IDM 7.2 Presentation

SAP NetWeaver Identity Management Technical Overview Presentation SAP AG Walldorf, December 2010

Transcript of IDM 7.2 Presentation

Page 1: IDM 7.2 Presentation

SAP NetWeaver Identity Management
Technical Overview Presentation

SAP AG
Walldorf, December 2010

Page 2: IDM 7.2 Presentation


© SAP AG 2010. All rights reserved. / Page 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3: IDM 7.2 Presentation

Agenda

1. Introduction to Identity Management
2. SAP NetWeaver Identity Management Solution in Detail
   2.1 Role Management and Workflows
   2.2 Business-Driven Identity Management
   2.3 Compliance, Reporting, and Auditing
   2.4 Password Management
   2.5 Identity Virtualization
   2.6 Connectivity and Services
   2.7 Identity Federation and Web-Based Single Sign-On
3. SAP NetWeaver Identity Management Architecture
4. Summary & Additional Information Sources

Page 4: IDM 7.2 Presentation


Page 5: IDM 7.2 Presentation

Identity Management Definition

SAP NetWeaver Identity Management:

- Enables the efficient, secure and compliant execution of business processes
- By ensuring that the right users have the right access to the right systems at the right time
- Consistent with their roles across all systems and applications

Page 6: IDM 7.2 Presentation

Typical User Lifecycle

Challenges:
- Long time to become productive
- Enormous costs and efforts
- Security leaks if employee leaves

Timeline:
- Hire date: Chuck Brown joins company. Available: temporary accounts
- 3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
- 1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
- 7 years later: Chuck Brown is promoted: Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
- 8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
- 10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)

Page 7: IDM 7.2 Presentation

Business Drivers for Identity Management

Increasing Operational Costs
- Maintenance of multiple sources of identity data
- Manual user provisioning by help desk delays on/off-boarding and change in positions
- Labor-intensive, paper-based approval systems
- Users dependent on help desk response times

Changing Business Processes
- Multi-enterprise fulfillment transactions with increasing partner process participation
- Industry-specific user provisioning requirements
- Inconsistent and informal processes proliferate

Compliance Requirements
- No record of who has access to which IT resources
- Inability to de-provision user access rights upon termination
- Identify and manage business & IT controls
- Provide auditors with complete audit trail
- Prevention of unauthorized access in multi-enterprise environments

Page 8: IDM 7.2 Presentation

SAP NetWeaver Identity Management: Value Proposition

Efficiency, Insight, Flexibility

- Central management of user identities
- Lower cost of administration
- Regulatory compliance
- Governance model for policy management
- Business-driven identity management
- Responsive to business changes
- Standards-based technology platform
- Leverage SAP NetWeaver management and administration capabilities
- Rule-driven workflow / approval process
- Extensive audit trail, logging and reporting capabilities
- Integration with SAP Business Suite and SAP BusinessObjects Access Control (GRC) for end-to-end, compliant, role-based control
- Standards-based integration with SAP Business Suite
- Identity services enable tightly aligned, loosely coupled integration

Page 9: IDM 7.2 Presentation

Business-Driven, Compliant Identity Management

Vision: To provide an integrated, business-driven, and compliant identity management solution on a standards-based technology platform

Identity Management:
- Enterprise SOA: Identity Services Model delivers service-enabled identity management for SOA environments, enables tightly aligned and loosely coupled integration
- Governance, Risk and Compliance: Business-driven identity governance model and sustainable prevention of segregation of duties violations deliver compliant identity management
- Heterogeneous Integration: Service-enabled and standards-based identity management simplifies integration and customization across heterogeneous landscapes
- Integration with the SAP Business Suite enables true business process-driven identity management

Page 10: IDM 7.2 Presentation

Identity Management Yesterday: Localized User Administration

e.g. on-boarding

- ABAP: Transaction SU01 for local user mgmt
- Java: User Management Engine (UME) for local user mgmt
- Local user mgmt

Page 11: IDM 7.2 Presentation

Identity Management Yesterday: Partial Centralization

e.g. on-boarding

- CUA: Provisioning for ABAP-based systems
- LDAP Directory
- 3rd Party Identity Management Product
- Synchronization
- UME data source

Page 12: IDM 7.2 Presentation

SAP NetWeaver Identity Management: Holistic Approach

e.g. on-boarding

SAP NetWeaver Identity Management:
- Central Identity Store
- Password management
- Provisioning to SAP and non-SAP systems
- Reporting
- Rule-based assignment of business roles
- Identity virtualization and identity as service
- Approval workflows
- SAP BusinessObjects Access Control (GRC): Compliance checks through GRC
- SAP Business Suite Integration
- Web-based Single Sign-On & Identity Federation

Page 13: IDM 7.2 Presentation

SAP NetWeaver Identity Management Within the Technology Platform

Identity management is an integral part of the SAP NetWeaver technology platform:

- It enables efficient and secure management of identity information.
- It supports both SAP-only and heterogeneous system landscapes.
- It integrates with the SAP NetWeaver platform and business applications.
- It complements integrated SAP NetWeaver security frameworks.

Diagram (Security Governance):
- Compliance: Regulatory Compliance; Auditing; SAP Solutions for Governance, Risk and Compliance; Security Targets
- Secure Collaboration: Web Services Security; Content Security; Security Interoperability
- Identity and Access Management: Identity Management; Authorization Concepts and Management; Authentication and Single Sign-On
- Infrastructure Security: Network and Communications Security; Operating System and Database Security; Front-End Security
- Software Lifecycle Security: Secure Product Development; Secure Delivery; Secure Configuration; Secure Change Management

Page 14: IDM 7.2 Presentation


Page 15: IDM 7.2 Presentation

Business Roles and Technical Roles

Business Roles
- Are defined in the Identity Center
- Represent the business tasks of an employee
- Are usually defined as part of a business process
- Can be set up in hierarchies
- Are a combination of technical roles and/or other business roles
- Are usually assigned to end users

Technical Roles
- Represent access information or technical authorizations (e.g. ABAP authorization roles, UME roles, Portal roles, AD groups, …)
- Are usually uploaded from the target system
- Are system-specific
- Are usually represented as “privileges” in the Identity Center

Diagram:
- Business Roles: Manager, Employee, Accounting
- Technical Roles: End user (Portal role), Accounting (ABAP role), HR manager (ABAP role), E-mail, AD user
- Systems: SAP HR, Active Directory, SAP FI, E-Mail System, SAP Portal

Page 16: IDM 7.2 Presentation

Role Definition and Provisioning

Role Definition (design, one-time task)
- Read system access information (roles, groups, authorizations, etc.) from target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments

Provisioning (regularly)
- Assign or remove roles to/from people
  - Through request/approval workflow
  - Manually (administrator)
  - Automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems

Page 17: IDM 7.2 Presentation

Role Management Based on Business Processes

Systems: SAP ERP HCM, SAP NetWeaver Identity Management

Design Time
- Create “Create Sales Order” business role
- Assign authorization needed for business process
- Create rule to automatically link business role to employees with position sales clerk

Execution Time
- Create order in SAP CRM
- Check pricing in SAP IPC in SAP SCM
- Check availability in SAP SCM

Page 18: IDM 7.2 Presentation

Context-Based Role Assignment: Available Since Release 7.2

As of Release 7.2, SAP NetWeaver ID Mgmt allows for the assignment between
- A person / a role or privilege
- And an optional context

Context types are defined by the customer; examples include factory, store, project, location, etc.

Use case:
A person has a specific role in a given factory. Using context-based role assignment, there is no need to duplicate these roles for each factory.

Example: 20 roles, 1000 factories
- IDM 7.1: 20.000 entries (roles)
- IDM 7.2: 1.020 entries (roles + contexts)

Diagram: Roles, People, Factory

Benefit: Assigning a context reduces the number of roles (and privileges).
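The following sketch is an added example, not part of the SAP presentation or product code. It models the assignment as a (person, role, context) triple so that an access check is scoped to the context; the class, the function names, the sample identifiers and the treatment of a context-less assignment as valid everywhere are assumptions.

```python
from typing import Optional


class ContextAssignments:
    """Roles and contexts are defined once; assignments link them per person."""

    def __init__(self, roles, contexts):
        self.roles = set(roles)
        self.contexts = set(contexts)
        self.assignments = set()  # (person, role, context or None)

    def assign(self, person: str, role: str, context: Optional[str] = None):
        # Reject references to roles or contexts that were never defined.
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        if context is not None and context not in self.contexts:
            raise ValueError(f"unknown context: {context}")
        self.assignments.add((person, role, context))

    def holds(self, person: str, role: str, context: str) -> bool:
        # Assumption: an assignment without context applies in every context.
        return ((person, role, context) in self.assignments
                or (person, role, None) in self.assignments)

    def contexts_of(self, person: str, role: str):
        """Contexts in which the person holds the role (for access reviews)."""
        return {c for (p, r, c) in self.assignments if p == person and r == role}

    def entries(self) -> int:
        """Entries to maintain: each role and each context is defined once."""
        return len(self.roles) + len(self.contexts)


def duplicated_entries(n_roles: int, n_contexts: int) -> int:
    """Entries needed when every role is copied once per context."""
    return n_roles * n_contexts


def sample_store() -> ContextAssignments:
    # Constructed sample: 20 roles and 1000 factories, as in the slide.
    roles = [f"role-{i:02d}" for i in range(1, 21)]
    factories = [f"factory-{i:04d}" for i in range(1, 1001)]
    store = ContextAssignments(roles, factories)
    store.assign("chuck", "role-03", "factory-0007")  # valid in one factory
    store.assign("kim", "role-01")                    # no context given
    return store


if __name__ == "__main__":
    s = sample_store()
    print(s.entries(), duplicated_entries(20, 1000))
    print(s.holds("chuck", "role-03", "factory-0007"),
          s.holds("chuck", "role-03", "factory-0008"))
```
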

Page 19: IDM 7.2 Presentation

Workflows – Overview

- Operates on entries in the identity store
- Manual interactions through Web interface
  - Start provisioning tasks
  - Approve requests
  - Monitor status
- Workflows can be started from:
  - Web interface
  - Event tasks
  - Change of privilege assignments
  - Meta directory operations
- Processing logic includes:
  - Sequential operation
  - Parallel operation
  - Conditional operation
  - Approval operation

Diagram (steps numbered 1 to 5): User, Business Process Owner, Identity Center, Identity Store, Rules, Roles, Workflow Engine, Provisioning Engine, Applications; Request, Approve, Inform, Alert, Provisioning

Page 20: IDM 7.2 Presentation


Page 21: IDM 7.2 Presentation

SAP NetWeaver ID Mgmt and SAP Business Suite: Increasing User Management Efficiency

Automated User Account Maintenance for SAP Business Suite Applications

Example: SAP CRM
- Sales representative Tom Peck needs access to SAP CRM.
- Creating a user account and role for Tom is not sufficient; you also have to create a Business Partner in CRM and assign the user account to this Business Partner.

SAP NetWeaver ID Mgmt automates the Business Partner assignment in SAP CRM, eliminating the need for manual administration steps.

Diagram: User, Assign Role, CRM Business Partner, Assign automatically

Automatic consideration of system- and application-specific aspects

Page 22: IDM 7.2 Presentation

SAP Business Suite Integration: Business-Driven Identity Management

Key Benefits
- Automated creation of Business Partner in SAP CRM, SAP SCM
- Link from Business Partner to user

Diagram: SAP NetWeaver Identity Management and
- SAP Supplier Relationship Management
- SAP Human Capital Management
- SAP Product Lifecycle Management
- SAP Portfolio and Product Management
- SAP Customer Relationship Management
- SAP Service Parts Planning
- SAP Supply Network Collaboration
- SAP Extended Warehouse Management
- SAP Transportation Management
- SAP ERP Financials

Page 23: IDM 7.2 Presentation

Business Process Driven Identity Management
On-Boarding

Kim Perkins joins the company as a marketing professional. From the first day with her new company, she is able to log on to all relevant systems, including access to the employee self-services, and access to SAP CRM to track the marketing activities she is responsible for.

Timeline: Pre-hire phase, First day at work
Actors: HR Operations, Line Manager, SAP NetWeaver Identity Management

Steps (numbered 1 to 4 on the slide):
- HR ensures that all necessary employee data for Kim is available, such as position and entry date
- Event-based extraction of Personnel data
- Based on the position in HCM the business role “Marketing Professional” is being assigned automatically
- Kim’s manager approves the assignment

Shown in the diagram:
- Business Partner created, User created: “Marketing Professional”
- User created: “Employee”
- User created: Access to SAP ESS, Access to SAP CRM

Page 24: IDM 7.2 Presentation

Business Process Driven Identity Management
Organizational Change: Line Manager Promotion

After two years as a marketing professional, Kim Perkins is promoted to take over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns - this requires immediate access to SAP ERP to view the marketing costs.

Actors: HR Operations, SAP NetWeaver Identity Management

Steps (numbered 1 to 3 on the slide):
- HR ensures that all necessary employee data for Kim are available, such as position and entry date
- Event-based extraction of Personnel data
- SAP NetWeaver Identity Management recognizes the line manager information for Kim and automatically assigns the business role “Marketing Manager”

Day of change:
- User updated: “Marketing Controller”
- User updated: “Employee”, “Line Manager”
- User updated: Access to SAP ESS, Access to SAP MSS, Access to SAP CRM
- User created: “Marketing Controller”

Page 25: IDM 7.2 Presentation

Business Process Driven Identity Management
Termination

After eight years, Kim Perkins leaves the company. On her last day, she finishes her tasks in the systems she used to work on. The day after her official assignment with the company ends, she is no longer able to access these systems.

Actors: HR Operations, SAP NetWeaver Identity Management

Steps (numbered 1 to 3 on the slide):
- HR ensures that all termination relevant data for Kim are available, such as last day with the company
- Event-based extraction of Personnel data
- SAP NetWeaver Identity Management recognizes the last day information for Kim and automatically un-assigns all access rights and disables her accounts

Day after termination date: User disabled (shown for each of the four systems)

Page 26: IDM 7.2 Presentation


Page 27: IDM 7.2 Presentation

Reporting Options in SAP NetWeaver ID Mgmt

Basic Reporting, Reporting with Jasper Reports / Crystal Reports
- Focus: Static, printable reports
- Report creation on database level

Extended Reporting with SAP Business Warehouse (SAP BW)
- Focus: Dynamic reports
- Report creation on semantic BW InfoProviders
- Sample reports available
- SAP BW features include filtering, sorting, export to MS Excel, CSV, PDF, send via eMail, publishing in Portal, etc.

Page 28: IDM 7.2 Presentation

SAP NetWeaver Identity Management: Basic Reporting Functionality

- Application/Privilege-Centric: Determination of system access
- User-Centric: Determination of user privileges
- Entry data: Current data, historical data, time stamps, modified by, audit flags
- Approval data: Who approved what when? Who had what privilege at what time?
- Segregation of duties
- Attestation
- Task audit log: Determination of tasks run on user / by user?
- General logs
- Off-the-shelf reporting tools can be used

Page 29: IDM 7.2 Presentation

SAP NetWeaver ID Mgmt Extended Reporting Capabilities: Integration with SAP BW

- SAP BW report templates delivered with persons, privileges, roles and their assignments over time and for specific dates
- Advanced filtering and sorting options
- Access control: Roles for Reporting User (Administrator, Manager, Owner)
- Flexibility (BEX reports are used)

Diagram: Person(s), Privilege(s), Role(s), Assignment; change history up to the time of last synchronization

Implementation Guide: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f02d16da-1856-2d10-b2ad-bccaff798e97
BI Content Documentation: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/f6/436fcc95534cefbf621bc742cd13ff/frameset.htm

Page 30: IDM 7.2 Presentation

SAP NetWeaver Identity Management: Extended Reporting With SAP BW

- Object types (can be extended): Person, privilege (aggregated by system), role
- Report types:
  - Content-based reporting (person-attributes or role memberships)
  - Time-based reporting (state on given date or changes in period)
- Aggregations: Number of assignments between object types
- Navigation between reports ("report-report interface"): Person to assigned manager, role, etc.
- Basic auditing data: Who changed what
- Authorization concept with three roles: Administrator, HR Manager, Object Owner
- Flexibility: Use of BEx reports

Page 31: IDM 7.2 Presentation

Reporting with SAP BW: Input Help

List of attributes can be extended/modified

Page 32: IDM 7.2 Presentation

Reporting With SAP BW: Person Details at a Given Date

Reference attributes: Show referenced entry’s type and MSKEYVALUE

Page 33: IDM 7.2 Presentation

Reporting With SAP BW: Person History

Historic values

Page 34: IDM 7.2 Presentation

Reporting With SAP BW: Privilege Aggregations

Number of assignments per privilege

Page 35: IDM 7.2 Presentation

Compliant Identity Management: The Vision

Compliant Identity Management
- Provides compliant identity management across SAP and heterogeneous landscapes in one integrated solution
- Standards-based integration creates tightly aligned, loosely coupled solution from complementary components
- Gives a consistent view on current and historic access rights, approvals and policy violations

Components:
- GRC (SAP BusinessObjects Access Control), CFO: Meets the requirements of the CFO to ensure that IT business application controls are compliant
- SAP NetWeaver Identity Management, CIO: Provides the reduced TCO and increased security required by the CIO

Page 36: IDM 7.2 Presentation

SAP BusinessObjects Access Control (GRC) & SAP NetWeaver ID Mgmt – Integration Scenario

SAP BusinessObjects Access Control (GRC)
- Compliance checks
- Business risk controls and mitigation

SAP NetWeaver Identity Management
- Heterogeneous connectivity
- SAP Business Suite integration
- Powerful business role mapping
- Password management

Combined: Compliant identity management for the entire system landscape!

Page 37: IDM 7.2 Presentation

Compliant, Business-Driven Identity Management

Requirement: Provide automated, position-based role management while ensuring compliance

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HCM events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite

Diagram lanes: HCM, SAP NetWeaver Identity Management, SAP BusinessObjects Access Control, Line Manager, Landscape
Diagram steps: New Hire; Calculate entitlements based on position; Compliance check; Remediation; Approve assignments (Yes / No); Create user, Assign roles; Create User, Assign roles; Create User, Assign privileges

Page 38: IDM 7.2 Presentation

SAP BusinessObjects Access Control: Solution Overview

Minimal Time-to-Compliance
- Quick, effective, and comprehensive access risk identification
- Elimination of existing access and authorization risks is key

Continuous Access Management
- Improve productivity of end users
- Reduce cost of role maintenance
- Avoid business obstructions with faster emergency response
- Ease compliance and avoid authorization risk

Effective Management Oversight
- Capabilities for management oversight
- Capabilities for internal audit

Diagram labels: IT Infrastructure (FIN, SCM, SRM, MFG, HR); Cross-Platform; Cross-Function; Access Risk analysis; Remediation; Enterprise role management; Risk analysis and remediation; Compliant user provisioning; Audit Oversight; Identity management; Periodic access review and audit; Control Environment; Cross-enterprise library of best practice segregation of duties rules; Regulations; Rules; Corporate Policies; Best Practices; Superuser privilege management; SAP_ALL

Page 39: IDM 7.2 Presentation

Compliant Identity Management: Process Flow

Components:
- SAP NetWeaver Identity Management: VDS, IC
- SAP BusinessObjects Access Control (GRC): RAR, CUP

Steps:
1. Request Role Assignment
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis
5. Risk mitigation
6. Risk status
7. Provisioning to target systems
8. Notification to User / Manager

Page 40: IDM 7.2 Presentation

Compliant Identity Management: Component Usage

Usage of SAP NetWeaver Identity Management components:
- Virtual Directory Server
  - Accepts requests from Identity Center.
  - Handles all connection to/from SBOP Access Control through the Web service API exposed by SBOP Access Control.
- Identity Center
  - Contains the workflow tasks and necessary jobs that drive the provisioning to SBOP Access Control based on the Provisioning Framework for SAP Systems.
  - Communicates with the Virtual Directory Server using the LDAP protocol.

Usage of SAP BusinessObjects Access Control components:
- Compliant User Provisioning (CUP)
  - Provides Web services for compliance checks, status checks, etc.
  - Includes workflow for risk analysis and mitigating controls
- Risk Analysis and Remediation (RAR)
  - Provides risk analysis services to detect SOD violations and critical permissions
  - Handles CUP-RAR communication via internal Web services

Page 41: IDM 7.2 Presentation

Compliant Identity Management: Central User Provisioning

- Create role assignment request in Identity Management (Identity Center)
  - Automatic (using rules, e.g. department assignment)
  - Manual (per user request)
- Pre-process request in Identity Management (Identity Center)
  - Assignments require compliance check
  - Assignments do not require compliance check
- Request processing & risk analysis in Compliant User Provisioning
  - Risk violations found: Request rerouted to manual workflow (Declined / Approved)
  - No risk violations found
- Identity Management reads request status
  - No provisioning
  - Identity Management starts provisioning
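The decision flow on this slide, combined with the business-role hierarchy from the role slides, can be sketched as below. This is an added example, not SAP code: the role-to-privilege mapping, the segregation-of-duties rule, the rule that only ABAP privileges need a compliance check, and all function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data. Role names follow the slides ("Employee",
# "Accounting", "Manager"); the hierarchy and privilege mapping are invented.
BUSINESS_ROLES = {
    "Employee":   {"includes": [], "privileges": {"Portal:End user", "AD:E-mail"}},
    "Accounting": {"includes": ["Employee"], "privileges": {"ABAP:Accounting"}},
    "Manager":    {"includes": ["Employee"], "privileges": {"ABAP:HR manager"}},
}
# Constructed segregation-of-duties rule: the pair must not be held together.
SOD_RULES = [frozenset({"ABAP:Accounting", "ABAP:HR manager"})]
# Assumption: only ABAP privileges are flagged as needing a compliance check.
CHECKED_PREFIXES = ("ABAP:",)


@dataclass
class Outcome:
    status: str        # "approved", "declined" or "manual_workflow"
    violations: list   # SoD rules hit by the combined access
    provision: set     # privileges to provision to target systems


def expand(role, _seen=None):
    """Resolve a business role to technical privileges through the hierarchy."""
    seen = set() if _seen is None else _seen
    if role in seen:   # guard against cyclic role definitions
        return set()
    seen.add(role)
    definition = BUSINESS_ROLES[role]
    privileges = set(definition["privileges"])
    for included in definition["includes"]:
        privileges |= expand(included, seen)
    return privileges


def risk_analysis(privileges):
    """Return each SoD rule fully contained in the given privilege set."""
    return [sorted(rule) for rule in SOD_RULES if rule <= privileges]


def process_request(held_roles, requested_role, manual_decision=None):
    """Run one role assignment request through the flow on the slide."""
    held = set()
    for role in held_roles:
        held |= expand(role)
    new = expand(requested_role) - held

    # Pre-processing: no compliance check if nothing new is flagged
    # (assumption: such requests go straight to provisioning).
    if not any(p.startswith(CHECKED_PREFIXES) for p in new):
        return Outcome("approved", [], new)

    # Risk analysis covers existing plus requested access, because SoD
    # conflicts come from the combination, not from the new role alone.
    violations = risk_analysis(held | new)
    if not violations:
        return Outcome("approved", [], new)

    # Violations reroute the request to a manual workflow; nothing is
    # provisioned until a decision exists, and never after a decline.
    if manual_decision is None:
        return Outcome("manual_workflow", violations, set())
    if manual_decision == "approved":
        return Outcome("approved", violations, new)
    return Outcome("declined", violations, set())


if __name__ == "__main__":
    print(process_request([], "Employee"))
    print(process_request(["Accounting"], "Manager"))
    print(process_request(["Accounting"], "Manager", "approved"))
```
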

Page 42: IDM 7.2 Presentation


Page 43: IDM 7.2 Presentation

Password Management

Requirement: Centralized password management

- Reduce calls to help desk for password resets
- Enable password provisioning across heterogeneous landscape

Diagram: User, Help Desk, SAP NetWeaver Identity Management, Landscape; Reset password, Recover lost password, Set new password

Page 44: IDM 7.2 Presentation


Page 45: IDM 7.2 Presentation

Identity Virtualization

Virtual Directory Server (VDS) provides
- Single consistent view and entry point for multiple distributed identity data sources
- Identity information as a service for applications through standard protocols (LDAP, SPML)
- Abstraction layer for underlying data stores
- Consumer only sees one standard interface
- Transform incoming LDAP requests, and connect directly to the existing data repositories
- Data stays within original data source
- Efficient caching

Properties
- Real-time access to data
- No need to consolidate data sources
- No extra data store
- Quick LDAP deployment
- Easier and cheaper maintenance
- Attribute manipulation
- Name space modifications
- Complex operations on-the-fly

Diagram labels: Application, Virtual Directory Server, Directory Server, Directory Server, Database; protocols SPML, LDAP, JDBC

Page 46: IDM 7.2 Presentation


Page 47: IDM 7.2 Presentation

SAP Central User Administration and SAP NetWeaver Identity Management

What is the relationship between SAP NetWeaver Identity Management and the Central User Administration (CUA)?

- SAP NetWeaver Identity Management is the strategic solution for managing identities in SAP and non-SAP environments.
- SAP will continue to support SAP CUA in its current functionality according to SAP maintenance rules; however, the solution will no longer be enhanced with new functionality.
- SAP NetWeaver ID Mgmt can be connected and used in combination with an existing CUA.
- Going forward, replacing SAP CUA with SAP NetWeaver Identity Management is a valuable strategic move. It yields significant benefits and functional enhancements.
- Main benefits of SAP NetWeaver ID Mgmt compared to CUA include:
  - Connectivity for a heterogeneous system landscape
  - Automatic cross-system rule-based access management
  - Workflow support

Page 48: IDM 7.2 Presentation

Comparing SAP CUA and SAP NetWeaver Identity Management

| Functionality | Central User Administration (CUA) | SAP NetWeaver Identity Management (ID Mgmt) |
|---|---|---|
| Target Systems | ABAP only | SAP and non-SAP |
| Workflow Support | No | Yes |
| Rule based access management | almost no (except the rarely used HR Org rule engine) | Yes |
| Modeling of role hierarchy | No | Yes |
| Cross system role assignments | Manual | Full support |
| LDAP directory integration | LDAP synchronization | Full support |
| Support of all user attributes | Yes | Yes |
| Password management | Management and distribution of initial passwords | Yes; including user interface and workflow support |

Page 49: IDM 7.2 Presentation

Central User Administration: Gradual Migration to SAP NetWeaver ID Mgmt

Requirement: Extend identity management to non-SAP environments and increase level of functionality

Migration:
- Manage CUA from SAP NetWeaver ID Mgmt
- Migrate ABAP systems from CUA to ID Mgmt
- Shut down CUA when all systems are migrated

SAP NetWeaver ID Mgmt:
- Supports SAP and heterogeneous environments
- Self-service and delegated administration
- Workflows and approvals
- Business role management

Page 50: IDM 7.2 Presentation

SAP NetWeaver Identity Management Connectivity – Overview

- Applications: SAP Business Suite, SAP BusinessObjects Access Control (GRC), Lotus Domino / Notes, Microsoft Exchange, RSA ClearTrust, RSA SecurID
- Other: SAP Application Server, Microsoft Windows NT, Unix/Linux, Shell execute, Custom Java connector API, Script-based connector API
- Databases: Microsoft SQL Server, Microsoft Access, Oracle database, IBM UDB (DB2), MySQL, Sybase
- Technical: SPML (Services Provisioning Markup Language), LDAP, ODBC / JDBC / OLE-DB, RFC, LDIF files, XML files, CSV files
- Directory Servers: Microsoft Active Directory, IBM Tivoli Directory, Novell eDirectory, SunONE Java Directory, Oracle Internet Directory, Microsoft Active Directory Application Mode (ADAM), Siemens DirX, OpenLDAP, eB2Bcom View500 Directory Server, CA eTrust Directory, SAP NetWeaver IDM Virtual Directory Server, Any LDAP v3 compliant directory server

Page 51: IDM 7.2 Presentation

Connector Framework: Purpose and Components

Purpose
To provide a development toolkit and guidelines for third party vendors to create an SAP NetWeaver Identity Management connector for non-SAP applications.

Components
Identity Center: Main functionality used here: Identity provisioning
Virtual Directory Server: Single access point for data updates in multiple repositories

Page 52: IDM 7.2 Presentation

Connector Framework: Two Integration Steps

Identity Center Integration
The connector tasks integrate into the existing (common) provisioning framework in the Identity Center.
A set of tasks has to be customized to work together with the target application utilizing VDS.

Virtual Directory Server Integration
The generic VDS core functionality has to be extended.
Code has to be created which will be used by VDS to connect to the target application.

Diagram labels: Identity Center (Provisioning Framework, Connector tasks); Virtual Directory Server (Application Integration Code); Application Java Library; Target Application
Diagram notes: Two parts that build the connector; to be created by 3rd party vendor. Typically exists within 3rd party application.

Page 53: IDM 7.2 Presentation

Connectivity Architecture

Provisioning Framework
Independent of repositories and back-ends
Hooks into the partner’s set of IC connector tasks

IC Tasks (Set From Partner)
Hooked into the provisioning framework

Virtual Directory Server (VDS)

Connectors from Partners
Multiple connectors in a virtual tree

Back-Ends (Third-Party Applications)

Page 54: IDM 7.2 Presentation

Third Party Connector Certification: SAP ICC Integration Scenario NW-IDM-CON

SAP NetWeaver Identity Management Integration Scenario NW-IDM-CON

The SAP Integration and Certification Center (ICC) offers a certification for the integration scenario NW-IDM-CON.

SAP partners as well as potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an SAP NetWeaver Identity Management connector for their application, and to integrate the application into the identity management landscape. This connector can then be certified by the SAP ICC.

For general information about third party certifications with SAP products, please refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP Integration and Certification Center (ICC) directly at [email protected]

Page 55: IDM 7.2 Presentation

Identity Services: SOA-Based Identity Management

Requirements:
Create a tight integration with SAP applications
Integrate third-party applications

Identity services as a standards-based single access point for querying and managing identity information in the complete system landscape
‘Tightly aligned, loosely coupled’ integration with SAP and heterogeneous applications based on industry standards

Diagram labels: SAP Business Suite; Other SAP Applications; Heterogeneous Environment; Business Workflow; IDM +++; Identity Management


Page 57: IDM 7.2 Presentation

SSO and Identity Federation: The Problem …

How and where are John’s SP accounts linked to his central account at the IdP to enable SSO across all applications?

Diagram labels: John; Identity Provider (IdP); Service Providers (SPs): Partner Portal, ERP, CRM; account names: John, JDOE, john.doe, salesJohn; ******

Page 58: IDM 7.2 Presentation

SSO and Identity Federation: … and Three Solutions to Solve it

Use an existing common, unique NAME to map the accounts
(Diagram: IdP John, SP jdoe; E-Mail: [email protected] E-Mail: [email protected])

Create a new common, unique IDENTIFIER to link the accounts
(Diagram: IdP John, SP jdoe; SP ID: abc123, IdP ID: abc123)

Federate the accounts based on identity ATTRIBUTES and mapping rules
(Diagram: IdP John, SP; Department: Sales; salesDepartment = Sales ?)

Page 59: IDM 7.2 Presentation

What is Identity Federation?

Identity Federation
Describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains.
Enables users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.
Comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise controlled or B2B scenarios.
Could involve user-to-user, user-to-application as well as application-to-application use-case scenarios at both the browser tier as well as the web services or SOA tier.

© SAP 2008 / Page 59

Page 60: IDM 7.2 Presentation

Identity Federation in SAP NetWeaver Identity Management 7.2

Identity federation provides the means to share identity information across company boundaries.
User must be unambiguous and clearly identifiable, even though different user identifiers may exist across the landscape.
The name identifier (name ID) is the means to establish a common identifier.
Once the name ID has been established, the user is said to have a federated identity.
Identity federation enables SSO for web browser based access (user-centric) and web services (system centric) across domains.
SAP’s solution relies on standards for interoperability between SAP and non-SAP systems.
For Web browser-based access, identity federation uses an identity provider that supports SAML 2.0.
For Web services, identity federation uses a security token service (STS) that supports WS-Trust 1.3, supporting X.509, SAML 1.1, and SAML 2.0 tokens.
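
The three ways of linking IdP and SP accounts listed on the earlier slide (common name, new common identifier, attribute mapping rules), together with this slide's requirement that the user be unambiguous, shown as an added Python example; it is not SAP code and not part of the presentation. All class and function names, the example.test address, and the rule that maps Department "Sales" to the account salesJohn are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field


class FederationError(Exception):
    """Raised when a federated subject does not map to exactly one account."""


@dataclass
class LocalAccount:              # account as stored at the service provider (SP)
    user_id: str
    email: str = ""
    name_id: str = ""            # identifier shared with the IdP, empty if unlinked


@dataclass
class Assertion:                 # the parts of an IdP statement used for mapping
    name_id: str
    attributes: dict = field(default_factory=dict)


def establish_link(account: LocalAccount) -> str:
    """Create a new common, unique identifier and store it on the SP account."""
    account.name_id = secrets.token_urlsafe(16)
    return account.name_id


def candidates(assertion, accounts, rules, strategy):
    """Return every local account that the chosen strategy matches."""
    if strategy == "name":          # existing common, unique name (here: e-mail)
        mail = assertion.attributes.get("mail", "").strip().lower()
        return [a for a in accounts if mail and a.email.lower() == mail]
    if strategy == "identifier":    # identifier created by establish_link()
        nid = assertion.name_id     # an empty value must never match unlinked accounts
        return [a for a in accounts if nid and a.name_id == nid]
    if strategy == "attributes":    # mapping rules: (attribute, value, user_id)
        wanted = {uid for attr, val, uid in rules
                  if assertion.attributes.get(attr) == val}
        return [a for a in accounts if a.user_id in wanted]
    raise ValueError(f"unknown strategy: {strategy}")


def resolve(assertion, accounts, rules=(), strategy="identifier"):
    """Return the single matching account; fail closed on none or several."""
    found = candidates(assertion, accounts, rules, strategy)
    if len(found) != 1:
        raise FederationError(
            f"{strategy}: {len(found)} accounts match, expected exactly 1")
    return found[0]


# Constructed sample data, modelled on the slides' John / jdoe example.
ACCOUNTS = [
    LocalAccount("jdoe", email="john.doe@example.test"),
    LocalAccount("salesJohn"),
]
RULES = [("Department", "Sales", "salesJohn")]

if __name__ == "__main__":
    nid = establish_link(ACCOUNTS[0])
    print(resolve(Assertion(nid), ACCOUNTS).user_id)
    print(resolve(Assertion("", {"mail": "John.Doe@example.test"}),
                  ACCOUNTS, strategy="name").user_id)
    print(resolve(Assertion("", {"Department": "Sales"}),
                  ACCOUNTS, RULES, "attributes").user_id)
```

Name-based mapping depends on the shared attribute really being unique at the SP; `resolve` rejects the login when two accounts carry the same e-mail instead of picking one.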

Page 61: IDM 7.2 Presentation

Security Assertion Markup Language (SAML) 2.0

The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users.
The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.
The main benefits of SAML 2.0 are:

SSO with SAML 2.0
SAML provides a standard for cross-domain Single Sign-On (SSO)
SAML 2.0 supports identity-provider-initiated SSO as in SAML 1.x
SAML 2.0 also supports service-provider-initiated SSO

SLO with SAML 2.0
Single Log-Out (SLO) enables users to cleanly close all their sessions in a SAML landscape, even across domains.

Identity federation
Identity federation provides the means to share identity information between partners.

Page 62: IDM 7.2 Presentation

Identity Federation: Web Browser-Based Access

For Web browser-based access, identity federation uses an identity provider that supports SAML 2.0.
SAML 2.0 also enables Single Log-Out (SLO).
Identity federation can also be used to transport profile attributes to create or update temporary or permanent users between systems.
Authorization attributes can be transported, making it possible to change user authorizations in target systems.

Diagram label: Web-based access

Page 63: IDM 7.2 Presentation

Identity Federation: Web Services

For Web services, identity federation uses a security token service (STS) that supports WS-Trust 1.3.
STS supports a number of authentication methods from a Web service consumer. It can convert these tokens into a security token that a Web service provider can use.
STS supports X.509, SAML 1.1, and SAML 2.0 tokens.
Like SAML 2.0 for Web-based access, the SAML 2.0 assertion can transport profile and authorization attributes to the target Web service provider.

Diagram label: Web Services

Page 64: IDM 7.2 Presentation

SSO, Identity Federation and Single Log-Out for SAP Web Applications with SAML 2

SAP’s SAML 2 Identity Provider
Available with SAP NetWeaver IDM 7.1
Software component for AS Java 7.2 and higher

Application Service Providers
from a SAML 2 enabled application server (SAP and non-SAP)
SAP SAML 2 SP capability, available SAP NetWeaver CE 7.2 and AS Java 7.2 Web applications, planned for release with SAP Business Suite 7i2010

Efficient and secure user productivity enablement in B2B scenarios
Shared infrastructure for user interactive applications on the Web
identity management with SAP NetWeaver IDM
trust management built into SAP application servers
Standardized XML-based SSO, identity federation and Single Log-out
Centralized user authentication authority at SAML 2.0 Identity Provider

Diagram labels: Trust Relationship; SAP applications; 3rd Party applications; SSO; Federation


Page 66: IDM 7.2 Presentation

SAP NetWeaver Identity Management Architecture

Identity Center Database: Identity store, Configuration, Processing logic
Workflow User Interface: Main interface for users and managers
Monitoring User Interface: Monitoring and audit interface for administrators
Management Console: Visual development and configuration UI
Runtime Engine and Dispatcher: Processing and provisioning logic including connectors
Event Agent: Monitors connected systems and initiates synchronization
Virtual Directory Server: Virtualization layer

Diagram labels: SAP NetWeaver Identity Management; Identity Center; Workflow and Monitoring UI (AS Java); Management Console; Dispatcher; Runtime Engine; Event Agent Service; Detect changes; Read / write; SAP GRC; Web services…; Virtual Directory Server; Identity Center Database; E-Mail System; Active Directory; SAP Portal; SAP ERP; others

Page 67: IDM 7.2 Presentation

SAP NetWeaver Identity Management: Communication Paths

Components shown: SAP ERP HCM System; SAP NetWeaver Identity Management with Identity Center (IC) and Virtual Directory Server (VDS); SAP BusinessObjects Access Control (GRC)

Transfer employee data to IDM (LDAP)
Update employee record with communication details (RFC)
Forward request for risk analysis & poll status (Web Service Call)
Provision identity to target system (Protocol dependent on target system)

Page 68: IDM 7.2 Presentation

Central Identity Store

Central Hub for All Identity Center Components
Provisioning is based on identity data from the store
Business roles and privileges are stored here
Workflow processing is based on this data
Meta directory operations keep the information up-to-date

Identity Store Properties
Keep historical data and full audit to support compliance
Temporary attributes for tracking time-critical values
Roles and privileges – validity periods can be defined
Events on attributes trigger workflow tasks
Virtual attributes reference data in external sources
Roll-back of identity data

Diagram labels: HR; Telephone System; E-mail; CA; Object person; Phone: + 47 73934649; Email: [email protected]; Store

Page 69: IDM 7.2 Presentation

Virtual Directory Server Architecture

Diagram labels: Multiple Inbound Protocols; Configuration management and version control; LDAP Extensible Transformation Framework; Virtual Directory Kernel; Connector Framework; In-Memory Cache; Protocol Connectors; Web Services Connectors; Application Connectors; LDAP DB API SPML DSML … SAP SalesForce …; Java GUI

Page 70: IDM 7.2 Presentation

Sizing SAP NetWeaver Identity Management

Sizing means determining the hardware requirements of an SAP application, such as the network bandwidth, physical memory, CPU processing power, and I/O capacity.
The size of the hardware and database is influenced by both business aspects and technological aspects.
The number of users using the various application components and the data load they put on the server must be taken into account.
Usage patterns influence how to size SAP NetWeaver ID Mgmt. The main factors are: number of entries (amount of data), number of lookups (searches), number of changes, number of simultaneous users.

The SAP NetWeaver Identity Management 7.1 Sizing Guide
The Sizing Guide provides initial sizing information for SAP NetWeaver Identity Management.
Precise recommendations for each customer will be determined on a case-by-case basis for each customer’s specific requirements.

Download the SAP NetWeaver Identity Management Sizing Guide:
http://service.sap.com/sizing Sizing Guidelines Solutions & Platform SAP NetWeaver Identity Management 7.1

Page 71: IDM 7.2 Presentation

Custom User Interfaces for SAP NetWeaver ID Mgmt With Open API (RESTful Web Services)

Architecture
REST: Representational State Transfer
JSON: Java Script Object Notation

Schema
Retrieve schema information

Entries
Search for entries
Retrieve entries and attributes
Change attribute values
Resetting of passwords

Approvals
Retrieving open approvals
Processing of approvals

Diagram labels: AS Java; ID Mgmt JMX Layer; IdM REST; Web Dynpro UI; Identity Store; Client-side UI library; WEB browser; RESTful web services; Mobile device


Page 73: IDM 7.2 Presentation

Highlights of SAP NetWeaver ID Mgmt 7.1

WebDynpro-Based UIs
The PHP-based Web interfaces for workflow used by end users and managers for self-service, delegated administration, approval tasks, and monitoring are replaced by a WebDynpro-based user interface deployed on SAP NetWeaver AS Java 7.0 or 7.1.
You can run the user interface as a stand-alone application or integrate it into the portal.
New features are added for improving the task layout in the user interface, such as tabs and multiple columns.

Event-Driven SAP ERP HCM Integration
In this release, the integration with SAP ERP HCM is extended to be event-based.

Extended Platform Support
Extended support of operating systems (Windows, Unix, Linux, …)

Extended Integration With SAP’s GRC Solution (SAP BusinessObjects Access Control)
The integration with SAP’s GRC solution has been extended and covers current BusinessObjects Access Control releases.

Further Integration With SAP Business Suite
A new framework enables product-specific extensions to be executed when identity provisioning operations are performed. This enables a deep integration with various applications in SAP Business Suite, including operations like updating employee master data or linking users to business partners.

Extended Identity Services
Simplify management of deployed services and connectors
Support for connector framework to enable partners to develop third-party connectors
Improved deployment on SAP NetWeaver including logging

Page 74: IDM 7.2 Presentation

Highlights of SAP NetWeaver ID Mgmt 7.2

Identity Federation
Use of Identity Provider (IdP) and Security Token Service (STS) for Web- and browser-based single sign-on scenarios.

Reporting with SAP Business Warehouse
Leverage SAP BW for dynamic, flexible reporting.

Context-Based Role Assignments
Use of context-based assignment to reduce the number of roles and privileges in the enterprise.

Custom User Interfaces with Open API
Use of a REST-based open API to develop custom user interfaces (for example for mobile devices) and/or extend the existing UIs.

Continuous Improvement in Various Areas
Examples include: Assignment improvements, context towards back-end systems, accessing assignment information from run time, guided tasks, approvals, configuration transport, request-complete task, dispatcher system tuning, extension framework, provisioning framework, etc.

Page 75: IDM 7.2 Presentation


Why SAP NetWeaver Identity Management

Offers close alignment with business processes

Provides best value for business sponsors

Re-uses SAP deployment experience and intellectual property

Integrates with existing identity management infrastructure

Combines tight SAP integration with heterogeneous IT

Integrates roadmap and “blueprint” with SAP BusinessObjects Access Control (GRC)

Provides the lowest-risk solution for SAP connectivity

Page 76: IDM 7.2 Presentation

More Information

Visit the SAP Developer Network (SDN) for comprehensive information on SAP NetWeaver Identity Management, such as
Product information, documentation, training, and support information
Articles, blogs, WIKI, FAQs, forum, and newsletters
Downloads

http://sdn.sap.com
SAP NetWeaver Product Complementary Offerings SAP NetWeaver Identity Management

http://www.sdn.sap.com/irj/sdn/nw-identitymanagement

Page 77: IDM 7.2 Presentation


Questions and Answers

SAP NetWeaver Identity Management

Page 78: IDM 7.2 Presentation

Copyright 2010 SAP AG
All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warrant.