
SAP TechEd ‘03 Basel

© 2003 SAP AG SCUR251, Cristina Buchholz; Patrick Hildenbrand 1

Eliminating Authentication Pop-Ups in SAP Landscapes
Cristina Buchholz, Patrick Hildenbrand
Product Security, SAP

SAP AG 2003, TechED EMEA, SCUR251, Cristina Buchholz; Patrick Hildenbrand/ 2

Learning Objectives

As a result of this workshop, you will be able to:

Understand Authentication and Single Sign-On options with or without the Enterprise Portal
Understand Authentication Delegation via Pluggable Authentication Service


Agenda

Introduction

Why use single sign-on?

Single sign-on with SAP: without Enterprise Portal; with Enterprise Portal

Outlook

Summary


SAP NetWeaver: Introduction

SAP NetWeaver is the application and integration platform to unify and align people, information, and processes across technologies and organizations.

(Diagram: Portal, Collaboration, Multi-channel Access, Business Intelligence, Knowledge Management, Master Data Management, Integration Broker and Business Process Management; together they enable the Enterprise Services Architecture.)


SAP NetWeaver™ (architecture overview)

(Diagram)
People Integration: Multi-Channel Access, Portal, Collaboration
Information Integration: Business Intelligence, Knowledge Management, Master Data Management
Process Integration: Integration Broker, Business Process Management
Application Platform: J2EE, ABAP; DB and OS Abstraction
Across all layers: Composite Application Framework, Life Cycle Management; shown alongside .NET and WebSphere


Single Sign-On (landscape overview)

(Diagram) Inside the enterprise boundary: mySAP components (R/3 3.1H, R/3 4.6, FI, LO, HR, CRM, KW, BBP, SEM, APO, BW, CFM), R/2, and non-mySAP.com 3rd-party systems and different ERP systems. Outside the enterprise boundary: partners, the market-place, mySAP Internet services and various Internet services, reached over open Internet standards. Single Sign-On is required across inside and outside.

Why Use Single Sign-On?

Complex system landscapes with many user IDs and different passwords -> procedures in each system to roll out, reset and change new/existing passwords

⇒ High administration cost and effort

⇒ Users find continually changing passwords for many systems annoying

⇒ Users write passwords down and store them where they can easily be found -> security risk

Solution: Single Sign-On

Users only have to remember one password to gain access to every system

Administration costs and effort are drastically reduced


Single Sign-On mechanisms available for SAP systems

What authentication mechanisms are possible for Single Sign-On?

SNC
SSL and X.509 client certificates
SAP Logon Tickets
Pluggable Authentication Services

Single Sign-On Variants Depending on GUI

SAP GUI for HTML:
PAS (+ Partner): when using a partner product, additional costs
Logon tickets: SAP proprietary; no additional costs
X.509 client certificates: based on standards; available in Internet scenarios; configuration of SSL necessary

SAP GUI for Windows:
Logon tickets in SAP Shortcuts: SAP proprietary; initial access via ITS
SNC: Microsoft NTLM or Kerberos: no additional costs; Microsoft-only environment
SNC: partner product: additional costs

Two Worlds: SAP GUI for Windows and Web

Web (SAP GUI for HTML): X.509 client certificate; Logon ticket; Pluggable Authentication Service (PAS) to use external authentication mechanisms
Traditional (SAP GUI for Windows): Secure Network Communications (SNC)

Single Sign-On for SAP GUI for Windows

Use SNC and an external security product: authentication takes place outside of the SAP system
Use an SAP-certified SNC product
Also available: Windows NTLM (gssntlm.dll), Windows 2000 Kerberos (gsskrb5.dll)

(Diagram: the external security product sits on both the SAP GUI for Windows side and the SAP system side.)

SAP Logon Tickets – SSO Process

(Diagram: initial logon at an SAP system on the intranet; the SAP Logon Ticket is then presented to other SAP systems, to external systems and to any other Web page, on the intranet or over the Internet.)

Verifying the SAP Logon Ticket: SAP Systems

Component system:

Step 1: Verification of the digital signature provided with the SAP Logon Ticket (using the ticket-issuing SAP server's public-key certificate).

Step 2: Logon using the user ID which is stored in the SAP Logon Ticket. No additional authentication using password or certificate necessary.

SAP Logon Ticket

Initial authentication (user ID / password) on ticket-issuing system
System issues user logon ticket
Digitally signed by ticket-issuing server: provides for integrity and authenticity protection
Accepting systems check logon ticket for validity

(Diagram: Alice logs on with user ID and password at the ticket-issuing system and is then recognized as Alice by the accepting systems.)

Issuing Logon Tickets

Set up one system as ticket issuer
System must be >= Release 4.6D
System must possess a public and private key pair, stored in the system PSE

Verifying Logon Tickets

Step 1: Verify the digital signature (system PSE)
Step 2: Check the SSO access control list (entry: ticket-issuing server <SID> <client>)
Step 3: Log the user on to the system

Configuring the Use of Logon Tickets

Step 1: Configure the ticket-issuing system: application server

Step 2: Configure the ticket-issuing system: ITS

Step 3: Configure accepting system: application server

Step 4: Configure accepting system: ITS

Step 5: Test the connection


Step 1: Configure the Ticket-Issuing System

Application server profile: set the profile parameters, then restart the application server.

# SAP logon ticket parameters
login/create_sso2_ticket = 1
login/accept_sso2_ticket = 1
login/ticket_expiration_time = 60

login/ticket_expiration_time is the validity period of the issued tickets in hours. With login/create_sso2_ticket = 2 the ticket does not carry the issuing system's certificate, so every accepting system must hold that certificate in its certificate list (see Step 3).

Step 2: Configure the Ticket-Issuing System (ITS)

Global service file parameters (global.srvc):
~login
~password
~cookies 1

Individual service file parameters (systeminfo.srvc):
~mysapcomgetsso2cookie 1
~mysapcomusesso2cookie 1
~mysapcomnosso1cookie 1
~mysapcomnoits 1

Step 3: Configure the Accepting Systems (application server; also applies to the ticket-issuing system)

Profile parameter: login/accept_sso2_ticket
Access Control List TWPSSO2ACL: contains an entry for the ticket-issuing system
Certificate List: contains the ticket-issuing system's public-key certificate (if login/create_sso2_ticket = 2 on the ticket-issuing system)
Maintenance transaction: SSO2
Activate!

Step 4: Configure the Accepting Systems (ITS)

Service file parameters:
~login
~password
~mysapcomusesso2cookie 1

Step 5: Test the Configuration

Set Web browser to prompt for cookies

Access ticket-issuing application server using service (for example, systeminfo)

Logon ticket is cookie named MYSAPSSO2
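The issuing side from Step 1 and the three checks an accepting system performs (signature, access control list, logon), modelled as an added Go example. This is not SAP code and not the MYSAPSSO2 cookie format: the ticket is a constructed base64 "payload.signature" string carrying the fields the slides name (user ID, validity period, issuing system SID and client), signed with an ed25519 key that stands in for the system PSE key pair; the identifiers Issuer, Acceptor, ACLKey, Verify and the error values are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket holds the public fields the slides list: user ID, validity period (an expiry
// instant here) and issuing system. The "payload.signature" base64 encoding used below is
// a constructed stand-in for the real MYSAPSSO2 cookie format, which is not shown.
type Ticket struct {
	User, SID, Client string
	NotAfter          time.Time
}

var b64 = base64.RawURLEncoding // cookie-safe alphabet, no padding

// Issuer is the ticket-issuing system; priv stands in for the system PSE key pair.
type Issuer struct {
	SID, Client string
	priv        ed25519.PrivateKey
}

func NewIssuer(sid, client string) (*Issuer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{SID: sid, Client: client, priv: priv}, nil
}

// Public is what an accepting system imports into its certificate list.
func (i *Issuer) Public() ed25519.PublicKey { return i.priv.Public().(ed25519.PublicKey) }

// Issue signs a ticket for user; ttl plays the role of login/ticket_expiration_time.
func (i *Issuer) Issue(user string, now time.Time, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(Ticket{User: user, SID: i.SID, Client: i.Client, NotAfter: now.Add(ttl)})
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(i.priv, payload)), nil
}

// ACLKey is one entry of the SSO access control list (TWPSSO2ACL): issuer SID and client.
type ACLKey struct{ SID, Client string }

// Acceptor is an accepting system: certificate list (issuer SID -> public key) plus the ACL.
type Acceptor struct {
	Certs map[string]ed25519.PublicKey
	ACL   map[ACLKey]bool
}

func NewAcceptor() *Acceptor { return &Acceptor{map[string]ed25519.PublicKey{}, map[ACLKey]bool{}} }
func (a *Acceptor) AddCert(sid string, pub ed25519.PublicKey) { a.Certs[sid] = pub }
func (a *Acceptor) AddACL(sid, client string)                 { a.ACL[ACLKey{sid, client}] = true }

var (
	ErrMalformed = errors.New("malformed ticket")
	ErrSignature = errors.New("digital signature does not verify")
	ErrNotInACL  = errors.New("issuing system not in SSO access control list")
	ErrExpired   = errors.New("ticket validity period has ended")
)

// Verify performs the three steps from the slides: 1) verify the digital
// signature, 2) check the access control list, 3) return the user to log on.
func (a *Acceptor) Verify(cookie string, now time.Time) (string, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return "", ErrMalformed
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	var t Ticket
	if err1 != nil || err2 != nil || json.Unmarshal(payload, &t) != nil {
		return "", ErrMalformed
	}
	// Step 1: the key comes from the acceptor's own certificate list, selected by the
	// issuer the ticket names; nothing inside the ticket is trusted before this check.
	pub, ok := a.Certs[t.SID]
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return "", ErrSignature
	}
	// Step 2: a good signature from a known key is not enough; SID and client must be on the ACL.
	if !a.ACL[ACLKey{t.SID, t.Client}] {
		return "", ErrNotInACL
	}
	if !now.Before(t.NotAfter) {
		return "", ErrExpired
	}
	return t.User, nil // Step 3: log this user on; no password or certificate is asked for
}

func main() {
	issuer, _ := NewIssuer("PRD", "000")
	acc := NewAcceptor()
	acc.AddCert("PRD", issuer.Public())
	acc.AddACL("PRD", "000")
	cookie, _ := issuer.Issue("ALICE", time.Now(), 8*time.Hour)
	fmt.Println(acc.Verify(cookie, time.Now())) // ALICE <nil>
}
```

The order of the checks is the point: the verification key is looked up by the issuer named in the ticket, never taken from the ticket, and a ticket with a valid signature from a known key is still rejected when that SID/client pair is missing from the ACL, which is what the TWPSSO2ACL entry in Step 3 enforces. The ticket verification library for non-SAP systems described later in the deck applies the same two checks before handing the user ID to the application.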


X.509 Client Certificates

Authentication occurs using SSL with mutual authentication
User possesses a private and public key pair and a public-key certificate
Access to Web-based SAP systems, for example the SAP Web AS, or non-SAP systems that support SSL

(Diagram: the user's browser connects over SSL to SAP Web AS systems and to a non-SAP system.)

Pluggable Authentication Service (PAS)

Authentication using an external authentication service:
Windows NTLM protocol
Windows user ID / password checking using the domain controller
LDAP bind
Radius / SecurID
HTTP header variables
...

After authentication the user is issued a Logon Ticket for use with SAP services

Pluggable Authentication Service: External Authentication Mechanisms

Examples:
Windows NT LAN Manager (NTLM)
Verifying user ID and password on the Windows domain controller
LDAP bind
SSL and X.509 client certificates
Arbitrary mechanism on the Web server that sets an HTTP header variable
Arbitrary mechanisms provided by a partner

Pluggable Authentication Service: AGate

Mechanisms in which the AGate itself performs the authentication (user ID and password):
Verifying user ID and password on the Windows domain controller
LDAP bind
Arbitrary mechanisms provided by a partner

(Diagram: Web server/WGate -> AGate running the sapextauth service -> external authentication mechanism; the external user ID (Alice) is mapped to the SAP system user ID (Alice) through the user external ID mapping table USREXTID.)

Pluggable Authentication Service: WGate

Mechanisms in which authentication happens on the Web server/WGate:
Windows NT LAN Manager (NTLM)
SSL and X.509 client certificates
Arbitrary mechanism on the Web server that sets an HTTP header variable

(Diagram as above: the externally authenticated user ID reaches the AGate's sapextauth service and is mapped through USREXTID to the SAP system user ID.)

Pluggable Authentication Service: SNC

SNC is required between the AGate and the ticket-issuing application server
SNC is recommended between the AGate and the accepting systems
If the authentication mechanism runs on the Web server, SNC is also recommended between the AGate and the WGate

(Diagram as above, with SNC on the AGate's connections.)

Pluggable Authentication Service: Process

(Diagram as above: Web server/WGate -> AGate (sapextauth) -> external authentication mechanism, with SNC on the AGate's connections and the USREXTID mapping from the external user ID to the SAP system user ID.)

Step 1: The user enters the URL for the PAS service: https://host1.mycompany.com/scripts/wgate/<service>/!
Step 2: The user provides authentication information (user ID and password).
Step 3: The external authentication mechanism verifies the user's information.
Step 4: The ticket-issuing system maps the external user ID to the SAP user ID.
Step 5: The user is issued a logon ticket.
Step 6: The AGate redirects the user to the initially desired service (myservice): https://host1.mycompany.com/scripts/wgate/myservice/!

Configuring Pluggable Authentication Services

Step 1: Install PAS module

Step 2: Set service file parameters

Step 3: Maintain user mapping


Step 1: Install PAS Module

PAS package ntauth.sar: attached to SAP Note 493107; contains sample service files and template files; install in the \services and \templates directories.

Resulting layout under D:\Program Files\SAP\ITS\2.0\<SID>\AGate:
services\sapntauth.srvc (copy and rename if necessary, for example sapntpasswd, sapldap, saphttp, etc.)
templates\sapntauth\99\login.html, extautherror.html, redirect.html

Step 2: Set the Service File Parameters

~xgateway sapextauth

~extauthtype NTLM

~extid_type NT

~mysapcomgetsso2cookie 1

~dont_recreate_ticket 1

~redirectHost host1

~redirectPath /scripts/wgate/webgui/!

~redirectQS ~client=000&~language=en

~redirectHttps 1

~login_to_upcase 1


Step 3: Maintain the User Mapping

The user's external ID must correspond to an SAP system user ID. Maintain the mapping in table USREXTID (report RSUSREXTID).

Example entry:
External ID: MYDOMAIN/ALICE (the user's external ID)
Type: NT (the ITS parameter ~extid_type)
Seq. No.: 000
User: ALICE (the user's SAP system user ID)
Activ.: activation flag
Min. date: 01/01/2002
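An added Go example (not SAP or ITS code) of the two checks the AGate makes in the HTTP-header variant of PAS: the externally authenticated ID is accepted only when the WGate-to-AGate hop is SNC-protected, as the SNC slide recommends, and it is then resolved through a USREXTID-style table applying the type (~extid_type), activation flag, minimum date and ~login_to_upcase rules from Step 3. The header name X-Remote-User, the table rows other than the ALICE entry and all Go identifiers are assumptions of this example; the ALICE row is the one from the slide.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// ExtIDEntry models one row of the user external ID mapping table (USREXTID): external
// ID, its type (compared with ~extid_type), SAP user, activation flag, sequence number, min. date.
type ExtIDEntry struct {
	ExternalID, Type, SAPUser string
	Active                    bool
	SeqNo                     int
	MinDate                   time.Time
}

type PASConfig struct {
	ExtIDType     string // ~extid_type
	LoginToUpcase bool   // ~login_to_upcase
	HeaderName    string // assumption: the header the Web server sets; the slides do not name it
}

// Request is the AGate's view of one request forwarded by the WGate.
type Request struct {
	Headers map[string]string
	OverSNC bool // true when the WGate-to-AGate hop is SNC-protected
}

var (
	ErrUntrustedChannel = errors.New("header-based PAS needs SNC between WGate and AGate")
	ErrNoExternalID     = errors.New("no external ID presented")
	ErrNoMapping        = errors.New("no active USREXTID mapping for this external ID")
	ErrAmbiguous        = errors.New("external ID maps to more than one SAP user")
)

// ExternalIDFromHeader trusts the header only when it arrived over the protected hop;
// otherwise a client could have injected it instead of the Web server's mechanism setting it.
func ExternalIDFromHeader(r Request, cfg PASConfig) (string, error) {
	if !r.OverSNC {
		return "", ErrUntrustedChannel
	}
	id := strings.TrimSpace(r.Headers[cfg.HeaderName])
	if id == "" {
		return "", ErrNoExternalID
	}
	return id, nil
}

// ResolveSAPUser applies the USREXTID checks: type equals ~extid_type, entry active,
// min. date reached. With ~login_to_upcase the external ID is upper-cased first.
func ResolveSAPUser(table []ExtIDEntry, extID string, cfg PASConfig, now time.Time) (string, error) {
	if cfg.LoginToUpcase {
		extID = strings.ToUpper(extID)
	}
	var user string
	for _, e := range table {
		if e.Type != cfg.ExtIDType || e.ExternalID != extID || !e.Active || now.Before(e.MinDate) {
			continue
		}
		if user != "" && user != e.SAPUser {
			return "", ErrAmbiguous // this example refuses to guess between two SAP users
		}
		user = e.SAPUser
	}
	if user == "" {
		return "", ErrNoMapping
	}
	return user, nil
}

// Authenticate chains the two checks as the AGate's sapextauth service would; on success the caller issues the logon ticket.
func Authenticate(r Request, table []ExtIDEntry, cfg PASConfig, now time.Time) (string, error) {
	extID, err := ExternalIDFromHeader(r, cfg)
	if err != nil {
		return "", err
	}
	return ResolveSAPUser(table, extID, cfg, now)
}

// SampleConfig and SampleUSREXTID are constructed sample data, not taken from a real system.
func SampleConfig() PASConfig {
	return PASConfig{ExtIDType: "NT", LoginToUpcase: true, HeaderName: "X-Remote-User"}
}

func SampleUSREXTID() []ExtIDEntry {
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	return []ExtIDEntry{
		{"MYDOMAIN/ALICE", "NT", "ALICE", true, 0, d(2002, 1, 1)},  // the row shown on the slide
		{"MYDOMAIN/BOB", "NT", "BOB", false, 0, d(2002, 1, 1)},     // not activated
		{"MYDOMAIN/CAROL", "NT", "CAROL", true, 0, d(2004, 1, 1)},  // min. date still in the future
		{"MYDOMAIN/ALICE", "DN", "ALICE2", true, 0, d(2002, 1, 1)}, // other type: ignored when ~extid_type is NT
		{"MYDOMAIN/DAVE", "NT", "DAVE", true, 0, d(2002, 1, 1)},    // two active targets: ambiguous
		{"MYDOMAIN/DAVE", "NT", "DAVE2", true, 1, d(2002, 1, 1)},
	}
}

func main() {
	req := Request{Headers: map[string]string{"X-Remote-User": "mydomain/alice"}, OverSNC: true}
	fmt.Println(Authenticate(req, SampleUSREXTID(), SampleConfig(), time.Now())) // ALICE <nil>
}
```

The channel check comes first because in the header variant the AGate never sees the user's credentials: it sees only an assertion from the Web server, and that assertion is worth exactly as much as the protection on the hop it travelled over. The mapping step then decides which SAP user the assertion stands for; an inactive entry or one whose minimum date has not been reached is treated as absent.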


Pluggable Authentication Service: Digital Certificates

SSL and X.509 client certificates: authentication happens on the Web server/WGate, with an optional revocation check against a third party; the user ID from the certificate is mapped through the user external ID mapping table (USREXTID) to the SAP system user ID by the sapextauth service on the AGate.

Obtaining a Digital Certificate

Digital certificates must be X.509v3 compliant

Various options possible:
Using SAP Trust Center Service: for SAP users only; free of charge; Portal server acts as Registration Authority (RA)
Setting up an internal PKI system: buy software from a CA product vendor
Using an external PKI system: contract with a Trust Center Service

SAP Trust Center Service: Enrollment Process

1. Web browser to Portal Server: log on using SAP user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Web browser generates the key pair and sends the SAP Passport request
4. Portal Server sends the approved certificate request to the SAP Trust Center Service
5. SAP Trust Center Service verifies the naming conventions and issues the certificate
6. Log on using the SAP Passport

Combining the Two Worlds: SAP GUI for Windows and SAP GUI for HTML (Web)

SSO From Web to Traditional

Using logon tickets, ITS, and SAP Shortcuts: the logon ticket is passed to the SAP Shortcut using the ITS service wngui, for example:
https://host1.mycompany.com/scripts/wgate/wngui/!?~transaction=SU01

(Diagram: Alice, authenticated in SAP GUI for HTML via Web server/WGate/AGate (sapextauth), starts an SAP Shortcut and is logged on in SAP GUI for Windows as Alice.)

Logon Ticket: Non-SAP Systems

The Logon Ticket contains public information only: user ID, validity period, issuing system, digital signature.

Therefore SAP can offer a library which can be linked to other systems. These systems can verify the user's Logon Ticket and use the stored information for their own logon.

SSO to Non-SAP Components Using Logon Tickets

(Diagram) A non-SAP Web-based application on a Web server receives the digitally-signed mySAP.com Logon Ticket. The Ticket Verification Library SAPSSOEXT checks it using the security product (SAPSECULIB) or, if SAPSECULIB is not used, a public address book holding the Workplace server's public key; the check needs the Workplace server's public-key certificate issued by the SAP CA, or its public key if the certificate was not issued by the SAP CA. The library then checks the Access Control List (entry: Workplace server <SID> <client>) and returns the mySAP.com user ID, which the application maps to its own application user ID.

Legend: the diagram distinguishes services/objects provided by SAP from services/objects to be provided by the application.

Authentication – Initial Logon Procedure (Enterprise Portal)

Verification of the user's identity: initial logon procedure to authenticate the user

Various authentication methods:
User ID / password
X.509 digital certificates
Third-party authentication: Windows authentication; Web Access Management (WAM) products; others through the JAAS interface (pluggable JAAS login modules)

Anonymous user concept

Authentication Process (Portal Server)

(Diagram)
User ID / password: the browser sends user ID / password over SSL; the Portal Server verifies them against the User Persistence Store in the Portal Database, maps the user ID, and issues an SAP Logon Ticket.
X.509 certificate: the browser presents the certificate over SSL; the Portal Server compares it with the certificate stored for the user in the User Persistence Store, maps the user ID, and issues an SAP Logon Ticket.

SSO to Non-SAP Components Using SAP Logon Tickets

Two alternatives:

Web Server Filter: a filter on the Web server receives the SAP Logon Ticket (1), verifies it with the Portal Server's public-key certificate (2) and passes the application user ID to the non-SAP component system in an HTTP header field.

Application Programming Interface (API): the non-SAP component system receives the SAP Logon Ticket (1) and calls the ticket verification library (DLL), which verifies it with the Portal Server's public-key certificate (2) and returns the application user ID (3).

SSO – Account Aggregation

If the external system does not support SAP logon tickets:

Portal components connect to the external system with the user's credentials (user ID and password)
User mapping and credentials are stored in the Portal Database
Administrator maps user using administration iView
User maps own credentials using portal personalization function

Example mapping (Port User -> SAP User -> Siebel User ID / Password):
Michael_Schumacher -> d040011 -> 903845233 / {yu323ab}
Anna_Kournikova -> i052340 -> 230982029 / {34u0nap}
Tiger_Woods -> i043536 -> 324098211 / {wq9itxm1}
Cathy_Freeman -> i048347 -> 202377724 / {12onxc85}

Because the Portal Database then holds reusable passwords for the external system, it must be protected accordingly (encrypted storage, restricted access).

Outlook

JAAS logon modules

SAML tickets


Authentication Mechanisms (summary)

SAP Enterprise Portal: user ID / password; X.509 certificates; Logon Tickets; JAAS login module; HTTP header variables
External authentication, via a pluggable authentication adapter or Web access management products: NTLM; LDAP bind; Radius; ...
Applications sit behind the portal

Summary

You have learned to understand authentication and single sign-on options for SAP solutions with and without the Enterprise Portal


Further Information

Public Web: www.sap.com/netweaver -> Key Capabilities -> Security
SAP Customer Services Network: www.sap.com/services/
Related SAP Education Training Opportunities: http://www.sap.com/usa/education/ ; ADM960 Security in SAP System Environment
Consulting Contact: Frank Rambo, NetWeaver Security Consulting ([email protected])

Q&A

Questions?

SAP AG 2003, TechED EMEA, SCUR251, Cristina Buchholz; Patrick Hildenbrand/ 60

Please complete your session evaluation anddrop it in the box on your way out.

Feedback

Thank You !

The SAP TechEd ’03 Basel Team


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.

ORACLE® is a registered trademark of ORACLE Corporation.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well astheir respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.

Copyright 2003 SAP AG. All Rights Reserved