
Page 1: 30fe0e7b-b334-2d10-45b0-f35afb25a5bc

7/29/2019 30fe0e7b-b334-2d10-45b0-f35afb25a5bc

http://slidepdf.com/reader/full/30fe0e7b-b334-2d10-45b0-f35afb25a5bc 1/29

Next Generation SSO for SAP Applications with SAML 2.0

SAP TG Solution Management Security April 2010


© SAP AG 2009. All rights reserved. / Page 2

Disclaimer 

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.


Agenda

1. Authentication, SSO, and Identity Federation

2. SAML 2.0 for SAP: SSO and Identity Federation Agreements

3. SAML 2.0: Capabilities Bundled in the Standard


Key Differentiators of User Authentication and Single Sign-On Technologies

Direct User Involvement: Must the user interactively prove their identity with something they know, have or are? Must an application act on behalf of the user?

User Agent: Which type of user agent (e.g. Web Browser, Web Service Consumer, Mobile Clients, NW BC, SAPGUI) is supported by the SSO technology?

Cross-Platform: Platform support by the SSO technology? Is it a widely adopted standard in the industry or a vendor-specific technology?

Cross-Domain: Use of SSO technology within a security domain (i.e. the corporate Intranet) or across different domains (e.g. in a B2B scenario)?

[Figure labels: SSO between Domain A and Domain B; SSO between Platform A and Platform B; SSO; Private Credentials?]


SSO as Means to an End for Security Administration …

Centralizing User Access Management
Single point of access administration via SSO token issuers
Assign user rights in various applications with one keystroke based on the propagation of user identity information between trusted systems
Use system trust configuration to designate and enforce the use of application servers as trusted gateways into trusted system networks

Central User Identity Management
Consolidate user information in shared user stores
Avoid redundant user information
Ease identity de-provisioning
Lock or delete users centrally


User Identity Federation Defined – SSO Across Business and Application Boundaries


Identity Federation Models Outside of Software Applications

Governments as Identity Provider
Governments are an “Identity Provider” because they issue a Passport as proof of identification
Every country vouches for its citizens

Governments as Service Provider
When a USA citizen travels to Germany, Germany verifies the identity of the USA citizen by checking their passport
Germany trusts the Identity Provider (USA) to “vouch” for all its citizens. It still makes its own access control decision (to let the person in or not) based on identity data (including attributes) that is being asserted

[Figure: USA Government (Identity Provider) and German Government (Service Provider), connected by a Trusted Relationship]


Web User SSO to SAP Interactive Applications Today

Portal or SAP NetWeaver application server:
Initial user authentication
Trusted SSO ticket issuer
Send SSO ticket to user browser

Web user’s browser: Further distribution of issued SSO ticket

SAP applications:
Pre-configured as SSO ticket acceptors

[Figure labels: Initial logon; SSO; BI; CRM; ERP; Intranet; Groupware; Other...]

Synchronization of user information in local identity management required
SSO capabilities limited technically to DNS domain borders
Single Log-out capabilities require additional component customization


Web User Authentication and SSO to User Interactive SAP Applications

[Figure labels: Web browser; SAP NetWeaver applications]

Anonymous access
Named anonymous users with SAP NetWeaver Portal

Interactive user authentication
SAP user ID / password

PKI-based authentication
X.509 client certificates
 – Rule based client authentication (1)
 – Certificate filtering (1)
 – Automated certificate mapping (1)
 – CRL support (1)

External authentication
SPNego (1)
 – user authentication against a Kerberos infrastructure
Header variables (1)

SSO via trusted application system
SSO Logon tickets
 – Principal solution for SSO in SAP landscapes
SAML 1.1 Browser Artifact (1)
 – Interoperable SSO from trusted non-SAP token issuers

Identity Federation, interoperable SSO and Single Log-out
SAML 2 (2)
 – Identity Provider (IDP) for centralized user authentication and SAML 2 SSO token issuing authority
 – Service Provider (SP) for accepting SAML 2 SSO token to grant user access to Web enabled content

Custom authentication
JAAS Login Module (1)
 – Standardized extensions to out-of-the-box authentication mechanisms

(1) Requires Portal or AS Java
(2) SAP SAML 2 IDP planned to be licensed with SAP NetWeaver Identity Management 7.1 and requires SAP NetWeaver 7.2 Java and higher AS platform
SAP SAML 2 SP capability planned for release with SAP Business Suite 7.02e, SAP NetWeaver CE 7.2 and AS Java 7.2 Web applications


SAP GUI User SSO to SAP Interactive Applications

Uses SNC components and external security product – both specific to SAP GUI as user access channel

SAP makes available:
NTLM SSO library for Windows OS environments (gssntlm.dll)
Kerberos SSO library for Windows 2000 OS environments (gsskrb5.dll)

SAP certification available for partner SNC products

[Figure labels: SAP GUI for Windows; External SNC security product (shown twice)]

More Information:
SNC User Guide in SAP Help Portal (http://help.sap.com)
AS ABAP Installation and Configuration Guide in SAP Service Marketplace (http://service.sap.com)


SSO Options for System-Centric Service Applications Today

Service and protocol specific service enabling components
Shares some trust and identity management infrastructure with Web and GUI user access channels
Run over various low level communication protocols
Except for Web services, low level service protocols offer limited interoperability and security configuration scalability

[Figure labels: User Client; Functionality integration; Service Provider; Content display; Service Consumer; Authenticates user; Issues SSO token on their behalf; Evaluates credentials from Service Consumer]


Options for Service Authentication and SSO in SAP’s Service-Centric Applications

Authentication and SSO information exchanged via:
SOAP Protocol for secure interoperability and authentication/SSO in cross-vendor Web service-based enterprise applications
Transport Protocol for performance, backward compatibility and security in SAP centric service-enabled enterprise applications

[Figure label: Service Consumer Application (e.g. Portal, CE, PI, BPM, Business Suite, non-SAP)]

Authenticate service user: WSS Username Token Profile *; User ID and Password
Securely authenticate consumer application: WSS X.509 Certificate Token Profile *; X.509 client certificate
Propagate authenticated user identity: WSS SAML Token Profiles 1.0 *; SSO tickets

* supported for WS Protocols only


SAP’s Next Generation Support for Web User SSO and Identity Federation

[Figure labels: Trust Relationship; SAP Applications; 3rd Party Applications; SSO Federation; SOA SSO Federation]


SAP NetWeaver Identity Management with SAML 2 Identity Provider (IDP) and Security Token Service (STS)*

Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and service applications on the Web
Identity management
Trust management
Efficient user productivity enablement of secure cross-business scenarios

Application Service Providers (SPs)

* SAML 2 IDP planned for release with a SAP NetWeaver IDM 7.1 license, STS support planned for later SAP NetWeaver IDM releases


Agenda

1. Authentication, SSO, and Identity Federation

2. SAML 2.0 for SAP: SSO and Identity Federation Agreements

3. SAML 2.0: Capabilities Bundled in the Industry Standard


SAML 2 in a B2B Application Scenario

HRA must do:
Manage employees’ full range of user identity information in compliance with data privacy legislation
Enable access to partner applications in compliance with the partner’s access and security policy

ITeIO must do:
Define access policy requirements
Maintain application authorizations for segregation of duty and least privilege
Offer self-service options to HRA partner employees, using ITeIO services (shuttles, lunch, etc.)

Enable user access and productivity at reasonable costs


SSO Agreement Under Aligned User Logon Identifiers with SAML 2

User: Adam Bufford

HRA as IDP: abufford
Identifier source: Logon Id, Logon Alias, Profile attribute

ITeIO as SP: abufford
Identifier source: Logon Id, Logon Alias, Profile attribute

User identity management prerequisites:
 – Logon id formats and values aligned
 – User authorizations aligned


Linking User Accounts with Misaligned User Identifiers for SAML 2 SSO

User: Adam Bufford

HRA as IDP: abufford
User identifier maintained in: e-mail, KPN, Windows name, X.509 Subject Name, user profile attribute

ITeIO as SP: adam.bufford
To enable SSO, matching user profile attribute must be provisioned in: e-mail, KPN, Windows name, X.509 Subject Name, user profile attribute

User identity management prerequisites:
 – Logon id formats and values aligned
 – User authorizations aligned


Linking Federated SSO Accounts with Persistent Federation

User: Adam Bufford

HRA as IDP: abufford
Logon id alignment bundled in the SAML 2 federated SSO
Agreement to federated SSO established:
 – with interactive user agreement
 – triggered by admin with identity provisioning

ITeIO as SP: adam.bufford
Logon id alignment bundled in the SAML 2 federated SSO
Consent to federated SSO established:
 – with interactive user agreement
 – triggered by admin with identity provisioning
 – automatic new user account creation

User identity management prerequisite:
 – User authorizations aligned


Structuring User Authorization Profiles Under the SAML 2 SSO Agreements, Discussed up to This Point…

[Figure: two panels labelled Service Provider and Identity Provider, each with the columns "Authorization Element" and "Count". First list: Permissions, Actions/App Roles, User Roles, User Groups, SAP User IDs; count labels p, r, m, l, k. Second list: Permissions, Actions/App Roles, User Roles, User Groups, SAP User IDs (misaligned); count labels x, v, t, s, k.]

1:1 record relation
SPs and IDP have to manage an overall equivalent number of federated user accounts


Federated SSO with User Attribute Information

HRA as IDP: abufford
ITeIO as SP: employee@IDP

Issued SAML 2 assertion contains only attributes describing user
User profile for application access determined from user attribute values in assertion

Contractual prerequisite:
 – Agree on user attributes to exchange


Structuring of User Authorization Profiles with Transient Federation Agreements

[Figure: two panels, each with the columns "Authorization Element" and "Count". Service Provider: Permissions, Actions/App Roles, User Role / Group, User ID; count labels x, v, t, t1. Identity Provider: Permissions, Actions/App Roles, User Roles, User Groups, SAP User IDs; count labels p, r, m, l, kn.]

N:1 record relation
SP manages 1 account per multiple IDP user records.
Only IDP must manage full user attribute profile
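
The four account-linking models from the preceding slides (aligned logon ids, accounts linked by a profile attribute, persistent federation, transient federation driven by attributes), seen from the SP side. This is an added example, not part of the original presentation and not SAP code. Selecting the model by the standard SAML 2.0 NameID format is an assumption of the example, as are the entity ID, e-mail address, pseudonym and `role` attribute; the assertion is assumed to have already passed signature, audience and validity checks.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
TRUSTED_IDP = "https://idp.hra.example"  # constructed entity ID for HRA
# Constructed ITeIO (SP) user store; all values are illustrative.
ACCOUNTS = {"adam.bufford": {"email": "abufford@hra.example"}}
FEDERATION = {}  # (issuer, persistent pseudonym) -> local logon id
ROLE_ACCOUNTS = {"employee": "employee@IDP"}  # attribute value -> shared account


def make_assertion(name_id, fmt, attrs=None, issuer=TRUSTED_IDP):
    """Build a constructed, unsigned assertion (demo input only)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>"
        for k, v in (attrs or {}).items())
    if attr_xml:
        attr_xml = f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Issuer>{issuer}</saml:Issuer><saml:Subject>"
            f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
            f"</saml:Subject>{attr_xml}</saml:Assertion>")


def link_persistent(issuer, pseudonym, local_logon):
    """Record a persistent link (after user consent or admin provisioning)."""
    if local_logon not in ACCOUNTS:
        raise KeyError(local_logon)
    FEDERATION[(issuer, pseudonym)] = local_logon


def resolve(assertion_xml):
    """Map an already-validated assertion to (model, local account or None)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:
        raise PermissionError(f"untrusted issuer: {issuer!r}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    fmt, value = name_id.get("Format", UNSPECIFIED), name_id.text
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    if fmt == UNSPECIFIED:   # aligned logon ids: NameID must equal the local id
        return "aligned", value if value in ACCOUNTS else None
    if fmt == EMAIL:         # misaligned ids, linked by a provisioned attribute
        hits = [u for u, p in ACCOUNTS.items() if p["email"] == value]
        return "attribute-link", hits[0] if len(hits) == 1 else None
    if fmt == PERSISTENT:    # opaque pseudonym, scoped to the issuing IDP
        return "persistent", FEDERATION.get((issuer, value))
    if fmt == TRANSIENT:     # one-time id: only attributes select the account
        return "transient", ROLE_ACCOUNTS.get(attrs.get("role"))
    raise ValueError(f"unsupported NameID format: {fmt}")


def demo():
    """Run one constructed assertion per model; returns the resolutions."""
    FEDERATION.clear()
    pseudonym = "_constructed-opaque-id"
    out = [resolve(make_assertion("abufford", UNSPECIFIED)),  # ids misaligned
           resolve(make_assertion("abufford@hra.example", EMAIL)),
           resolve(make_assertion(pseudonym, PERSISTENT))]    # not yet linked
    link_persistent(TRUSTED_IDP, pseudonym, "adam.bufford")
    out.append(resolve(make_assertion(pseudonym, PERSISTENT)))
    out.append(resolve(make_assertion("_one-time", TRANSIENT, {"role": "employee"})))
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first and third results are `None`: a misaligned logon id and an unlinked pseudonym both leave the SP without a local account until provisioning or a linking step has happened.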


Identity Federation and B2B SSO – The Small Script

Contracts must define what can be shared to technically enable a federation agreement

Contract provides a skeleton about the information that can/must be shared:
 – not all identity information may be shared due to business or compliance reasons.

Contract may include special agreements per target application system or target application system group:
 – facilitate trust established indirectly via intermediary identity provider “brokers”

For data protection and privacy reasons, users (administrative or end) can:
 – agree to the sharing of the data that the resource accessed via federation (SP) requests from the federation authority (IdP)
 – enforce contractual agreement, with deployment of integrity and confidentiality protection
 – assign and audit policies for different trust relationships


Agenda

1. Authentication, SSO, and Identity Federation

2. SAML 2.0 for SAP: SSO and Identity Federation Agreements

3. SAML 2.0: Capabilities Bundled in the Standard


SAML 2.0 – Overview

Industry standard for cross-vendor SSO and SLO with wide adoption
XML-based framework for marshaling security and identity information and exchanging it across administrative and technical domain boundaries
SAML profiles describe a variety of end use cases for the framework

SAML Core technology:
Assertions (or claims) about end user subjects
 – Contain statements: authentication, attribute, authorization
 – Issued from a trusted system provider: an active element of a computer/network system
 – Securely identify a principal: a user whose identity can be authenticated
 – Contain a subject: an accountable principal in the context of a secured application


SAML 2.0 in a Nutshell

SAML 2.0 deliverables for interactive Web user federation
Profiles: Combinations of assertions, protocols and bindings to support a specific use case
Bindings: Mappings of the SAML Protocol messages onto standard messaging and communication protocols
Protocols: Requests and Responses for obtaining assertions and managing user identifiers
Assertions: Authentication, Attribute and entitlement information
Authentication Context: Enables Service providers to require a type and strength of initial authentication at IDP
Metadata: Supports automated configuration data import and discovery for Identity and Service providers

WS Security deliverables for federation with Web services
WSS SAML Token Profile: Place a SAML 2.0 Assertion in a SOAP Envelope
WS Policy: Declare and propagate requirement for a SAML 2.0 Assertion in a SOAP Envelope
WS Trust: defines mechanisms to negotiate keys and issue, cancel, renew and amend security tokens


Lite Protocol Interoperability Matrix from Liberty
http://www.projectliberty.org/liberty/liberty_interoperable

Feature | IDP | IDP-Lite | SP | SP-Lite
Web SSO, <AuthnRequest>, HTTP redirect | MUST | MUST | MUST | MUST
Web SSO, <Response>, HTTP POST | MUST | MUST | MUST | MUST
Artifact Resolution, SOAP | MUST | MUST | MUST | MUST
Enhanced Client/Proxy SSO, PAOS | MUST | MUST | MUST | MUST
Name Identifier Management, HTTP redirect (IDP-initiated) | MUST | MUST NOT | MUST | MUST NOT
Name Identifier Management, SOAP (IDP-initiated) | MUST | MUST NOT | OPTIONAL | MUST NOT
Name Identifier Management, HTTP redirect | MUST | MUST NOT | MUST | MUST NOT
Name Identifier Management, SOAP (SP-initiated) | MUST | MUST NOT | OPTIONAL | MUST NOT
Single Logout (IDP-initiated), HTTP redirect | MUST | MUST | MUST | MUST
Single Logout (IDP-initiated), SOAP | MUST | OPTIONAL | MUST | OPTIONAL
Single Logout (SP-initiated), HTTP redirect | MUST | MUST | MUST | MUST
Single Logout (SP-initiated), SOAP | MUST | OPTIONAL | MUST | OPTIONAL
Identity Provider Discovery (cookie) | MUST | MUST | OPTIONAL | OPTIONAL


Thank You!


Further Information

Related SAP Education and Certification Opportunities

http://www.sap.com/education/

SAP Public Web:

SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.


Copyright 2009 SAP AG

All Rights Reserved