Single Sign-On – SAP Business Technology Platform (BTP) and Amazon IAM Identity Center Use Amazon services to enhance security in RISE with SAP

Security

SAP manages the security in Amazon Web Services account managed by SAP. You can implement additional security mechanisms in your own Amazon Web Services account.

Topics

Single Sign-On – SAP Business Technology Platform (BTP) and Amazon IAM Identity Center
Use Amazon services to enhance security in RISE with SAP

Single Sign-On – SAP Business Technology Platform (BTP) and Amazon IAM Identity Center

In RISE with SAP, you can integrate your own Identity Provided (IdP), such as Amazon IAM, Okta, Ping, Microsoft Windows Azure Active Directory, and others using Identity Authentication of SAP BTP.

For more information about Amazon IAM Identity Center, see What is IAM Identity Center?
For more information about Identity Authentication, see SAP Cloud Identity Services - Identity Authentication on SAP Help Portal.

The following image shows the integration between Identity Authentication from SAP BTP and Amazon IAM Identity Center.

Integrating SAP BTP IAS and IAM Identity Center

Authentication flow

User accesses SAP Fiori via an Internet browser.
Identity Authentication intercepts and routes request to IAM Identity Center.
Access to SAP S/4HANA in RISE with SAP VPC is enabled on successful authentication.

Use Amazon services to enhance security in RISE with SAP

Integrate RISE with SAP VPC with Amazon VPC in your own Amazon Web Services account that is not managed by SAP at the network layer to implement security mechanisms. For more information, see VPC to VPC connectivity.

The network traffic can be routed through Amazon services that strengthen security and operate on a network layer, coming in and out of the RISE with SAP VPC. For more information, see Infrastructure OU – Network account.

You can use the following Amazon services to enhance RISE with SAP security.

Amazon Shield to mitigate risks against denial of service (DDoS) attacks.
Amazon Network Firewall to implement intrusion detection and prevention.
Amazon WAF to protect web applications such as, SAP Fiori, against attacks.
Amazon Certificate Manager to handle management of public SSL certificates.
Amazon CloudFront (including Amazon Shield, and optionally Amazon WAF) to implement security at edge for protecting SAP workloads.
Amazon Partner Solutions on Amazon Web Services Marketplace for more advanced security requirements.

The following image shows RISE with SAP security enhancement with Amazon services.

Traffic flow

User accesses SAP Fiori via an Internet browser.
The traffic is routed through the inbound VPC managed by you. The entire traffic flow is via Amazon Transit Gateway.
The traffic is routed to the firewall VPC managed by you. Based on your company's security policies, the traffic may be filtered by a Network Firewall.
The traffic is now passed to an Amazon EC2 instance running in Amazon Web Services account managed by SAP.
Amazon EC2 instance response is routed back to customer managed firewall VPC.
The response traffic is now passed on to the outbound VPC managed by you.
The response traffic reaches the user.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Connectivity

Reliability