SAP Single Sign-On Insider Tips – Volume #3

by

Welcome to a new article of our “Insider Tips” series. If you are a loyal reader of our blog, you already know the benefits of Single Sign-On for SAP. SAP’s standard login procedures are insecure and not user-friendly. In our previous articles, we talked about how to achieve secure DIAG, RFC, and HTTP communication by using state-of-the-art end-to-end encryption. On top of that, I recommended replacing the existing authentication method with a more secure and token-based approach. That is what SSO is all about.

SSO and the coexistence of passwords… or how to increase your SAP password security

In volume #3 we talk about what SSO means for your SAP passwords, and answer the following questions: Do you still need passwords after implementing SSO? Or can you get rid of them completely? What are the best ways for handling SAP passwords after introducing Single Sign-On?

Access to IT systems must be restricted and controlled. That is the reason why we have authorization concepts. But before authorizations kick in, users have to authenticate first. That can occur against the target system, or even better, against a central trust repository. One of the issues in today’s IT landscape is identity and authentication. And chances are, it will stay like that until quantum computers, artificial intelligence, and the blockchain rule the world 🙂

Protecting your identity and credentials is more significant nowadays than it ever was. That is especially true for SAP systems. Still, more than a half of all successful data breaches are caused by weak, default, leaked or stolen passwords.

SSO often relies on a central repository, such as Active Directory, for user authentication. As a result, users enjoy transparent access to all SAP applications, after having authenticated against Active Directory as part of the login to their computer. Gone are the days, when users had to memorize dozens of passwords for different systems or change them frequently. Gone are the days when SAP passwords were transmitted over the network in clear text. Instead, both user productivity and the overall security were improved, thanks to the reduced number of passwords.

An additional benefit of hooking SSO up to a central user repository is the ability to quickly lock users out of all SAP systems, for example, if the user leaves the company.

Hint: By removing passwords as part of a SSO implementation, previously vulnerable password hashes can no longer be used by attackers to gain unauthorized access to SAP systems. Instead, attackers would have to penetrate your Active Directory infrastructure, if that is the central user repository for SAP. That is often more difficult than attacking individual SAP systems.

Seven rules of increasing your password security while using Single Sign-On

  1. SAP passwords are still present, and they are not gone. You just don’t use them with SSO. Password rules stay active. For example, regular password changes are still required, although users log on to the system using single sign-on. You can configure your SAP system to ignore password changes, caused by existing password policies. That way, users can always log in and even if the password is “initial”.
  2. The golden rule is that SSO should be mandatory for regular SAP users and thus about 95% of all SAP users.
  3. You still will need to maintain passwords for the remaining 5% of your accounts such as standard accounts or RFC users. That must happen according to your corporate password policies, even if they don’t apply for some user types in SAP.
  4. You should avoid password-based login and configure your SAP applications to allow a password based login only in cases where it is required. Examples are the use of standard users or to allow developers and testers to log in with different users for some reason. The latter use case can also be addressed with SSO. That applies to SAP GUI as well as to any SAP web application.
  5. If SSO has been implemented SAP users should no longer need to worry about passwords at all. SSO needs to be implemented consistently across all applications and frontends. Once that is done, all passwords can be deactivated. If not, you may quickly run into issues. One of the biggest mistakes is to forget applications relying on existing passwords. One example that comes to my mind is SAP BusinessObjects. It offers the BI Launchpad (web interface) which can be configured for SSO based on SPNego. Once users are authenticated at the BI platform, they have to perform actions that require access to backend systems, such as BW systems. And if SSO was not implemented across all these components, this is a hindrance to disable passwords in the backend, as users still need to enter them to access information.
  6. SAP does not store user passwords in clear text but instead, it protects them using hash functions and salted hash values. Those values are stored in several tables of the SAP database such as USR02. Once you disable the passwords and enforce the use of SSO, the password hashes – such as the feared but for hackers popular BCODE or PASSCODE values – are wiped too. This, in turn, increases the overall security.
  7. In general, don’t forget password security and system hardening. Use latest password hashing mechanisms provided by the SAP platform. This is important e. g. for standard accounts or RFC users. Once you have ensured that, you can delete old and redundant password hashes from the corresponding tables. SAP provides cleanup reports to do that.

Stay tuned for volume #4 of Xiting’s Insider Tips for SAP Single Sign-On!

Carsten Olt

Carsten is a Senior IT Security Consultant and in charge of the Governance, Risk, and Compliance business at Xiting GmbH in Germany. He has over 15 years of experience in the security industry. Before taking over this responsibility, he has been in charge of various key positions at SECUDE. Carsten’s security expertise is in the areas of PKI, Encryption, SAP Strong Authentication, Secure Network Communication and SAP Single Sign-On as well as SAP Enterprise Threat Detection.