Navigating the Transition: A Day in the Life of an SAP SSO Migration


To be more precise: from SAP Single Sign-On 3.0 to the SAP Secure Login Service for SAP GUI.

In the bustling world of SAP management, transitions and upgrades are part and parcel of maintaining a robust and secure infrastructure. Recently, we embarked on a journey to migrate from the aging SAP SSO 3.0 to the more advanced SAP Secure Login Service for SAP GUI.

Here’s a glimpse into a typical customer scenario that highlights the challenges and solutions we encountered.

The Challenge: Outdated Authentication Systems

Our client, a large organization with a complex hybrid SAP infrastructure, faced the imminent end-of-life for their SAP SSO 3.0 and SAP NetWeaver AS Java platform. The existing authentication system, heavily reliant on Kerberos and client certificates, was not only outdated but also cumbersome to maintain. The goal was to migrate to a more modern, flexible authentication system that could meet the evolving security needs.

Modern Authentication


The driving force behind SAP's launch of the SAP Secure Login Service for SAP GUI is the shift towards modern business environments. Companies are moving beyond the traditional perimeter, meaning clients are no longer anchored in the classic Active Directory domain. To keep up with this evolution, it’s crucial to implement contemporary authentication methods that not only support SSO but also ensure device integrity and MFA, all while continuing to accommodate SAP GUI, which is here to stay for a while. Given the diverse requirements and dependencies across different companies, it’s often best to start with smaller preliminary projects and gradually roll out the new system. The goal should be to unify hybrid authentication across DIAG, RFC, and HTTP protocols, leveraging identity providers, identity federation, SAML 2.0, OpenID Connect, and security measures like device integrity checks, policies, and MFA. This way, future identity and device signals can be assessed, allowing centralized instances like Microsoft Entra ID to make authentication decisions and enforce additional security factors as needed.

Initial Steps: Setting the Stage

We kicked off with a detailed workshop involving key stakeholders. The initial focus was to provide an overview of the current authentication setup, which included over 50 on-prem SAP systems integrated with cloud services and various SaaS applications. The workshop highlighted the need for a transition to a modern authentication method like SAML 2.0, which promises enhanced security, reduced maintenance, and better user experience.

The aim of the workshop was to discuss the migration from the existing SAP SSO 3.0 solution to the new SAP Secure Login Service for SAP GUI solution. The focus was on comparing the native Kerberos authentication with the new identity federation-based solution.

The workshop clearly demonstrated that the existing Kerberos- and X.509-based SSO infrastructure needs to be modernized. A phased migration to the new SAP Secure Login Service for SAP GUI solution is recommended. The proposed preliminary projects and a planned, coordinated rollout will help to ensure a smooth transition and establish a modern, flexible authentication solution.

[Figure: Simple view on SSO for the hybrid SAP space]

The Migration Strategy: A Phased Approach

The recommended strategy was a phased migration, starting with preliminary projects to lay the groundwork.

1. Project 1: Migrating to SAP IAS

The first step involved transitioning the SAP Identity Provider (IdP) to the SAP Identity Authentication Service (IAS). This entailed replacing client certificates with SAML for HTTP-based applications. The move to SAML 2.0 was crucial for simplifying the authentication process and improving security.
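Moving the HTTP-based applications from client certificates to SAML 2.0 shifts the trust decision from a TLS handshake to the checks the service provider applies to each assertion it receives. The following is an added example, not code from the original article or from Xiting or SAP: it shows the conditions a relying party has to enforce after the IdP signature has been verified (issuer, audience, validity window with clock skew, and one-time use of the assertion ID). The assertion, the issuer and audience URLs and the user name are constructed for the example; XML signature verification is assumed to be done beforehand by a dedicated library and is deliberately not reimplemented here.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).

Signature verification is assumed to have already passed via a proper
XML-DSig library; these are the checks that still have to happen after it.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; all values are illustrative only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" IssueInstant="2024-06-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-06-01T09:59:00Z" NotOnOrAfter="2024-06-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sap.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

EXPECTED_ISSUER = "https://idp.example.test/saml2"      # assumed IdP entity ID
EXPECTED_AUDIENCE = "https://sap.example.test/sp"       # assumed SP entity ID


def utc(hour, minute):
    """Helper: a UTC timestamp on the sample assertion's day (2024-06-01)."""
    return datetime(2024, 6, 1, hour, minute, 0, tzinfo=timezone.utc)


def parse_saml_time(value):
    # SAML xs:dateTime values are expressed in UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers assertion IDs until their NotOnOrAfter so a replay is rejected."""

    def __init__(self):
        self._seen = {}

    def check_and_store(self, assertion_id, expires_at, now):
        # Evict expired entries so the cache stays bounded.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       replay_cache, skew=timedelta(seconds=60)):
    """Return (True, NameID) on success or (False, reason) on the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "missing NotOnOrAfter"
    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    expires = parse_saml_time(not_on_or_after)
    if now - skew >= expires:
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    assertion_id = root.get("ID")
    if not assertion_id or not replay_cache.check_and_store(assertion_id, expires, now):
        return False, "replayed assertion"
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Run the sample assertion through the typical accept / replay / expired / wrong-audience cases."""
    cache = ReplayCache()
    first = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE, utc(10, 1), cache)
    replay = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE, utc(10, 1), cache)
    expired = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE, utc(10, 10), ReplayCache())
    wrong_sp = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, "https://other.example.test/sp", utc(10, 1), ReplayCache())
    return first, replay, expired, wrong_sp


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "expired", "wrong audience"), demo()):
        print(label, result)
```

The order of the checks matters less than the fact that all of them run: an assertion with a valid signature but the wrong Audience is exactly what a relying party would accept if it trusted the signature alone, and the replay cache is what turns a captured assertion into a one-time credential.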

2. Project 2: Establishing a New PKI Infrastructure

With the decommissioning of the SAP Secure Login Server, a new Public Key Infrastructure (PKI) was needed. This project involved selecting a suitable PKI solution, defining certificate request processes, and ensuring seamless integration with existing SAP systems.

Implementation: Rolling Out the New Solution

The actual migration to the SAP Secure Login Service for SAP GUI was executed in a step-by-step manner. We established a central instance of the service within a dedicated multi-cloud subaccount of the SAP Business Technology Platform (BTP). This instance was connected to the central SAP Cloud Identity Services (SCI/IAS) tenant to manage identity federation.

Pilot and Beyond: Testing and Scaling

A pilot group within the organization was selected to test the new SSO procedures. This pilot phase included rolling out updated SAP GUI and Secure Login Client packages, implementing the necessary PKI trusts, and adjusting SNC names in the backend systems. Based on the pilot's success, the solution was gradually rolled out to other institutions within the organization.

The Result: A Modern, Flexible Authentication Solution

Through meticulous planning, coordinated communication, and a phased rollout, we successfully transitioned the client’s authentication infrastructure. The new system not only met current security standards but also provided a flexible foundation for future enhancements.

Conclusion: The Journey Continues

The migration from SAP SSO 3.0 to SAP Secure Login Service for SAP GUI exemplifies the importance of strategic planning and phased implementation in SAP projects. As we continue to support our clients through their digital transformations, each success story like this reinforces our commitment to delivering secure, efficient, and future-proof solutions.

Carsten Olt

Head of SAP IAM | SAP Trainer | Secure Authentication & SSO | SAP Cloud Security at Xiting AG
