As explained in my latest post, managing Identity and Access Management (IAM) in SAP environments is more crucial than ever. Beyond simply improving user experience, effective IAM ensures secure and consistent authentication mechanisms across both cloud and on-premise systems. At the heart of this strategy lies SAP Cloud Identity Services (SCI)—the go-to solution for centralized identity management and streamlined Single Sign-On (SSO) in the SAP ecosystem.
SCI serves as the central interface for managing identity and access across SAP solutions. It plays a foundational role in enabling SSO while enforcing authentication policies uniformly across the landscape. Within the Secure Operations Map (SOM), SSO is positioned squarely in the “Authentication and Single Sign-On” domain, underlining its critical role in maintaining secure and reliable access throughout your SAP systems.
Authentication in the Context of the Secure Operations Map (SOM)
One Authentication Experience Across Web and On-Premise
A key advantage of SCI is its ability to support both cloud-based and on-premise authentication scenarios. For browser-based applications, SCI supports modern protocols such as SAML 2.0 and OpenID Connect (OIDC). These standards are widely adopted across the SAP ecosystem and allow organizations to integrate with various identity providers while benefiting from centralized policy enforcement. For those navigating protocol choices, you can explore the comparison further in this blog post.
When it comes to authentication to on-premise applications, things work differently. These clients communicate via Remote Function Calls (RFC) rather than HTTP, which means traditional SAML or OIDC-based SSO methods don’t apply. To extend SSO capabilities here, SAP recommends using Secure Login Client in combination with Secure Login Service (SLS). This setup leverages short-lived X.509 certificates that are issued based on SCI-authenticated identities. The benefit of this approach is that it allows organizations to reuse the same Multi-Factor Authentication (MFA) mechanisms you’ve implemented for web applications, ensuring a seamless and secure user experience across all access channels.
Single sign-on based on X.509 certificates – Process flow
There are other options than using short lived certificates via SLS available as well. Organizations can opt for Kerberos tokens, which are especially suitable for Windows-based environments, or deploy local short-lived client certificates.
For those seeking a more technical view of how these components interact, SAP offers a reference architecture for authentication, including SCI’s integration with both cloud and on-premise systems.
Authentication Reference Architecture
What’s Next: From Access Risks to Business Risks
With the fundamentals of access management and SSO in place, the next step is to examine broader business risks in your SAP landscape. In upcoming posts, we’ll shift focus to how these risks can be identified, analyzed, and contained using SAP Risk and Assurance Management (RAM)—a critical layer of protection beyond technical access controls.
As explained in my latest post, managing Identity and Access Management (IAM) in SAP environments is more crucial than ever. Beyond simply improving user experience, effective IAM ensures secure and consistent authentication mechanisms across both cloud and on-premise systems. At the heart of this strategy lies SAP Cloud Identity Services (SCI)—the go-to solution for centralized identity management and streamlined Single Sign-On (SSO) in the SAP ecosystem.SCI serves as the central interface for managing identity and access across SAP solutions. It plays a foundational role in enabling SSO while enforcing authentication policies uniformly across the landscape. Within the Secure Operations Map (SOM), SSO is positioned squarely in the “Authentication and Single Sign-On” domain, underlining its critical role in maintaining secure and reliable access throughout your SAP systems.Authentication in the Context of the Secure Operations Map (SOM)One Authentication Experience Across Web and On-PremiseA key advantage of SCI is its ability to support both cloud-based and on-premise authentication scenarios. For browser-based applications, SCI supports modern protocols such as SAML 2.0 and OpenID Connect (OIDC). These standards are widely adopted across the SAP ecosystem and allow organizations to integrate with various identity providers while benefiting from centralized policy enforcement. For those navigating protocol choices, you can explore the comparison further in this blog post.When it comes to authentication to on-premise applications, things work differently. These clients communicate via Remote Function Calls (RFC) rather than HTTP, which means traditional SAML or OIDC-based SSO methods don’t apply. To extend SSO capabilities here, SAP recommends using Secure Login Client in combination with Secure Login Service (SLS). This setup leverages short-lived X.509 certificates that are issued based on SCI-authenticated identities. The benefit of this approach is that it allows organizations to reuse the same Multi-Factor Authentication (MFA) mechanisms you’ve implemented for web applications, ensuring a seamless and secure user experience across all access channels.Single sign-on based on X.509 certificates – Process flowThere are other options than using short lived certificates via SLS available as well. Organizations can opt for Kerberos tokens, which are especially suitable for Windows-based environments, or deploy local short-lived client certificates.For those seeking a more technical view of how these components interact, SAP offers a reference architecture for authentication, including SCI’s integration with both cloud and on-premise systems.Authentication Reference ArchitectureWhat’s Next: From Access Risks to Business RisksWith the fundamentals of access management and SSO in place, the next step is to examine broader business risks in your SAP landscape. In upcoming posts, we’ll shift focus to how these risks can be identified, analyzed, and contained using SAP Risk and Assurance Management (RAM)—a critical layer of protection beyond technical access controls. Read More Technology Blog Posts by SAP articles
#SAP
#SAPTechnologyblog
