
Introduction to a Well-Known ERP Vendor's SSO Single Sign-On Solution (Part 1)

SSO stands for Single Sign On. With SSO, in a landscape of multiple application systems a user only needs to log in once to gain access to all mutually trusting application systems. It includes a mechanism for mapping this one primary login onto the same user's logins in the other applications. The main function of the authentication system is to compare the user's login information against the user repository and authenticate the login; after successful authentication, the authentication system should generate a unified authentication token (ticket) and return it to the user. SSO is one of the more popular enterprise business integration solutions.
Enterprise Application Integration (EAI). Enterprise application integration can take place at different layers: for example "centralized data consolidation" at the data storage layer, a "universal data exchange platform" at the transport layer, "business process integration" at the application layer, and a "universal enterprise portal" at the user interface layer. In fact, integration at one further layer is becoming more and more important: the integration of "identity authentication", in other words "single sign-on".
In information security management, access control revolves around four processes: Identification, Authentication, Authorization and Accountability. Single Sign On belongs to the Authorization system, which besides single sign-on also includes the Lightweight Directory Access Protocol and authorization tickets.

Let us introduce SAP Single Sign-On.

SAP portfolio


SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.

Simple and secure access
• Single sign-on for native SAP clients and web applications
• Single sign-on for mobile devices
• Support for cloud and on-premise landscapes

Secure data communication
• Encryption of data communication for SAP GUI
• Digital signatures
• FIPS 140-2 certification of security functions

Advanced security capabilities
• Two-factor authentication
• Risk-based authentication using access policies
• RFID-based authentication
• Hardware security module support

Two-Factor Authentication

With two-factor authentication you can implement a strong form of authentication for access to corporate resources – for example, for especially critical systems or for securing access from outside the company. SAP Single Sign-On 2.0 supports two-factor authentication via time-based one-time passwords (TOTP) generated by the SAP Authenticator mobile app. Alternatively, out-of-band transport of tokens, including one-time passwords sent via SMS or email or via RSA/RADIUS, is supported.

Risk-Based Authentication

SAP Single Sign-On 2.0 (since SP5) offers risk-based authentication. This means that an authentication process can dynamically adapt to the context of an individual authentication request based on custom-defined access policies. First, you check the context information of an authentication attempt. This could be the IP address of the client, location, date/time, device information, or user attributes such as groups, for example. Secondly, based on this context information you then make a dynamic decision on whether you accept or deny access, or alternatively enforce two-factor authentication in case the context indicates a higher risk. You could even reduce the privileges of the person accessing the backend system, thus limiting the business functionality available to this user.

RFID-Based Identification

For scenarios where users need quick access to a system to perform short tasks, you can use fast user identification via radio-frequency identification (RFID). The user is identified via an RFID token, such as a company badge card. RFID authentication is ideally suited to warehouse and production scenarios with dedicated kiosk PCs for authentication.

Digital Signatures

Digital signatures uniquely identify the signer, protect the integrity of the data, and provide the means for a binding signature that cannot be denied afterwards. SAP Single Sign-On supports digital signing using the Secure Store and Forward (SSF) interface. The Secure Login Client for SAP GUI can use X.509 certificates for digital signatures in an SAP environment. Server-side digital signatures are supported by the SAP Common Cryptographic Library. In addition, SAP Single Sign-On includes support for server-side digital signatures via hardware security modules, offering increased security and performance.

Certificate Lifecycle Management for ABAP Application Servers

SAP Single Sign-On 2.0 (since SP6) supports automated renewal of X.509 certificates for SAP NetWeaver Application Server ABAP using Secure Login Server. This reduces manual efforts and prevents downtime.


Mobile SSO with SAP Single Sign-On

The SAP Single Sign-On solution brings simplicity for your end-users by eliminating the need for multiple passwords and user IDs. In addition, you can lower the risks of unsecured login information, reduce help desk calls, and help ensure the confidentiality and security of personal and company data. In order to meet evolving security demands, you can extend your single sign-on solution even further and offer your end-users “mobile single sign-on”. Your mobile users will have only one password to remember, less typing of complicated user IDs and passwords, and more time for actual work!

SAP Single Sign-On 2.0 (since SP4) supports single sign-on from mobile devices, offering both a simple and secure solution for mobile access to your corporate business processes. The solution is based on time-based one-time passwords (TOTP) generated by the SAP Authenticator mobile app. The SAP Authenticator mobile app is available for both iOS and Android, and supports the IETF standard RFC 6238.

We assume that the user already started the SAP Authenticator application earlier the same day and now wants to start using one of the bookmarked web applications, for example SAP Mobile Portal.


When the user clicks on the Mobile Portal bookmark, the SAP Authenticator generates a new passcode and creates a URL (for example https://portal_host/irj/portal?j_username=[username]&j_passcode=[passcode]), providing in the URL the UserName and the Passcode necessary for authentication. Then SAP Authenticator sends the URL to the browser and the browser opens the requested resource. The user sees only the authentication result when the requested resource appears.


Significant performance increase on all major platforms
• RSA, AES, SHA-2
• Perfect Forward Secrecy for TLS
• Ephemeral key agreement
• Elliptic curve Diffie-Hellman key exchange
• Elliptic curves P-224, P-256, P-384, P-521
• TLS 1.2 cipher suites in Galois Counter Mode (GCM)
• New command "sapgenpse tlsinfo" to help configure cipher suite profile parameters for TLS


If you would like to learn more about software development, IT system integration, enterprise informatization, project management, enterprise management and related topics, please follow my WeChat subscription account:



Author: Petter Liu
Source: http://www.cnblogs.com/wintersun/
The copyright of this article is shared by the author and cnblogs. Reposting is welcome, but unless the author agrees otherwise this notice must be retained and a link to the original must be given in a prominent place on the article page; otherwise the right to pursue legal liability is reserved.
This article is also published on my independent blog - Petter Liu Blog