Many companies have standardized on Microsoft Active Directory user authentication (Kerberos) for Windows workstation logon as well as for application authentication and single sign-on (SSO). For example, SAP GUI SSO is often implemented using a Kerberos SNC library. In recent years, Microsoft has made enhancements to its products so that customers can gradually remove their dependency on Kerberos and Active Directory, and use Entra ID instead. The challenge has been how to support thick client applications (e.g., SAP GUI) when Kerberos is no longer available. Often SAML is used with web-based applications, but this doesn’t work with thick client applications. In this session, SecurityBridge will explain how recent innovations in their popular TrustBroker product now allow it to provide SSO and MFA using OpenID Connect (OIDC), without requiring any BTP service or additional infrastructure.

You will:

• Learn how to address the challenge of seamlessly moving away from Microsoft Active Directory authentication to Entra ID with thick client applications such as SAP GUI. 

• Understand how MFA can be enforced during (and after) logon based on a per-SAP system policy. 

• Discover how risk based and context aware authentication can be implemented; e.g. MFA might be enforced when a user tries to log on and that user has previously been identified conducting suspicious activity on that system.