Episode #240
Introduction
In episode 240 of our SAP on Azure video podcast we talk about the improvements in Principal propgation.
Almost 2 years ago, in 2023, Microsoft kicked off the Secure Future Initiative. This meant that litterally all the services within Microsoft went through a security review and were hardend. While this certainly improved security, it also made a lot of scenario much more complicated. Where in the past you could connect to a service using basic authentication or with a simple certificate, that is no longer possible. Martin – always looking at the positive side – recently talked about how the “Secure Future Initiative” blocker became a differentiator for SAP with Microsoft – and I love this. With the work that Martin and the team did we now have a really cool, secure and much easier to maintain solution to do principal propagation.
I am glad that we have Martin back on our show to explain a little more about the magic that he did.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode240
Reach out to us for any feedback / questions:
- Robert Boban: https://www.linkedin.com/in/rboban/
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Security #SFI #PrincipalPropagation #SSO
Summary created by AI
- Secure Future Initiative:
- Holger and Martin discussed the Secure Future initiative by Microsoft, which involved a comprehensive security review and hardening of all services. This initiative, while improving security, also complicated many scenarios, particularly those involving basic authentication or simple certificates.
- Initiative Overview: Holger introduced the Secure Future initiative, which started in 2023, aiming to enhance the security of all Microsoft services. This initiative required a comprehensive security review and hardening of services, making previously simple authentication methods, like basic authentication and simple certificates, more complex.
- Impact on Scenarios: Holger explained that while the initiative improved security, it also complicated many scenarios. For instance, connections that previously used basic authentication or simple certificates were no longer possible, necessitating more secure and complex methods.
- Principal Propagation Solution:
- Holger and Martin explained the new secure and easier-to-maintain solution for principal propagation developed by Martin and his team. This solution leverages managed identities, making it more secure and simpler to maintain compared to previous methods.
- Solution Development: Martin described the development of the new principal propagation solution, which leverages managed identities. This approach was driven by the need to comply with the Secure Future initiative and to provide a more secure and maintainable solution for customers.
- Managed Identities: Martin highlighted that the new solution uses managed identities, which eliminates the need for client secrets. This change reduces the burden of managing expiry dates and rotations of keys or shared credentials, making the solution easier to maintain.
- Importance of Principal Propagation:
- Holger emphasized the importance of principal propagation for customers using both Microsoft and SAP systems. This integration is crucial for server-to-server and client-to-server communications, enabling single sign-on and secure user credential propagation.
- Integration Significance: Holger stressed the critical role of principal propagation in integrating Microsoft and SAP systems. This integration is essential for both server-to-server and client-to-server communications, ensuring seamless and secure interactions between the systems.
- Single Sign-On: Holger explained that principal propagation enables single sign-on (SSO), allowing users to authenticate once and have their credentials securely propagated to the SAP system. This is particularly important for applications like Copilot, Teams, Excel, and PowerApps.
- Updated Principal Propagation Flow:
- Holger and Martin discussed the updated principal propagation flow, which now includes managed identities. This update aligns with Microsoft’s internal security policies and offers customers a more secure and maintainable solution.
- Flow Update: Martin detailed the updates made to the principal propagation flow, incorporating managed identities. This update aligns with Microsoft’s internal security policies, enhancing security and maintainability for customers.
- Security Alignment: Holger noted that the updated flow, which includes managed identities, is in line with Microsoft’s internal security policies. This ensures that the solution is not only secure but also adheres to the best practices established by Microsoft.
- Managed Identities Implementation:
- Martin detailed the implementation of managed identities in the principal propagation flow. He explained how this approach eliminates the need for client secrets, reducing the burden of managing expiry dates and rotations of keys or shared credentials.
- Implementation Details: Martin provided a detailed explanation of how managed identities are implemented in the principal propagation flow. This approach eliminates the need for client secrets, simplifying the management of security credentials.
- Benefits: Martin highlighted the benefits of using managed identities, including the elimination of client secrets, which reduces the administrative burden of managing expiry dates and rotations of keys or shared credentials. This makes the solution more secure and easier to maintain.
- Policy and Token Exchange:
- Martin explained the policy supporting both client credentials grant with shared secrets and managed identities. He highlighted the changes made to the token exchange process, including the use of federated credentials and managed identities.
- Policy Explanation: Martin explained the policy that supports both client credentials grant with shared secrets and managed identities. This policy allows for flexibility in how tokens are managed and exchanged.
- Token Exchange Changes: Martin detailed the changes made to the token exchange process, including the introduction of federated credentials and the use of managed identities. These changes enhance security and simplify the management of tokens.
- Testing and Troubleshooting:
- Holger and Martin discussed the importance of testing and troubleshooting the new principal propagation flow. They recommended starting with client secrets for simpler testing and then transitioning to managed identities once the initial setup is verified.
- Testing Recommendations: Holger and Martin recommended starting with client secrets for initial testing and troubleshooting. This approach simplifies the process and allows for easier identification of configuration errors.
- Transition to Managed Identities: Once the initial setup is verified with client secrets, Holger and Martin suggested transitioning to managed identities. This step ensures that the final implementation is secure and maintainable.
- Customer Adoption and Feedback:
- Holger and Martin highlighted the increasing adoption of the principal propagation policy by customers. They emphasized the importance of customer feedback in improving the documentation, tooling, and overall implementation of the solution.
- Adoption Trends: Holger and Martin discussed the growing adoption of the principal propagation policy by customers. They noted that many customers have successfully implemented the solution, indicating its effectiveness and relevance.
- Feedback Importance: Holger and Martin emphasized the importance of customer feedback in refining the solution. They encouraged customers to provide feedback to help improve the documentation, tooling, and overall implementation of the principal propagation policy.