Identity management and authentication for SAP

Guests: Cameron Gardiner, Martin Raepple

Security Authentication


Episode #275

Introduction

In episode 275 of our SAP on Azure video podcast we talk about Identity Management and authentication for SAP. We have already covered identity and authentication topics with Martin Raepple several times in the past. Together with Cameron Gardiner we take another look at Identity Management, especially in the context of the end of life for SAP IDM.

Find all the links mentioned here: https://www.saponazurepodcast.de/episode275

Reach out to us for any feedback / questions:

#Microsoft #SAP #Azure #SAPonAzure #Security #Authentication #SSO #IdentityManagement

Summary created by AI

  • SAP Identity Management End of Life and Migration to Microsoft Entra:
  • Martin, Cameron, and Goran discussed the end of life for SAP Identity Management, the joint recommendation for customers to migrate to Microsoft Entra, and the comprehensive guidance and resources available to support this transition.
    • End of Life Announcement: Martin explained that SAP announced the end of life for SAP Identity Management at the beginning of 2024, with official support ending in 2027 and extended maintenance available until 2030, after which no further support will be provided.
    • Migration Guidance: Cameron and Martin highlighted the availability of a comprehensive migration guide in the official Microsoft product documentation, recommending that affected customers start with this document and then consult the detailed blog series for step-by-step implementation guidance.
    • Customer Feedback and Demand: Martin described significant demand from customer communities, particularly after the end of life announcement, for clear, step-by-step migration tutorials, which led to the creation of a detailed blog series and additional hands-on sessions at industry events.
    • Recommended Migration Path: The team emphasized the joint recommendation for customers to migrate from SAP Identity Management to Microsoft Entra, with reference architectures and best practices developed collaboratively by SAP and Microsoft to guide customers through the available options.
  • Comprehensive Identity and Authentication Options for SAP on Azure:
  • Cameron, with input from Martin and Goran, presented a new document consolidating identity and authentication options for SAP on Azure, addressing the complexity and variety of available solutions and providing customers with clear guidance.
    • Motivation for Documentation: Cameron explained that the motivation behind the new document was to centralize information on identity and authentication options, as customers faced confusion due to the multitude of available solutions and recent changes in SAP’s product landscape.
    • Content Structure: The document is organized to present multiple authentication and identity management options, including both legacy and modern approaches, and references Martin’s three-part blog series as mandatory pre-reading for customers seeking clarity.
    • Reference Architectures: Martin noted that the documentation includes reference architectures and recommendations, developed jointly by SAP and Microsoft, to help customers navigate the various options and select the most suitable approach for their scenarios.
  • Technical Migration Scenarios and Integration Approaches:
  • Martin and Cameron detailed technical migration scenarios, including the use of Microsoft Entra, Cloud Identity Services, and industry standards like SCIM, to support complex SAP landscapes and ensure seamless integration across on-premises and cloud environments.
    • Entitlement Management Migration: Martin described how entitlement management logic, previously implemented in SAP Identity Management, should be migrated to Microsoft Entra, with workflows and approval processes adapted to the new platform while maintaining role and authorization management in existing SAP systems.
    • Integration with Cloud Identity Services: The integration between Microsoft Entra and SAP Cloud Identity Services is facilitated by industry standards such as SCIM, enabling lifecycle operations and interoperability across different systems in the SAP landscape.
    • Inbound Provisioning from SuccessFactors: Martin explained the recommended approach for HR-driven provisioning, where new employee onboarding events in SuccessFactors are captured and identities are provisioned through connectors to Active Directory, Entra, and Cloud Identity Services, using pre-built connectors that can be customized as needed.
    • Attribute Synchronization Enhancements: A recent feature allows not only user entities but also groups and group memberships to be synchronized between Entra and Cloud Identity Services, ensuring that role assignments and authorizations are accurately reflected in SAP back-end systems.
  • Authentication Methods and Security Best Practices for SAP Clients:
  • Cameron, Martin, and Goran reviewed authentication methods for various SAP clients, emphasizing the importance of single sign-on (SSO), multi-factor authentication (MFA), and secure protocols for both legacy and modern access scenarios.
    • SAP GUI Authentication: The team discussed the continued prevalence of SAP GUI, the use of X.509 certificates and Kerberos for single sign-on, and the introduction of SAP Secure Login Service on BTP as a modern method for issuing short-lived certificates.
    • Multi-Factor Authentication for SAP GUI: Martin described how Microsoft’s Entra Global Secure Access, specifically the private access sub-service, can be used to implement multi-factor authentication for SAP GUI, aligning with current security standards.
    • Zero Trust and Continuous Access Evaluation: Martin explained the application of zero trust principles and continuous access evaluation in SAP GUI scenarios, where session access can be dynamically revoked based on risk assessments or administrative actions, independent of session state.
    • Browser-Based and Other Client Authentication: Cameron noted the shift to browser-based access for SAP Fiori and other clients, the documentation of authentication options for Power Platform and Microsoft BI, and the challenges of implementing MFA for legacy clients like Business Explorer.
  • Customer Guidance, Resources, and Implementation Recommendations:
  • Cameron, Martin, and Goran provided practical recommendations for customers, highlighting available resources, the importance of early migration planning, and the need to adopt secure authentication practices for SAP applications.
    • Recommended Reading and Resources: Cameron advised customers to begin with the official migration documentation and Martin’s blog series, which offer comprehensive and tutorial-style guidance for planning and implementing migration from SAP Identity Management.
    • Early Migration Planning: The team stressed the importance of starting migration efforts early, given the approaching end of support for SAP Identity Management and the need for customers to familiarize themselves with new technologies and processes.
    • Adoption of SSO and MFA: Cameron recommended that all customers move to single sign-on, ideally with multi-factor authentication, for any SAP application, and to avoid reliance on username and password authentication at the application layer.
    • Customization of Reference Diagrams: Cameron suggested that customers use the diagrams provided in the documentation and blog series as templates, customizing them to fit their specific environments and circulating them among stakeholders for implementation planning.
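The "Technical Migration Scenarios" section above says Entra can now synchronize groups and group memberships to SAP Cloud Identity Services over SCIM so that SAP role assignments reflect them. The check a practitioner would want before trusting that is a reconciliation of both sides. This is an added example, not code from the podcast, Microsoft or SAP: it parses constructed SCIM 2.0 Group resources (source side and target side, sample values made up) and reports membership drift.

```python
"""Reconcile SCIM 2.0 group memberships between an identity source and an SAP-side target.

Added example (not from the podcast or either vendor's tooling). It compares constructed
SCIM Group resources as the source (Entra) would push them with those read back from the
target (Cloud Identity Services) and reports drift, i.e. users who would be missing an
SAP role (lost access) or holding one without a source entitlement (excess access).
"""
import json

# Constructed sample SCIM Group resources (RFC 7643 shape); all values are made up.
SOURCE_GROUPS_JSON = json.dumps([
    {"displayName": "SAP_FI_Accountant", "members": [{"value": "u1"}, {"value": "u2"}]},
    {"displayName": "SAP_MM_Buyer", "members": [{"value": "u3"}]},
])
TARGET_GROUPS_JSON = json.dumps([
    {"displayName": "SAP_FI_Accountant", "members": [{"value": "u1"}, {"value": "u9"}]},
    # SAP_MM_Buyer is absent on the target: its member would lack the SAP role.
])


def parse_scim_groups(raw):
    """Map displayName -> set of member ids from a JSON list of SCIM Group resources."""
    groups = {}
    for g in json.loads(raw):
        groups[g["displayName"]] = {m["value"] for m in g.get("members", [])}
    return groups


def membership_drift(source_raw, target_raw):
    """Return {group: (missing_on_target, extra_on_target)} for every group that differs.

    missing_on_target: entitled at the source but not provisioned on the SAP side.
    extra_on_target:   present on the SAP side without a matching source entitlement.
    Groups absent on one side are treated as empty there, so they are reported too.
    """
    source = parse_scim_groups(source_raw)
    target = parse_scim_groups(target_raw)
    drift = {}
    for name in source.keys() | target.keys():
        src, tgt = source.get(name, set()), target.get(name, set())
        if src != tgt:
            drift[name] = (sorted(src - tgt), sorted(tgt - src))
    return drift


if __name__ == "__main__":
    for group, (missing, extra) in membership_drift(SOURCE_GROUPS_JSON, TARGET_GROUPS_JSON).items():
        print(f"{group}: missing on target={missing} extra on target={extra}")
```

An empty result means every group and membership on the source is mirrored on the SAP side; any non-empty entry is a provisioning gap to investigate before relying on group-based role assignment.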