Next Generation SSO for SAP Applications with SAML 2.0
SAP TG Solution Management Security, April 2010
© SAP AG 2009. All rights reserved. / Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in
making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy and
possible future developments are subject to change and may be changed by SAP at
any time for any reason without notice. This document is provided without a warranty
of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Standard
Key Differentiators of User Authentication and Single Sign-On Technologies

- Direct User Involvement: Must the user interactively prove their identity with something they know, have or are? Must an application act on behalf of the user?
- User Agent: Which type of user agent (e.g. Web browser, Web service consumer, mobile clients, NW BC, SAPGUI) is supported by the SSO technology?
- Cross-Platform: Which platforms does the SSO technology support? Is it a widely adopted industry standard or a vendor-specific technology?
- Cross-Domain: Is the SSO technology used within one security domain (i.e. the corporate intranet) or across different domains (e.g. in a B2B scenario)?

[Figure: SSO between Domain A and Domain B and between Platform A and Platform B; are private credentials involved?]
SSO as Means to an End for Security Administration …

Centralizing User Access Management
- Single point of access administration via SSO token issuers
- Assign user rights in various applications with one keystroke, based on the propagation of user identity information between trusted systems
- Use system trust configuration to designate and enforce the use of application servers as trusted gateways into trusted system networks

Central User Identity Management
- Consolidate user information in shared user stores
- Avoid redundant user information
- Ease identity de-provisioning: lock or delete users centrally
User Identity Federation Defined – SSO Across Business and Application Boundaries
Identity Federation Models Outside of Software Applications

Governments as Identity Provider
- Governments are an "Identity Provider" because they issue a passport as proof of identification
- Every country vouches for its citizens

Governments as Service Provider
- When a USA citizen travels to Germany, Germany verifies the identity of the USA citizen by checking their passport
- Germany trusts the Identity Provider (USA) to "vouch" for all its citizens. It still makes its own access control decision (to let the person in or not) based on the identity data (including attributes) that is being asserted

[Figure: USA Government (Identity Provider) in a trusted relationship with German Government (Service Provider)]
Web User SSO to SAP Interactive Applications Today

[Figure: The Web user's browser performs the initial logon at the Portal or SAP NetWeaver application server (initial user authentication, trusted SSO ticket issuer); the SSO ticket is sent to the user browser, which further distributes it to BI, CRM, ERP, Intranet, Groupware and other applications]

SAP applications:
- Pre-configured as SSO ticket acceptors
- Synchronization of user information in local identity management required
- SSO capabilities technically limited to DNS domain borders
- Single log-out capabilities require additional component customization
Web User Authentication and SSO to User Interactive SAP Applications

[Figure: Web browser accessing SAP NetWeaver applications]

- Anonymous access: named anonymous users with SAP NetWeaver Portal
- Interactive user authentication: SAP user ID / password
- PKI-based authentication: X.509 client certificates
  - Rule based client authentication [1]
  - Certificate filtering [1]
  - Automated certificate mapping [1]
  - CRL support [1]
- External authentication:
  - SPNego [1]: user authentication against a Kerberos infrastructure
  - Header variables [1]
- SSO via trusted application system:
  - SSO Logon tickets: principal solution for SSO in SAP landscapes
  - SAML 1.1 Browser Artifact [1]: interoperable SSO from trusted non-SAP token issuers
- Identity federation, interoperable SSO and Single Log-out: SAML 2 [2]
  - Identity Provider (IDP) for centralized user authentication and SAML 2 SSO token issuing authority
  - Service Provider (SP) for accepting SAML 2 SSO tokens to grant user access to Web enabled content
- Custom authentication: JAAS Login Module [1], standardized extensions to out-of-the-box authentication mechanisms

[1] Requires Portal or AS Java
[2] SAP SAML 2 IDP planned to be licensed with SAP NetWeaver Identity Management 7.1 and requires SAP NetWeaver 7.2 Java and higher AS platform; SAP SAML 2 SP capability planned for release with SAP Business Suite 7.02e, SAP NetWeaver CE 7.2 and AS Java 7.2 Web applications
SAP GUI User SSO to SAP Interactive Applications

- Uses SNC components and an external security product, both specific to SAP GUI as user access channel
- SAP makes available:
  - NTLM SSO library for Windows OS environments (gssntlm.dll)
  - Kerberos SSO library for Windows 2000 OS environments (gsskrb5.dll)
- SAP certification available for partner SNC products

[Figure: SAP GUI for Windows with an external SNC security product on both the client and the server side]

More information:
- SNC User Guide in SAP Help Portal (http://help.sap.com)
- AS ABAP Installation and Configuration Guide in SAP Service Marketplace (http://service.sap.com)
SSO Options for System-Centric Service Applications Today

- Service and protocol specific service enabling components
- Share some trust and identity management infrastructure with the Web and GUI user access channels
- Run over various low level communication protocols
- Except for Web services, the low level service protocols offer limited interoperability and limited scalability of the security configuration

[Figure: User client (functionality integration, content display); Service Consumer authenticates the user and issues an SSO token on their behalf; Service Provider evaluates the credentials from the Service Consumer]
Options for Service Authentication and SSO in SAP's Service-Centric Applications

Authentication and SSO information exchanged via:
- SOAP protocol, for secure interoperability and authentication/SSO in cross-vendor Web service-based enterprise applications
- Transport protocol, for performance, backward compatibility and security in SAP-centric service-enabled enterprise applications

Credentials a service consumer application (e.g. Portal, CE, PI, BPM, Business Suite, non-SAP) can present:

| Token profile | Credential | Purpose |
|---|---|---|
| WSS Username Token Profile * | User ID and password | Authenticate service user |
| WSS X.509 Certificate Token Profile * | X.509 client certificate | Securely authenticate consumer application |
| WSS SAML Token Profiles 1.0 * | SSO tickets | Propagate authenticated user identity |

* supported for WS protocols only
SAP's Next Generation Support for Web User SSO and Identity Federation

[Figure: Trust relationship between the identity provider and the SAP applications and 3rd party applications it serves, covering SSO and federation for Web users as well as SOA SSO and federation]
SAP NetWeaver Identity Management with SAML 2 Identity Provider (IDP) and Security Token Service (STS)*, in a trust relationship with application Service Providers (SPs):
- Standardized SAML 2 SSO and Single Log-out
- Shared infrastructure in user interactive and service applications on the Web
- Identity management and trust management
- Efficient user productivity enablement of secure cross-business scenarios

* SAML 2 IDP planned for release with a SAP NetWeaver IDM 7.1 license, STS support planned for later SAP NetWeaver IDM releases
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Industry Standard
SAML 2 in a B2B Application Scenario

HRA must do:
- Manage employees' full range of user identity information in compliance with data privacy legislation
- Enable access to partner applications in compliance with the partner's access and security policy

ITeIO must do:
- Define access policy requirements
- Maintain application authorizations for segregation of duty and least privilege
- Offer self-service options to HRA partner employees, using ITeIO services (shuttles, lunch, etc.)

Enable user access and productivity at reasonable costs
SSO Agreement Under Aligned User Logon Identifiers with SAML 2

HRA as IDP: identifier source is the logon id, the logon alias or a profile attribute; user Adam Bufford has the logon id abufford.
ITeIO as SP: identifier source is likewise the logon id, the logon alias or a profile attribute; Adam Bufford's account there is also abufford.

User identity management prerequisites:
- Logon id formats and values aligned
- User authorizations aligned
Linking User Accounts with Misaligned User Identifiers for SAML 2 SSO

HRA as IDP: Adam Bufford's logon id is abufford. ITeIO as SP: his logon id is adam.bufford.
On both sides the user identifier can be maintained in the KPN, the Windows name, the X.509 subject name or a user profile attribute. To enable SSO, a matching user profile attribute (e-mail) must be provisioned on both sides.

User identity management prerequisites:
- Logon id formats and values aligned
- User authorizations aligned
Linking Federated SSO Accounts with Persistent Federation

HRA as IDP (Adam Bufford, logon id abufford): logon id alignment is bundled in the SAML 2 federated SSO. Agreement to federated SSO is established with interactive user agreement, or triggered by an admin with identity provisioning.
ITeIO as SP (logon id adam.bufford): logon id alignment is bundled in the SAML 2 federated SSO. Consent to federated SSO is established with interactive user agreement, triggered by an admin with identity provisioning, or with automatic new user account creation.

User identity management prerequisite:
- User authorizations aligned
Structuring User Authorization Profiles Under the SAML 2 SSO Agreements Discussed up to This Point …

| Authorization element | Identity Provider count | Service Provider count |
|---|---|---|
| Permissions | p | x |
| Actions/App Roles | r | v |
| User Roles | m | t |
| User Groups | l | s |
| SAP User IDs | k | k (misaligned) |

1:1 record relation: SPs and IDP have to manage an overall equivalent number of federated user accounts.
Federated SSO with User Attribute Information

HRA as IDP: abufford is asserted as employee@IDP; the issued SAML 2 assertion contains only attributes describing the user.
ITeIO as SP: the user profile for application access is determined from the user attribute values in the assertion.

Contractual prerequisite:
- Agree on user attributes to exchange
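The three account-linking strategies on the HRA/ITeIO slides above (aligned logon ids, linking through a matching profile attribute such as e-mail, persistent federation established by consent, provisioning or automatic account creation) and the attribute-only variant on this slide all end in the same SP-side decision: which local account and which roles a received assertion maps to. The following Python is an added example, not SAP code: the `ServiceProvider` class, the `make_assertion` builder, the `hra.example` hostname and the attribute name `role` are assumptions, and the assertions it consumes are constructed and unsigned (signature, issuer and validity-window checks are assumed to have passed before `resolve` is called).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def make_assertion(name_id, fmt, attributes=()):
    """Constructed, unsigned assertion body used as sample input (not real IDP output)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" Version="2.0">'
            f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>')


def parse_subject(assertion_xml):
    """Return (NameID format, NameID value, {attribute name: [values]})."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return name_id.get("Format", FMT_UNSPECIFIED), name_id.text.strip(), attrs


class ServiceProvider:
    """SP-side user store with the linking strategies from the HRA/ITeIO slides (assumed design)."""

    def __init__(self, users, identifier_source="logon_id", attribute_roles=None, auto_create=False):
        self.users = users                            # logon id -> profile dict (constructed store)
        self.identifier_source = identifier_source    # "logon_id" or a profile attribute such as "email"
        self.attribute_roles = attribute_roles or {}  # IDP attribute value -> SP role (transient federation)
        self.auto_create = auto_create                # allow automatic account creation on first federated logon
        self.federation_links = {}                    # persistent NameID -> logon id

    def _find_by_identifier(self, value):
        if self.identifier_source == "logon_id":
            return value if value in self.users else None
        for logon_id, profile in self.users.items():
            if profile.get(self.identifier_source) == value:
                return logon_id
        return None

    def link_persistent(self, persistent_id, logon_id):
        """Store a persistent federation link, established by user consent or admin provisioning."""
        if logon_id not in self.users:
            raise KeyError(f"unknown SP account {logon_id!r}")
        self.federation_links[persistent_id] = logon_id

    def resolve(self, assertion_xml):
        """Map an assertion to the SP account (and roles) that will be used for access."""
        fmt, value, attrs = parse_subject(assertion_xml)
        if fmt == FMT_TRANSIENT:
            # Transient federation: no account per user; the profile comes from attributes only
            roles = {self.attribute_roles[v] for v in attrs.get("role", []) if v in self.attribute_roles}
            if not roles:
                raise PermissionError("transient subject with no attribute that maps to an SP role")
            return {"mode": "transient", "logon_id": None, "roles": roles}
        if fmt == FMT_PERSISTENT:
            logon_id = self.federation_links.get(value)
            if logon_id is None:
                if not self.auto_create:
                    raise PermissionError("persistent NameID not linked yet; consent or provisioning required")
                logon_id = value  # the opaque persistent id becomes the logon id of the new account
                self.users[logon_id] = {"roles": []}
                self.federation_links[value] = logon_id
            mode = "persistent"
        else:
            # Aligned identifiers (NameID == logon id) or linking via a matching profile attribute
            logon_id = self._find_by_identifier(value)
            if logon_id is None:
                raise PermissionError(f"no SP account whose {self.identifier_source} equals {value!r}")
            mode = "aligned" if self.identifier_source == "logon_id" else "attribute-linked"
        return {"mode": mode, "logon_id": logon_id, "roles": set(self.users[logon_id].get("roles", []))}
```

The resolver refuses to guess: an unknown persistent identifier is rejected unless automatic account creation was explicitly enabled, and a transient subject without a mapped attribute gets no access at all, which is the SP-side enforcement of the "agree on user attributes to exchange" prerequisite.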
Structuring of User Authorization Profiles with Transient Federation Agreements

Service Provider (authorization element: count):
- Permissions: x
- Actions/App Roles: v
- User Role / Group: t
- User ID: 1

Identity Provider (authorization element: count):
- Permissions: p
- Actions/App Roles: r
- User Roles: m
- User Groups: l
- SAP User IDs: k

N:1 record relation: the SP manages 1 account per multiple IDP user records. Only the IDP must manage the full user attribute profile.
Identity Federation and B2B SSO – The Small Script

- Contracts must define what can be shared to technically enable a federation agreement
- The contract provides a skeleton of the information that can/must be shared: not all identity information may be shared, for business or compliance reasons
- The contract may include special agreements per target application system or target application system group; these facilitate trust established indirectly via intermediary identity provider "brokers"
- For data protection and privacy reasons, users (administrative or end users) can:
  - agree to sharing the requested data with the resource accessed via federation (SP) from the federation authority (IdP)
  - enforce the contractual agreement, with deployment of integrity and confidentiality protection
  - assign and audit policies for different trust relationships
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Standard
SAML 2.0 – Overview

- Industry standard for cross-vendor SSO and SLO with wide adoption
- XML-based framework for marshaling security and identity information and exchanging it across administrative and technical domain boundaries
- SAML profiles describe a variety of end use cases for the framework
- SAML core technology: assertions (or claims) about end user subjects
  - Contain statements: authentication, attribute, authorization
  - Issued from a trusted system provider: an active element of a computer/network system
  - Securely identify a principal: a user whose identity can be authenticated
  - Contain a subject: an accountable principal in the context of a secured application
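An assertion is only evidence of the statements listed above once the Service Provider has checked who issued it, for whom, and for how long. The following Python is an added example of those SP-side checks, not SAP's implementation: the `validate_assertion` function, the `hra.example` and `iteio.example` entity ids, the sample assertion and the clock value are all constructed, and XML signature verification, which needs an XML-DSig library, is represented by the `signature_verified` flag the caller passes in after running that library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP configuration (assumed entity id, ACS URL and trusted IDP; not a real deployment)
SP_ENTITY_ID = "https://sp.iteio.example"
ACS_URL = "https://sp.iteio.example/saml2/acs"
TRUSTED_ISSUERS = {"https://idp.hra.example"}

# Constructed clock for the stand-alone demo: five minutes after the assertion was issued
NOW = datetime(2010, 4, 20, 10, 5, tzinfo=timezone.utc)

# Constructed sample assertion; the IDP's XML signature is omitted here
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-0001" Version="2.0" IssueInstant="2010-04-20T10:00:00Z">
  <saml:Issuer>https://idp.hra.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">abufford</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.iteio.example/saml2/acs"
          NotOnOrAfter="2010-04-20T10:10:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-04-20T10:00:00Z" NotOnOrAfter="2010-04-20T10:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.iteio.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-04-20T09:59:50Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2010-04-20T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, *, now, seen_ids, signature_verified,
                       trusted_issuers=TRUSTED_ISSUERS, sp_entity_id=SP_ENTITY_ID,
                       acs_url=ACS_URL, skew=timedelta(seconds=60)):
    """Return the reasons to reject the assertion; an empty list means accept.

    seen_ids is the SP's replay cache of consumed assertion IDs; it is updated
    only when every other check passes.
    """
    problems = []
    if not signature_verified:
        problems.append("XML signature not verified against the IDP's trusted key")
    root = ET.fromstring(xml_text)

    # Issuer: the statements are only as trustworthy as the system that made them
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    # Conditions: validity window (with clock skew) and audience restriction
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= _ts(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name this SP")

    # Bearer confirmation: the token was meant for this SP's consumer endpoint
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        problems.append("no bearer SubjectConfirmation")
    else:
        data = confirmation.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer confirmation without SubjectConfirmationData")
        else:
            if data.get("Recipient") != acs_url:
                problems.append("Recipient is not this SP's assertion consumer URL")
            expiry = data.get("NotOnOrAfter")
            if expiry and now - skew >= _ts(expiry):
                problems.append("bearer confirmation expired")

    # Replay: each assertion ID is accepted once
    assertion_id = root.get("ID")
    if not assertion_id:
        problems.append("assertion has no ID")
    elif assertion_id in seen_ids:
        problems.append("assertion ID already consumed (replay)")
    if not problems:
        seen_ids.add(assertion_id)
    return problems


if __name__ == "__main__":
    cache = set()
    print("first use:", validate_assertion(SAMPLE_ASSERTION, now=NOW, seen_ids=cache, signature_verified=True))
    print("second use:", validate_assertion(SAMPLE_ASSERTION, now=NOW, seen_ids=cache, signature_verified=True))
```

The function collects every failure instead of stopping at the first one, which is what an SP's security log needs; the replay cache is only written on full success, so a rejected assertion does not block a later, legitimate one with a fresh ID.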
SAML 2.0 in a Nutshell

SAML 2.0 deliverables for interactive Web user federation:
- Profiles: combinations of assertions, protocols and bindings to support a specific use case
- Bindings: mappings of the SAML protocol messages onto standard messaging and communication protocols
- Protocols: requests and responses for obtaining assertions and managing user identifiers
- Assertions: authentication, attribute and entitlement information
- Authentication Context: enables service providers to require a type and strength of initial authentication at the IDP
- Metadata: supports automated configuration data import and discovery for identity and service providers

WS Security deliverables for federation with Web services:
- WSS SAML Token Profile: place a SAML 2.0 assertion in a SOAP envelope
- WS Policy: declare and propagate the requirement for a SAML 2.0 assertion in a SOAP envelope
- WS Trust: defines mechanisms to negotiate keys and issue, cancel, renew and amend security tokens
Lite Protocol Interoperability Matrix from Liberty (http://www.projectliberty.org/liberty/liberty_interoperable)

| Feature | IDP | IDP-Lite | SP | SP-Lite |
|---|---|---|---|---|
| Web SSO, <AuthnRequest>, HTTP redirect | MUST | MUST | MUST | MUST |
| Web SSO, <Response>, HTTP POST | MUST | MUST | MUST | MUST |
| Artifact Resolution, SOAP | MUST | MUST | MUST | MUST |
| Enhanced Client/Proxy SSO, PAOS | MUST | MUST | MUST | MUST |
| Name Identifier Management, HTTP redirect (IDP-initiated) | MUST | MUST NOT | MUST | MUST NOT |
| Name Identifier Management, SOAP (IDP-initiated) | MUST | MUST NOT | OPTIONAL | MUST NOT |
| Name Identifier Management, HTTP redirect | MUST | MUST NOT | MUST | MUST NOT |
| Name Identifier Management, SOAP (SP-initiated) | MUST | MUST NOT | OPTIONAL | MUST NOT |
| Single Logout (IDP-initiated), HTTP redirect | MUST | MUST | MUST | MUST |
| Single Logout (IDP-initiated), SOAP | MUST | OPTIONAL | MUST | OPTIONAL |
| Single Logout (SP-initiated), HTTP redirect | MUST | MUST | MUST | MUST |
| Single Logout (SP-initiated), SOAP | MUST | OPTIONAL | MUST | OPTIONAL |
| Identity Provider Discovery (cookie) | MUST | MUST | OPTIONAL | OPTIONAL |
Thank You!
Further Information

Related SAP Education and Certification Opportunities: http://www.sap.com/education/

SAP Public Web:
- SAP Developer Network (SDN): www.sdn.sap.com
- Business Process Expert (BPX) Community: www.bpx.sap.com
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2009 SAP AG
All Rights Reserved