{"id":2340,"date":"2017-07-25T10:00:03","date_gmt":"2017-07-25T08:00:03","guid":{"rendered":"https:\/\/www.xiting.us\/?p=2340"},"modified":"2025-10-01T10:40:52","modified_gmt":"2025-10-01T08:40:52","slug":"sap-single-sign-on-insider-tips-volume-2","status":"publish","type":"post","link":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/","title":{"rendered":"SAP Single Sign-On Insider Tips \u2013 Volume #2"},"content":{"rendered":"<p>\u201cInsider Tips\u201d talks about some of the lesser-known configuration options of SAP Single Sign-On.<\/p>\n<p>In volume #2 and upcoming blog articles, we will look at best practices for hardening your SAP Single Sign-On implementation. We will discuss challenges companies face when trying to enforce encryption for SAP GUI and RFC. We will also take a closer look at new profile parameters and configuration options available with the new CommonCryptoLib 8.5x, part of SAP Single Sign-On 3.0.<\/p>\n<h2><strong>Challenges when trying to enforce SNC encryption<\/strong><\/h2>\n<p>For most web applications, TLS has already become the standard. It offers an encrypted communication channel between the client and the server and enables secure authentication, even when using basic authentication (username and password). This isn\u2019t true for most SAP applications. The SAP proprietary protocols SAP Dynamic Information and Action Gateway (SAP DIAG) and SAP Remote Function Call (SAP RFC) do not cryptographically authenticate client and server or encrypt network communication.<\/p>\n<p>Secure Network Communications (SNC) closes this gap and supports various authentication mechanisms as well as Single Sign-On standards. Ensuring the right QoP level for Secure Network Communications is essential. If you connect to an SAP system using SNC, you can see a lock icon in the bottom right corner of the GUI screen. Many users assume that this is proof of an encrypted connection. 
Well, not necessarily!<\/p>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-1.jpg\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-medium wp-image-2341\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-1-600x332.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"600\" height=\"332\"><\/a><\/p>\n<p>After implementing SAP Single Sign-On and SNC, most companies do not enforce its use, and thus it is still possible to bypass the SNC layer. That can be accomplished by manually changing the SAP GUI connection settings. Often this is done to allow access for special system accounts or external users &#8211; even if there are better solutions available.<\/p>\n<h3>Enforce SNC on the backend<\/h3>\n<p>You can enforce encryption by setting the profile parameter <strong>snc\/accept_insecure_gui = U<\/strong>, so that insecure logins are only allowed on a user-specific basis, depending on a flag in the user master record. This is the first step in hardening an SSO deployment, but in my experience, many companies do not do it. As a result, it\u2019s easy for end-users to bypass encryption by simply changing a check box in SAP GUI.<\/p>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-2.jpg\"><img decoding=\"async\" class=\"aligncenter size-medium wp-image-2342\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-2-600x253.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"600\" height=\"253\"><\/a><\/p>\n<h3>Enforce Quality of Protocol<\/h3>\n<p>It should be mentioned that <strong>snc\/accept_insecure_gui<\/strong> on its own does not guarantee encrypted SNC communication, as it does not consider the so-called QoP (Quality of Protection) in the SNC layer. QoP specifies the level of protection for an SNC connection. 
In the worst case, this could be authentication only (level 1). From an end-user perspective, this already looks like Single Sign-On. However, it would provide neither integrity protection (level 2) nor privacy protection (level 3). QoP has to be configured for both SNC communication partners involved in the end-to-end security mechanism.<\/p>\n<p>For SAP GUI, the value is either fixed or can be negotiated with the SNC peer. Setting the profile parameter <strong>snc\/data_protection\/min = 3<\/strong> ensures that every SNC connection established with the server has to be encrypted. Our recommendation is to set the QoP to level 3 in SAP GUI as well, to enforce the best possible security:<\/p>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-3.jpg\"><img decoding=\"async\" class=\"aligncenter size-medium wp-image-2343\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-3-600x359.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"600\" height=\"359\"><\/a><\/p>\n<p>You may also want to make use of some newer profile parameters such as <strong>snc\/only_encrypted_gui<\/strong> and <strong>snc\/only_encrypted_rfc<\/strong> to control whether GUI\/RFC connections need to be encrypted (using SNC with a proper QoP) or not, so that bypassing SNC is no longer possible. For more information, see <a href=\"https:\/\/launchpad.support.sap.com\/#\/notes\/1690662\"><strong>SAP Note 1690662<\/strong><\/a><strong>: Blocking unencrypted SAP GUI\/RFC connections.<\/strong><\/p>\n<h3>Security Audit Log<\/h3>\n<p>Enforcing SNC encryption for GUI\/RFC also means some preparation beforehand, to make sure you do not experience any unexpected side effects. You should enable SNC for your RFC destinations, at least the external ones. Additionally, you should roll out QoP level 3 as part of your client deployment. 
Use the Security Audit Log (SAL, <strong>SM19\/SM20<\/strong>) to filter successful logins by login type and method, or <strong>SM04<\/strong> (Technical Info -&gt; <strong>snc_count<\/strong>), to get a clear picture of the current state of SNC usage.<\/p>\n<p>You may also want to implement some custom reports to simplify reporting. Once you have enforced SNC, you can continuously monitor the encryption status. The system can also trigger a SAL event when it detects unencrypted SAP GUI or RFC communications. That way, you can inform affected users or system owners. For more information, check out <a href=\"https:\/\/launchpad.support.sap.com\/#\/notes\/0002122578\"><strong>SAP Note 2122578<\/strong><\/a>: <strong>New: Security Audit Log event for unencrypted GUI \/ RFC connections<\/strong><\/p>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-2344\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-4-600x329.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"600\" height=\"329\"><\/a><\/p>\n<p>By the way, even without Single Sign-On, you can use the new <a href=\"https:\/\/launchpad.support.sap.com\/#\/notes\/2440692\/E\">SNC Client Encryption 2.0<\/a> solution from SAP, available since April 2017, to protect your SAP GUI connections using SNC encryption. It integrates directly into SAP GUI 7.50 without the need to deploy any additional software on the clients. 
This requires the new CommonCryptoLib 8.5 on each backend, and you can influence or enforce DIAG encryption by using the new CCL profile parameter <strong>ccl\/snc\/server_partner_auth_mode<\/strong>, which brings us directly to the next topic.<\/p>\n<h2><strong>CommonCryptoLib (CCL) special configuration parameters<\/strong><\/h2>\n<p>As of CommonCryptoLib 8.5.2, new configuration settings are available. You can configure them via profile parameters. CCL reads the name of its configuration file from the environment variable <strong>CCL_PROFILE<\/strong>, which you set via the profile parameter <strong>SETENV_xx = CCL_PROFILE=$(DIR_PROFILE)\/DEFAULT.PFL<\/strong> and which has to be set globally for <strong>&lt;sid&gt;adm<\/strong>. By using <strong>ccl\/snc\/*<\/strong> parameters, you can harden security by restricting CCL to high-security cipher suites only, and much more.<\/p>\n<p>In a recent SSO project at one of our customers, we had to configure some SAP systems to accept authentication using X.509 certificates issued by ADCS (Active Directory Certificate Services). One drawback of ADCS is that you cannot easily change the composition of the certificate subject name. There are only two options available: 1) <strong>CN=&lt;displayName&gt;<\/strong> or 2) the fully distinguished name, such as <strong>CN=John Doe, OU=North America, OU=Sales Dept., DC=customer, DC=domain<\/strong>. 
That is way too complicated for the simple user mapping rules for SNC (<strong>SNC1<\/strong>) or HTTP-based SSO via ICM (<strong>CERTRULE<\/strong>).<\/p>\n<h3>Example<\/h3>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-6.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-2346\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-6-597x600.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"597\" height=\"600\"><\/a><\/p>\n<p>We had the requirement to use the subject alternative name (SAN) extension instead of the default certificate subject name for user authentication. The SAN contains the UPN or the RFC 822 email address of a user in the Active Directory. In this case, the UPN <strong>&lt;sAMAccountName@DOMAIN&gt;<\/strong> was included in each user certificate. Luckily, the <strong>sAMAccountName<\/strong> matched the <strong>User ID<\/strong> in SAP.<\/p>\n<p>The solution was to set the parameter <strong>ccl\/snc\/server_partner_name_x509<\/strong> to the value <strong>UserPrincipalNameOrSubject<\/strong>. This configures the SAP system to take the SNC name from the SAN extension and to convert it accordingly. The <strong>*OrSubject<\/strong> suffix makes the subject name the fallback if the system cannot find the requested alternative name in the certificate. That could happen for server certificates, as this setting impacts RFC connections as well.<\/p>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-7.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-2347\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-7-596x600.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"596\" height=\"600\"><\/a><\/p>\n<p>You don&#8217;t need that for HTTP-based access. 
Instead, you can use rule-based certificate mapping (<strong>CERTRULE<\/strong>) to map users to parts of the certificate&#8217;s subject or the subject alternative name. For example, using the following rule, we enabled login with X.509 certificates for all users at one customer:<\/p>\n<p><a href=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-2345\" src=\"https:\/\/www.xiting.us\/wp-content\/uploads\/2017\/07\/sap-single-sign-on-insider-tips-5-600x324.jpg\" alt=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" width=\"600\" height=\"324\"><\/a><\/p>\n<p>There are many more options available to control SNC name conversion, encoding or upper\/lower case transformations by the library. This also applies to Kerberos names, which you can use with or without the REALM part. One of my favorites is <strong>ccl\/snc\/server_cipher_suites = HIGH<\/strong>. Similar to TLS, you can limit which cipher suites may be used during the SNC client\/server handshake. That way, you can eliminate insecure cipher suites, such as those based on 3DES or SHA-1. I already blogged about Perfect Forward Secrecy (<a href=\"https:\/\/www.xiting.us\/blog\/important-use-date-sap-security-libraries\/\">PFS<\/a>), which you can also enable using this parameter.<\/p>\n<p>By using <strong>ccl\/pkix\/*<\/strong> parameters, you can control certificate verification, such as checking for specific X.509 certificate constraints or certificate policies, as well as the certificate revocation checking (CRL) behavior. Sounds interesting? 
Take a look at <a href=\"https:\/\/launchpad.support.sap.com\/#\/notes\/2338952\/E\"><strong>SAP Note 2338952<\/strong><\/a><strong>: CommonCryptoLib 8.5: Configuration Profile Parameters<\/strong><\/p>\n<p>Stay tuned for volume #3 of Xiting\u2019s Insider Tips for SAP Single Sign-On!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cInsider Tips\u201d talks about some of the lesser known configuration options of SAP Single Sign-On. In volume #2 and upcoming blog articles, we will look at best practices for hardening your SAP Single Sign-On implementation. We will discuss challenges companies face when trying to enforce encryption for SAP GUI and RFC. We will also take [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":9462,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[1835],"tags":[108,142,143,151],"class_list":["post-2340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-commoncryptolib","tag-insider-tips","tag-single-sign-on","tag-sso-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SAP Single Sign-On Insider Tips \u2013 Volume #2 - Xiting<\/title>\n<meta name=\"description\" content=\"In Volume #2 of SAP SSO Insider Tips we will discuss challenges companies face when trying to enforce encryption for SAP GUI and RFC and more.\" \/>\n<meta name=\"robots\" content=\"noindex, nofollow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAP Single Sign-On Insider Tips \u2013 Volume #2\" \/>\n<meta property=\"og:description\" content=\"\u201cInsider 
Tips\u201d talks about some of the lesser known configuration options of SAP Single Sign-On. In volume #2 and upcoming blog articles, we will look at\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiting\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/XitingAG\" \/>\n<meta property=\"article:published_time\" content=\"2017-07-25T08:00:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-01T08:40:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiting.com\/wp-content\/uploads\/2017\/10\/sap-security-blog-sso.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"964\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Carsten Olt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@jsterr@xiting.de\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Carsten Olt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/\"},\"author\":{\"name\":\"Carsten Olt\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#\\\/schema\\\/person\\\/3c32c7de1132d012e263720a9f3300a2\"},\"headline\":\"SAP Single Sign-On Insider Tips \u2013 Volume #2\",\"datePublished\":\"2017-07-25T08:00:03+00:00\",\"dateModified\":\"2025-10-01T08:40:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/\"},\"wordCount\":1325,\"publisher\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2017\\\/10\\\/sap-security-blog-sso.jpg\",\"keywords\":[\"CommonCryptoLib\",\"Insider Tips\",\"Single Sign-On\",\"SSO\"],\"articleSection\":[\"SAP Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/\",\"url\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/\",\"name\":\"SAP Single Sign-On Insider Tips \u2013 Volume #2 - 
Xiting\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2017\\\/10\\\/sap-security-blog-sso.jpg\",\"datePublished\":\"2017-07-25T08:00:03+00:00\",\"dateModified\":\"2025-10-01T08:40:52+00:00\",\"description\":\"In Volume #2 of SAP SSO Insider Tips we will discuss challenges companies face when trying to enforce encryption for SAP GUI and RFC and more.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#primaryimage\",\"url\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2017\\\/10\\\/sap-security-blog-sso.jpg\",\"contentUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2017\\\/10\\\/sap-security-blog-sso.jpg\",\"width\":964,\"height\":600},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/sap-single-sign-on-insider-tips-volume-2\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/xiting.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAP Single Sign-On Insider Tips \u2013 Volume #2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/xiting.com\\\/en\\\/\",\"name\":\"Xiting\",\"description\":\"Your Expert for SAP 
Security\",\"publisher\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/xiting.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#organization\",\"name\":\"Xiting\",\"url\":\"https:\\\/\\\/xiting.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2019\\\/08\\\/xiting-logo.svg\",\"contentUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2019\\\/08\\\/xiting-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Xiting\"},\"image\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/XitingAG\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/1345129\\\/\",\"https:\\\/\\\/www.instagram.com\\\/xiting.global\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/xiting.com\\\/en\\\/#\\\/schema\\\/person\\\/3c32c7de1132d012e263720a9f3300a2\",\"name\":\"Carsten Olt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g\",\"caption\":\"Carsten Olt\"},\"description\":\"Carsten Olt has been working as a Managing SAP Security Consultant since 2016, responsible for Secure 
Authentication &amp; SSO and SAP Cloud Security Services at Xiting in Germany. As a member of the IAM team, he is also a team leader who conveys the company's goals and strategies to employees and has organizational responsibility. With a security-minded approach, Carsten has international project and IT security experience in many industries. He has been working in IT-Security since 2001, specializing in SAP security since 2010. He is a subject matter expert for SAP Single Sign-On 3.0 and a trainer for the WDESSO course. His current focus is on supporting customers in solving authentication and security challenges within hybrid SAP landscapes, as well as designing and implementing holistic authentication concepts. Carsten is an ISACA CISA and a former MCP and RHCE with an ISP background, and he looks at security from different angles. He also translates between SAP and IT security vocabulary. Carsten has in-depth experience in multi-vendor architectures and MSFT\\\/Azure components, dealing with all the requirements concerning SAML 2.0, OAuth, OpenID Connect, SCIM, X.509 CBA &amp; PKI, MFA, SAP SSO, and Secure Network Communications, Kerberos\\\/SPNEGO, data security and encryption, as well as digital signatures. Carsten is experienced in SAP on-premises components such as S\\\/4HANA, ABAP, and Java, as well as security solutions like SSO 3.0. Since 2019, he has focused on SAP-Cloudified environments, specifically the SAP Cloud Identity Services and SAP BTP, as well as SaaS integrations concerning IAM. He deals with hybrid SAP security in conjunction with Azure Active Directory, ADDS, ADFS, ADCS, Reverse Proxies\\\/WAF, SAP Web Dispatcher, SAP Cloud Connector, third-party products, and infrastructure components.\",\"sameAs\":[\"https:\\\/\\\/x.com\\\/jsterr@xiting.de\"],\"url\":\"https:\\\/\\\/xiting.com\\\/en\\\/author\\\/carsten-olt\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"SAP Single Sign-On Insider Tips \u2013 Volume #2 - Xiting","description":"In Volume #2 of SAP SSO Insider Tips we will discuss challenges companies face when trying to enforce encryption for SAP GUI and RFC and more.","robots":{"index":"noindex","follow":"nofollow"},"og_locale":"en_US","og_type":"article","og_title":"SAP Single Sign-On Insider Tips \u2013 Volume #2","og_description":"\u201cInsider Tips\u201d talks about some of the lesser known configuration options of SAP Single Sign-On. In volume #2 and upcoming blog articles, we will look at","og_url":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/","og_site_name":"Xiting","article_publisher":"https:\/\/www.facebook.com\/XitingAG","article_published_time":"2017-07-25T08:00:03+00:00","article_modified_time":"2025-10-01T08:40:52+00:00","og_image":[{"width":964,"height":600,"url":"https:\/\/xiting.com\/wp-content\/uploads\/2017\/10\/sap-security-blog-sso.jpg","type":"image\/jpeg"}],"author":"Carsten Olt","twitter_card":"summary_large_image","twitter_creator":"@jsterr@xiting.de","twitter_misc":{"Written by":"Carsten Olt","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#article","isPartOf":{"@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/"},"author":{"name":"Carsten Olt","@id":"https:\/\/xiting.com\/en\/#\/schema\/person\/3c32c7de1132d012e263720a9f3300a2"},"headline":"SAP Single Sign-On Insider Tips \u2013 Volume #2","datePublished":"2017-07-25T08:00:03+00:00","dateModified":"2025-10-01T08:40:52+00:00","mainEntityOfPage":{"@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/"},"wordCount":1325,"publisher":{"@id":"https:\/\/xiting.com\/en\/#organization"},"image":{"@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#primaryimage"},"thumbnailUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2017\/10\/sap-security-blog-sso.jpg","keywords":["CommonCryptoLib","Insider Tips","Single Sign-On","SSO"],"articleSection":["SAP Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/","url":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/","name":"SAP Single Sign-On Insider Tips \u2013 Volume #2 - Xiting","isPartOf":{"@id":"https:\/\/xiting.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#primaryimage"},"image":{"@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#primaryimage"},"thumbnailUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2017\/10\/sap-security-blog-sso.jpg","datePublished":"2017-07-25T08:00:03+00:00","dateModified":"2025-10-01T08:40:52+00:00","description":"In Volume #2 of SAP SSO Insider Tips we will discuss challenges companies face when trying to enforce encryption for SAP GUI and RFC and 
more.","breadcrumb":{"@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#primaryimage","url":"https:\/\/xiting.com\/wp-content\/uploads\/2017\/10\/sap-security-blog-sso.jpg","contentUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2017\/10\/sap-security-blog-sso.jpg","width":964,"height":600},{"@type":"BreadcrumbList","@id":"https:\/\/xiting.com\/en\/sap-single-sign-on-insider-tips-volume-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiting.com\/en\/"},{"@type":"ListItem","position":2,"name":"SAP Single Sign-On Insider Tips \u2013 Volume #2"}]},{"@type":"WebSite","@id":"https:\/\/xiting.com\/en\/#website","url":"https:\/\/xiting.com\/en\/","name":"Xiting","description":"Your Expert for SAP 
Security","publisher":{"@id":"https:\/\/xiting.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiting.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiting.com\/en\/#organization","name":"Xiting","url":"https:\/\/xiting.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiting.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/xiting.com\/wp-content\/uploads\/2019\/08\/xiting-logo.svg","contentUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2019\/08\/xiting-logo.svg","width":1,"height":1,"caption":"Xiting"},"image":{"@id":"https:\/\/xiting.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/XitingAG","https:\/\/www.linkedin.com\/company\/1345129\/","https:\/\/www.instagram.com\/xiting.global\/"]},{"@type":"Person","@id":"https:\/\/xiting.com\/en\/#\/schema\/person\/3c32c7de1132d012e263720a9f3300a2","name":"Carsten Olt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g","caption":"Carsten Olt"},"description":"Carsten Olt has been working as a Managing SAP Security Consultant since 2016, responsible for Secure Authentication &amp; SSO and SAP Cloud Security Services at Xiting in Germany. As a member of the IAM team, he is also a team leader who conveys the company's goals and strategies to employees and has organizational responsibility. 
With a security-minded approach, Carsten has international project and IT security experience in many industries. He has been working in IT-Security since 2001, specializing in SAP security since 2010. He is a subject matter expert for SAP Single Sign-On 3.0 and a trainer for the WDESSO course. His current focus is on supporting customers in solving authentication and security challenges within hybrid SAP landscapes, as well as designing and implementing holistic authentication concepts. Carsten is an ISACA CISA and a former MCP and RHCE with an ISP background, and he looks at security from different angles. He also translates between SAP and IT security vocabulary. Carsten has in-depth experience in multi-vendor architectures and MSFT\/Azure components, dealing with all the requirements concerning SAML 2.0, OAuth, OpenID Connect, SCIM, X.509 CBA &amp; PKI, MFA, SAP SSO, and Secure Network Communications, Kerberos\/SPNEGO, data security and encryption, as well as digital signatures. Carsten is experienced in SAP on-premises components such as S\/4HANA, ABAP, and Java, as well as security solutions like SSO 3.0. Since 2019, he has focused on SAP-Cloudified environments, specifically the SAP Cloud Identity Services and SAP BTP, as well as SaaS integrations concerning IAM. 
He deals with hybrid SAP security in conjunction with Azure Active Directory, ADDS, ADFS, ADCS, Reverse Proxies\/WAF, SAP Web Dispatcher, SAP Cloud Connector, third-party products, and infrastructure components.","sameAs":["https:\/\/x.com\/jsterr@xiting.de"],"url":"https:\/\/xiting.com\/en\/author\/carsten-olt\/"}]}},"_links":{"self":[{"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/posts\/2340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/comments?post=2340"}],"version-history":[{"count":1,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/posts\/2340\/revisions"}],"predecessor-version":[{"id":9470,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/posts\/2340\/revisions\/9470"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/media\/9462"}],"wp:attachment":[{"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/media?parent=2340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/categories?post=2340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiting.com\/en\/wp-json\/wp\/v2\/tags?post=2340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}