The Identity Blog

1Trooper’s SAP Identity Authentication Features

This post outlines the security-relevant information that applies to SAP Identity Authentication and gives administrators suggestions for securing it.

Administrators and specialists must use Identity Authentication in a secure manner. Depending on usage, integrations, applicability, and regulations, there are various elements to consider.

1Trooper’s SAP Identity Authentication features are described below.

  1. Communication protocol

Identity Authentication is a fully web browser-based application, and all access to it is over HTTPS. Every page of the application is delivered through Transport Layer Security (TLS), so access to Identity Authentication is encrypted in transit over HTTPS with 256-bit TLS encryption.

  2. Password security

Plain-text passwords are not stored in the database. Identity Authentication stores only repeatedly hashed, random-salted values. The random salt is different for each password and is at least 512 bits long. Only generic hash functions with a key length of at least 512 bits are used. No default passwords are delivered, used, or accepted.

For user authentication, the application can use passwords from on-premise systems. Identity Authentication does not store these passwords; it sends the user ID and password to the on-premise system for authentication over a Transport Layer Security (TLS) connection. The passwords themselves are managed by the integrated on-premise system that supports them, such as Microsoft Active Directory.

It supports 3 levels of password security. You can choose the highest level that matches the requirements of the application. Passwords are managed according to the password policy rules.
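To make the password-storage properties described above concrete, the following Python example (added here; it is not SAP's code and does not show how Identity Authentication is implemented) stores a password as a repeatedly hashed value with a fresh 512-bit random salt and a 512-bit hash function, rejects empty passwords, and verifies candidates in constant time. The record format, the iteration count and the PBKDF2 construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters mirroring the properties in the text, not SAP's values:
# a fresh 512-bit salt per password, a 512-bit hash, repeated hashing via PBKDF2.
SALT_BYTES = 64          # 512 bits of random salt
HASH_NAME = "sha512"     # 512-bit digest
ITERATIONS = 200_000     # repetition count; tune to your hardware budget


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha512$iters$salt_hex$hash_hex'."""
    if not password:
        raise ValueError("empty password is not accepted")
    if not salt:
        salt = os.urandom(SALT_BYTES)      # new random salt for every password
    if len(salt) < SALT_BYTES:
        raise ValueError("salt must be at least 512 bits")
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        hash_name = scheme.split("_", 1)[1]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except (ValueError, IndexError):
        return False                       # malformed record is never a match
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def salt_of(record: str) -> bytes:
    """Extract the salt from a stored record (shows that salts differ per password)."""
    return bytes.fromhex(record.split("$")[2])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample input
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```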

  3. Session security

Session cookies in Identity Authentication are protected by Transport Layer Security (TLS) together with the Secure and HttpOnly cookie attributes, so no additional configuration of Identity Authentication is necessary for this.

  4. Network and communication security

Identity Authentication is set up in a fenced network, separated from the SAP internal network. Customer applications generally run in a shared environment, with their business data isolated from one another. SAP and BTP services use their respective shared infrastructure. Firewalls control internal traffic. SAP administrative access is done through a terminal service that requires strong authentication. TLS protects all communication channels. The cloud application must be configured to use TLS and also to check the SAML 2.0 signature.

  5. Data storage security

This concerns how the Identity Authentication application protects its database. Data storage security is ensured by the isolated tenant that every customer receives: the tenant's database can be accessed only through tenant-specific requests, which a tenant service performs. That service works with a dependency injection framework and ensures that all services, such as the mail service and the persistence service, are injected with instances dedicated to the tenant.

  6. Security-relevant logging and tracing

A CSV file with a history of the operations performed by the administrators can be downloaded, and statistics on the total number of user login requests per month can be retrieved. That number counts every single authentication managed via Identity Authentication.
