growth, traditional approaches to security are no longer enough to secure your data.
How do you provide easy, secure, reliable access to business processes that incorporate solutions and users that reside outside of your company’s boundaries? SAP provides a range of products to meet critical business security needs, and now offers a solution based on proven security standards that simplifies and secures access to business data in landscapes that include both cloud and on-premise applications — the new SAP Cloud Identity service.2
The Benefits — and Challenges — of On-Demand Cloud Solutions
On-demand cloud solutions offer a range of benefits to help companies stay competitive and meet customer needs:
- Anytime, anywhere access. Cloud solutions are located outside of corporate networks, making access from anywhere and from any device easily possible.
- Easy implementation. Cloud solutions are maintained and hosted by a vendor. No client/server installations or upgrades are required onsite. Only the solution setup is needed, which is usually simple and quick.
- Low cost. Customers pay for the solution as a service from a vendor. There is no need to devote resources to onsite IT infrastructure and support staff.
- Tight security. Data centers and on-demand software apply many different security standards — such as ISO 27001, ISO 22301, ISAE 3402, and SSAE 16 — to ensure the highest levels of security for the data they store and transmit for the businesses that rely on them.
For many organizations, incorporating cloud-based solutions into a landscape with on-premise solutions is not without its challenges. It often means adding another environment to an already complicated IT infrastructure, and facing a new set of security issues caused by a heterogeneous landscape. For instance, companies need to secure the authentication to both the on-demand and on-premise solutions, from outside and from inside the corporate network (see Figure 1). They also have to provide authentication from different devices, manage identities across the on-premise and on-demand landscape, offer authentication to external users, and enable identity federation and social login functionality, just to name a few.
SAP helps its customers address these challenges with the new SAP Cloud Identity service.
Introducing the SAP Cloud Identity Service
Released in September 2014, the SAP Cloud Identity service is a software-as-a-service (SaaS) solution that simplifies the user experience in the cloud by providing single sign-on capabilities for SAP and non-SAP cloud-based and on-premise applications. Employees, partners, and customers log in just once — from anywhere and on any device — to enable access to their authorized cloud and on-premise applications (see Figure 2).
The SAP Cloud Identity service is hosted and maintained by SAP and relies on secure SAP data centers to provide 24/7 support, high availability, data privacy, and low cost of ownership. Offered as part of SAP HANA Cloud Platform, the SAP Cloud Identity service is based on trusted security standards, such as the Security Assertion Markup Language (SAML) and OAuth, and can be easily integrated with both SAP and non-SAP cloud and on-premise applications that support the SAML 2.0 standard. The integration with on-premise systems is facilitated through a SAML-based identity provider proxy scenario. This scenario, enabled by integrating the SAP Cloud Identity service with an on-premise identity provider such as SAP Single Sign-On, is particularly useful for customers that do not want to expose their employee IDs to the cloud, but still want to offer their users single sign-on to cloud applications.
This new SAP service offers identity lifecycle management for cloud-based and on-premise applications. In addition to authentication, single sign-on, and on-premise integration services, it provides self-services such as registration and password reset for employees, partners, and consumers. For administrators, the SAP Cloud Identity service provides features for user lifecycle management and application configuration, including customizable branding features to enable a unified corporate look and feel for both internal and external users. Let’s take a closer look at the usage scenarios for the SAP Cloud Identity service, and how the offering brings agility, simplicity, and security to any business process running in the cloud or in a heterogeneous landscape.
Usage Scenarios for the SAP Cloud Identity Service
The SAP Cloud Identity service supports the three most common business scenarios: business-to-employee (B2E) scenarios to support employees; business-to-consumer (B2C) scenarios to support consumers; and business-to-business (B2B) scenarios to support partners.
From accountants, to managers, to production line engineers, all employees need simplicity in their daily work to achieve effectiveness. Achieving effectiveness is challenging, however, when employees have to interact with many different on-demand and on-premise applications, and not only remember credentials for all of them, but also authenticate several times a day. Not to mention corporate security policies that require increasingly complicated passwords that must be frequently changed. At the same time, employees want the ability to be more flexible — to be able to work outside the office using mobile devices.
The SAP Cloud Identity service enables organizations to provide this efficiency and flexibility for employees with simple and secure single sign-on, from anywhere and on any device, to all on-premise and on-demand applications used to complete daily business activities. Employees authenticate once and gain access to all the business resources for which they have been granted authorizations. They have to remember only one password that is long and complicated enough to comply with the strongest password policies.
Business-to-Consumer and Business-to-Business Scenarios
Business process automation across corporate borders is a valuable tool for containing costs, and web and mobile technologies — cloud and on-demand solutions in particular — make it increasingly possible for organizations to take advantage of its benefits by quickly reaching consumers and partners. Making business process automation easy and secure for everyone, however, is still a challenge.
The SAP Cloud Identity service is designed to meet these needs in cross-border integration scenarios. It offers secure authentication and identity management for external users, with single sign-on access on any device from outside the corporate network to dedicated applications, including support for identity federation and social login capabilities. It also enables companies to provide an enhanced user experience for consumers and partners with secure self-service registration features for consumers, invitation functionality for onboarding new consumers and partners, templates for email notifications and agreement documents, and branding capabilities for customizing the look and feel of different authentication screens.
How the SAP Cloud Identity Service Works
When a user wants to use a resource from a service provider — for example, an on-demand SAP solution, such as SuccessFactors Performance Management — the web browser redirects the request to the SAP Cloud Identity service. As the central component for authentication, the SAP Cloud Identity service will first check if there is an active session for this user.
If an active user session does not yet exist, the SAP Cloud Identity service will check for valid credentials (such as an X.509 client certificate) or will request authentication via a user ID and password. If valid credentials are provided, the SAP Cloud Identity service will issue a SAML assertion and a user session will be established.
If an active user session already exists, the SAP Cloud Identity service will respond with a SAML assertion, and the user’s web browser will again redirect the request to the target resource of the service provider with the SAML assertion included. The service provider will then grant access and provide the requested resource to the user securely.
Let’s take a look behind the scenes to see how administrators configure the SAP Cloud Identity service to make authentication features available for usage scenarios, and what this looks like from the user’s perspective.
The Administration Console
The SAP Cloud Identity service is provided to customers via their own tenants, which separate and secure customer data, including identities, customizing data, and transactional authentication data. To obtain a tenant, you must have a customer or partner account for SAP HANA Cloud Platform.
The tenant is maintained using the administration console for the SAP Cloud Identity service, which is an SAP Fiori-based user interface that is accessed only by administrators. The list of administrators for the customer tenant must be submitted to the SAP Cloud Identity service support team at SAP as part of the tenant creation request, or as a separate support request afterward.
The administration console is the central entry point for configuring the authentication and user management processes for all cloud-based applications connected to the SAP Cloud Identity service. It is used for configuring the features for various usage scenarios, including setting corporate branding, using email templates, maintaining policy and agreement documents, enforcing password policies for various applications, and enabling and disabling application settings such as self-registration service and social login functionality.
Let’s walk through an example configuration using the SAP Cloud Identity service administration console. To enable self-registration for an application, for instance, the administrator opens the administration console and selects the “Applications” tile on the home page, which opens the application setup menu. The administrator selects the menu tab “Authentication and Access” and then clicks on “User Application Access,” which displays the options “Public,” “Internal,” and “Private.” Selecting the “Public” option enables self-registration for the application. Clicking on “Save” will change the default login screen provided by the SAP Cloud Identity service by adding a registration button that will open a customizable registration form delivered by the SAP Cloud Identity service. Figure 3 shows the example login screen with a registration button added, along with some additional branding features, such as a logo and an altered color scheme.
On-demand solutions are an agile, efficient, and cost-effective way to manage business processes, and their role in business landscapes continues to grow. The SAP Cloud Identity service supports organizations on this path by providing security and enabling the integration of these solutions into heterogeneous landscapes. It empowers users to log in just once — from anywhere, on any device — and gain access to all authorized applications. It controls and monitors user access based on trusted security standards, and relies on secure SAP data centers to provide 24/7 support, high availability, data privacy, and low cost of ownership.
With the SAP Cloud Identity service, you can provide your employees, customers, and partners with simple and secure cloud-based access to the business processes, applications, and data they need, when they need it.
Visit http://scn.sap.com/community/security to learn more.
1 “Cloud Underpins Majority of Tech Trends for 2015, Gartner Analysts Find” by James Bourne (Cloud Tech, October 9, 2014; www.cloudcomputing-news.net/news/2014/oct/09/cloud-underpins-majority-tech-trends-2015-gartner-analysts-find/). [back]
2 For an overview of the latest enhancements to SAP’s security solutions, including an introduction to the new SAP Cloud Identity service, see the article “A Safe Harbor in a Rising Tide of Threats” by Gerlinde Zibulski and Gert Schroeter in the October-December 2014 issue of SAPinsider. [back]