
S4H101 – Overview: Identity and Access Management for On-Premise and Cloud Scenarios

EXTERNAL

Speakers 2017
Las Vegas, September 25 - 29: Mariyan Dichev
Bangalore, October 25 - 27: Udit Singh
Barcelona, November 14 - 16: Alexander Zubev

© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ EXTERNAL 2


Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP.
Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service
or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related
document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and
functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this
presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP
assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross
negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from
expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,
and they should not be relied upon in making purchasing decisions.



Agenda

IAM Evolution

IAM Use-cases

SAP IAM – Capabilities


 Workforce to SaaS
 Consumer IAM
 Traditional/Legacy Workforce

Demo

SAP IAM – Way Forward



IAM Evolution
IAM: transformation into the digital age

IAM is shifting to become a continuous program that delivers intelligence, meets compliance
requirements, adds value differentiation, and unloads the organization.

Traditional View | Modern View
Technical requirements of IDM and WAM | IDM, WAM, IGA, PIM, Federation, Intelligence, etc.
IAM as a Tool of Policy Enforcement | IAM as a Tool of Compliance and Intelligence
IAM as a Project | IAM as a Program
IAM as a Cost of Doing Business | IAM as a Business Differentiator
IAM Infrastructure and Expertise On-Premise | IAM in the Cloud


IAM challenge – Expanding ecosystem of identities and assets

[Diagram: Identity Management (People) and Access Management (Assets) across an expanding ecosystem:
Partners and Channels, Suppliers, Vendors, Resellers; Social Sites and Identities; SaaS, PaaS, and IaaS;
Mobile Devices, Apps, and Identities; On-Premise Applications]


IAM Use-cases
IAM as a Service – use cases

Workforce to SaaS
Extend basic IAM and serve employees accessing SaaS apps
• SaaS apps integration
• Authentication/SSO capabilities
• Employee self-services
• Mobile SSO

Traditional/Legacy Workforce
Functional depth in IGA and access management to on-premise apps
• Legacy (non-web-architected) on-premise apps integration
• Access Certification
• Employee self-services

Consumer IAM (B2C)
IAM to on-premise and cloud-based web apps for consumers
• Social identity integration
• Personalization – profile and password management
• Authentication capabilities

Secure Digital Identity
Protect resources across a hybrid environment in a digital world
• Identity intelligence (security user behavior analytics)
• IAM for IoT
• Behavioral biometrics


SAP IAM Capabilities
The SAP security portfolio

Secure access: SAP Single Sign-On; SAP Cloud Platform Identity Authentication
Secure code: SAP NetWeaver AS, add-on for code vulnerability analysis
Detect attacks: SAP Enterprise Threat Detection
Manage users and permissions: SAP Identity Management; SAP Cloud Platform Identity Provisioning;
SAP Access Control; SAP Cloud Identity Access Governance


Secure access

Preventing unauthorized access to your business systems is crucial for security. Single sign-on
solutions offer secure, convenient single login for all business applications, on premise as well as
in the cloud.

Secure access: SAP Single Sign-On; SAP Cloud Platform Identity Authentication


Manage users and permissions

Handling users and permissions can be a challenge in heterogeneous and hybrid landscapes.
Centralized solutions help you implement a compliant identity management approach.

Manage users and permissions: SAP Identity Management; SAP Cloud Platform Identity Provisioning;
SAP Access Control; SAP Cloud Identity Access Governance


Secure code

How can you protect custom ABAP code in your on-premise landscape? Code vulnerability analysis tools
enable you to fix security loopholes.

Secure code: SAP NetWeaver AS, add-on for code vulnerability analysis


Detect attacks

Internal and external cyber attacks are on the rise. SAP Enterprise Threat Detection lets you monitor
your system landscape in real time.

Detect attacks: SAP Enterprise Threat Detection


Identity and Access Management as a Service from SAP
Solution overview

A complete cloud identity suite that enables organizations to easily manage user on-boarding and helps
users to easily access their applications.

SAP Cloud Platform Identity Provisioning
• Automatically sets up user accounts and authorizations
• Optimized for SAP cloud applications
• Re-uses existing on-premise and cloud user stores
• Works jointly with the SAP Identity Management product

SAP Cloud Platform Identity Authentication
• Simple and secure access to web-based applications
• Enterprise features like password policies and multi-factor and risk-based authentication
• On-premise user store integration
• Easy consumer and partner on-boarding via self-services

This is the current state of planning and may be changed by SAP at any time.
SAP IAM Workforce to SaaS
SAP IAM – Workforce to SaaS (see hands-on session CPL167)

Identity Authentication
 Single Sign-On across SAP applications out-of-the-box and by default
 Pre-integrated SAP applications
 Decrease TCO – connect once
 Delegated authentication
 Enforcing additional security

Identity Provisioning
 Simplified user on-boarding
 SCIM* gateway

[Diagram: Corporate Identity Provider -> Identity Authentication (logon) -> Application]

*System for Cross-domain Identity Management, formerly also known as "Simple Cloud Identity Management"
Business-to-employee scenario (B2E)

Identity Authentication for B2E:
 Single Sign-On from anywhere and on any device
 User self-service for password reset
 User Interface in company look & feel
 Administration services
– Corporate branding
– User management
– Application on-boarding
– Template configuration
 Authentication based on common standards like SAML
 Password policy enforcement on application level

[Diagram: Employee -> Central Identity Authentication -> (Firewall) -> Central User Store]


Identity authentication service as a proxy to a corporate IdP
Delegated authentication

IdP proxy via the SAML standard – easy to establish

Identity provider proxy
 Authentication is delegated to corporate identity provider login
 Reuse of existing single sign-on infrastructure
 Easy and secure authentication for business-to-employee (B2E) scenarios
 Federation based on the SAML 2.0 standard

[Diagram: Applications -> (SAML) -> Identity Authentication (logon) -> (SAML) -> 3rd party Cloud or
Corporate Identity Provider inside the Corporate Network]
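The proxy flow on this slide, modelled as an added example in plain Python (this is not SAP code and not how Identity Authentication is implemented). The application sends a SAML request to the proxy, the proxy sends its own request to the corporate identity provider, and only after it has validated the corporate assertion (issuer, audience, validity window, InResponseTo) does it issue an assertion of its own to the application, bound to the application's original request ID. The entity IDs, the `utc_now`/`corporate_idp`/`proxy_login` names and the stand-in corporate IdP are assumptions; XML signatures are omitted, and a real relying party must verify them before trusting any of the fields checked here.

```python
"""Delegated authentication through a SAML IdP proxy (added example, unsigned assertions)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # real SAML 2.0 assertion namespace
ET.register_namespace("saml", SAML_NS)

# Assumed entity IDs for the three parties in the slide's diagram
APP_ID = "https://app.example"
PROXY_ID = "https://proxy.example"          # Identity Authentication acting as proxy
CORP_IDP_ID = "https://idp.corp.example"    # corporate IdP behind the firewall


def utc_now():
    return datetime.now(timezone.utc)


def _ts(t):
    # SAML timestamps are UTC; this fixed format also sorts lexically in time order
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(issuer, audience, in_response_to, name_id, now, lifetime=300):
    """Issue an (unsigned) SAML 2.0 assertion carrying the fields a relying party must check."""
    a = ET.Element(f"{{{SAML_NS}}}Assertion", ID="_" + uuid.uuid4().hex)
    ET.SubElement(a, f"{{{SAML_NS}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = name_id
    conf = ET.SubElement(subj, f"{{{SAML_NS}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    expiry = _ts(now + timedelta(seconds=lifetime))
    ET.SubElement(conf, f"{{{SAML_NS}}}SubjectConfirmationData",
                  InResponseTo=in_response_to, NotOnOrAfter=expiry)
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions", NotBefore=_ts(now), NotOnOrAfter=expiry)
    aud = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML_NS}}}Audience").text = audience
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, expected_issuer, expected_audience, expected_request_id, now):
    """Checks every relying party (the proxy for the corporate assertion, then the app for the
    proxy's assertion) must perform. Returns the NameID on success, raises ValueError otherwise."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=ns) != expected_issuer:
        raise ValueError("unexpected issuer")
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=ns)
    if audience != expected_audience:
        raise ValueError("assertion not intended for this audience")
    cond = root.find("saml:Conditions", namespaces=ns)
    if not (cond.get("NotBefore") <= _ts(now) < cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", namespaces=ns)
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("assertion does not answer an outstanding request")
    # Signature verification belongs here in a real deployment; omitted in this model.
    return root.findtext("saml:Subject/saml:NameID", namespaces=ns)


def corporate_idp(request_id, now):
    """Stand-in for the corporate IdP: answers the proxy's request for a constructed user."""
    return build_assertion(CORP_IDP_ID, PROXY_ID, request_id, "alice@corp.example", now)


def proxy_login(app_request_id, upstream_idp, now):
    """Proxy step: delegate to the corporate IdP, validate its answer, then issue the
    application-facing assertion bound to the application's own request ID."""
    proxy_request_id = "_" + uuid.uuid4().hex
    corporate_assertion = upstream_idp(proxy_request_id, now)
    name_id = validate_assertion(corporate_assertion, CORP_IDP_ID, PROXY_ID, proxy_request_id, now)
    return build_assertion(PROXY_ID, APP_ID, app_request_id, name_id, now)


def app_login(now=None):
    """Application step: send a request through the proxy and validate what comes back."""
    now = now or utc_now()
    app_request_id = "_" + uuid.uuid4().hex
    assertion = proxy_login(app_request_id, corporate_idp, now)
    return validate_assertion(assertion, PROXY_ID, APP_ID, app_request_id, now)


if __name__ == "__main__":
    print("application sees user:", app_login())
```

The point of the model is that the application only ever trusts the proxy as issuer and never sees the corporate IdP, while the proxy rejects an upstream assertion that is expired, addressed to someone else, or not tied to the request it sent.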
Authentication with on-premise user store
Delegated authentication

Integrate with an on-premise user store via a secure tunnel

On-premise user store
 User credentials from:
 Microsoft Active Directory
 3rd party user store
 No user replication to the cloud required
 Internal network ports do not need to be exposed to the internet
 In addition, the usual product features can be used: UI configuration, policies, two-factor
authentication

[Diagram: Applications -> Identity Authentication (logon) -> SAP Cloud Connector -> Corporate Network:
LDAP, SAP NetWeaver (NW JAVA + SAP SSO, AS ABAP)]
SAP Cloud Platform Identity Provisioning service
Product description

Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud

Solution overview
 Manage user accounts and authorizations in a cloud-based service
 Provision identities from user stores in the cloud and on-premise
 Enable business applications to quickly support single sign-on with Identity Authentication

Key value proposition
 Fast and efficient administration of user on-boarding
 Centralized end-to-end lifecycle management of corporate identities in the cloud
 Automated provisioning of existing on-premise identities to cloud applications

[Diagram: Identity Provisioning retrieves cloud users and their attributes, retrieves on-premise users
and their attributes from the corporate network, and creates accounts and assigns authorizations]
SAP Cloud Platform Identity Provisioning
Easy on-boarding for your cloud applications

Covering a broad range of source and target systems, both in the cloud and on-premise

Source Systems
On-premise:
 SAP NetWeaver Application Server for ABAP
 Microsoft Active Directory
Cloud:
 SAP SuccessFactors
 SAP Cloud Platform Identity Authentication
 Microsoft Azure Active Directory
Generic:
 SCIM-enabled solution
 LDAP Server

Target Systems
 SAP Cloud Platform
 SAP Cloud Platform Identity Authentication
 SAP Hybris Cloud for Customer
 SAP Jam
 SAP Concur
 Google G Suite
 Microsoft Azure Active Directory
 SCIM-enabled solution
 Cloud Foundry User Account and Authentication Server

[Diagram: source systems -> Identity Provisioning -> (SCIM) -> target systems]


SAP Cloud Platform Identity Provisioning (see hands-on session CPL168)
Provisioning to Google (G Suite)

On Google
 Connect to Google Developer Console (https://console.developers.google.com)
 Create and configure a service account
 Note down clientID and private key

On SAP Cloud Platform
 Create a target system of type "Google G Suite"
 Configure the source system that holds the identities
 Optionally update the transformation
 Run the provisioning job

See our blog and our documentation for more details
SAP Cloud Platform Identity Provisioning
Policy-based authorization management

Assign authorizations to cloud applications by mapping attributes in the corporate user store to those in the cloud

Authorization policy management
 Simple and flexible policy definition
 Reuses existing corporate identity store data
– Microsoft Active Directory user attributes and groups
– SAP AS ABAP user attributes and roles
– SAP Cloud Platform Identity Authentication attributes and groups
 Easily comprehensible authorization assignment
 Up-to-date provisioning
– Reflect changes in the user's attribute assignments
– Apply policy definition changes
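Policy-based assignment and "up-to-date provisioning" as an added example in Python (not SAP code, and not the real Identity Provisioning policy syntax). The rule format, the attribute and authorization names, and the `evaluate_policy`/`reconcile` functions are assumptions of this example. It evaluates a small policy over constructed Active Directory-style users (group membership and a department attribute), then diffs the result against what the cloud application currently holds, so that a re-run both adds grants a user has newly earned and revokes grants that no longer follow from the policy, including every grant of a user who has disappeared from the source store.

```python
"""Policy-based authorization assignment with reconciliation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str     # source attribute, e.g. "memberOf" or "department"
    value: str         # value that must be present for the rule to match
    grants: frozenset  # target-application authorizations granted on a match


# Constructed sample policy: AD groups and a department attribute map to cloud app authorizations
POLICY = [
    Rule("memberOf", "CN=Sales,OU=Groups,DC=example,DC=com", frozenset({"crm_user"})),
    Rule("memberOf", "CN=Sales-Managers,OU=Groups,DC=example,DC=com",
         frozenset({"crm_user", "crm_approver"})),
    Rule("department", "Finance", frozenset({"erp_fin_display"})),
]

# Constructed source users: alice was promoted, bob moved to Finance, carol has left
SOURCE_USERS = [
    {"userName": "alice", "department": "Sales",
     "memberOf": ["CN=Sales-Managers,OU=Groups,DC=example,DC=com"]},
    {"userName": "bob", "department": "Finance", "memberOf": []},
]

# Constructed current state of the target application (grants each account still holds)
TARGET_STATE = {
    "alice": {"crm_user"},
    "bob": {"crm_user"},
    "carol": {"crm_user"},
}


def evaluate_policy(user, policy):
    """Authorizations the user should hold, according to the policy.
    Multi-valued attributes (lists) match when any value equals the rule's value."""
    granted = set()
    for rule in policy:
        actual = user.get(rule.attribute)
        values = actual if isinstance(actual, list) else [actual]
        if rule.value in values:
            granted |= rule.grants
    return frozenset(granted)


def plan_changes(desired, current):
    """Diff policy output against the target's current grants: what to add and what to revoke."""
    return {"add": sorted(desired - current), "revoke": sorted(current - desired)}


def reconcile(users, target_state, policy):
    """Per-account change plan. Accounts present in the target but missing from the source
    get all grants revoked, which is how a leaver is cleaned up on the next run."""
    plan = {}
    seen = set()
    for user in users:
        uid = user["userName"]
        seen.add(uid)
        plan[uid] = plan_changes(evaluate_policy(user, policy), frozenset(target_state.get(uid, ())))
    for uid, grants in target_state.items():
        if uid not in seen:
            plan[uid] = plan_changes(frozenset(), frozenset(grants))
    return plan


if __name__ == "__main__":
    for uid, changes in reconcile(SOURCE_USERS, TARGET_STATE, POLICY).items():
        print(uid, changes)
```

Because the target's grants are recomputed from the policy on every run rather than only added to, a changed group membership or a changed rule is reflected as a revocation as well as a grant; a plan that only ever adds is the usual way stale cloud entitlements accumulate.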


SAP Cloud Platform Identity Provisioning
Data transformation modeling

Integrate identity data models of different applications by defining rules for data transformation

 Apply a filter to decide which identities are read from the source system and written to the target
 Map attributes between the source and target systems' data models to handle differences in the models
 Modify the format of the data taken from the source system to make it compatible with the target system

[Diagram: source system -> Identity Provisioning -> (SCIM) -> target system]
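The three transformation steps on this slide (filter, attribute mapping, format modification), carried out on constructed Active Directory-style records to produce SCIM 2.0 User resources of the kind a SCIM gateway would write to a target. This is an added example, not SAP code and not the real Identity Provisioning transformation syntax; the `ATTRIBUTE_MAP` shape, the filter criteria and the sample records are assumptions. The SCIM core schema URN and the ACCOUNTDISABLE bit of userAccountControl are the real values.

```python
"""Filter, map and reformat source identities into SCIM 2.0 Users (added example)."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM core User schema
AD_ACCOUNT_DISABLE = 0x2  # ACCOUNTDISABLE flag in userAccountControl

# Constructed sample source records, shaped like an LDAP read of Active Directory
SOURCE_RECORDS = [
    {"sAMAccountName": "ASmith", "givenName": "Alice", "sn": "Smith",
     "mail": "Alice.Smith@Example.com", "userAccountControl": 512,
     "distinguishedName": "CN=Alice Smith,OU=Employees,DC=example,DC=com"},
    {"sAMAccountName": "svc-backup", "givenName": None, "sn": None,
     "mail": None, "userAccountControl": 512,
     "distinguishedName": "CN=svc-backup,OU=ServiceAccounts,DC=example,DC=com"},
    {"sAMAccountName": "BJones", "givenName": "Bob", "sn": "Jones",
     "mail": "Bob.Jones@Example.com", "userAccountControl": 514,
     "distinguishedName": "CN=Bob Jones,OU=Employees,DC=example,DC=com"},
]


def source_filter(record):
    """Step 1: only people from the Employees OU with a mail address are provisioned.
    Service accounts and mailbox-less objects never reach the cloud target."""
    dn = record.get("distinguishedName", "")
    return ",OU=Employees," in dn and bool(record.get("mail"))


# Step 2: attribute mapping, source attribute name -> dotted SCIM attribute path (assumed format)
ATTRIBUTE_MAP = {
    "sAMAccountName": "userName",
    "givenName": "name.givenName",
    "sn": "name.familyName",
    "mail": "emails",
}


def set_path(target, path, value):
    """Assign a value at a dotted path, creating the intermediate SCIM sub-objects."""
    parts = path.split(".")
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    target[parts[-1]] = value


def transform_value(scim_path, value):
    """Step 3: format modification per target attribute."""
    if scim_path == "emails":
        # SCIM emails is a multi-valued complex attribute; normalise case for matching
        return [{"value": value.lower(), "primary": True}]
    if scim_path == "userName":
        return value.lower()
    return value


def to_scim_user(record):
    user = {"schemas": [SCIM_USER_SCHEMA]}
    for src, dst in ATTRIBUTE_MAP.items():
        if record.get(src) is not None:
            set_path(user, dst, transform_value(dst, record[src]))
    # Derived attributes: a display name, and AD's disable bit translated to SCIM's active flag
    user["displayName"] = f"{record['givenName']} {record['sn']}"
    user["active"] = not (record["userAccountControl"] & AD_ACCOUNT_DISABLE)
    return user


def provision(records):
    """Run all three steps over the source read and return the SCIM resources to write."""
    return [to_scim_user(r) for r in records if source_filter(r)]


if __name__ == "__main__":
    print(json.dumps(provision(SOURCE_RECORDS), indent=2))
```

Carrying the disabled state across as `active: false` (rather than dropping the user from the read) is what lets the target lock the account instead of silently keeping a live one after the source has disabled it.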


SAP IAM Consumer IAM
SAP IAM – Consumer IAM

 Capabilities required for B2C and B2B use-cases – registration, social login, self-services, etc.
 Scalable solution, used already by SAP and Customers for millions of users
 One Solution for B2E and B2C



Business-to-Customer (B2C) and Business-to-Business (B2B) scenario

Identity Authentication for B2C and B2B:
 Self-registration with e-mail confirmation
 Invitation flow
 On-behalf registration
 Single Sign-On
 Access on any device from outside corporate network
 Password reset self-service
 Corporate branding
 Authentication based on trusted standards
 Password policies enforcement on application level

[Diagram: customer and partner -> Identity Authentication -> (Firewall)]


User self-services

User self-services reduce TCO, especially for B2C and B2B scenarios

Convenient user self-services
 Configurable self-registration
 Account confirmation via email
 Forgot password

User profile
 Edit details & change password
 Mobile device activation (for two-factor authentication)
 (Un-)Link social accounts

Product features
 Responsive UIs
 Multilanguage support


SAP IAM Legacy Systems
Identity Lifecycle Management
Customer needs and the value propositions
Cover all use cases of the full identity lifecycle

How long does it take for new employees to receive all permissions and become productive in their new job?
How can you remove permissions automatically if employees change their position?
Are permissions automatically adjusted if someone is promoted to a new position?
Who has adequate permissions to fill in for a co-worker?
How long does it take to remove ALL permissions of an employee? And how can you ensure that they were
properly removed?
SAP Cloud Platform Identity Provisioning (see hands-on session S4H261)
Integration with SAP Identity Management

Existing customers of SAP Identity Management (IdM) can extend their identity lifecycle management to also
cover cloud-based scenarios using Identity Provisioning and Identity Authentication

 For on-premise landscapes, SAP Identity Management remains the recommended solution as it covers the
on-premise expectations with respect to customization and performance
 For cloud systems, Identity Provisioning service is recommended. Its deployment model and simplicity
better match the characteristics of cloud-based business applications. While SAP IdM includes a small set
of connectors for cloud applications, Identity Provisioning is the platform for broad cloud integration
allowing customers to efficiently on-board new applications
 In hybrid cloud / on-premise scenarios, integrating SAP IdM with Identity Provisioning is the recommended
solution. Only this allows customers to gain the maximum benefits from both worlds

[Diagram: Cloud: SAP Cloud Platform Identity Provisioning & Identity Authentication; On-premise: SAP
Identity Management]
Demo



SAP IAM Way Forward
Identity and Access Management
A central service for SAP and non-SAP applications

[Diagram: SAP Cloud Platform at the center, serving SAP Integrated Business Planning, SAP Asset
Intelligence Network, SAP S/4 HANA Cloud, Microsoft Office 365, SAP Innovation Management, SAP Document
Center, SAP Networked Logistics Hub, SAP Cloud Platform Portal service sites, and Health for Patient
Engagement]


IAM for Digital Safety

CORE NEEDS
PERSONALIZATION: Dynamically react to individual needs and offer tailored experience
PROTECTION: Safe and protected experience both online and offline
SEAMLESSNESS: Safe and secure experience without complicated processes
TRUST: Build trusted foundation of privacy and security
SUPPORT: Ongoing assistance and support and optimized experience
CONTROL: Greater oversight and supervision of personal security and tools to manage privacy
FLEXIBILITY: Tools offering freedom and mobility


SAP TechEd Online / Community

Access replays of
 Keynotes
 SAP TechEd live interviews
 Select lecture sessions

http://sapteched.com/online

Continue your SAP TechEd discussion after the event within the SAP TechEd Community!
 Read and reply to blogposts
 Ask your questions
 Join conversations

sap.com/community
See all SAP TechEd Blogposts


Further information

Related SAP TechEd sessions


S4H827 – Roadmap: SAP Identity Management
CPL842 – Roadmap: SAP Cloud Platform Identity Authentication
CPL834 – Roadmap: SAP Cloud Platform Identity Provisioning

CPL167 – Hands-on: End-to-End Cloud Identity and Access Management


CPL168 – Hands-on: Identity and Access Management Across SAP and Google in SAP Cloud Platform
S4H261 – Hands-on: Compliant Identity Management in Hybrid System Environments

CPL715 – Code Review: Configure Clickjacking Protection for Your Customized Login Screen
CPL716 – Code Review: Adjusting User Provisioning Rules in SAP Cloud Platform

SAP Public Web


www.sap.com/community/topic/security.html
cloudplatform.sap.com/capabilities/security.html

Watch SAP TechEd Online


www.sapteched.com/online



Thanks for attending this session.

Feedback
Please complete your session evaluation for S4H101.


© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various
risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
