Best Practice 7.3 – Understand your organization’s identity management approach, and its application to SAP
Typical SAP workloads will consist of multiple systems and therefore multiple identities. A centralized approach for managing these users can reduce the security risk and operational complexity. Your focus should be on how to use AWS services and third-party tools in your approach to SAP security, considering such options as centralized user management, single sign-on, and multi-factor authentication.
Suggestion 7.3.1 – Determine an Identity Provider for named users
Users will be associated with an identity store, for example Active Directory. This acts as a central repository for managing identity information, such as roles, permissions, and identifiers. For each set of identities, determine whether it can be associated with an Identity Provider. An identity provider enables you to off-load the authentication of users. It facilitates single sign-on (SSO) and also manages the user identity lifecycle (for example joiners, movers, leavers).
Consider exceptions for named users that are not associated with a human. This may include batch, job scheduling, integration, and monitoring users.
- AWS Documentation: AWS Directory Service | Amazon Web Services (AWS)
- AWS Documentation: AWS Identity Services
Suggestion 7.3.2 – Determine the authentication mechanisms
Understand the supported authentication mechanisms (for example, SAML, Kerberos, X.509, SAP Single Sign-On tickets) at each of the layers of your SAP workload. Evaluate the requirements to integrate with your application. Where possible, use single sign-on to avoid the administrative and security impact of managing multiple user credentials.
- SAP Documentation: User Authentication and single sign-on
- AWS Documentation: Cloud applications - AWS IAM Identity Center
- SAP on AWS Blog: Enable SAP Single Sign On with AWS IAM Identity Center Part 1: Integrate SAP NetWeaver ABAP with IAM Identity Center
- SAP on AWS Blog: Enable SAP Single Sign On with AWS IAM Identity Center Part 2: Integrate SAP NetWeaver Java
- SAP on AWS Blog: Enable Single Sign On for SAP Cloud Platform Foundry and SAP Cloud Platform Neo with IAM Identity Center
Suggestion 7.3.3 – Consider multi-factor authentication
Multi-Factor Authentication (MFA) is a best practice that adds an extra layer of protection on top of your logon credentials. These multiple factors provide increased security for your SAP application. Use cases include: access to SAP from an untrusted device; access to the AWS Management Console; and privileged activities such as deletion of backups or termination of EC2 instances.
- SAP on AWS Blog: Securing SAP Fiori with MFA
- AWS Documentation: Using MFA devices with your IAM sign-in page - AWS Identity and Access
- AWS Documentation: Configuring MFA delete - Amazon Simple Storage Service
- AWS Documentation: Amazon EC2: Requires MFA (GetSessionToken) for specific EC2 operations
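As an added illustration of the last use case above (example policy written for this page, not taken from the Lens or the AWS documentation it references), an IAM identity-based policy that allows routine EC2 actions on the SAP hosts but grants instance termination and backup recovery point deletion only when the request carries an MFA-authenticated session. The specific action set and the wildcard resource are assumptions; scope them to your SAP instances and backup vaults.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RoutineEC2OperationsWithoutMFA",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PrivilegedDestructiveActionsRequireMFA",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "backup:DeleteRecoveryPoint"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Because the second statement uses `Bool` rather than `BoolIfExists`, it fails closed: a request made with long-term access keys has no `aws:MultiFactorAuthPresent` key at all, so the condition does not match and the destructive actions stay denied for the non-human technical users described in Suggestion 7.3.1.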
Suggestion 7.3.4 – Determine the approach to certificate management
Client-based certificates can be used for authentication without the need for credentials. Determine an approach which includes time-based expiration for session management and certificate rotation for system-to-system communication. AWS provides a Certificate Authority (CA) that is trusted by SAP. Certificates can be issued and managed using AWS Certificate Manager (ACM).
- SAP Note: 2801396 - SAP Global Trust List [Requires SAP Portal Access]
- SAP Note: 3040959 - How to get a CA signed server certificate in ABAP [Requires SAP Portal Access]
- SAP Lens [Operational Excellence]: Suggestion 3.4.1 - Create specific runbooks for SAP security operations
- SAP Lens [Operational Excellence]: Suggestion 4.1.2 - Maintain a calendar for expiry of credentials, certificates and licenses