SCI160: Exploring SAML 2.0

Angel Dichev, SAP Labs, LLC
Peter McNulty, SAP Labs, LLC
Dimitar Mihaylov, SAP Labs Bulgaria
Dong Pan, SAP Australia
Joseph Zeinoun, SAP Mentor
Stephan Zlatarev, SAP Labs Bulgaria

October 2010
© 2010 SAP AG. All rights reserved.

Page 2: Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Transcript of SCI160-SAML2.0


Page 3: Technical Challenges with User Provisioning

User provisioning on the MeasurIt e-shop system:

- How will the BoilIt employees be able to log in to MeasurIt?
- How would MeasurIt know what permissions each BoilIt user needs?
- How would you link existing accounts in both portals?

[Diagram: the MeasurIt (e-shop) portal and the BoilIt portal]

Page 4: Agenda

1. Single Sign-On and Identity Federation with SAML 2.0
2. Exercises
3. Further Information
4. Appendix

Page 5: Brokered Authentication: A Core Security Pattern for Single Sign-On

[Diagram: John, a central Security Token Issuer, and the Applications, with the five steps below drawn between them]

1. John proves his identity to a central Security Token Issuer by presenting his credentials.
2. The issuer verifies the correctness and trustworthiness of the credentials and issues a security token with John's identity information.
3. John presents the security token to the application(s) he wants to single sign-on to.
4. The application verifies the security token.
5. The application associates an identity from its user store based on a unique value in the token.

Page 6: Analogy of an Interoperable Cross-Domain Security Token in the Real World

[Diagram: a citizen of Germany presents an ID card to the German Government and receives a passport; the US Government has a TRUST relationship with the German Government, so the citizen can present the passport to a US Immigration Officer]

Page 7: Key Properties of SSO Technologies

Cross-Domain: Is it possible to use the SSO technology only within a security domain (i.e. the corporate intranet), or can it be used across different domains (e.g. to access a business partner system)?

Cross-Platform: Which platforms are supported by the SSO technology? Does it work in a heterogeneous system landscape? Is it based on industry standards?

Token Content Model: Does the security token only allow a fixed set of identity attributes, or can it be extended dynamically?

[Diagram: Domain A and Domain B, each with its own Security Token Issuer and Application]

Page 8: SSO Technologies Compared

SSO Technology      | Cross-Domain | Cross-Platform | Token Content Model
--------------------|--------------|----------------|--------------------
SAP Logon Ticket    | No           | No             | Fixed
Digital Certificate | Yes          | Yes            | Fixed
Kerberos            | No           | Yes            | Fixed
SAML                | Yes          | Yes            | Extensible

Note on the SAP Logon Ticket: the issuer runs on SAP only; ticket validation is also possible with non-SAP applications.

Page 9: The Security Assertion Markup Language (SAML) in a Nutshell

- Industry standard for cross-vendor Web-based Single Sign-On and Single Log-Out, with wide adoption in the industry.
- XML-based framework for security and identity information and for exchanging it across administrative and technical domain boundaries.
- SAML profiles describe a variety of end use cases for the framework.

The SAML security token is the Assertion. It contains:

- a statement about a user's authentication that happened in the past, i.e. when and how the user authenticated at the Issuer;
- who the Issuer of the Assertion is;
- additional information (aka attributes) about the user's identity, e.g. role information.

Page 10: SAML 2.0 Terminology

Identity Provider (IdP): Authority responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. Synonyms: (Security Token) Issuer.

Service Provider (SP): Offers services/resources to users and has a trust relationship with an IdP to accept and trust (vouch-for) information provided by the IdP on behalf of a user. Synonyms: (Web) Application, Relying Party.

Subject: A subject is the user who has been authenticated by the IdP. Synonyms: User, Principal.

[Diagram: Identity Provider (IdP), Service Provider (SP) and Subject]

Page 11: Identity Federation with SAML 2.0: Examples

[Diagram: John is known at the Identity Provider (IdP) as john@idp.com, with the attributes E-Mail: john@idp.com and Department: Sales; at the Service Providers (SPs) he is the local user johndoe with the role SalesEmployee]

What the IdP asserts to the SPs about John:

- Name ID, Format: emailAddress, ID: john@idp.com
- Name ID, Format: transient | persistent, ID: <opaque string (pseudonym)>
- Attribute: Department=Sales

Page 12: Agenda

1. Single Sign-On and Identity Federation with SAML 2.0
2. Exercises
3. Further Information
4. Appendix

Page 13: SAML 2.0 Configuration Using the SAP NetWeaver Administrator

SAML 2.0 configuration is necessary in multiple business scenarios involving security across organizational/departmental boundaries. SAP NetWeaver Administrator is the tool available to administrators to technically configure the security aspects (like identity federation) of these scenarios.

[Diagram: BoilIt as Identity Provider (IdP) and MeasurIt as Service Provider (SP)]

BoilIt, Identity Provider (IdP): When the BoilIt employee clicks on the vendor (MeasurIt) portal link, he/she authenticates him/herself as a trusted identity.

MeasurIt, Service Provider (SP): The MeasurIt portal should display screens based on the role of the employee in the customer (BoilIt) organization.

MeasurIt is a supplier/vendor for BoilIt and hence provides access to a portal for BoilIt engineers to order equipment:

- BoilIt engineers log in to the MeasurIt portal to order items.
- BoilIt purchasers log in to the MeasurIt portal to approve purchase requests made by the engineers.

The scenario requires communication between BoilIt and MeasurIt using SAML 2.0 tokens.

Page 14: Purchase Order Creation/Approval Scenario ... enabled by SAP NetWeaver Administrator 7.30 security configuration

Configuration steps:

- Enable SAML 2.0 for MeasurIt.
- Set up a trusted connection between BoilIt (IdP) and MeasurIt (SP).
- Configure the MeasurIt AS Java so that all BoilIt employees can access the MeasurIt portal without a separate logon.
- Configure so that BoilIt engineers and purchasers can view the Login button.
- Configure so that BoilIt engineers and purchasers can create an account on the fly.

[Diagram: swimlanes for the three actors below]

Angie Neer, BoilIt Engineer: logs on to the BoilIt Portal; navigates to the MeasurIt Portal; the first time, creates an account on the fly; subsequent times, automatically uses the account created the first time; orders an item.

Per Chaser, BoilIt Purchaser: logs on to the BoilIt Portal; navigates to the MeasurIt Portal; logs in with a preset account; approves Angie's request.

MeasurIt Administrator: logs on to the NWA of the MeasurIt AS Java; does the SAML 2.0 configuration in NWA.

Page 15: Over to the Security Configuration Hands-On ...

- Enabling SAML 2.0 for the Service Provider MeasurIt
- Setting up a trusted connection with the Identity Provider BoilIt
- Configuring so that BoilIt employees can access the MeasurIt portal without a separate logon
- Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt portal
- Configuring so that BoilIt engineers and purchasers can create an account on the fly in order to access the MeasurIt portal and place purchase orders/approve purchase orders

Important information:

BoilIt Portal URL: https://<fully qualified hostname>:50001/boilitportal/index.jsp
MeasurIt AS Java SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa

Usernames/passwords:

Application      | Username      | Password
-----------------|---------------|---------
MeasurIt AS Java | administrator | abcd1234
BoilIt Portal    | angie         | abcd1234
BoilIt Portal    | per           | abcd1234
BoilIt Portal    | bo            | abcd1234

Page 16: Agenda

1. Single Sign-On and Identity Federation with SAML 2.0
2. Exercises
3. Further Information
4. Appendix

Page 17: Further Information: Recommended Books

Single Sign-on mit SAP (SAP PRESS, ~400 pages, ISBN 978-3-8362-1627-2)
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011.

- Comprehensive guide on SSO and identity federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 certificates, OpenID and others
- Identity federation with SAP NetWeaver Identity Management: administration, interoperability with other platforms
- Many hands-on tutorials & code samples

Page 18: Further Information

SAP Public Web:

- SAP Developer Network (SDN): www.sdn.sap.com
- Business Process Expert (BPX) Community: www.bpx.sap.com
- SAP BusinessObjects Community (BOC): boc.sap.com

Expert Networking Sessions:

- SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)

Related Workshops/Lectures at SAP TechEd 2010:

- SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
- SCI264 Facing the Challenge of Single Sign-On in an SAP- and Microsoft-combined Environment (Intermediate)
- SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr hands-on (Intermediate)
- SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr lecture (Intermediate)

Page 19: Agenda

1. Single Sign-On and Identity Federation with SAML 2.0
2. Exercises
3. Further Information
4. Appendix

Page 20: Browser-based Web SSO with SAML, Part 1

[Diagram: John's browser, the Service Provider (SP) and the Identity Provider (IdP), with the HTTP request, the redirect and the logon drawn between them]

1. John invokes the URL of an access-protected Web application with his browser (HTTP request).
2. The Web application redirects the request to its trusted Security Token Issuer.
3. If John is not already logged on at the Security Token Issuer, he will be asked to provide his credentials.

Page 21: Browser-based Web SSO with SAML, Part 2

[Diagram: John's browser, the Service Providers (SPs) and the Identity Provider (IdP); the IdP returns a <form> with the Assertion and the browser POSTs that <form> to the SP]

4. The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element.
5. John's Web browser (automatically) submits the SAML Assertion in the <form> element.
6. The Web browser sends the SAML Assertion with an HTTP POST request to the Web application.
7. The Web application validates the SAML Assertion, assigns a local user account to John's session and returns the Web page.

Page 22: An Example of a SAML Assertion

The issuer with the id http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th, 2010 using a Kerberos ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales department.

    <Assertion ID="59313c96"
               IssueInstant="2010-06-30T09:31:06.474Z"
               Version="2.0">
      <Issuer>http://idp.com</Issuer>
      <Subject>
        <NameID Format="...nameid-format:emailAddress">john@idp.com</NameID>
      </Subject>
      <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
        <AuthnContext>
          <AuthnContextClassRef>...authentication:windows</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
      <AttributeStatement>
        <Attribute Name="Department">
          <AttributeValue>Sales</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
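The POST-binding steps 4 to 7 of the Web SSO slides and the local-account mapping from the brokered-authentication and identity-federation slides, carried through as an added Python example (not code from the presentation or from SAP). It assumes an SP endpoint, a trusted-issuer list, a federation link table and a department-to-role rule, all constructed here; the sample assertion is modelled on the one above with consistent dates and the standard namespace added, and the XML signature a real SP must verify first is out of scope.

```python
"""SP side of the browser POST flow from the slides (added example, not SAP code).

Step 4: the IdP returns the assertion in an auto-submitting <form>; steps 5/6: the
browser submits it to the SP; step 7: the SP validates it and maps its NameID (the
"unique value in the token") to a local account. Assumed, not from the slides:
SP_ACS_URL, TRUSTED_ISSUERS, FEDERATION_LINKS, ROLE_BY_DEPARTMENT and the 5-minute
acceptance window. The real POST binding wraps the assertion in a <Response> and a
real SP must verify the XML Signature first; neither is modelled here.
"""
import base64
import html
import re
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"s": SAML_NS}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SP_ACS_URL = "https://measurit.example/saml2/acs"   # assumed SP endpoint
TRUSTED_ISSUERS = {"http://idp.com"}                # assumed SP trust configuration
FEDERATION_LINKS = {                                # assumed links into the SP user store
    (NAMEID_EMAIL, "john@idp.com"): "johndoe",      # slide 11: john@idp.com -> johndoe
    (NAMEID_PERSISTENT, "c0ffee-opaque-pseudonym"): "jdoe2",  # constructed persistent link
}
ROLE_BY_DEPARTMENT = {"Sales": "SalesEmployee"}     # slide 11: Department=Sales -> SalesEmployee

# Constructed sample modelled on the slide 22 assertion: dates made consistent,
# standard namespace added, full URNs written out.
ASSERTION_XML = f"""<Assertion xmlns="{SAML_NS}" ID="59313c96"
    IssueInstant="2010-09-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject><NameID Format="{NAMEID_EMAIL}">john@idp.com</NameID></Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department"><AttributeValue>Sales</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""
NOW = datetime(2010, 9, 30, 9, 31, 10, tzinfo=timezone.utc)  # constructed SP clock


class SamlError(Exception):
    """Raised when the SP refuses the assertion."""


def idp_post_form(assertion_xml: str, acs_url: str = SP_ACS_URL) -> str:
    """Step 4: wrap the base64 assertion in a <form> that the browser auto-submits."""
    b64 = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return (f'<form method="POST" action="{html.escape(acs_url)}">'
            f'<input type="hidden" name="SAMLResponse" value="{html.escape(b64)}"/>'
            '<input type="submit" value="Continue"/></form>'
            '<script>document.forms[0].submit()</script>')


def browser_submit(form_html: str) -> str:
    """Steps 5/6: the browser POSTs the named hidden fields; returns the urlencoded body."""
    fields = re.findall(r'name="([^"]+)" value="([^"]*)"', form_html)
    return urllib.parse.urlencode({k: html.unescape(v) for k, v in fields})


def sp_validate(post_body: str, now: datetime,
                max_age: timedelta = timedelta(minutes=5)) -> dict:
    """Step 7: validate the POSTed assertion and map it to a local account."""
    params = urllib.parse.parse_qs(post_body)
    root = ET.fromstring(base64.b64decode(params.get("SAMLResponse", [""])[0]))
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise SamlError("not a SAML 2.0 <Assertion>")
    issuer = root.findtext("s:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:           # trust is configured, never inferred
        raise SamlError(f"untrusted issuer {issuer!r}")
    issued = datetime.strptime(root.get("IssueInstant", ""), "%Y-%m-%dT%H:%M:%S.%fZ")
    issued = issued.replace(tzinfo=timezone.utc)
    if not (now - max_age <= issued <= now + timedelta(seconds=30)):  # replay/skew guard
        raise SamlError("IssueInstant outside the acceptance window")
    name_id = root.find("s:Subject/s:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlError("assertion has no Subject/NameID")
    local_user = FEDERATION_LINKS.get((name_id.get("Format"), name_id.text))
    if local_user is None:                      # slide 5, step 5: no link, no session
        raise SamlError("no local account linked to this NameID")
    attrs = {a.get("Name"): a.findtext("s:AttributeValue", namespaces=NS)
             for a in root.findall(".//s:Attribute", NS)}
    ctx = root.findtext("s:AuthnStatement/s:AuthnContext/s:AuthnContextClassRef", namespaces=NS)
    return {"user": local_user, "role": ROLE_BY_DEPARTMENT.get(attrs.get("Department")),
            "authn_context": ctx, "attributes": attrs}


def sso_outcome(assertion_xml: str, now: datetime) -> tuple:
    """Run steps 4 to 7 end to end; returns ("ok", identity) or ("rejected", reason)."""
    try:
        return "ok", sp_validate(browser_submit(idp_post_form(assertion_xml)), now)
    except (SamlError, ET.ParseError, ValueError) as exc:
        return "rejected", str(exc)
```

Calling sso_outcome(ASSERTION_XML, NOW) yields the local user johndoe with role SalesEmployee; an assertion from an issuer outside TRUSTED_ISSUERS, one outside the time window, or one whose NameID has no federation link is rejected before any session is created.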


Page 23: Contact/Feedback

Please complete your session evaluation.

Be courteous: deposit your trash, and do not take the handouts for the following session.

Page 24: Legal Notices

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2010 SAP AG. All Rights Reserved.

Page 2: SCI160-SAML2.0

2

copy 2010 SAP AG All rights reserved Page 3

Technical Challenges with User Provisioning

User provisioning on the Measurit e-shop system

How will the Boilit employees be able to login to Measurit

How would Measurit know what permissions each Boilit user needs

How would you link existing accounts in both portals

Measurit

(e-shop)

Boilit

copy 2010 SAP AG All rights reserved Page 4

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

3

copy 2010 SAP AG All rights reserved Page 5

Brokered Authentication ndash

A Core Security Pattern for Single Sign-On

Security Token

Issuer

Applications

John

1

1 John proves his identity to a central Security

Token Issuer by presenting his credentials

John

John

2 The issuer verifies the correctness and

trustworthiness of the credentials and issues a

security token with Johnlsquos identity information

2

3

3 John presents the security token to the

application(s) he wants to Single Sign-On

4

4 The Application verifies the security token

John5

5 The Application associates an identity from its

user store based on a unique value in the token

copy 2010 SAP AG All rights reserved Page 6

Analogy of an Interoperable Cross-Domain

Security Token in the Real World

Citizen of

Germany

German Government

Passport

US Government

TRUST

ID Card Passport

Immigration

Officer

4

copy 2010 SAP AG All rights reserved Page 7

Key Properties of SSO Technologies

Cross-Domain

Is it possible to use the SSO technology only

within a security domain (ie the corporate

Intranet) or can it be used across different

domains (eg to access a business partner

system)

Cross-Platform

Which platforms are supported by the SSO

technology Does it work in a heterogeneous

system landscape Is it based on industry

standards

Token Content Model

Does the security token only allow a fixed set of

identity attributes or can it be extended

dynamically

Domain A

Domain B

Security

Token Issuer

Application

Security

Token Issuer

Application

copy 2010 SAP AG All rights reserved Page 8

SSO Technologies Compared

SSO Technology Cross-Domain Cross-PlatformToken Content

Model

SAP Logon Ticket No No Fixed

Digital Certificate Yes Yes Fixed

Kerberos No Yes Fixed

SAML Yes Yes Extensible

Issuer running on SAP only ticket validation also possible with non-SAP applications

5

copy 2010 SAP AG All rights reserved Page 9

The Security Assertion Markup Language

(SAML) in a Nutshell

Industry standard for cross-vendor Web-based Single

Sign-On and Single Log-Out with wide adoption in the

industry

XML-based framework for security and identity

information and exchanging it across administrative

and technical domain boundaries

SAML profiles describe a variety of end use cases for

framework

SAML Security Token Assertion

contains a statement about a userlsquos authentication that happened in the

past ie when and how the user authenticated at the Issuer

who is the Issuer of the Assertion

additional information (aka attributes) about the userrsquos identity

ie role information

copy 2010 SAP AG All rights reserved Page 10

SAML 20 Terminology

Identity Provider (IdP)Authority responsible for authenticating an end user and asserting

an identity for that user in a trusted fashion to trusted partners

Synonyms (Security Token) Issuer

Service Provider (SP)Offers servicesresources to users and has a trust relationship

with an IdP to accept and trust vouch-for information provided by

the IdP on behalf of a user

Synonyms (Web) Application Relying Party

SubjectA subject is the user who has been authenticated by the IdP

Synonyms User Principal

Identity Provider

(IdP)

Service

Provider

(SP)

Subject

6

copy 2010 SAP AG All rights reserved Page 11

Identity Federation with SAML 20

Examples

John

Identity Provider

(IdP)

johnidpcom

E-Mail johnidpcom

Department Sales

johndoe

SalesEmployee

Service

Provider (SPs)

Format emailAddress

ID johnidpcom

Format transient|persistent

ID ltopaque string pseudonymgt

Attribute Department=Sales

copy 2010 SAP AG All rights reserved Page 12

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

7

copy 2010 SAP AG All rights reserved Page 13

SAML 20 Configuration Using the

SAP NetWeaver Administrator

SAML 20 configuration necessary in multiple business scenarios involving security

across organizationaldepartmental boundaries

SAP NetWeaver Administrator is the tool available with administrators to technically

configure the security aspects (like identity federation) of the scenarios

BOILIT

IDENTITY

PROVIDER (IDP)

When the BoiliIt

employee clicks

on the vendor

(MeasurIt) portal

link heshe

authenticates

himherself as a

trusted identity

Measurit

SERVICE

PROVIDER (SP)

The MeasurIt portal

should display

screens based on

the role of the

employee in the

customer (BoilIt)

organization

MeasurIt is a suppliervendor for BoilIt and hence

provides access to a portal for BoilIt engineers to

order equipment

BoilIt engineers log in to MeasurIt portal to order items

BoilIt purchasers log in to MeasurIt portal to approve

purchase requests made by the engineers

Scenario requires communication between BoilIt and MeasurIt using SAML 20 tokens

copy 2010 SAP AG All rights reserved Page 14

Purchase Order CreationApproval Scenario hellip

hellip enabled by SAP NetWeaver Administrator 730 security configuration

Enable SAML 20 for MeasurIt

Setup trusted connection between BoilIt

(IDP) and MeasuIt (SP)

Configure MeasurIt AS Java so all BoilIt

employees can access MeasurIt portal

without separate logon

Configure so that BoilIt engineers and

purchasers can view Login button

Configuring so that BoilIt engineers

purchasers can create an account on the fly

Angie Neer

BoilIt Engineer

Per Chaser

BoilIt Purchaser

MeasurIt

Administrator

Logs on to

BoilIt Portal

Navigates to

MeasurIt Portal

Create account

on the fly

Automatically uses

account created

the first time

Order an item

Order an item

Logs on to

BoilIt Portal

Navigates to

MeasurIt Portal

Logs in with a

preset account

Approves Angiersquos

request

Logs on to NWA of

MeasurIt AS Java

Do SAML 20

configuration in NWA

first time

Subsequent times

8

copy 2010 SAP AG All rights reserved Page 15

Over to the Security Configuration Hands On hellip

Enabling SAML 20 for the Service Provider MeasurIt

Setting up a trusted connection with the Identity Provider BoilIt

Configuring so that BoilIt employees can access MeasurIt portal without separate Logon

Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt

portal

Configuring so that BoilIt engineers and purchasers can create an account on the fly in order

to access MeasurIt portal and place purchase ordersapprove purchase orders

Important information

BoilIt Portal URL httpsltfully qualified hostnamegt50001boilitportalindexjsp

MeasurIt AS Java SAP NetWeaver Administrator httpltfully qualified hostnamegt50000nwa

Usernamespasswords

Application Username Password

MeasurIt AS Java administrator abcd1234

BoilIt Portal angie abcd1234

BoilIt Portal per abcd1234

BoilIt Portal bo abcd1234

copy 2010 SAP AG All rights reserved Page 16

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

9

copy 2010 SAP AG All rights reserved Page 17

Further Information

Recommended Books

Comprehensive Guide on SSO and

Identity Federation with SAP Kerberos

SAML 20 for Web browser and Web

services X509 Certificates OpenID and

others

Identity Federation with SAP NetWeaver

Identity Management Administration

Interoperability with other platforms

Many Hands-on tutorials amp code

samples

Single Sign-on mit SAP ~400 pages ISBN 978-3-8362-1627-2

httpwwwsap-pressdekatalogbuechertitelgptitelID-2409

English edition planned for March 2011

SAP PRESS

copy 2010 SAP AG All rights reserved Page 18

Further Information

SAP Public Web

SAP Developer Network (SDN) wwwsdnsapcom

Business Process Expert (BPX) Community wwwbpxsapcom

SAP BusinessObjects Community (BOC) bocsapcom

Expert Networking Sessions

SAML 20 Goes Live New Features in IDM 72 (POD54)

Related WorkshopsLectures at SAP TechEd 2010

SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services 1 hr lecture (Beginner)

SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)

SCI265 Managing Federated Identities for Service-Based Single Sign-On2 hr Hands-On (Intermediate)

SCI204 SAP NetWeaver Business Process Management and SSO Inextricably Intertwined 1 hr Lecture (Intermediate)

10

copy 2010 SAP AG All rights reserved Page 19

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

copy 2010 SAP AG All rights reserved Page 20

Browser-based Web SSO with SAML

Part 1

Identity Provider

(IdP)

Service

Provider (SP)

John

John

1 http

1 John invokes the URL of an access protected

Web Application with his browser

2 redirect

request

2 The Web Application redirects the request to its

trusted Security Token Issuer

3

3 If John is not already logged on at the Security

Token Issuer he will be asked to provide his

credentials

John

11

copy 2010 SAP AG All rights reserved Page 21

Browser-based Web SSO with SAML

Part 2

Identity Provider

(IdP)

Service

Provider (SPs)

John

John

5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element

5

6

POSTltformgt

6 The Web Browser sends the SAML Assertion

with a HTTP POST Request to the Web

Application

4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element

4

ltformgt

with A

ssert

ion

7 John

7 The Web Application validates the SAML

Assertion assigns a local user account to

Johnlsquos session and returns the web page

copy 2010 SAP AG All rights reserved Page 22

The issuer with the id

httpidpcom

confirms that the subject (user) with the

e-mail address

johnidpcom

has been successfully

authenticated at

931 am on Sept 30th 2010

using a

Kerberos Ticket

with Integrated Windows Authentication

It also confirms to the Service Provider

that subject is working in the

Sales

Department

An Example of a SAML Assertion

ltAssertion ID=59313c96

IssueInstant=2010-06-30T093106474Z

Version=20gt

ltIssuergthttpidpcomltIssuergt

ltSubjectgt

ltNameID Format=nameid-format

emailAddressgtjohnidpcomltNameIDgt

ltSubjectgt

ltAuthnStatement AuthnInstant=

2010-09-30T093107474Zgt

ltAuthnContextgt

ltAuthnContextClassRefgt

authenticationwindows

ltAuthnContextClassRefgt

ltAuthnContextgt

ltAuthnStatementgt

ltAttributeStatementgt

ltAttribute Name=Department

ltAttributeValue gtSales

ltAttributeValuegt

ltAttributegt

ltAttributeStatementgt

ltAssertiongt

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

copy 2010 SAP AG All rights reserved Page 24

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2010 SAP AG. All Rights Reserved.

Page 3: SCI160-SAML2.0

© 2010 SAP AG. All rights reserved. / Page 5

Brokered Authentication – A Core Security Pattern for Single Sign-On

Diagram participants: John, a central Security Token Issuer, and the Applications.

1. John proves his identity to a central Security Token Issuer by presenting his credentials.

2. The issuer verifies the correctness and trustworthiness of the credentials and issues a security token with John's identity information.

3. John presents the security token to the application(s) he wants to Single Sign-On to.

4. The Application verifies the security token.

5. The Application associates an identity from its user store based on a unique value in the token.

© 2010 SAP AG. All rights reserved. / Page 6

Analogy of an Interoperable Cross-Domain Security Token in the Real World

Diagram: a Citizen of Germany presents an ID Card to the German Government and receives a Passport. The US Government has a TRUST relationship with the German Government, so its Immigration Officer accepts the Passport.

© 2010 SAP AG. All rights reserved. / Page 7

Key Properties of SSO Technologies

Cross-Domain: Is it possible to use the SSO technology only within a security domain (i.e. the corporate Intranet), or can it be used across different domains (e.g. to access a business partner system)?

Cross-Platform: Which platforms are supported by the SSO technology? Does it work in a heterogeneous system landscape? Is it based on industry standards?

Token Content Model: Does the security token only allow a fixed set of identity attributes, or can it be extended dynamically?

Diagram: Domain A (Security Token Issuer, Application) and Domain B (Security Token Issuer, Application).

© 2010 SAP AG. All rights reserved. / Page 8

SSO Technologies Compared

SSO Technology        Cross-Domain   Cross-Platform   Token Content Model
SAP Logon Ticket      No             No               Fixed
Digital Certificate   Yes            Yes              Fixed
Kerberos              No             Yes              Fixed
SAML                  Yes            Yes              Extensible

Note on the SAP Logon Ticket: the issuer runs on SAP only; ticket validation is also possible with non-SAP applications.

© 2010 SAP AG. All rights reserved. / Page 9

The Security Assertion Markup Language (SAML) in a Nutshell

Industry standard for cross-vendor Web-based Single Sign-On and Single Log-Out, with wide adoption in the industry.

XML-based framework for security and identity information and for exchanging it across administrative and technical domain boundaries.

SAML profiles describe a variety of end use cases for the framework.

SAML Security Token: the Assertion. It contains
a statement about a user's authentication that happened in the past, i.e. when and how the user authenticated at the Issuer;
who the Issuer of the Assertion is;
additional information (aka attributes) about the user's identity, i.e. role information.

© 2010 SAP AG. All rights reserved. / Page 10

SAML 2.0 Terminology

Identity Provider (IdP): Authority responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. Synonyms: (Security Token) Issuer.

Service Provider (SP): Offers services/resources to users and has a trust relationship with an IdP to accept and trust (vouch for) information provided by the IdP on behalf of a user. Synonyms: (Web) Application, Relying Party.

Subject: A subject is the user who has been authenticated by the IdP. Synonyms: User, Principal.

Diagram: Identity Provider (IdP), Service Provider (SP), Subject.

© 2010 SAP AG. All rights reserved. / Page 11

Identity Federation with SAML 2.0: Examples

Diagram: John is known at the Identity Provider (IdP) as john@idp.com (E-Mail: john@idp.com, Department: Sales). At the Service Providers (SPs) he is mapped to the local accounts johndoe and SalesEmployee.

Identifiers the IdP can send to an SP:
Format: emailAddress, ID: john@idp.com
Format: transient | persistent, ID: <opaque string pseudonym>
Attribute: Department=Sales

© 2010 SAP AG. All rights reserved. / Page 12

Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix

© 2010 SAP AG. All rights reserved. / Page 13

SAML 2.0 Configuration Using the SAP NetWeaver Administrator

SAML 2.0 configuration is necessary in multiple business scenarios involving security across organizational/departmental boundaries.

SAP NetWeaver Administrator is the tool available to administrators to technically configure the security aspects (like identity federation) of these scenarios.

BoilIt, Identity Provider (IdP): When the BoilIt employee clicks on the vendor (MeasurIt) portal link, he/she authenticates him/herself as a trusted identity.

MeasurIt, Service Provider (SP): The MeasurIt portal should display screens based on the role of the employee in the customer (BoilIt) organization.

MeasurIt is a supplier/vendor for BoilIt and hence provides access to a portal for BoilIt engineers to order equipment.
BoilIt engineers log in to the MeasurIt portal to order items.
BoilIt purchasers log in to the MeasurIt portal to approve purchase requests made by the engineers.

The scenario requires communication between BoilIt and MeasurIt using SAML 2.0 tokens.

© 2010 SAP AG. All rights reserved. / Page 14

Purchase Order Creation/Approval Scenario …
… enabled by SAP NetWeaver Administrator 7.30 security configuration

Configuration tasks:
Enable SAML 2.0 for MeasurIt
Set up a trusted connection between BoilIt (IdP) and MeasurIt (SP)
Configure MeasurIt AS Java so all BoilIt employees can access the MeasurIt portal without separate logon
Configure so that BoilIt engineers and purchasers can view the Login button
Configure so that BoilIt engineers and purchasers can create an account on the fly

Actors and their steps:
Angie Neer, BoilIt Engineer: logs on to the BoilIt Portal; navigates to the MeasurIt Portal; creates an account on the fly (first time) or automatically uses the account created the first time (subsequent times); orders an item.
Per Chaser, BoilIt Purchaser: logs on to the BoilIt Portal; navigates to the MeasurIt Portal; logs in with a preset account; approves Angie's request.
MeasurIt Administrator: logs on to the NWA of MeasurIt AS Java; does the SAML 2.0 configuration in NWA.

© 2010 SAP AG. All rights reserved. / Page 15

Over to the Security Configuration Hands-On …

Enabling SAML 2.0 for the Service Provider MeasurIt
Setting up a trusted connection with the Identity Provider BoilIt
Configuring so that BoilIt employees can access the MeasurIt portal without separate logon
Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt portal
Configuring so that BoilIt engineers and purchasers can create an account on the fly in order to access the MeasurIt portal and place purchase orders/approve purchase orders

Important information

BoilIt Portal URL: https://<fully qualified hostname>:50001/boilitportal/index.jsp
MeasurIt AS Java SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa

Usernames/passwords:

Application         Username        Password
MeasurIt AS Java    administrator   abcd1234
BoilIt Portal       angie           abcd1234
BoilIt Portal       per             abcd1234
BoilIt Portal       bo              abcd1234

© 2010 SAP AG. All rights reserved. / Page 16

Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix

© 2010 SAP AG. All rights reserved. / Page 17

Further Information: Recommended Books

Comprehensive guide on SSO and Identity Federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 Certificates, OpenID and others. Identity Federation with SAP NetWeaver Identity Management. Administration. Interoperability with other platforms. Many hands-on tutorials & code samples.

Single Sign-on mit SAP, ~400 pages, ISBN 978-3-8362-1627-2
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011 (SAP PRESS)

© 2010 SAP AG. All rights reserved. / Page 18

Further Information

SAP Public Web
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com

Expert Networking Sessions
SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)

Related Workshops/Lectures at SAP TechEd 2010
SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr Hands-On (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr Lecture (Intermediate)

© 2010 SAP AG. All rights reserved. / Page 19

Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix

© 2010 SAP AG. All rights reserved. / Page 20

Browser-based Web SSO with SAML, Part 1

Diagram participants: John (with his browser), the Service Provider (SP) and the Identity Provider (IdP).

1. (http) John invokes the URL of an access-protected Web Application with his browser.

2. (redirect request) The Web Application redirects the request to its trusted Security Token Issuer.

3. If John is not already logged on at the Security Token Issuer, he will be asked to provide his credentials.

© 2010 SAP AG. All rights reserved. / Page 21

Browser-based Web SSO with SAML, Part 2

Diagram participants: John (with his browser), the Service Providers (SPs) and the Identity Provider (IdP).

4. (<form> with Assertion) The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element.

5. John's Web Browser (automatically) submits the SAML Assertion in the <form> element.

6. (POST <form>) The Web Browser sends the SAML Assertion with an HTTP POST Request to the Web Application.

7. The Web Application validates the SAML Assertion, assigns a local user account to John's session and returns the web page.
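Steps 4 to 6 above are the SAML HTTP POST binding. The following is an added Python example, not code from the slides or from SAP NetWeaver, that plays all three parties in one process: the IdP side builds the self-submitting <form>, a stand-in for the browser extracts and submits its hidden fields, and the SP's assertion consumer endpoint decodes what arrives. The SP URL (sp.example.com), the RelayState value and the shortened assertion are constructed for the example; the NameID Format value is the standard SAML URN that the slides abbreviate.

```python
"""Added example (not from the SAP slides): the HTTP POST binding of the
browser-based Web SSO flow, steps 4 to 6, simulated in one process."""
import base64
import html
from html.parser import HTMLParser

# Constructed assumption: the SP's Assertion Consumer Service (ACS) endpoint.
SP_ACS_URL = "https://sp.example.com/saml2/acs"

# Constructed sample, shortened from the slide "An Example of a SAML Assertion".
ASSERTION_XML = (
    '<Assertion ID="59313c96" IssueInstant="2010-06-30T09:31:06.474Z" Version="2.0">'
    "<Issuer>http://idp.com</Issuer>"
    '<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "john@idp.com</NameID></Subject>"
    "</Assertion>"
)


def idp_build_post_form(assertion_xml: str, acs_url: str, relay_state: str) -> str:
    """Step 4: the IdP returns the assertion inside a self-submitting <form>.

    The XML travels base64-encoded in the hidden SAMLResponse field. RelayState
    carries the URL John originally asked for (steps 1 and 2) so the SP can send
    the browser back there after step 7.
    """
    saml_response = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" value="{saml_response}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


class _HiddenFormFields(HTMLParser):
    """Minimal stand-in for the browser: collects the form action and hidden inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already unescapes attribute values
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def browser_submit(form_html: str):
    """Step 5: the browser auto-submits the form. Returns (target URL, POST fields)."""
    parser = _HiddenFormFields()
    parser.feed(form_html)
    return parser.action, parser.fields


def sp_receive_post(target_url: str, fields: dict, expected_acs_url: str = SP_ACS_URL):
    """Step 6: the SP's ACS receives the POST and returns (assertion XML, RelayState).

    Only transport decoding happens here; checking the assertion's content is
    step 7 and is a separate concern.
    """
    if target_url != expected_acs_url:
        raise ValueError("form was not addressed to this SP's ACS endpoint")
    if "SAMLResponse" not in fields:
        raise ValueError("POST body carries no SAMLResponse field")
    xml_text = base64.b64decode(fields["SAMLResponse"], validate=True).decode("utf-8")
    return xml_text, fields.get("RelayState")


if __name__ == "__main__":
    form = idp_build_post_form(ASSERTION_XML, SP_ACS_URL, "/orders/new")
    url, posted = browser_submit(form)
    xml_text, relay = sp_receive_post(url, posted)
    print(relay, xml_text == ASSERTION_XML)
```

In a real deployment the hidden field carries a full SAML Response element wrapping the assertion, and the IdP signs it; the decoding shown here is only the step that precedes signature verification and the content checks of step 7, and RelayState should be treated as untrusted input when the SP redirects to it.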

© 2010 SAP AG. All rights reserved. / Page 22

An Example of a SAML Assertion

The issuer with the id http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th 2010 using a Kerberos Ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales Department.

<Assertion ID="59313c96" IssueInstant="2010-06-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject>
    <NameID Format="nameid-format:emailAddress">john@idp.com</NameID>
  </Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext>
      <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department">
      <AttributeValue>Sales</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
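What the Service Provider does with this assertion in step 7 of the Web SSO flow (steps 4 and 5 of the brokered authentication pattern), as an added Python example that is not code from the slides or from SAP NetWeaver: it accepts the token only from a trusted issuer, checks that the authentication instant is recent and not in the future, requires the e-mail NameID format, maps the federated identity to a local account the way the Identity Federation slide does (john@idp.com at the IdP is johndoe at the SP), and collects the attributes for the session. The trusted-issuer set, the user store, the freshness window and the clock-skew tolerance are constructed assumptions; the assertion is the slide's, with the SAML 2.0 assertion namespace and the full NameID Format URN that the slide abbreviates.

```python
"""Added example (not from the SAP slides): Service Provider side validation of
the slide's SAML assertion and mapping of the subject to a local account."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed SP configuration.
TRUSTED_ISSUERS = {"http://idp.com"}
USER_STORE = {"john@idp.com": "johndoe"}   # federated e-mail NameID -> local account
MAX_AUTHN_AGE = timedelta(minutes=5)       # how old an AuthnInstant may be
CLOCK_SKEW = timedelta(seconds=30)         # tolerated IdP/SP clock difference
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The slide's assertion (constructed sample; ID and instants as on the slide),
# with the SAML 2.0 namespace and the full NameID Format URN added.
ASSERTION_XML = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="59313c96" IssueInstant="2010-06-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@idp.com</NameID>
  </Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext>
      <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department">
      <AttributeValue>Sales</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def parse_instant(value: str) -> datetime:
    """SAML dateTime values are UTC ('Z'); fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _strip_namespaces(root):
    """Drop namespace prefixes so lookups read like the slide's unqualified XML."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                       user_store=USER_STORE, max_age=MAX_AUTHN_AGE):
    """Return the session to establish, or raise ValueError with the rejection reason.

    This example verifies no XML Signature because the slide's assertion carries
    none; a production SP must verify the IdP's signature before trusting any
    field checked below.
    """
    root = _strip_namespaces(ET.fromstring(xml_text))
    if root.tag != "Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")

    # Who issued it: the brokered pattern trusts tokens from known issuers only.
    issuer = (root.findtext("Issuer") or "").strip()
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")

    # When and how the user authenticated at the issuer.
    authn = root.find("AuthnStatement")
    if authn is None:
        raise ValueError("no AuthnStatement")
    authn_at = parse_instant(authn.get("AuthnInstant"))
    if authn_at > now + CLOCK_SKEW:
        raise ValueError("AuthnInstant lies in the future")
    if now - authn_at > max_age:
        raise ValueError("authentication is too old")
    context = (authn.findtext("AuthnContext/AuthnContextClassRef") or "").strip()

    # Which subject: this SP federates on the e-mail NameID format only.
    name_id = root.find("Subject/NameID")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("missing or unsupported NameID format")
    local_user = user_store.get((name_id.text or "").strip())
    if local_user is None:
        raise ValueError("no local account federated with this NameID")

    attributes = {
        attr.get("Name"): [(v.text or "").strip() for v in attr.findall("AttributeValue")]
        for attr in root.findall("AttributeStatement/Attribute")
    }
    return {"local_user": local_user, "issuer": issuer,
            "authn_context": context, "attributes": attributes}


def rejection_reason(xml_text, now, **kwargs):
    """Logging helper: the reason the SP rejects the token, or None if it is accepted."""
    try:
        validate_assertion(xml_text, now, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_assertion(ASSERTION_XML, parse_instant("2010-09-30T09:31:30Z")))
```

The reason string from rejection_reason() is what the SP should write to its security log: an untrusted issuer or an authentication instant far from the SP's clock is worth an alert rather than a silent failed logon. Note that the slide's IssueInstant (June) and AuthnInstant (September) differ; the example keys freshness on AuthnInstant, as the prose on the slide does.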

Contact/Feedback

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.



Page 5: SCI160-SAML2.0

5

copy 2010 SAP AG All rights reserved Page 9

The Security Assertion Markup Language

(SAML) in a Nutshell

Industry standard for cross-vendor Web-based Single

Sign-On and Single Log-Out with wide adoption in the

industry

XML-based framework for security and identity

information and exchanging it across administrative

and technical domain boundaries

SAML profiles describe a variety of end use cases for

framework

SAML Security Token Assertion

contains a statement about a userlsquos authentication that happened in the

past ie when and how the user authenticated at the Issuer

who is the Issuer of the Assertion

additional information (aka attributes) about the userrsquos identity

ie role information

copy 2010 SAP AG All rights reserved Page 10

SAML 20 Terminology

Identity Provider (IdP)Authority responsible for authenticating an end user and asserting

an identity for that user in a trusted fashion to trusted partners

Synonyms (Security Token) Issuer

Service Provider (SP)Offers servicesresources to users and has a trust relationship

with an IdP to accept and trust vouch-for information provided by

the IdP on behalf of a user

Synonyms (Web) Application Relying Party

SubjectA subject is the user who has been authenticated by the IdP

Synonyms User Principal

Identity Provider

(IdP)

Service

Provider

(SP)

Subject

6

copy 2010 SAP AG All rights reserved Page 11

Identity Federation with SAML 20

Examples

John

Identity Provider

(IdP)

johnidpcom

E-Mail johnidpcom

Department Sales

johndoe

SalesEmployee

Service

Provider (SPs)

Format emailAddress

ID johnidpcom

Format transient|persistent

ID ltopaque string pseudonymgt

Attribute Department=Sales

Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix

SAML 2.0 Configuration Using the SAP NetWeaver Administrator

SAML 2.0 configuration is necessary in multiple business scenarios involving security across organizational/departmental boundaries. SAP NetWeaver Administrator is the tool available to administrators to technically configure the security aspects (like identity federation) of the scenarios.

BoilIt, Identity Provider (IdP): When the BoilIt employee clicks on the vendor (MeasurIt) portal link, he/she authenticates him/herself as a trusted identity.

MeasurIt, Service Provider (SP): The MeasurIt portal should display screens based on the role of the employee in the customer (BoilIt) organization.

- MeasurIt is a supplier/vendor for BoilIt and hence provides access to a portal for BoilIt engineers to order equipment
- BoilIt engineers log in to the MeasurIt portal to order items
- BoilIt purchasers log in to the MeasurIt portal to approve purchase requests made by the engineers
- The scenario requires communication between BoilIt and MeasurIt using SAML 2.0 tokens

Purchase Order Creation/Approval Scenario ...
... enabled by SAP NetWeaver Administrator 7.30 security configuration

- Enable SAML 2.0 for MeasurIt
- Set up a trusted connection between BoilIt (IdP) and MeasurIt (SP)
- Configure MeasurIt AS Java so all BoilIt employees can access the MeasurIt portal without separate logon
- Configure so that BoilIt engineers and purchasers can view the Login button
- Configure so that BoilIt engineers and purchasers can create an account on the fly

Angie Neer, BoilIt Engineer: logs on to the BoilIt Portal, navigates to the MeasurIt Portal, creates an account on the fly (first time) or automatically uses the account created the first time (subsequent times), and orders an item.

Per Chaser, BoilIt Purchaser: logs on to the BoilIt Portal, navigates to the MeasurIt Portal, logs in with a preset account and approves Angie's request.

MeasurIt Administrator: logs on to the NWA of MeasurIt AS Java and does the SAML 2.0 configuration in NWA.

Over to the Security Configuration Hands-On ...

- Enabling SAML 2.0 for the Service Provider MeasurIt
- Setting up a trusted connection with the Identity Provider BoilIt
- Configuring so that BoilIt employees can access the MeasurIt portal without separate logon
- Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt portal
- Configuring so that BoilIt engineers and purchasers can create an account on the fly in order to access the MeasurIt portal and place purchase orders/approve purchase orders

Important information

BoilIt Portal URL: https://<fully qualified hostname>:50001/boilit/portal/index.jsp
MeasurIt AS Java SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa

Usernames/passwords:

Application                 Username        Password
MeasurIt AS Java            administrator   abcd1234
BoilIt Portal               angie           abcd1234
BoilIt Portal               per             abcd1234
BoilIt Portal               bo              abcd1234

Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix

Further Information

Recommended Books

Single Sign-on mit SAP (SAP PRESS, ~400 pages, ISBN 978-3-8362-1627-2), http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409; English edition planned for March 2011
- Comprehensive guide on SSO and Identity Federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 Certificates, OpenID and others
- Identity Federation with SAP NetWeaver Identity Management
- Administration
- Interoperability with other platforms
- Many hands-on tutorials & code samples

Further Information

SAP Public Web
- SAP Developer Network (SDN): www.sdn.sap.com
- Business Process Expert (BPX) Community: www.bpx.sap.com
- SAP BusinessObjects Community (BOC): boc.sap.com

Expert Networking Sessions
- SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)

Related Workshops/Lectures at SAP TechEd 2010
- SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
- SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
- SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr Hands-On (Intermediate)
- SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr Lecture (Intermediate)

Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix

Browser-based Web SSO with SAML, Part 1

Participants: John (with his Web browser), the Identity Provider (IdP) and the Service Provider (SP).

1. John invokes the URL of an access-protected Web Application with his browser (HTTP request).
2. The Web Application redirects the request to its trusted Security Token Issuer.
3. If John is not already logged on at the Security Token Issuer, he will be asked to provide his credentials.

Browser-based Web SSO with SAML, Part 2

4. The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element.
5. John's Web Browser (automatically) submits the SAML Assertion in the <form> element.
6. The Web Browser sends the SAML Assertion with an HTTP POST request to the Web Application.
7. The Web Application validates the SAML Assertion, assigns a local user account to John's session and returns the web page.

The issuer with the id http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th 2010 using a Kerberos Ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales Department.

An Example of a SAML Assertion

    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="59313c96"
               IssueInstant="2010-06-30T09:31:06.474Z" Version="2.0">
      <Issuer>http://idp.com</Issuer>
      <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@idp.com</NameID>
      </Subject>
      <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
        <AuthnContext>
          <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
      <AttributeStatement>
        <Attribute Name="Department">
          <AttributeValue>Sales</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
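As an added example (not code from the SAP deck), the Python below performs the Service Provider's step 7 on the assertion above and applies both federation variants from the examples slide: it checks Issuer and timestamps, then maps an emailAddress NameID to the local user johndoe, and a transient pseudonym plus Department=Sales to the shared SalesEmployee account. The trusted-issuer set, the freshness window, the local account store and the namespace declaration added to the sample are assumptions, and XML signature verification is assumed to have happened before this code runs.

```python
"""Validate the slide's sample SAML 2.0 assertion and map its subject to a
local account (slide step 7). Added example, not code from the SAP deck:
trusted issuers, freshness window and the local account store are assumed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed copy of the slide's assertion (namespace added). It carries no
# Signature or Conditions element; a real SP verifies the signature first.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" ID="59313c96"
    IssueInstant="2010-06-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject>
    <NameID Format="{EMAIL_FORMAT}">john@idp.com</NameID>
  </Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext>
      <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department"><AttributeValue>Sales</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed SP-side state, after the federation-examples slide: johndoe is
# linked by e-mail, SalesEmployee is a shared account selected by Department.
TRUSTED_ISSUERS = {"http://idp.com"}
LOCAL_USERS_BY_EMAIL = {"john@idp.com": "johndoe"}
PERSISTENT_LINKS = {}  # (issuer, pseudonym) -> local account, set when linked
ROLE_ACCOUNTS_BY_DEPARTMENT = {"Sales": "SalesEmployee"}


def parse_instant(value):
    """SAML timestamps are UTC ISO 8601 with millisecond precision and a Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, max_age=timedelta(minutes=5),
                       skew=timedelta(minutes=1)):
    """Return the facts the SP may rely on, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {issuer!r}")
    if parse_instant(root.get("IssueInstant")) > now + skew:
        raise ValueError("IssueInstant lies in the future")
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("no AuthnStatement: nobody says the user authenticated")
    authn_instant = parse_instant(authn.get("AuthnInstant"))
    if not (now - max_age <= authn_instant <= now + skew):
        raise ValueError("authentication is stale or in the future")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no Subject NameID")
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "issuer": issuer,
        "name_id": name_id.text,
        "format": name_id.get("Format"),
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": attributes,
    }


def map_to_local_account(info):
    """Choose the local account assigned to the session, by NameID format."""
    fmt, name_id = info["format"], info["name_id"]
    if fmt == EMAIL_FORMAT:
        # The IdP vouches for the e-mail address: look up the local user by it.
        account = LOCAL_USERS_BY_EMAIL.get(name_id)
        if account is None:
            raise ValueError("no local user for this e-mail address")
        return account
    if fmt == PERSISTENT_FORMAT:
        # Opaque but stable pseudonym: only usable through an existing link.
        account = PERSISTENT_LINKS.get((info["issuer"], name_id))
        if account is None:
            raise ValueError("persistent pseudonym not linked to an account yet")
        return account
    if fmt == TRANSIENT_FORMAT:
        # One-time pseudonym, identity unknowable: pick a shared role account.
        for dept in info["attributes"].get("Department", []):
            if dept in ROLE_ACCOUNTS_BY_DEPARTMENT:
                return ROLE_ACCOUNTS_BY_DEPARTMENT[dept]
        raise ValueError("no role account for the asserted Department")
    raise ValueError(f"unsupported NameID format {fmt!r}")
```

The slide's sample has IssueInstant three months before AuthnInstant, so the freshness check is made on the authentication time; an SP with a Conditions element present would enforce NotBefore/NotOnOrAfter as well.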

Contact/Feedback

Please complete your session evaluation.

Be courteous: deposit your trash, and do not take the handouts for the following session.


Page 6: SCI160-SAML2.0

6

copy 2010 SAP AG All rights reserved Page 11

Identity Federation with SAML 20

Examples

John

Identity Provider

(IdP)

johnidpcom

E-Mail johnidpcom

Department Sales

johndoe

SalesEmployee

Service

Provider (SPs)

Format emailAddress

ID johnidpcom

Format transient|persistent

ID ltopaque string pseudonymgt

Attribute Department=Sales

copy 2010 SAP AG All rights reserved Page 12

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

7

copy 2010 SAP AG All rights reserved Page 13

SAML 20 Configuration Using the

SAP NetWeaver Administrator

SAML 20 configuration necessary in multiple business scenarios involving security

across organizationaldepartmental boundaries

SAP NetWeaver Administrator is the tool available with administrators to technically

configure the security aspects (like identity federation) of the scenarios

BOILIT

IDENTITY

PROVIDER (IDP)

When the BoiliIt

employee clicks

on the vendor

(MeasurIt) portal

link heshe

authenticates

himherself as a

trusted identity

Measurit

SERVICE

PROVIDER (SP)

The MeasurIt portal

should display

screens based on

the role of the

employee in the

customer (BoilIt)

organization

MeasurIt is a suppliervendor for BoilIt and hence

provides access to a portal for BoilIt engineers to

order equipment

BoilIt engineers log in to MeasurIt portal to order items

BoilIt purchasers log in to MeasurIt portal to approve

purchase requests made by the engineers

Scenario requires communication between BoilIt and MeasurIt using SAML 20 tokens

copy 2010 SAP AG All rights reserved Page 14

Purchase Order CreationApproval Scenario hellip

hellip enabled by SAP NetWeaver Administrator 730 security configuration

Enable SAML 20 for MeasurIt

Setup trusted connection between BoilIt

(IDP) and MeasuIt (SP)

Configure MeasurIt AS Java so all BoilIt

employees can access MeasurIt portal

without separate logon

Configure so that BoilIt engineers and

purchasers can view Login button

Configuring so that BoilIt engineers

purchasers can create an account on the fly

Angie Neer

BoilIt Engineer

Per Chaser

BoilIt Purchaser

MeasurIt

Administrator

Logs on to

BoilIt Portal

Navigates to

MeasurIt Portal

Create account

on the fly

Automatically uses

account created

the first time

Order an item

Order an item

Logs on to

BoilIt Portal

Navigates to

MeasurIt Portal

Logs in with a

preset account

Approves Angiersquos

request

Logs on to NWA of

MeasurIt AS Java

Do SAML 20

configuration in NWA

first time

Subsequent times

8

copy 2010 SAP AG All rights reserved Page 15

Over to the Security Configuration Hands On hellip

Enabling SAML 20 for the Service Provider MeasurIt

Setting up a trusted connection with the Identity Provider BoilIt

Configuring so that BoilIt employees can access MeasurIt portal without separate Logon

Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt

portal

Configuring so that BoilIt engineers and purchasers can create an account on the fly in order

to access MeasurIt portal and place purchase ordersapprove purchase orders

Important information

BoilIt Portal URL httpsltfully qualified hostnamegt50001boilitportalindexjsp

MeasurIt AS Java SAP NetWeaver Administrator httpltfully qualified hostnamegt50000nwa

Usernamespasswords

Application Username Password

MeasurIt AS Java administrator abcd1234

BoilIt Portal angie abcd1234

BoilIt Portal per abcd1234

BoilIt Portal bo abcd1234

copy 2010 SAP AG All rights reserved Page 16

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

9

copy 2010 SAP AG All rights reserved Page 17

Further Information

Recommended Books

Comprehensive Guide on SSO and

Identity Federation with SAP Kerberos

SAML 20 for Web browser and Web

services X509 Certificates OpenID and

others

Identity Federation with SAP NetWeaver

Identity Management Administration

Interoperability with other platforms

Many Hands-on tutorials amp code

samples

Single Sign-on mit SAP ~400 pages ISBN 978-3-8362-1627-2

httpwwwsap-pressdekatalogbuechertitelgptitelID-2409

English edition planned for March 2011

SAP PRESS

copy 2010 SAP AG All rights reserved Page 18

Further Information

SAP Public Web

SAP Developer Network (SDN) wwwsdnsapcom

Business Process Expert (BPX) Community wwwbpxsapcom

SAP BusinessObjects Community (BOC) bocsapcom

Expert Networking Sessions

SAML 20 Goes Live New Features in IDM 72 (POD54)

Related WorkshopsLectures at SAP TechEd 2010

SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services 1 hr lecture (Beginner)

SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)

SCI265 Managing Federated Identities for Service-Based Single Sign-On2 hr Hands-On (Intermediate)

SCI204 SAP NetWeaver Business Process Management and SSO Inextricably Intertwined 1 hr Lecture (Intermediate)

10

copy 2010 SAP AG All rights reserved Page 19

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

copy 2010 SAP AG All rights reserved Page 20

Browser-based Web SSO with SAML

Part 1

Identity Provider

(IdP)

Service

Provider (SP)

John

John

1 http

1 John invokes the URL of an access protected

Web Application with his browser

2 redirect

request

2 The Web Application redirects the request to its

trusted Security Token Issuer

3

3 If John is not already logged on at the Security

Token Issuer he will be asked to provide his

credentials

John

11

copy 2010 SAP AG All rights reserved Page 21

Browser-based Web SSO with SAML

Part 2

Identity Provider

(IdP)

Service

Provider (SPs)

John

John

5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element

5

6

POSTltformgt

6 The Web Browser sends the SAML Assertion

with a HTTP POST Request to the Web

Application

4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element

4

ltformgt

with A

ssert

ion

7 John

7 The Web Application validates the SAML

Assertion assigns a local user account to

Johnlsquos session and returns the web page

copy 2010 SAP AG All rights reserved Page 22

The issuer with the id

httpidpcom

confirms that the subject (user) with the

e-mail address

johnidpcom

has been successfully

authenticated at

931 am on Sept 30th 2010

using a

Kerberos Ticket

with Integrated Windows Authentication

It also confirms to the Service Provider

that subject is working in the

Sales

Department

An Example of a SAML Assertion

ltAssertion ID=59313c96

IssueInstant=2010-06-30T093106474Z

Version=20gt

ltIssuergthttpidpcomltIssuergt

ltSubjectgt

ltNameID Format=nameid-format

emailAddressgtjohnidpcomltNameIDgt

ltSubjectgt

ltAuthnStatement AuthnInstant=

2010-09-30T093107474Zgt

ltAuthnContextgt

ltAuthnContextClassRefgt

authenticationwindows

ltAuthnContextClassRefgt

ltAuthnContextgt

ltAuthnStatementgt

ltAttributeStatementgt

ltAttribute Name=Department

ltAttributeValue gtSales

ltAttributeValuegt

ltAttributegt

ltAttributeStatementgt

ltAssertiongt

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

copy 2010 SAP AG All rights reserved Page 24

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation

UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group

Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc

HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology

Java is a registered trademark of Sun Microsystems Inc

JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape

SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries

All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary

The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice

SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement

SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence

The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages

copy 2010 SAP AG All Rights Reserved

Page 7: SCI160-SAML2.0

7

copy 2010 SAP AG All rights reserved Page 13

SAML 20 Configuration Using the

SAP NetWeaver Administrator

SAML 20 configuration necessary in multiple business scenarios involving security

across organizationaldepartmental boundaries

SAP NetWeaver Administrator is the tool available with administrators to technically

configure the security aspects (like identity federation) of the scenarios

BOILIT

IDENTITY

PROVIDER (IDP)

When the BoiliIt

employee clicks

on the vendor

(MeasurIt) portal

link heshe

authenticates

himherself as a

trusted identity

Measurit

SERVICE

PROVIDER (SP)

The MeasurIt portal

should display

screens based on

the role of the

employee in the

customer (BoilIt)

organization

MeasurIt is a suppliervendor for BoilIt and hence

provides access to a portal for BoilIt engineers to

order equipment

BoilIt engineers log in to MeasurIt portal to order items

BoilIt purchasers log in to MeasurIt portal to approve

purchase requests made by the engineers

Scenario requires communication between BoilIt and MeasurIt using SAML 20 tokens

copy 2010 SAP AG All rights reserved Page 14

Purchase Order CreationApproval Scenario hellip

hellip enabled by SAP NetWeaver Administrator 730 security configuration

Enable SAML 20 for MeasurIt

Setup trusted connection between BoilIt

(IDP) and MeasuIt (SP)

Configure MeasurIt AS Java so all BoilIt

employees can access MeasurIt portal

without separate logon

Configure so that BoilIt engineers and

purchasers can view Login button

Configuring so that BoilIt engineers

purchasers can create an account on the fly

Angie Neer

BoilIt Engineer

Per Chaser

BoilIt Purchaser

MeasurIt

Administrator

Logs on to

BoilIt Portal

Navigates to

MeasurIt Portal

Create account

on the fly

Automatically uses

account created

the first time

Order an item

Order an item

Logs on to

BoilIt Portal

Navigates to

MeasurIt Portal

Logs in with a

preset account

Approves Angiersquos

request

Logs on to NWA of

MeasurIt AS Java

Do SAML 20

configuration in NWA

first time

Subsequent times

8

copy 2010 SAP AG All rights reserved Page 15

Over to the Security Configuration Hands On hellip

Enabling SAML 20 for the Service Provider MeasurIt

Setting up a trusted connection with the Identity Provider BoilIt

Configuring so that BoilIt employees can access MeasurIt portal without separate Logon

Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt

portal

Configuring so that BoilIt engineers and purchasers can create an account on the fly in order

to access MeasurIt portal and place purchase ordersapprove purchase orders

Important information

BoilIt Portal URL httpsltfully qualified hostnamegt50001boilitportalindexjsp

MeasurIt AS Java SAP NetWeaver Administrator httpltfully qualified hostnamegt50000nwa

Usernamespasswords

Application Username Password

MeasurIt AS Java administrator abcd1234

BoilIt Portal angie abcd1234

BoilIt Portal per abcd1234

BoilIt Portal bo abcd1234

copy 2010 SAP AG All rights reserved Page 16

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

9

copy 2010 SAP AG All rights reserved Page 17

Further Information

Recommended Books

Comprehensive Guide on SSO and

Identity Federation with SAP Kerberos

SAML 20 for Web browser and Web

services X509 Certificates OpenID and

others

Identity Federation with SAP NetWeaver

Identity Management Administration

Interoperability with other platforms

Many Hands-on tutorials amp code

samples

Single Sign-on mit SAP ~400 pages ISBN 978-3-8362-1627-2

httpwwwsap-pressdekatalogbuechertitelgptitelID-2409

English edition planned for March 2011

SAP PRESS

copy 2010 SAP AG All rights reserved Page 18

Further Information

SAP Public Web

SAP Developer Network (SDN) wwwsdnsapcom

Business Process Expert (BPX) Community wwwbpxsapcom

SAP BusinessObjects Community (BOC) bocsapcom

Expert Networking Sessions

SAML 20 Goes Live New Features in IDM 72 (POD54)

Related WorkshopsLectures at SAP TechEd 2010

SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services 1 hr lecture (Beginner)

SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)

SCI265 Managing Federated Identities for Service-Based Single Sign-On2 hr Hands-On (Intermediate)

SCI204 SAP NetWeaver Business Process Management and SSO Inextricably Intertwined 1 hr Lecture (Intermediate)

10

copy 2010 SAP AG All rights reserved Page 19

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

copy 2010 SAP AG All rights reserved Page 20

Browser-based Web SSO with SAML

Part 1

Identity Provider

(IdP)

Service

Provider (SP)

John

John

1 http

1 John invokes the URL of an access protected

Web Application with his browser

2 redirect

request

2 The Web Application redirects the request to its

trusted Security Token Issuer

3

3 If John is not already logged on at the Security

Token Issuer he will be asked to provide his

credentials

John

11

copy 2010 SAP AG All rights reserved Page 21

Browser-based Web SSO with SAML

Part 2

Identity Provider

(IdP)

Service

Provider (SPs)

John

John

5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element

5

6

POSTltformgt

6 The Web Browser sends the SAML Assertion

with a HTTP POST Request to the Web

Application

4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element

4

ltformgt

with A

ssert

ion

7 John

7 The Web Application validates the SAML

Assertion assigns a local user account to

Johnlsquos session and returns the web page

copy 2010 SAP AG All rights reserved Page 22

The issuer with the id

httpidpcom

confirms that the subject (user) with the

e-mail address

johnidpcom

has been successfully

authenticated at

931 am on Sept 30th 2010

using a

Kerberos Ticket

with Integrated Windows Authentication

It also confirms to the Service Provider

that subject is working in the

Sales

Department

An Example of a SAML Assertion

ltAssertion ID=59313c96

IssueInstant=2010-06-30T093106474Z

Version=20gt

ltIssuergthttpidpcomltIssuergt

ltSubjectgt

ltNameID Format=nameid-format

emailAddressgtjohnidpcomltNameIDgt

ltSubjectgt

ltAuthnStatement AuthnInstant=

2010-09-30T093107474Zgt

ltAuthnContextgt

ltAuthnContextClassRefgt

authenticationwindows

ltAuthnContextClassRefgt

ltAuthnContextgt

ltAuthnStatementgt

ltAttributeStatementgt

ltAttribute Name=Department

ltAttributeValue gtSales

ltAttributeValuegt

ltAttributegt

ltAttributeStatementgt

ltAssertiongt

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

copy 2010 SAP AG All rights reserved Page 24

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors


Page 8: SCI160-SAML2.0


Over to the Security Configuration Hands-On …

Exercises:

1. Enabling SAML 2.0 for the Service Provider (MeasurIt)
2. Setting up a trusted connection with the Identity Provider (BoilIt)
3. Configuring SSO so that BoilIt employees can access the MeasurIt portal without a separate logon
4. Configuring the MeasurIt portal so that BoilIt engineers and purchasers can see the Login button
5. Configuring on-the-fly account creation so that BoilIt engineers and purchasers can access the MeasurIt portal and place or approve purchase orders

Important information

BoilIt Portal URL: https://<fully qualified hostname>:50001/boilitportal/index.jsp
MeasurIt AS Java, SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa

Usernames/passwords (hands-on lab accounts)

Application        Username       Password
MeasurIt AS Java   administrator  abcd1234
BoilIt Portal      angie          abcd1234
BoilIt Portal      per            abcd1234
BoilIt Portal      bo             abcd1234


Agenda

1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix


Further Information

Recommended Books

Single Sign-on mit SAP (SAP PRESS, ~400 pages, ISBN 978-3-8362-1627-2)
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011

- Comprehensive guide on SSO and identity federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 certificates, OpenID and others
- Identity federation with SAP NetWeaver Identity Management: administration
- Interoperability with other platforms
- Many hands-on tutorials and code samples


Further Information

SAP Public Web

SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com

Expert Networking Sessions

SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)

Related Workshops/Lectures at SAP TechEd 2010

SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr hands-on (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr lecture (Intermediate)


Browser-based Web SSO with SAML, Part 1

[Diagram: Identity Provider (IdP), Service Provider (SP) and John's browser]

1. John invokes the URL of an access-protected Web Application with his browser (HTTP request).
2. The Web Application redirects the request to its trusted Security Token Issuer, the IdP (the redirect carries the SP's SAML AuthnRequest).
3. If John is not already logged on at the Security Token Issuer, he is asked to provide his credentials.

Browser-based Web SSO with SAML, Part 2

[Diagram: Identity Provider (IdP), Service Providers (SPs) and John's browser]

4. The Security Token Issuer returns a SAML Assertion for John in an HTML <form> element.
5. John's Web Browser (automatically) submits the <form> element containing the SAML Assertion.
6. The Web Browser sends the SAML Assertion with an HTTP POST request to the Web Application (the SAML HTTP-POST binding).
7. The Web Application validates the SAML Assertion, assigns a local user account to John's session and returns the web page. Validating means more than parsing: the SP verifies the XML signature against the certificate configured for the trusted issuer, checks the validity window (NotBefore/NotOnOrAfter), the audience and the recipient, matches InResponseTo to a request it actually sent, and rejects an assertion ID it has already accepted.
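The seven steps above, carried out as a message exchange. This is an added example, not code from the presentation or from SAP NetWeaver's SAML implementation: an SP-initiated flow using the HTTP-Redirect binding for the AuthnRequest (step 2) and the HTTP-POST binding for the Response (steps 4 to 6), with a simulated browser in between. The entity IDs, endpoint URLs and the sample Response are assumptions.

```python
"""SP-initiated browser SSO as on the two slides above (constructed example).

Step 2: the SP redirects John's browser to the IdP with an <AuthnRequest> in the
query string (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode).
Steps 4-6: the IdP answers with an auto-submitting HTML <form> whose SAMLResponse
field carries the base64 <Response> (HTTP-POST binding); the browser submits it
and the SP's assertion consumer service (ACS) decodes it.
"""
import base64
import html
import secrets
import zlib
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed entity IDs and endpoints for the MeasurIt SP and BoilIt IdP (not on the slides)
SP_ENTITY_ID = "https://measurit.example/sp"
SP_ACS_URL = "https://measurit.example/saml2/acs"
IDP_SSO_URL = "https://boilit.example/saml2/sso"


def new_request_id():
    # SAML IDs are xs:ID values and may not start with a digit, hence the underscore
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Minimal <AuthnRequest>. The SP stores request_id so it can later check that the
    assertion's InResponseTo names a request it really sent."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state):
    """Step 2, SP side: HTTP-Redirect binding. wbits=-15 means raw DEFLATE, no zlib header."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_binding(url):
    """Step 2, IdP side: recover the <AuthnRequest> and RelayState from the redirect URL."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params.get("RelayState", [None])[0]


def post_binding_form(response_xml, relay_state):
    """Step 4, IdP side: the HTML form the browser submits on load. Both values are
    HTML-escaped so nothing in them can break out of the attribute."""
    saml_response = base64.b64encode(response_xml.encode()).decode()
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(SP_ACS_URL)}">'
        f'<input type="hidden" name="SAMLResponse" value="{html.escape(saml_response)}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


class _HiddenInputs(HTMLParser):
    """Collects the hidden fields, i.e. what the browser would POST in step 5."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a["value"]


def browser_submit(form_html):
    """Step 5: the browser's automatic form submission, returned as POST fields."""
    parser = _HiddenInputs()
    parser.feed(form_html)
    return parser.fields


def decode_post_binding(form_fields):
    """Step 6, SP side: the ACS decodes the POSTed form; validation of the decoded
    <Response>/<Assertion> (signature, conditions, InResponseTo) comes next."""
    response_xml = base64.b64decode(form_fields["SAMLResponse"]).decode()
    return response_xml, form_fields.get("RelayState")


def safe_relay_state(relay_state):
    """RelayState comes back from the browser, so the SP should only honour a local
    path as the post-login target, never an absolute or protocol-relative URL."""
    return relay_state.startswith("/") and not relay_state.startswith("//")
```

Two things worth noting in the design: the SP keeps the AuthnRequest ID it generated so that step 7 can tie the returned assertion to it, and RelayState, which carries the page John originally asked for, is treated as untrusted input when the SP redirects him after login.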


An Example of a SAML Assertion

The issuer with the ID http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th 2010 using a Kerberos Ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales Department.

    <Assertion ID="59313c96"
               IssueInstant="2010-09-30T09:31:06.474Z"
               Version="2.0">
      <Issuer>http://idp.com</Issuer>
      <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@idp.com</NameID>
      </Subject>
      <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
        <AuthnContext>
          <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
      <AttributeStatement>
        <Attribute Name="Department">
          <AttributeValue>Sales</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>

The slide shows the assertion in abbreviated form. The authentication context value is shortened; the standard class reference for a Kerberos logon is urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos. An assertion an IdP actually issues for Web Browser SSO also carries a <Signature> over the <Assertion>, a <Conditions> element with NotBefore/NotOnOrAfter and an <AudienceRestriction> naming the SP, and a bearer <SubjectConfirmation> whose Recipient and InResponseTo bind it to the SP's endpoint and to the SP's request. These are what the Service Provider checks in step 7 before it trusts the statements above.
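Step 7 of the flow applied to the assertion above, as an added example that is neither the presentation's code nor SAP NetWeaver's SAML implementation: the checks an SP performs on a received assertion before it maps the subject to a local account. Verification of the XML signature over the <Assertion> is assumed to have been done by the SAML library first and is not shown; the block covers the checks that follow it. The sample assertion is constructed from the slide's, with the Conditions and bearer SubjectConfirmation elements a real IdP adds, a leading underscore on the ID (xs:ID values may not start with a digit) and the standard Kerberos authentication context class; the SP entity ID, ACS URL and the NameID-to-local-account table are assumptions.

```python
"""Step 7 spelled out: what an SP checks on an assertion like the one above before
it maps the subject to a local account (constructed example). XML-signature
verification over <Assertion> is assumed already done by the SAML library."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# SP-side trust configuration: the issuer is the slide's, the rest is assumed
TRUSTED_ISSUER = "http://idp.com"
SP_ENTITY_ID = "https://measurit.example/sp"
SP_ACS_URL = "https://measurit.example/saml2/acs"
CLOCK_SKEW = timedelta(minutes=2)
LOCAL_USERS = {"john@idp.com": "jdoe"}  # constructed federation table: NameID -> local account

# Constructed sample: the slide's assertion plus the Conditions and bearer
# SubjectConfirmation that the Web Browser SSO profile requires
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_59313c96" Version="2.0" IssueInstant="2010-09-30T09:31:06.474Z">
  <saml:Issuer>http://idp.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@idp.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://measurit.example/saml2/acs" InResponseTo="_req1" NotOnOrAfter="2010-09-30T09:36:06.474Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-09-30T09:31:06.474Z" NotOnOrAfter="2010-09-30T09:36:06.474Z">
    <saml:AudienceRestriction><saml:Audience>https://measurit.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="Department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    pass


def parse_instant(text):
    """SAML timestamps are xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, outstanding_request_id, seen_ids):
    """Return the federated identity or raise AssertionRejected. seen_ids is the SP's
    replay cache of accepted assertion IDs (keep each until its NotOnOrAfter)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise AssertionRejected("issuer is not the configured trusted IdP")
    if root.get("ID") in seen_ids:
        raise AssertionRejected("assertion replayed")

    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise AssertionRejected("no validity window")
    if cond.get("NotBefore") and now + CLOCK_SKEW < parse_instant(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_instant(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion is addressed to a different SP")

    # Bearer confirmation binds the assertion to this ACS endpoint and to the
    # AuthnRequest this SP really sent, so an assertion captured elsewhere is useless here
    scd = root.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/"
                    "saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise AssertionRejected("bearer confirmation missing or wrong Recipient")
    if scd.get("InResponseTo") != outstanding_request_id:
        raise AssertionRejected("InResponseTo does not match an outstanding request")
    if now - CLOCK_SKEW >= parse_instant(scd.get("NotOnOrAfter")):
        raise AssertionRejected("bearer confirmation expired")

    seen_ids.add(root.get("ID"))
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }


def map_to_local_user(identity):
    """The 'assigns a local user account' part of step 7: accept only the NameID format
    the federation was set up for, and refuse subjects with no local account."""
    if identity["name_id_format"] != EMAIL_FORMAT:
        raise AssertionRejected("unexpected NameID format")
    user = LOCAL_USERS.get(identity["name_id"])
    if user is None:
        raise AssertionRejected("no local account for this subject")
    return user
```

The order matters: nothing from the assertion is used for authorization until every check has passed, and the assertion ID is recorded only after acceptance, so a rejected assertion cannot poison the replay cache. The Department attribute comes out as a list because SAML attributes are multi-valued.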


Contact/Feedback

Please complete your session evaluation.

Be courteous: deposit your trash, and do not take the handouts for the following session.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2010 SAP AG. All Rights Reserved.

Page 9: SCI160-SAML2.0

9

copy 2010 SAP AG All rights reserved Page 17

Further Information

Recommended Books

Comprehensive Guide on SSO and

Identity Federation with SAP Kerberos

SAML 20 for Web browser and Web

services X509 Certificates OpenID and

others

Identity Federation with SAP NetWeaver

Identity Management Administration

Interoperability with other platforms

Many Hands-on tutorials amp code

samples

Single Sign-on mit SAP ~400 pages ISBN 978-3-8362-1627-2

httpwwwsap-pressdekatalogbuechertitelgptitelID-2409

English edition planned for March 2011

SAP PRESS

copy 2010 SAP AG All rights reserved Page 18

Further Information

SAP Public Web

SAP Developer Network (SDN) wwwsdnsapcom

Business Process Expert (BPX) Community wwwbpxsapcom

SAP BusinessObjects Community (BOC) bocsapcom

Expert Networking Sessions

SAML 20 Goes Live New Features in IDM 72 (POD54)

Related WorkshopsLectures at SAP TechEd 2010

SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services 1 hr lecture (Beginner)

SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)

SCI265 Managing Federated Identities for Service-Based Single Sign-On2 hr Hands-On (Intermediate)

SCI204 SAP NetWeaver Business Process Management and SSO Inextricably Intertwined 1 hr Lecture (Intermediate)

10

copy 2010 SAP AG All rights reserved Page 19

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

copy 2010 SAP AG All rights reserved Page 20

Browser-based Web SSO with SAML

Part 1

Identity Provider

(IdP)

Service

Provider (SP)

John

John

1 http

1 John invokes the URL of an access protected

Web Application with his browser

2 redirect

request

2 The Web Application redirects the request to its

trusted Security Token Issuer

3

3 If John is not already logged on at the Security

Token Issuer he will be asked to provide his

credentials

John

11

copy 2010 SAP AG All rights reserved Page 21

Browser-based Web SSO with SAML

Part 2

Identity Provider

(IdP)

Service

Provider (SPs)

John

John

5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element

5

6

POSTltformgt

6 The Web Browser sends the SAML Assertion

with a HTTP POST Request to the Web

Application

4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element

4

ltformgt

with A

ssert

ion

7 John

7 The Web Application validates the SAML

Assertion assigns a local user account to

Johnlsquos session and returns the web page

copy 2010 SAP AG All rights reserved Page 22

The issuer with the id

httpidpcom

confirms that the subject (user) with the

e-mail address

johnidpcom

has been successfully

authenticated at

931 am on Sept 30th 2010

using a

Kerberos Ticket

with Integrated Windows Authentication

It also confirms to the Service Provider

that subject is working in the

Sales

Department

An Example of a SAML Assertion

ltAssertion ID=59313c96

IssueInstant=2010-06-30T093106474Z

Version=20gt

ltIssuergthttpidpcomltIssuergt

ltSubjectgt

ltNameID Format=nameid-format

emailAddressgtjohnidpcomltNameIDgt

ltSubjectgt

ltAuthnStatement AuthnInstant=

2010-09-30T093107474Zgt

ltAuthnContextgt

ltAuthnContextClassRefgt

authenticationwindows

ltAuthnContextClassRefgt

ltAuthnContextgt

ltAuthnStatementgt

ltAttributeStatementgt

ltAttribute Name=Department

ltAttributeValue gtSales

ltAttributeValuegt

ltAttributegt

ltAttributeStatementgt

ltAssertiongt

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

copy 2010 SAP AG All rights reserved Page 24

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation

UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group

Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc

HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology

Java is a registered trademark of Sun Microsystems Inc

JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape

SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries

All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary

The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice

SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement

SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence

The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages

copy 2010 SAP AG All Rights Reserved

Page 10: SCI160-SAML2.0

10

copy 2010 SAP AG All rights reserved Page 19

Agenda

1 Single Sign-on and Identity Federation with SAML 20

2 Exercises

3 Further information

4 Appendix

copy 2010 SAP AG All rights reserved Page 20

Browser-based Web SSO with SAML

Part 1

Identity Provider

(IdP)

Service

Provider (SP)

John

John

1 http

1 John invokes the URL of an access protected

Web Application with his browser

2 redirect

request

2 The Web Application redirects the request to its

trusted Security Token Issuer

3

3 If John is not already logged on at the Security

Token Issuer he will be asked to provide his

credentials

John

11

copy 2010 SAP AG All rights reserved Page 21

Browser-based Web SSO with SAML

Part 2

Identity Provider

(IdP)

Service

Provider (SPs)

John

John

5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element

5

6

POSTltformgt

6 The Web Browser sends the SAML Assertion

with a HTTP POST Request to the Web

Application

4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element

4

ltformgt

with A

ssert

ion

7 John

7 The Web Application validates the SAML

Assertion assigns a local user account to

Johnlsquos session and returns the web page

copy 2010 SAP AG All rights reserved Page 22

The issuer with the id

httpidpcom

confirms that the subject (user) with the

e-mail address

johnidpcom

has been successfully

authenticated at

931 am on Sept 30th 2010

using a

Kerberos Ticket

with Integrated Windows Authentication

It also confirms to the Service Provider

that subject is working in the

Sales

Department

An Example of a SAML Assertion

ltAssertion ID=59313c96

IssueInstant=2010-06-30T093106474Z

Version=20gt

ltIssuergthttpidpcomltIssuergt

ltSubjectgt

ltNameID Format=nameid-format

emailAddressgtjohnidpcomltNameIDgt

ltSubjectgt

ltAuthnStatement AuthnInstant=

2010-09-30T093107474Zgt

ltAuthnContextgt

ltAuthnContextClassRefgt

authenticationwindows

ltAuthnContextClassRefgt

ltAuthnContextgt

ltAuthnStatementgt

ltAttributeStatementgt

ltAttribute Name=Department

ltAttributeValue gtSales

ltAttributeValuegt

ltAttributegt

ltAttributeStatementgt

ltAssertiongt

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

copy 2010 SAP AG All rights reserved Page 24

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation

UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group

Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc

HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology

Java is a registered trademark of Sun Microsystems Inc

JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape

SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries

All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary

The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice

SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement

SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence

The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages

copy 2010 SAP AG All Rights Reserved

Page 11: SCI160-SAML2.0

11

copy 2010 SAP AG All rights reserved Page 21

Browser-based Web SSO with SAML

Part 2

Identity Provider

(IdP)

Service

Provider (SPs)

John

John

5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element

5

6

POSTltformgt

6 The Web Browser sends the SAML Assertion

with a HTTP POST Request to the Web

Application

4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element

4

ltformgt

with A

ssert

ion

7 John

7 The Web Application validates the SAML

Assertion assigns a local user account to

Johnlsquos session and returns the web page

copy 2010 SAP AG All rights reserved Page 22

The issuer with the id

httpidpcom

confirms that the subject (user) with the

e-mail address

johnidpcom

has been successfully

authenticated at

931 am on Sept 30th 2010

using a

Kerberos Ticket

with Integrated Windows Authentication

It also confirms to the Service Provider

that subject is working in the

Sales

Department

An Example of a SAML Assertion

ltAssertion ID=59313c96

IssueInstant=2010-06-30T093106474Z

Version=20gt

ltIssuergthttpidpcomltIssuergt

ltSubjectgt

ltNameID Format=nameid-format

emailAddressgtjohnidpcomltNameIDgt

ltSubjectgt

ltAuthnStatement AuthnInstant=

2010-09-30T093107474Zgt

ltAuthnContextgt

ltAuthnContextClassRefgt

authenticationwindows

ltAuthnContextClassRefgt

ltAuthnContextgt

ltAuthnStatementgt

ltAttributeStatementgt

ltAttribute Name=Department

ltAttributeValue gtSales

ltAttributeValuegt

ltAttributegt

ltAttributeStatementgt

ltAssertiongt

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

copy 2010 SAP AG All rights reserved Page 24

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation

UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group

Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc

HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology

Java is a registered trademark of Sun Microsystems Inc

JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape

SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries

All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary

The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice

SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement

SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence

The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages

copy 2010 SAP AG All Rights Reserved

Page 12: SCI160-SAML2.0

12

ContactFeedback

Please complete your session evaluation

Be courteous mdash deposit your trash

and do not take the handouts for the following session

© 2010 SAP AG. All rights reserved. / Page 24
