SCI160-SAML2.0
SCI160
Exploring SAML 2.0
Angel Dichev, SAP Labs LLC
Peter McNulty, SAP Labs LLC
Dimitar Mihaylov, SAP Labs Bulgaria
Dong Pan, SAP Australia
Joseph Zeinoun, SAP Mentor
Stephan Zlatarev, SAP Labs Bulgaria
October 2010
© 2010 SAP AG. All rights reserved. Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Technical Challenges with User Provisioning
User provisioning on the Measurit e-shop system:
How will the Boilit employees be able to log in to Measurit?
How would Measurit know what permissions each Boilit user needs?
How would you link existing accounts in both portals?
[Figure: the Boilit portal and the Measurit (e-shop) portal]
Agenda
1. Single Sign-On and Identity Federation with SAML 2.0
2. Exercises
3. Further Information
4. Appendix
Brokered Authentication – A Core Security Pattern for Single Sign-On
[Figure: John, a central Security Token Issuer and the Applications, with the five steps below drawn as arrows]
1. John proves his identity to a central Security Token Issuer by presenting his credentials.
2. The issuer verifies the correctness and trustworthiness of the credentials and issues a security token with John's identity information.
3. John presents the security token to the application(s) he wants to single sign-on to.
4. The application verifies the security token.
5. The application associates an identity from its user store based on a unique value in the token.
Analogy of an Interoperable Cross-Domain Security Token in the Real World
[Figure: a citizen of Germany presents an ID card to the German Government and receives a passport; the US Government trusts the German Government, so its immigration officer accepts the passport]
Key Properties of SSO Technologies
Cross-Domain: Is it possible to use the SSO technology only within a security domain (i.e. the corporate intranet), or can it be used across different domains (e.g. to access a business partner system)?
Cross-Platform: Which platforms are supported by the SSO technology? Does it work in a heterogeneous system landscape? Is it based on industry standards?
Token Content Model: Does the security token only allow a fixed set of identity attributes, or can it be extended dynamically?
[Figure: Domain A and Domain B, each with its own Security Token Issuer and Application]
SSO Technologies Compared
SSO Technology       Cross-Domain   Cross-Platform   Token Content Model
SAP Logon Ticket     No             No               Fixed
Digital Certificate  Yes            Yes              Fixed
Kerberos             No             Yes              Fixed
SAML                 Yes            Yes              Extensible
Note on the SAP Logon Ticket: the issuer runs on SAP only; ticket validation is also possible with non-SAP applications.
The Security Assertion Markup Language (SAML) in a Nutshell
Industry standard for cross-vendor Web-based Single Sign-On and Single Log-Out, with wide adoption in the industry.
XML-based framework for security and identity information and for exchanging it across administrative and technical domain boundaries.
SAML profiles describe a variety of end use cases for the framework.
SAML Security Token: the Assertion
An Assertion contains a statement about a user's authentication that happened in the past, i.e. when and how the user authenticated at the Issuer; who the Issuer of the Assertion is; and additional information (aka attributes) about the user's identity, i.e. role information.
SAML 2.0 Terminology
Identity Provider (IdP): Authority responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. Synonyms: (Security Token) Issuer.
Service Provider (SP): Offers services/resources to users and has a trust relationship with an IdP to accept and trust (vouch for) information provided by the IdP on behalf of a user. Synonyms: (Web) Application, Relying Party.
Subject: A subject is the user who has been authenticated by the IdP. Synonyms: User, Principal.
[Figure: Identity Provider (IdP), Service Provider (SP) and Subject]
Identity Federation with SAML 2.0: Examples
[Figure: John is known at the Identity Provider (IdP) as john@idp.com (E-Mail: john@idp.com, Department: Sales) and at the Service Providers (SPs) as the local account johndoe with the role SalesEmployee]
Format: emailAddress, ID: john@idp.com
Format: transient | persistent, ID: <opaque string / pseudonym>
Attribute: Department=Sales
SAML 2.0 Configuration Using the SAP NetWeaver Administrator
SAML 2.0 configuration is necessary in multiple business scenarios involving security across organizational/departmental boundaries.
SAP NetWeaver Administrator is the tool available to administrators to technically configure the security aspects (like identity federation) of the scenarios.
[Figure: BoilIt Identity Provider (IdP): when the BoilIt employee clicks on the vendor (MeasurIt) portal link, he/she authenticates himself/herself as a trusted identity. MeasurIt Service Provider (SP): the MeasurIt portal should display screens based on the role of the employee in the customer (BoilIt) organization.]
MeasurIt is a supplier/vendor for BoilIt and hence provides access to a portal for BoilIt engineers to order equipment.
BoilIt engineers log in to the MeasurIt portal to order items.
BoilIt purchasers log in to the MeasurIt portal to approve purchase requests made by the engineers.
The scenario requires communication between BoilIt and MeasurIt using SAML 2.0 tokens.
Purchase Order Creation/Approval Scenario …
… enabled by SAP NetWeaver Administrator 7.30 security configuration
Enable SAML 2.0 for MeasurIt.
Set up a trusted connection between BoilIt (IdP) and MeasurIt (SP).
Configure the MeasurIt AS Java so that all BoilIt employees can access the MeasurIt portal without a separate logon.
Configure so that BoilIt engineers and purchasers can view the Login button.
Configure so that BoilIt engineers and purchasers can create an account on the fly.
[Figure: swimlanes for Angie Neer (BoilIt Engineer), Per Chaser (BoilIt Purchaser) and the MeasurIt Administrator. Angie logs on to the BoilIt Portal, navigates to the MeasurIt Portal, creates an account on the fly the first time (subsequent times the account created the first time is used automatically) and orders an item. Per logs on to the BoilIt Portal, navigates to the MeasurIt Portal, logs in with a preset account and approves Angie's request. The MeasurIt Administrator logs on to the NWA of the MeasurIt AS Java and does the SAML 2.0 configuration in NWA.]
Over to the Security Configuration Hands-On …
Enabling SAML 2.0 for the Service Provider MeasurIt
Setting up a trusted connection with the Identity Provider BoilIt
Configuring so that BoilIt employees can access the MeasurIt portal without a separate logon
Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt portal
Configuring so that BoilIt engineers and purchasers can create an account on the fly in order to access the MeasurIt portal and place purchase orders/approve purchase orders
Important information
BoilIt Portal URL: https://<fully qualified hostname>:50001/boilitportal/index.jsp
MeasurIt AS Java SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa
Usernames/passwords:
Application         Username        Password
MeasurIt AS Java    administrator   abcd1234
BoilIt Portal       angie           abcd1234
BoilIt Portal       per             abcd1234
BoilIt Portal       bo              abcd1234
Further Information
Recommended Books
Comprehensive guide on SSO and identity federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 certificates, OpenID and others
Identity federation with SAP NetWeaver Identity Management, administration, interoperability with other platforms
Many hands-on tutorials & code samples
Single Sign-on mit SAP, ~400 pages, ISBN 978-3-8362-1627-2
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011
SAP PRESS
Further Information
SAP Public Web
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com
Expert Networking Sessions
SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)
Related Workshops/Lectures at SAP TechEd 2010
SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr hands-on (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr lecture (Intermediate)
Browser-based Web SSO with SAML, Part 1
[Figure: John's browser, the Service Provider (SP) and the Identity Provider (IdP), with steps 1 to 3 drawn as arrows (HTTP request, redirect, credentials)]
1. John invokes the URL of an access-protected Web Application with his browser.
2. The Web Application redirects the request to its trusted Security Token Issuer.
3. If John is not already logged on at the Security Token Issuer, he will be asked to provide his credentials.
Browser-based Web SSO with SAML, Part 2
[Figure: John's browser, the Service Providers (SPs) and the Identity Provider (IdP), with steps 4 to 7 drawn as arrows (<form> with Assertion, POST <form>)]
4. The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element.
5. John's Web Browser (automatically) submits the SAML Assertion in the <form> element.
6. The Web Browser sends the SAML Assertion with an HTTP POST request to the Web Application.
7. The Web Application validates the SAML Assertion, assigns a local user account to John's session and returns the web page.
An Example of a SAML Assertion
The issuer with the ID http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th, 2010 using a Kerberos ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales department.

    <Assertion ID="59313c96" IssueInstant="2010-06-30T09:31:06.474Z" Version="2.0">
      <Issuer>http://idp.com</Issuer>
      <Subject>
        <NameID Format="nameid-format:emailAddress">john@idp.com</NameID>
      </Subject>
      <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
        <AuthnContext>
          <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
      <AttributeStatement>
        <Attribute Name="Department">
          <AttributeValue>Sales</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
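Steps 4 to 7 of the browser-based Web SSO flow above, together with steps 4 and 5 of the brokered-authentication pattern and the identity-federation examples (emailAddress versus persistent pseudonym), carried through in Python as an added example; this is not code from the SAP deck or from SAP NetWeaver. The assertion is a constructed copy of the slide's example with the SAML 2.0 namespace added and the standard Kerberos AuthnContext class substituted for the slide's value; the trusted-issuer list, federation link table, department-to-role map, acceptance window, replay cache and ACS URL are all assumptions. XML signature verification, which a real Service Provider performs before any of these checks, is not shown.

```python
import base64
import datetime as dt
import html
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Namespace, NameID format and AuthnContext class URIs from the SAML 2.0/1.1 specifications.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AC_KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"

# Constructed sample modelled on the slide's assertion; the namespace, the ID and the
# Kerberos AuthnContext class are assumptions, not values taken from the deck.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" ID="_constructed-59313c96"
    IssueInstant="2010-09-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject><NameID Format="{FMT_EMAIL}">john@idp.com</NameID></Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext><AuthnContextClassRef>{AC_KERBEROS}</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department"><AttributeValue>Sales</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Hypothetical SP-side configuration: how the "unique value in the token" resolves to a local account.
TRUSTED_ISSUERS = {"http://idp.com"}
LOCAL_USER_BY_EMAIL = {"john@idp.com": "johndoe"}                                  # emailAddress federation
FEDERATION_LINKS = {("http://idp.com", "pseudonym-constructed-8f2a"): "johndoe"}  # persistent pseudonym link
ROLE_BY_DEPARTMENT = {"Sales": "SalesEmployee"}
MAX_AGE = dt.timedelta(minutes=5)      # oldest IssueInstant the SP still accepts (assumption)
CLOCK_SKEW = dt.timedelta(seconds=30)  # tolerated IdP/SP clock difference (assumption)


def parse_utc(stamp: str) -> dt.datetime:
    """Parse a SAML xs:dateTime such as 2010-09-30T09:31:07.474Z into an aware UTC datetime."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


def build_post_form(assertion_xml: str, acs_url: str) -> str:
    """Step 4 (IdP): hand the token to the browser inside an auto-submitting <form>.
    A production IdP wraps the assertion in a signed <Response>; that wrapper is omitted here."""
    token = base64.b64encode(assertion_xml.encode()).decode()
    return (f'<form method="post" action="{html.escape(acs_url)}">'
            f'<input type="hidden" name="SAMLResponse" value="{token}"/>'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')


def browser_submit(form_html: str) -> str:
    """Steps 5-6 (browser): the form-encoded body the browser POSTs to the Web Application."""
    token = re.search(r'name="SAMLResponse" value="([^"]+)"', form_html).group(1)
    return urllib.parse.urlencode({"SAMLResponse": token})


def validate_assertion(post_body: str, now: dt.datetime, seen_ids: set) -> dict:
    """Step 7 (SP): validate the assertion and map its subject to a local account.
    Signature verification (XML-DSig) must run before these checks; it is not shown."""
    fields = urllib.parse.parse_qs(post_body)
    try:
        root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    except (KeyError, ValueError, ET.ParseError) as exc:
        return {"ok": False, "reason": f"malformed SAMLResponse: {exc}"}
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return {"ok": False, "reason": "not a SAML 2.0 assertion"}
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:                       # brokered authentication, step 4
        return {"ok": False, "reason": f"untrusted issuer {issuer!r}"}
    issued = parse_utc(root.get("IssueInstant"))
    if not (now - MAX_AGE <= issued <= now + CLOCK_SKEW):   # stale or future-dated token
        return {"ok": False, "reason": "assertion outside acceptance window"}
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:                            # same token presented twice
        return {"ok": False, "reason": f"replayed assertion {assertion_id!r}"}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return {"ok": False, "reason": "no NameID in Subject"}
    fmt, value = name_id.get("Format"), (name_id.text or "").strip()
    if fmt == FMT_EMAIL:                                    # brokered authentication, step 5
        user = LOCAL_USER_BY_EMAIL.get(value)
    elif fmt == FMT_PERSISTENT:
        user = FEDERATION_LINKS.get((issuer, value))
    else:
        return {"ok": False, "reason": f"unsupported NameID format {fmt!r}"}
    if user is None:
        return {"ok": False, "reason": "no local account federated with this subject"}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    roles = sorted({ROLE_BY_DEPARTMENT[d] for d in attrs.get("Department", []) if d in ROLE_BY_DEPARTMENT})
    authn = root.find("saml:AuthnStatement", NS)
    seen_ids.add(assertion_id)
    return {"ok": True, "user": user, "roles": roles, "attributes": attrs,
            "authn_instant": authn.get("AuthnInstant") if authn is not None else None}


def sso_round_trip(now: dt.datetime, assertion_xml: str = SAMPLE_ASSERTION) -> dict:
    """Steps 4 to 7 end to end for one assertion, with a fresh replay cache."""
    form = build_post_form(assertion_xml, "https://sp.example/saml2/acs")  # hypothetical ACS URL
    return validate_assertion(browser_submit(form), now, set())


if __name__ == "__main__":
    print(sso_round_trip(parse_utc("2010-09-30T09:31:30.000Z")))
```

The acceptance window and the replay cache are what make step 7 safe against a captured form being resubmitted later: an assertion is accepted only once, and only while its IssueInstant is recent. The two NameID branches show the federation choice from the examples slide: with emailAddress the token carries the user's real identifier and the SP looks it up directly, while with a persistent pseudonym the SP can only resolve the subject through a link it stored when the account was first federated.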
Contact/Feedback
Please complete your session evaluation.
Be courteous — deposit your trash, and do not take the handouts for the following session.
2
copy 2010 SAP AG All rights reserved Page 3
Technical Challenges with User Provisioning
User provisioning on the Measurit e-shop system
How will the Boilit employees be able to login to Measurit
How would Measurit know what permissions each Boilit user needs
How would you link existing accounts in both portals
Measurit
(e-shop)
Boilit
copy 2010 SAP AG All rights reserved Page 4
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
3
copy 2010 SAP AG All rights reserved Page 5
Brokered Authentication ndash
A Core Security Pattern for Single Sign-On
Security Token
Issuer
Applications
John
1
1 John proves his identity to a central Security
Token Issuer by presenting his credentials
John
John
2 The issuer verifies the correctness and
trustworthiness of the credentials and issues a
security token with Johnlsquos identity information
2
3
3 John presents the security token to the
application(s) he wants to Single Sign-On
4
4 The Application verifies the security token
John5
5 The Application associates an identity from its
user store based on a unique value in the token
copy 2010 SAP AG All rights reserved Page 6
Analogy of an Interoperable Cross-Domain
Security Token in the Real World
Citizen of
Germany
German Government
Passport
US Government
TRUST
ID Card Passport
Immigration
Officer
4
copy 2010 SAP AG All rights reserved Page 7
Key Properties of SSO Technologies
Cross-Domain
Is it possible to use the SSO technology only
within a security domain (ie the corporate
Intranet) or can it be used across different
domains (eg to access a business partner
system)
Cross-Platform
Which platforms are supported by the SSO
technology Does it work in a heterogeneous
system landscape Is it based on industry
standards
Token Content Model
Does the security token only allow a fixed set of
identity attributes or can it be extended
dynamically
Domain A
Domain B
Security
Token Issuer
Application
Security
Token Issuer
Application
copy 2010 SAP AG All rights reserved Page 8
SSO Technologies Compared
SSO Technology Cross-Domain Cross-PlatformToken Content
Model
SAP Logon Ticket No No Fixed
Digital Certificate Yes Yes Fixed
Kerberos No Yes Fixed
SAML Yes Yes Extensible
Issuer running on SAP only ticket validation also possible with non-SAP applications
5
copy 2010 SAP AG All rights reserved Page 9
The Security Assertion Markup Language
(SAML) in a Nutshell
Industry standard for cross-vendor Web-based Single
Sign-On and Single Log-Out with wide adoption in the
industry
XML-based framework for security and identity
information and exchanging it across administrative
and technical domain boundaries
SAML profiles describe a variety of end use cases for
framework
SAML Security Token Assertion
contains a statement about a userlsquos authentication that happened in the
past ie when and how the user authenticated at the Issuer
who is the Issuer of the Assertion
additional information (aka attributes) about the userrsquos identity
ie role information
copy 2010 SAP AG All rights reserved Page 10
SAML 20 Terminology
Identity Provider (IdP)Authority responsible for authenticating an end user and asserting
an identity for that user in a trusted fashion to trusted partners
Synonyms (Security Token) Issuer
Service Provider (SP)Offers servicesresources to users and has a trust relationship
with an IdP to accept and trust vouch-for information provided by
the IdP on behalf of a user
Synonyms (Web) Application Relying Party
SubjectA subject is the user who has been authenticated by the IdP
Synonyms User Principal
Identity Provider
(IdP)
Service
Provider
(SP)
Subject
6
copy 2010 SAP AG All rights reserved Page 11
Identity Federation with SAML 20
Examples
John
Identity Provider
(IdP)
johnidpcom
E-Mail johnidpcom
Department Sales
johndoe
SalesEmployee
Service
Provider (SPs)
Format emailAddress
ID johnidpcom
Format transient|persistent
ID ltopaque string pseudonymgt
Attribute Department=Sales
copy 2010 SAP AG All rights reserved Page 12
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
7
copy 2010 SAP AG All rights reserved Page 13
SAML 20 Configuration Using the
SAP NetWeaver Administrator
SAML 20 configuration necessary in multiple business scenarios involving security
across organizationaldepartmental boundaries
SAP NetWeaver Administrator is the tool available with administrators to technically
configure the security aspects (like identity federation) of the scenarios
BOILIT
IDENTITY
PROVIDER (IDP)
When the BoiliIt
employee clicks
on the vendor
(MeasurIt) portal
link heshe
authenticates
himherself as a
trusted identity
Measurit
SERVICE
PROVIDER (SP)
The MeasurIt portal
should display
screens based on
the role of the
employee in the
customer (BoilIt)
organization
MeasurIt is a suppliervendor for BoilIt and hence
provides access to a portal for BoilIt engineers to
order equipment
BoilIt engineers log in to MeasurIt portal to order items
BoilIt purchasers log in to MeasurIt portal to approve
purchase requests made by the engineers
Scenario requires communication between BoilIt and MeasurIt using SAML 20 tokens
copy 2010 SAP AG All rights reserved Page 14
Purchase Order CreationApproval Scenario hellip
hellip enabled by SAP NetWeaver Administrator 730 security configuration
Enable SAML 20 for MeasurIt
Setup trusted connection between BoilIt
(IDP) and MeasuIt (SP)
Configure MeasurIt AS Java so all BoilIt
employees can access MeasurIt portal
without separate logon
Configure so that BoilIt engineers and
purchasers can view Login button
Configuring so that BoilIt engineers
purchasers can create an account on the fly
Angie Neer
BoilIt Engineer
Per Chaser
BoilIt Purchaser
MeasurIt
Administrator
Logs on to
BoilIt Portal
Navigates to
MeasurIt Portal
Create account
on the fly
Automatically uses
account created
the first time
Order an item
Order an item
Logs on to
BoilIt Portal
Navigates to
MeasurIt Portal
Logs in with a
preset account
Approves Angiersquos
request
Logs on to NWA of
MeasurIt AS Java
Do SAML 20
configuration in NWA
first time
Subsequent times
8
copy 2010 SAP AG All rights reserved Page 15
Over to the Security Configuration Hands On hellip
Enabling SAML 20 for the Service Provider MeasurIt
Setting up a trusted connection with the Identity Provider BoilIt
Configuring so that BoilIt employees can access MeasurIt portal without separate Logon
Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt
portal
Configuring so that BoilIt engineers and purchasers can create an account on the fly in order
to access MeasurIt portal and place purchase ordersapprove purchase orders
Important information
BoilIt Portal URL httpsltfully qualified hostnamegt50001boilitportalindexjsp
MeasurIt AS Java SAP NetWeaver Administrator httpltfully qualified hostnamegt50000nwa
Usernamespasswords
Application Username Password
MeasurIt AS Java administrator abcd1234
BoilIt Portal angie abcd1234
BoilIt Portal per abcd1234
BoilIt Portal bo abcd1234
copy 2010 SAP AG All rights reserved Page 16
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
9
copy 2010 SAP AG All rights reserved Page 17
Further Information
Recommended Books
Comprehensive Guide on SSO and
Identity Federation with SAP Kerberos
SAML 20 for Web browser and Web
services X509 Certificates OpenID and
others
Identity Federation with SAP NetWeaver
Identity Management Administration
Interoperability with other platforms
Many Hands-on tutorials amp code
samples
Single Sign-on mit SAP ~400 pages ISBN 978-3-8362-1627-2
httpwwwsap-pressdekatalogbuechertitelgptitelID-2409
English edition planned for March 2011
SAP PRESS
copy 2010 SAP AG All rights reserved Page 18
Further Information
SAP Public Web
SAP Developer Network (SDN) wwwsdnsapcom
Business Process Expert (BPX) Community wwwbpxsapcom
SAP BusinessObjects Community (BOC) bocsapcom
Expert Networking Sessions
SAML 20 Goes Live New Features in IDM 72 (POD54)
Related WorkshopsLectures at SAP TechEd 2010
SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On2 hr Hands-On (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO Inextricably Intertwined 1 hr Lecture (Intermediate)
10
copy 2010 SAP AG All rights reserved Page 19
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
copy 2010 SAP AG All rights reserved Page 20
Browser-based Web SSO with SAML
Part 1
Identity Provider
(IdP)
Service
Provider (SP)
John
John
1 http
1 John invokes the URL of an access protected
Web Application with his browser
2 redirect
request
2 The Web Application redirects the request to its
trusted Security Token Issuer
3
3 If John is not already logged on at the Security
Token Issuer he will be asked to provide his
credentials
John
11
copy 2010 SAP AG All rights reserved Page 21
Browser-based Web SSO with SAML
Part 2
Identity Provider
(IdP)
Service
Provider (SPs)
John
John
5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element
5
6
POSTltformgt
6 The Web Browser sends the SAML Assertion
with a HTTP POST Request to the Web
Application
4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element
4
ltformgt
with A
ssert
ion
7 John
7 The Web Application validates the SAML
Assertion assigns a local user account to
Johnlsquos session and returns the web page
copy 2010 SAP AG All rights reserved Page 22
The issuer with the id
httpidpcom
confirms that the subject (user) with the
e-mail address
johnidpcom
has been successfully
authenticated at
931 am on Sept 30th 2010
using a
Kerberos Ticket
with Integrated Windows Authentication
It also confirms to the Service Provider
that subject is working in the
Sales
Department
An Example of a SAML Assertion
ltAssertion ID=59313c96
IssueInstant=2010-06-30T093106474Z
Version=20gt
ltIssuergthttpidpcomltIssuergt
ltSubjectgt
ltNameID Format=nameid-format
emailAddressgtjohnidpcomltNameIDgt
ltSubjectgt
ltAuthnStatement AuthnInstant=
2010-09-30T093107474Zgt
ltAuthnContextgt
ltAuthnContextClassRefgt
authenticationwindows
ltAuthnContextClassRefgt
ltAuthnContextgt
ltAuthnStatementgt
ltAttributeStatementgt
ltAttribute Name=Department
ltAttributeValue gtSales
ltAttributeValuegt
ltAttributegt
ltAttributeStatementgt
ltAssertiongt
12
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
copy 2010 SAP AG All rights reserved Page 24
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
3
copy 2010 SAP AG All rights reserved Page 5
Brokered Authentication ndash
A Core Security Pattern for Single Sign-On
Security Token
Issuer
Applications
John
1
1 John proves his identity to a central Security
Token Issuer by presenting his credentials
John
John
2 The issuer verifies the correctness and
trustworthiness of the credentials and issues a
security token with Johnlsquos identity information
2
3
3 John presents the security token to the
application(s) he wants to Single Sign-On
4
4 The Application verifies the security token
John5
5 The Application associates an identity from its
user store based on a unique value in the token
© 2010 SAP AG. All rights reserved. Page 6
Analogy of an Interoperable Cross-Domain Security Token in the Real World
[Diagram, reconstructed from its labels: a Citizen of Germany obtains an ID Card / Passport from the German Government; the US Government has a TRUST relationship with the German Government, so a US Immigration Officer accepts the Passport]
© 2010 SAP AG. All rights reserved. Page 7
Key Properties of SSO Technologies
Cross-Domain: Is it possible to use the SSO technology only within a security domain (i.e. the corporate Intranet), or can it be used across different domains (e.g. to access a business partner system)?
Cross-Platform: Which platforms are supported by the SSO technology? Does it work in a heterogeneous system landscape? Is it based on industry standards?
Token Content Model: Does the security token only allow a fixed set of identity attributes, or can it be extended dynamically?
[Diagram: Domain A and Domain B, each with its own Security Token Issuer and Application]
© 2010 SAP AG. All rights reserved. Page 8
SSO Technologies Compared

SSO Technology       Cross-Domain   Cross-Platform   Token Content Model
SAP Logon Ticket     No             No (see note)    Fixed
Digital Certificate  Yes            Yes              Fixed
Kerberos             No             Yes              Fixed
SAML                 Yes            Yes              Extensible

Note on SAP Logon Ticket: the issuer runs on SAP only; ticket validation is also possible with non-SAP applications.
© 2010 SAP AG. All rights reserved. Page 9
The Security Assertion Markup Language (SAML) in a Nutshell
- Industry standard for cross-vendor Web-based Single Sign-On and Single Log-Out, with wide adoption in the industry
- XML-based framework for security and identity information and for exchanging it across administrative and technical domain boundaries
- SAML profiles describe a variety of end use cases for the framework
SAML Security Token: the Assertion
- contains a statement about a user's authentication that happened in the past, i.e. when and how the user authenticated at the Issuer
- states who the Issuer of the Assertion is
- carries additional information (aka attributes) about the user's identity, i.e. role information
© 2010 SAP AG. All rights reserved. Page 10
SAML 2.0 Terminology
Identity Provider (IdP): Authority responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. Synonyms: (Security Token) Issuer
Service Provider (SP): Offers services/resources to users and has a trust relationship with an IdP to accept and trust vouch-for information provided by the IdP on behalf of a user. Synonyms: (Web) Application, Relying Party
Subject: A subject is the user who has been authenticated by the IdP. Synonyms: User, Principal
[Diagram: Identity Provider (IdP), Service Provider (SP) and Subject]
© 2010 SAP AG. All rights reserved. Page 11
Identity Federation with SAML 2.0: Examples
[Diagram, reconstructed from its labels: at the Identity Provider (IdP), John is known as john@idp.com (E-Mail: john@idp.com, Department: Sales); the Service Providers (SPs) hold the local accounts johndoe and SalesEmployee. The arrows from the IdP to the SPs are labelled:]
- Format: emailAddress, ID: john@idp.com
- Format: transient | persistent, ID: <opaque string pseudonym>
- Attribute: Department=Sales
© 2010 SAP AG. All rights reserved. Page 12
Agenda
1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix
© 2010 SAP AG. All rights reserved. Page 13
SAML 2.0 Configuration Using the SAP NetWeaver Administrator
SAML 2.0 configuration is necessary in multiple business scenarios involving security across organizational/departmental boundaries.
SAP NetWeaver Administrator is the tool available to administrators to technically configure the security aspects (like identity federation) of these scenarios.
BoilIt, Identity Provider (IdP): When the BoilIt employee clicks on the vendor (MeasurIt) portal link, he/she authenticates him/herself as a trusted identity.
MeasurIt, Service Provider (SP): The MeasurIt portal should display screens based on the role of the employee in the customer (BoilIt) organization.
MeasurIt is a supplier/vendor for BoilIt and hence provides access to a portal for BoilIt engineers to order equipment.
- BoilIt engineers log in to the MeasurIt portal to order items.
- BoilIt purchasers log in to the MeasurIt portal to approve purchase requests made by the engineers.
The scenario requires communication between BoilIt and MeasurIt using SAML 2.0 tokens.
© 2010 SAP AG. All rights reserved. Page 14
Purchase Order Creation/Approval Scenario …
… enabled by SAP NetWeaver Administrator 7.30 security configuration
- Enable SAML 2.0 for MeasurIt
- Set up a trusted connection between BoilIt (IdP) and MeasurIt (SP)
- Configure MeasurIt AS Java so all BoilIt employees can access the MeasurIt portal without a separate logon
- Configure so that BoilIt engineers and purchasers can view the Login button
- Configure so that BoilIt engineers and purchasers can create an account on the fly
[Swimlane diagram, reconstructed from its labels:]
Angie Neer (BoilIt Engineer): logs on to the BoilIt Portal; navigates to the MeasurIt Portal; the first time, creates an account on the fly; subsequent times, automatically uses the account created the first time; orders an item.
Per Chaser (BoilIt Purchaser): logs on to the BoilIt Portal; navigates to the MeasurIt Portal; logs in with a preset account; approves Angie's request.
MeasurIt Administrator: logs on to the NWA of MeasurIt AS Java; does the SAML 2.0 configuration in NWA.
© 2010 SAP AG. All rights reserved. Page 15
Over to the Security Configuration Hands-On …
- Enabling SAML 2.0 for the Service Provider MeasurIt
- Setting up a trusted connection with the Identity Provider BoilIt
- Configuring so that BoilIt employees can access the MeasurIt portal without a separate logon
- Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt portal
- Configuring so that BoilIt engineers and purchasers can create an account on the fly in order to access the MeasurIt portal and place purchase orders / approve purchase orders
Important information
BoilIt Portal URL: https://<fully qualified hostname>:50001/boilitportal/index.jsp
MeasurIt AS Java SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa
Usernames/passwords:

Application         Username        Password
MeasurIt AS Java    administrator   abcd1234
BoilIt Portal       angie           abcd1234
BoilIt Portal       per             abcd1234
BoilIt Portal       bo              abcd1234
© 2010 SAP AG. All rights reserved. Page 16
Agenda
1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix
© 2010 SAP AG. All rights reserved. Page 17
Further Information
Recommended Books
- Comprehensive guide on SSO and Identity Federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 Certificates, OpenID and others
- Identity Federation with SAP NetWeaver Identity Management, Administration
- Interoperability with other platforms
- Many hands-on tutorials & code samples
Single Sign-on mit SAP, ~400 pages, ISBN 978-3-8362-1627-2
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011
SAP PRESS
© 2010 SAP AG. All rights reserved. Page 18
Further Information
SAP Public Web
- SAP Developer Network (SDN): www.sdn.sap.com
- Business Process Expert (BPX) Community: www.bpx.sap.com
- SAP BusinessObjects Community (BOC): boc.sap.com
Expert Networking Sessions
- SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)
Related Workshops/Lectures at SAP TechEd 2010
- SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
- SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
- SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr Hands-On (Intermediate)
- SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr Lecture (Intermediate)
© 2010 SAP AG. All rights reserved. Page 19
Agenda
1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix
© 2010 SAP AG. All rights reserved. Page 20
Browser-based Web SSO with SAML, Part 1
[Diagram: John's browser, the Service Provider (SP) and the Identity Provider (IdP)]
1. (http) John invokes the URL of an access-protected Web Application with his browser.
2. (redirect request) The Web Application redirects the request to its trusted Security Token Issuer.
3. If John is not already logged on at the Security Token Issuer, he will be asked to provide his credentials.
© 2010 SAP AG. All rights reserved. Page 21
Browser-based Web SSO with SAML, Part 2
[Diagram: John's browser, the Service Providers (SPs) and the Identity Provider (IdP)]
4. (<form> with Assertion) The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element.
5. John's Web Browser (automatically) submits the SAML Assertion in the <form> element.
6. (POST <form>) The Web Browser sends the SAML Assertion with an HTTP POST request to the Web Application.
7. The Web Application validates the SAML Assertion, assigns a local user account to John's session and returns the web page.
copy 2010 SAP AG All rights reserved Page 22
The issuer with the id
httpidpcom
confirms that the subject (user) with the
e-mail address
johnidpcom
has been successfully
authenticated at
931 am on Sept 30th 2010
using a
Kerberos Ticket
with Integrated Windows Authentication
It also confirms to the Service Provider
that subject is working in the
Sales
Department
An Example of a SAML Assertion
ltAssertion ID=59313c96
IssueInstant=2010-06-30T093106474Z
Version=20gt
ltIssuergthttpidpcomltIssuergt
ltSubjectgt
ltNameID Format=nameid-format
emailAddressgtjohnidpcomltNameIDgt
ltSubjectgt
ltAuthnStatement AuthnInstant=
2010-09-30T093107474Zgt
ltAuthnContextgt
ltAuthnContextClassRefgt
authenticationwindows
ltAuthnContextClassRefgt
ltAuthnContextgt
ltAuthnStatementgt
ltAttributeStatementgt
ltAttribute Name=Department
ltAttributeValue gtSales
ltAttributeValuegt
ltAttributegt
ltAttributeStatementgt
ltAssertiongt
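The Service Provider side of the flow above (steps 4, 5 and 7 of the browser-based SSO, the federation examples on page 11 and this assertion), worked as an added Python example that is not part of the SAP deck or product: it parses the sample assertion, applies the issuer, version and freshness checks, and then maps the NameID to a local account according to its format, creating an account on the fly for persistent pseudonyms and deriving the local role from the Department attribute. The trusted-issuer set, the in-memory user store and the Department-to-role mapping are constructed for the example; XML signature verification is assumed to have succeeded beforehand and is not implemented here.

```python
"""Added example (not SAP code): SP-side parsing, checking and federation of a SAML 2.0 assertion.
Constructed: trusted issuers, user store, Department -> role map. XML signature check assumed done."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# The slide's assertion, reproduced as constructed input (IssueInstant normalised to the
# AuthnInstant date; the slide printed June there).
SAMPLE_ASSERTION = """<Assertion ID="59313c96" IssueInstant="2010-09-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@idp.com</NameID>
  </Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department"><AttributeValue>Sales</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

TRUSTED_ISSUERS = {"http://idp.com"}             # constructed: IdPs this SP trusts
ROLE_BY_DEPARTMENT = {"Sales": "SalesEmployee"}  # constructed: attribute -> local role
MAX_AUTHN_AGE = timedelta(minutes=5)             # how old the IdP authentication may be
CLOCK_SKEW = timedelta(seconds=30)

def _local(tag):
    """Local element name, so a saml2-namespaced assertion parses the same way."""
    return tag.rsplit("}", 1)[-1]

def _first(root, name):
    return next((e for e in root.iter() if _local(e.tag) == name), None)

@dataclass
class Assertion:
    issuer: str
    version: str
    name_id: str
    name_id_format: str
    authn_instant: datetime
    authn_context: str
    attributes: dict

def parse_assertion(xml_text):
    """Extract the fields the Service Provider needs from the assertion XML."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Assertion":
        raise ValueError("root element is not an Assertion")
    name_id, authn = _first(root, "NameID"), _first(root, "AuthnStatement")
    attributes = {}
    for attr in root.iter():
        if _local(attr.tag) == "Attribute":
            attributes[attr.get("Name")] = [(v.text or "").strip()
                                            for v in attr if _local(v.tag) == "AttributeValue"]
    instant = datetime.strptime(authn.get("AuthnInstant"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return Assertion(issuer=(_first(root, "Issuer").text or "").strip(),
                     version=root.get("Version", ""),
                     name_id=(name_id.text or "").strip(),
                     name_id_format=name_id.get("Format", ""),
                     authn_instant=instant.replace(tzinfo=timezone.utc),
                     authn_context=(_first(authn, "AuthnContextClassRef").text or "").strip(),
                     attributes=attributes)

def validation_errors(a, now, trusted_issuers=TRUSTED_ISSUERS):
    """Step 4 of the pattern: what the SP checks before it trusts the token."""
    errors = []
    if a.version != "2.0":
        errors.append(f"unsupported SAML version {a.version!r}")
    if a.issuer not in trusted_issuers:
        errors.append(f"issuer {a.issuer!r} is not a trusted IdP")
    if a.authn_instant > now + CLOCK_SKEW:
        errors.append("AuthnInstant lies in the future")
    elif now - a.authn_instant > MAX_AUTHN_AGE:
        errors.append("authentication at the IdP is too old")
    return errors

@dataclass
class UserStore:
    """Constructed SP user store: local accounts keyed by e-mail or by pseudonym."""
    by_email: dict = field(default_factory=dict)      # e-mail -> local user
    by_pseudonym: dict = field(default_factory=dict)  # (issuer, persistent id) -> user

def federate(a, store, create_on_the_fly=True):
    """Step 5: pick the local identity by NameID format; returns (user, role)."""
    fmt = a.name_id_format.rsplit(":", 1)[-1]
    if fmt == "emailAddress":
        user = store.by_email.get(a.name_id)                # link by e-mail, no auto-create
    elif fmt == "persistent":
        key = (a.issuer, a.name_id)
        user = store.by_pseudonym.get(key)
        if user is None and create_on_the_fly:
            user = f"fed-{len(store.by_pseudonym) + 1}"     # account created on the fly
            store.by_pseudonym[key] = user                  # reused on subsequent logons
    elif fmt == "transient":
        user = f"transient-{a.name_id}"                     # one-time pseudonym, never stored
    else:
        raise LookupError(f"unsupported NameID format {a.name_id_format!r}")
    if user is None:
        raise LookupError(f"no local account linked to {a.name_id!r}")
    department = a.attributes.get("Department", [None])[0]
    return user, ROLE_BY_DEPARTMENT.get(department)
```

Running `federate(parse_assertion(SAMPLE_ASSERTION), UserStore(by_email={"john@idp.com": "johndoe"}))` yields `('johndoe', 'SalesEmployee')`, the page-11 mapping of john@idp.com to the local account johndoe with a role derived from Department=Sales.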
Contact/Feedback
Please complete your session evaluation.
Be courteous: deposit your trash, and do not take the handouts for the following session.
© 2010 SAP AG. All rights reserved. Page 24
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
4
copy 2010 SAP AG All rights reserved Page 7
Key Properties of SSO Technologies
Cross-Domain
Is it possible to use the SSO technology only
within a security domain (ie the corporate
Intranet) or can it be used across different
domains (eg to access a business partner
system)
Cross-Platform
Which platforms are supported by the SSO
technology Does it work in a heterogeneous
system landscape Is it based on industry
standards
Token Content Model
Does the security token only allow a fixed set of
identity attributes or can it be extended
dynamically
Domain A
Domain B
Security
Token Issuer
Application
Security
Token Issuer
Application
copy 2010 SAP AG All rights reserved Page 8
SSO Technologies Compared
SSO Technology Cross-Domain Cross-PlatformToken Content
Model
SAP Logon Ticket No No Fixed
Digital Certificate Yes Yes Fixed
Kerberos No Yes Fixed
SAML Yes Yes Extensible
Issuer running on SAP only ticket validation also possible with non-SAP applications
5
copy 2010 SAP AG All rights reserved Page 9
The Security Assertion Markup Language
(SAML) in a Nutshell
Industry standard for cross-vendor Web-based Single
Sign-On and Single Log-Out with wide adoption in the
industry
XML-based framework for security and identity
information and exchanging it across administrative
and technical domain boundaries
SAML profiles describe a variety of end use cases for
framework
SAML Security Token Assertion
contains a statement about a userlsquos authentication that happened in the
past ie when and how the user authenticated at the Issuer
who is the Issuer of the Assertion
additional information (aka attributes) about the userrsquos identity
ie role information
copy 2010 SAP AG All rights reserved Page 10
SAML 20 Terminology
Identity Provider (IdP)Authority responsible for authenticating an end user and asserting
an identity for that user in a trusted fashion to trusted partners
Synonyms (Security Token) Issuer
Service Provider (SP)Offers servicesresources to users and has a trust relationship
with an IdP to accept and trust vouch-for information provided by
the IdP on behalf of a user
Synonyms (Web) Application Relying Party
SubjectA subject is the user who has been authenticated by the IdP
Synonyms User Principal
Identity Provider
(IdP)
Service
Provider
(SP)
Subject
6
copy 2010 SAP AG All rights reserved Page 11
Identity Federation with SAML 20
Examples
John
Identity Provider
(IdP)
johnidpcom
E-Mail johnidpcom
Department Sales
johndoe
SalesEmployee
Service
Provider (SPs)
Format emailAddress
ID johnidpcom
Format transient|persistent
ID ltopaque string pseudonymgt
Attribute Department=Sales
copy 2010 SAP AG All rights reserved Page 12
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
7
copy 2010 SAP AG All rights reserved Page 13
SAML 20 Configuration Using the
SAP NetWeaver Administrator
SAML 20 configuration necessary in multiple business scenarios involving security
across organizationaldepartmental boundaries
SAP NetWeaver Administrator is the tool available with administrators to technically
configure the security aspects (like identity federation) of the scenarios
BOILIT
IDENTITY
PROVIDER (IDP)
When the BoiliIt
employee clicks
on the vendor
(MeasurIt) portal
link heshe
authenticates
himherself as a
trusted identity
Measurit
SERVICE
PROVIDER (SP)
The MeasurIt portal
should display
screens based on
the role of the
employee in the
customer (BoilIt)
organization
MeasurIt is a suppliervendor for BoilIt and hence
provides access to a portal for BoilIt engineers to
order equipment
BoilIt engineers log in to MeasurIt portal to order items
BoilIt purchasers log in to MeasurIt portal to approve
purchase requests made by the engineers
Scenario requires communication between BoilIt and MeasurIt using SAML 20 tokens
copy 2010 SAP AG All rights reserved Page 14
Purchase Order CreationApproval Scenario hellip
hellip enabled by SAP NetWeaver Administrator 730 security configuration
Enable SAML 20 for MeasurIt
Setup trusted connection between BoilIt
(IDP) and MeasuIt (SP)
Configure MeasurIt AS Java so all BoilIt
employees can access MeasurIt portal
without separate logon
Configure so that BoilIt engineers and
purchasers can view Login button
Configuring so that BoilIt engineers
purchasers can create an account on the fly
Angie Neer
BoilIt Engineer
Per Chaser
BoilIt Purchaser
MeasurIt
Administrator
Logs on to
BoilIt Portal
Navigates to
MeasurIt Portal
Create account
on the fly
Automatically uses
account created
the first time
Order an item
Order an item
Logs on to
BoilIt Portal
Navigates to
MeasurIt Portal
Logs in with a
preset account
Approves Angiersquos
request
Logs on to NWA of
MeasurIt AS Java
Do SAML 20
configuration in NWA
first time
Subsequent times
8
copy 2010 SAP AG All rights reserved Page 15
Over to the Security Configuration Hands On hellip
Enabling SAML 20 for the Service Provider MeasurIt
Setting up a trusted connection with the Identity Provider BoilIt
Configuring so that BoilIt employees can access MeasurIt portal without separate Logon
Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt
portal
Configuring so that BoilIt engineers and purchasers can create an account on the fly in order
to access MeasurIt portal and place purchase ordersapprove purchase orders
Important information
BoilIt Portal URL httpsltfully qualified hostnamegt50001boilitportalindexjsp
MeasurIt AS Java SAP NetWeaver Administrator httpltfully qualified hostnamegt50000nwa
Usernamespasswords
Application Username Password
MeasurIt AS Java administrator abcd1234
BoilIt Portal angie abcd1234
BoilIt Portal per abcd1234
BoilIt Portal bo abcd1234
copy 2010 SAP AG All rights reserved Page 16
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
9
copy 2010 SAP AG All rights reserved Page 17
Further Information
Recommended Books
Comprehensive Guide on SSO and
Identity Federation with SAP Kerberos
SAML 20 for Web browser and Web
services X509 Certificates OpenID and
others
Identity Federation with SAP NetWeaver
Identity Management Administration
Interoperability with other platforms
Many Hands-on tutorials amp code
samples
Single Sign-on mit SAP ~400 pages ISBN 978-3-8362-1627-2
httpwwwsap-pressdekatalogbuechertitelgptitelID-2409
English edition planned for March 2011
SAP PRESS
copy 2010 SAP AG All rights reserved Page 18
Further Information
SAP Public Web
SAP Developer Network (SDN) wwwsdnsapcom
Business Process Expert (BPX) Community wwwbpxsapcom
SAP BusinessObjects Community (BOC) bocsapcom
Expert Networking Sessions
SAML 20 Goes Live New Features in IDM 72 (POD54)
Related WorkshopsLectures at SAP TechEd 2010
SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On2 hr Hands-On (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO Inextricably Intertwined 1 hr Lecture (Intermediate)
10
copy 2010 SAP AG All rights reserved Page 19
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
copy 2010 SAP AG All rights reserved Page 20
Browser-based Web SSO with SAML
Part 1
Identity Provider
(IdP)
Service
Provider (SP)
John
John
1 http
1 John invokes the URL of an access protected
Web Application with his browser
2 redirect
request
2 The Web Application redirects the request to its
trusted Security Token Issuer
3
3 If John is not already logged on at the Security
Token Issuer he will be asked to provide his
credentials
John
11
copy 2010 SAP AG All rights reserved Page 21
Browser-based Web SSO with SAML
Part 2
Identity Provider
(IdP)
Service
Provider (SPs)
John
John
5 Johnlsquos Web Browser (automatically) submits the SAML Assertion in the ltformgt element
5
6
POSTltformgt
6 The Web Browser sends the SAML Assertion
with a HTTP POST Request to the Web
Application
4 The Security Token Issuer returns a SAML Assertion for John in a ltformgt HTML element
4
ltformgt
with A
ssert
ion
7 John
7 The Web Application validates the SAML
Assertion assigns a local user account to
Johnlsquos session and returns the web page
copy 2010 SAP AG All rights reserved Page 22
The issuer with the id
httpidpcom
confirms that the subject (user) with the
e-mail address
johnidpcom
has been successfully
authenticated at
931 am on Sept 30th 2010
using a
Kerberos Ticket
with Integrated Windows Authentication
It also confirms to the Service Provider
that subject is working in the
Sales
Department
An Example of a SAML Assertion
ltAssertion ID=59313c96
IssueInstant=2010-06-30T093106474Z
Version=20gt
ltIssuergthttpidpcomltIssuergt
ltSubjectgt
ltNameID Format=nameid-format
emailAddressgtjohnidpcomltNameIDgt
ltSubjectgt
ltAuthnStatement AuthnInstant=
2010-09-30T093107474Zgt
ltAuthnContextgt
ltAuthnContextClassRefgt
authenticationwindows
ltAuthnContextClassRefgt
ltAuthnContextgt
ltAuthnStatementgt
ltAttributeStatementgt
ltAttribute Name=Department
ltAttributeValue gtSales
ltAttributeValuegt
ltAttributegt
ltAttributeStatementgt
ltAssertiongt
12
ContactFeedback
Please complete your session evaluation
Be courteous mdash deposit your trash
and do not take the handouts for the following session
copy 2010 SAP AG All rights reserved Page 24
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd in the United States and in other countries
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
The information in this document is proprietary to SAP No part of this document may be reproduced copied or transmitted in any form or for any purpose without the express prior written permission of SAP AG
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP This document contains only intended strategies developments and functionalities of the SAPreg product and is not intended to be binding upon SAP to any particular course of business product strategy andor development Please note that this document is subject to change and may be changed by SAP at any time without notice
SAP assumes no responsibility for errors or omissions in this document SAP does not warrant the accuracy or completeness of the information text graphics links or other items contained within this material This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose or non-infringement
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these materials This limitation shall not apply in cases of intent or gross negligence
The statutory liability for personal injury and defective products is not affected SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages
copy 2010 SAP AG All Rights Reserved
5
copy 2010 SAP AG All rights reserved Page 9
The Security Assertion Markup Language
(SAML) in a Nutshell
Industry standard for cross-vendor Web-based Single
Sign-On and Single Log-Out with wide adoption in the
industry
XML-based framework for security and identity
information and exchanging it across administrative
and technical domain boundaries
SAML profiles describe a variety of end use cases for
framework
SAML Security Token Assertion
contains a statement about a userlsquos authentication that happened in the
past ie when and how the user authenticated at the Issuer
who is the Issuer of the Assertion
additional information (aka attributes) about the userrsquos identity
ie role information
copy 2010 SAP AG All rights reserved Page 10
SAML 20 Terminology
Identity Provider (IdP)Authority responsible for authenticating an end user and asserting
an identity for that user in a trusted fashion to trusted partners
Synonyms (Security Token) Issuer
Service Provider (SP)Offers servicesresources to users and has a trust relationship
with an IdP to accept and trust vouch-for information provided by
the IdP on behalf of a user
Synonyms (Web) Application Relying Party
SubjectA subject is the user who has been authenticated by the IdP
Synonyms User Principal
Identity Provider
(IdP)
Service
Provider
(SP)
Subject
6
copy 2010 SAP AG All rights reserved Page 11
Identity Federation with SAML 20
Examples
John
Identity Provider
(IdP)
johnidpcom
E-Mail johnidpcom
Department Sales
johndoe
SalesEmployee
Service
Provider (SPs)
Format emailAddress
ID johnidpcom
Format transient|persistent
ID ltopaque string pseudonymgt
Attribute Department=Sales
copy 2010 SAP AG All rights reserved Page 12
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
7
copy 2010 SAP AG All rights reserved Page 13
SAML 20 Configuration Using the
SAP NetWeaver Administrator
SAML 20 configuration necessary in multiple business scenarios involving security
across organizationaldepartmental boundaries
SAP NetWeaver Administrator is the tool available with administrators to technically
configure the security aspects (like identity federation) of the scenarios
BOILIT
IDENTITY
PROVIDER (IDP)
When the BoiliIt
employee clicks
on the vendor
(MeasurIt) portal
link heshe
authenticates
himherself as a
trusted identity
Measurit
SERVICE
PROVIDER (SP)
The MeasurIt portal
should display
screens based on
the role of the
employee in the
customer (BoilIt)
organization
MeasurIt is a suppliervendor for BoilIt and hence
provides access to a portal for BoilIt engineers to
order equipment
BoilIt engineers log in to MeasurIt portal to order items
BoilIt purchasers log in to MeasurIt portal to approve
purchase requests made by the engineers
Scenario requires communication between BoilIt and MeasurIt using SAML 20 tokens
copy 2010 SAP AG All rights reserved Page 14
Purchase Order CreationApproval Scenario hellip
hellip enabled by SAP NetWeaver Administrator 730 security configuration
Enable SAML 20 for MeasurIt
Setup trusted connection between BoilIt
(IDP) and MeasuIt (SP)
Configure MeasurIt AS Java so all BoilIt
employees can access MeasurIt portal
without separate logon
Configure so that BoilIt engineers and
purchasers can view Login button
Configuring so that BoilIt engineers
purchasers can create an account on the fly
Angie Neer
BoilIt Engineer
Per Chaser
BoilIt Purchaser
MeasurIt
Administrator
Logs on to
BoilIt Portal
Navigates to
MeasurIt Portal
Create account
on the fly
Automatically uses
account created
the first time
Order an item
Order an item
Logs on to
BoilIt Portal
Navigates to
MeasurIt Portal
Logs in with a
preset account
Approves Angiersquos
request
Logs on to NWA of
MeasurIt AS Java
Do SAML 20
configuration in NWA
first time
Subsequent times
8
© 2010 SAP AG. All rights reserved. Page 15
Over to the Security Configuration Hands-On …
Enabling SAML 2.0 for the Service Provider MeasurIt
Setting up a trusted connection with the Identity Provider BoilIt
Configuring so that BoilIt employees can access the MeasurIt portal without a separate logon
Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt portal
Configuring so that BoilIt engineers and purchasers can create an account on the fly in order to access the MeasurIt portal and place/approve purchase orders
Important information
BoilIt Portal URL: https://<fully qualified hostname>:50001/boilitportal/index.jsp
MeasurIt AS Java SAP NetWeaver Administrator: http://<fully qualified hostname>:50000/nwa
Usernames/passwords (hands-on lab systems only; the NWA URL above is plain HTTP on the AS Java default port, acceptable only on an isolated training system):
Application        Username        Password
MeasurIt AS Java   administrator   abcd1234
BoilIt Portal      angie           abcd1234
BoilIt Portal      per             abcd1234
BoilIt Portal      bo              abcd1234
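The service-provider side of the scenario above, as an added example in Python (not code from the SAP deck and not the AS Java user management API): MeasurIt links each federated identity from the trusted IdP to a local account, creates the account on the fly at first logon (Angie), reuses it afterwards, or uses an account the administrator pre-linked (Per), and derives what the user may do from the role BoilIt asserts. The IdP entity ID, the attribute name `Role`, the role values `engineer`/`purchaser`, and the `fed_N` naming convention for accounts created from opaque pseudonyms are assumptions; the scenario does not fix them.

```python
from dataclasses import dataclass, field

# NameID formats from the SAML 2.0 core specification.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed: BoilIt's IdP sends the employee's function as a (multi-valued) SAML
# attribute named "Role". What each role may do is taken from the scenario.
ROLE_ATTR = "Role"
PERMISSIONS = {"engineer": {"place_order"}, "purchaser": {"approve_order"}}


@dataclass
class LocalUser:
    username: str
    roles: set = field(default_factory=set)


class FederatedUserStore:
    """MeasurIt's (SP-side) user store. A federated identity is the triple
    (issuer, NameID format, NameID); each one is linked to exactly one local account."""

    def __init__(self, trusted_issuer, create_on_the_fly=True):
        self.trusted_issuer = trusted_issuer
        self.create_on_the_fly = create_on_the_fly
        self.users = {}   # local username -> LocalUser
        self.links = {}   # (issuer, NameID format, NameID) -> local username

    def link_preset(self, issuer, name_id_format, name_id, username):
        """Administrator pre-links an existing local account (Per's preset account)."""
        self.users.setdefault(username, LocalUser(username))
        self.links[(issuer, name_id_format, name_id)] = username

    def logon(self, issuer, name_id_format, name_id, attributes):
        """Runs after the assertion itself was validated (signature, audience,
        validity window, replay). Returns the local user for this session."""
        if issuer != self.trusted_issuer:
            raise PermissionError("assertion from an issuer this SP does not trust")
        key = (issuer, name_id_format, name_id)
        username = self.links.get(key)
        if username is None:
            if not self.create_on_the_fly:
                raise PermissionError("no linked local account and on-the-fly creation is off")
            # Local name: the address itself for emailAddress NameIDs; an opaque
            # pseudonym gets a generated name (assumed convention, not SAP's).
            username = name_id if name_id_format == EMAIL else f"fed_{len(self.users) + 1}"
            self.users[username] = LocalUser(username)
            self.links[key] = username      # subsequent logons reuse this account
        user = self.users[username]
        # Roles are re-read from the IdP's attributes on every logon, so a change
        # at BoilIt takes effect without an administrator touching MeasurIt.
        user.roles = {r for r in attributes.get(ROLE_ATTR, []) if r in PERMISSIONS}
        return user

    @staticmethod
    def authorize(user, action):
        """Engineers may place orders, purchasers may approve them."""
        return any(action in PERMISSIONS[r] for r in user.roles)
```

The link table is keyed on the issuer as well as the NameID, so two IdPs asserting the same NameID string can never collide on one local account; and because roles are taken from the assertion on every logon rather than copied once at account creation, revoking a BoilIt employee's purchaser function revokes approval rights at MeasurIt on the next logon.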
© 2010 SAP AG. All rights reserved. Page 16
Agenda
1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix
© 2010 SAP AG. All rights reserved. Page 17
Further Information
Recommended Books
Comprehensive guide on SSO and identity federation with SAP: Kerberos, SAML 2.0 for Web browsers and Web services, X.509 certificates, OpenID and others
Identity federation with SAP NetWeaver Identity Management, administration, interoperability with other platforms
Many hands-on tutorials & code samples
Single Sign-on mit SAP, ~400 pages, ISBN 978-3-8362-1627-2, SAP PRESS
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011
© 2010 SAP AG. All rights reserved. Page 18
Further Information
SAP Public Web
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com
Expert Networking Sessions
SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)
Related Workshops/Lectures at SAP TechEd 2010
SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr hands-on (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr lecture (Intermediate)
© 2010 SAP AG. All rights reserved. Page 19
Agenda
1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix
Browser-based Web SSO with SAML
Part 1
Identity Provider
(IdP)
Service
Provider (SP)
John
John
1 http
1 John invokes the URL of an access protected
Web Application with his browser
2 redirect
request
2 The Web Application redirects the request to its
trusted Security Token Issuer
3
3 If John is not already logged on at the Security
Token Issuer he will be asked to provide his
credentials
John
11
© 2010 SAP AG. All rights reserved. Page 21
Browser-based Web SSO with SAML, Part 2
(Figure: arrows 4 <form> with Assertion, 5, 6 POST <form>, 7.)
4. The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element.
5. John's Web browser (automatically) submits the SAML Assertion in the <form> element.
6. The Web browser sends the SAML Assertion with an HTTP POST request to the Web application.
7. The Web application validates the SAML Assertion (its XML signature against the trusted IdP's certificate, the audience, the recipient, the validity window, and that the assertion ID has not been seen before), assigns a local user account to John's session and returns the web page.
© 2010 SAP AG. All rights reserved. Page 22
An Example of a SAML Assertion
The issuer with the ID http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th 2010 using a Kerberos ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales department.
<Assertion ID="59313c96" IssueInstant="2010-09-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@idp.com</NameID>
  </Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department">
      <AttributeValue>Sales</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
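The seven-step exchange of the two preceding slides, carried through with the assertion above, as an added example in Python using only the standard library (not SAP code). `idp_issue` plays step 4 and wraps the slide's assertion in a samlp:Response, adding the Conditions and bearer SubjectConfirmation the slide omits; `browser_submit` is step 5; `sp_consume` is steps 6 and 7 and performs the non-cryptographic checks the Web Browser SSO profile requires of a service provider: InResponseTo matches an outstanding AuthnRequest, the issuer is the trusted IdP, the validity window, the audience, the recipient, and replay of the assertion ID. The SP entity ID, the ACS URL, the request ID and the five-minute lifetime are assumed values. Verification of the XML-DSig signature over the assertion is deliberately not shown; in a real SP it must run before any of these checks, because until the signature is verified every field below is attacker-controlled input.

```python
import base64
import re
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "http://idp.com"            # the issuer shown on the slide
SP_ENTITY_ID = "https://sp.example/saml2"   # assumed SP entity ID (the audience)
ACS_URL = "https://sp.example/saml2/acs"    # assumed Assertion Consumer Service URL
CLOCK_SKEW = timedelta(minutes=2)           # tolerated IdP/SP clock difference


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def idp_issue(in_response_to, subject, department, now, audience=SP_ENTITY_ID):
    """Step 4 (IdP): the slide's assertion inside a samlp:Response, plus the Conditions
    and bearer SubjectConfirmation an SP has to check, delivered as the auto-submitting
    form of the HTTP POST binding. Unsigned: a real IdP signs the Assertion here."""
    exp = ts(now + timedelta(minutes=5))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{ts(now)}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FMT}">{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{exp}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{exp}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{ts(now)}">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Department"><saml:AttributeValue>{department}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    b64 = base64.b64encode(xml.encode()).decode()
    return f'<form method="POST" action="{ACS_URL}"><input type="hidden" name="SAMLResponse" value="{b64}"/></form>'


def browser_submit(form_html):
    """Step 5 (browser): the hidden fields become the urlencoded POST body."""
    return urlencode(dict(re.findall(r'name="([^"]+)" value="([^"]+)"', form_html)))


def sp_consume(post_body, outstanding, seen_ids, now):
    """Steps 6-7 (SP): the checks the POST profile requires before an assertion may be
    mapped to a local account. The XML-DSig signature must be verified against the
    trusted IdP certificate before any of this (e.g. with xmlsec); not shown here."""
    root = ET.fromstring(base64.b64decode(parse_qs(post_body)["SAMLResponse"][0]))
    req_id = root.get("InResponseTo")
    if req_id not in outstanding:
        raise ValueError("unsolicited response or unknown AuthnRequest ID")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported an authentication failure")
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion from an untrusted issuer")
    c = a.find("saml:Conditions", NS)
    if not (parse_ts(c.get("NotBefore")) - CLOCK_SKEW <= now
            < parse_ts(c.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for a different audience (another SP)")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    d = sc.find("saml:SubjectConfirmationData", NS)
    if (sc.get("Method") != BEARER or d.get("Recipient") != ACS_URL
            or d.get("InResponseTo") != req_id or now >= parse_ts(d.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("bearer confirmation does not match this endpoint or request")
    if a.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(a.get("ID"))        # keep entries until NotOnOrAfter + skew has passed
    outstanding.discard(req_id)      # an AuthnRequest is answered once
    nid = a.find("saml:Subject/saml:NameID", NS)
    return {"name_id": nid.text, "name_id_format": nid.get("Format"),
            "authn_context": a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
                           for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}}
```

Each rejection is a distinct attack the profile is designed to stop: a missing or unknown InResponseTo is an unsolicited response (or a response stolen from another user's flow), a wrong audience is an assertion the IdP issued for some other SP being replayed here, a wrong recipient is the same trick against another endpoint, and the seen-ID set stops the one assertion from being posted twice inside its five-minute window. Parsing with xml.etree is acceptable for a demonstration; on untrusted input use defusedxml or an equivalently hardened parser.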
Contact/Feedback
Please complete your session evaluation.
Be courteous: deposit your trash, and do not take the handouts for the following session.
© 2010 SAP AG. All rights reserved. Page 24
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2010 SAP AG. All Rights Reserved.
© 2010 SAP AG. All rights reserved. Page 11
Identity Federation with SAML 2.0: Examples
(Figure) John at the Identity Provider (IdP): user john@idp.com, E-Mail: john@idp.com, Department: Sales. At the Service Provider (SP): local user johndoe, role SalesEmployee.
What the IdP can send to the SP about John:
Format: emailAddress, ID: john@idp.com
Format: transient | persistent, ID: <opaque string / pseudonym>
Attribute: Department=Sales
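The persistent and transient pseudonyms in the figure, as an added example of how an identity provider can produce them in Python (not SAP code; the IdP secret, user names and SP entity IDs are made-up values). A persistent NameID must be stable for one user at one SP yet unlinkable across SPs; an HMAC over (user, SP entity ID) under a secret only the IdP holds gives exactly that, so the IdP needs no per-SP pseudonym table unless it wants to rotate or revoke individual pseudonyms (Shibboleth's computed-ID attribute takes the same salted-hash approach). A transient NameID is just a fresh random handle for the session.

```python
import base64
import hashlib
import hmac
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
IDP_ENTITY_ID = "http://idp.com"   # the issuer used on the slides


def persistent_name_id(local_user, sp_entity_id, idp_secret):
    """Stable, opaque, per-SP pseudonym: HMAC-SHA256 over (user, SP entity ID) under
    a secret only the IdP holds. The same user always gets the same ID at one SP,
    while two SPs cannot correlate their IDs or recover the local user name."""
    msg = f"{local_user}\x00{sp_entity_id}".encode()
    mac = hmac.new(idp_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:20]).rstrip(b"=").decode()


def transient_name_id():
    """One-time handle valid for a single session: unlinkable even at the same SP."""
    return "_" + secrets.token_hex(16)


def name_id_element(name_id_format, value, sp_entity_id):
    """The <NameID> element for the assertion's Subject. The qualifiers record
    which IdP/SP pair the pseudonym is scoped to."""
    return (f'<NameID Format="{name_id_format}" NameQualifier="{IDP_ENTITY_ID}" '
            f'SPNameQualifier="{sp_entity_id}">{value}</NameID>')


def subject_for(local_user, sp_entity_id, idp_secret, persistent=True):
    """What the IdP puts in the Subject for this user and this SP."""
    if persistent:
        pseudonym = persistent_name_id(local_user, sp_entity_id, idp_secret)
        return name_id_element(PERSISTENT, pseudonym, sp_entity_id)
    return name_id_element(TRANSIENT, transient_name_id(), sp_entity_id)
```

The emailAddress format from the first line of the figure is the linkable alternative: it hands the SP the real identity, which is appropriate only where the SP legitimately needs it. With a persistent pseudonym the SP can still keep a stable local account (johndoe) across sessions, but neither it nor a second SP learns who the user is at the IdP.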
© 2010 SAP AG. All rights reserved. Page 12
Agenda
1. Single Sign-on and Identity Federation with SAML 2.0
2. Exercises
3. Further information
4. Appendix
© 2010 SAP AG. All rights reserved. Page 13
SAML 2.0 Configuration Using the SAP NetWeaver Administrator
SAML 2.0 configuration is necessary in multiple business scenarios involving security across organizational/departmental boundaries.
SAP NetWeaver Administrator is the tool available to administrators to technically configure the security aspects (like identity federation) of these scenarios.
BoilIt, Identity Provider (IdP): when the BoilIt employee clicks on the vendor (MeasurIt) portal link, he/she authenticates himself/herself as a trusted identity.
MeasurIt, Service Provider (SP): the MeasurIt portal should display screens based on the role of the employee in the customer (BoilIt) organization.
MeasurIt is a supplier/vendor for BoilIt and hence provides access to a portal for BoilIt engineers to order equipment.
BoilIt engineers log in to the MeasurIt portal to order items.
BoilIt purchasers log in to the MeasurIt portal to approve purchase requests made by the engineers.
The scenario requires communication between BoilIt and MeasurIt using SAML 2.0 tokens.
copy 2010 SAP AG All rights reserved Page 15
Over to the Security Configuration Hands On hellip
Enabling SAML 20 for the Service Provider MeasurIt
Setting up a trusted connection with the Identity Provider BoilIt
Configuring so that BoilIt employees can access MeasurIt portal without separate Logon
Configuring so that BoilIt engineers and purchasers can view the Login button on the MeasurIt
portal
Configuring so that BoilIt engineers and purchasers can create an account on the fly in order
to access MeasurIt portal and place purchase ordersapprove purchase orders
Important information
BoilIt Portal URL httpsltfully qualified hostnamegt50001boilitportalindexjsp
MeasurIt AS Java SAP NetWeaver Administrator httpltfully qualified hostnamegt50000nwa
Usernamespasswords
Application Username Password
MeasurIt AS Java administrator abcd1234
BoilIt Portal angie abcd1234
BoilIt Portal per abcd1234
BoilIt Portal bo abcd1234
copy 2010 SAP AG All rights reserved Page 16
Agenda
1 Single Sign-on and Identity Federation with SAML 20
2 Exercises
3 Further information
4 Appendix
9
© 2010 SAP AG All rights reserved Page 17
Further Information
Recommended Books
Comprehensive guide on SSO and identity federation with SAP: Kerberos, SAML 2.0 for Web browser and Web services, X.509 certificates, OpenID and others
Identity federation with SAP NetWeaver Identity Management
Administration
Interoperability with other platforms
Many hands-on tutorials & code samples
Single Sign-on mit SAP, ~400 pages, ISBN 978-3-8362-1627-2
http://www.sap-press.de/katalog/buecher/titel/gp/titelID-2409
English edition planned for March 2011
SAP PRESS
© 2010 SAP AG All rights reserved Page 18
Further Information
SAP Public Web
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com
Expert Networking Sessions
SAML 2.0 Goes Live: New Features in IDM 7.2 (POD54)
Related Workshops/Lectures at SAP TechEd 2010
SCI103 Facing the Challenge of Single Sign-On with Open Standards like SAML and Web Services, 1 hr lecture (Beginner)
SCI264 Facing the Challenge of Single Sign-on in an SAP- and Microsoft-combined Environment (Intermediate)
SCI265 Managing Federated Identities for Service-Based Single Sign-On, 2 hr Hands-On (Intermediate)
SCI204 SAP NetWeaver Business Process Management and SSO: Inextricably Intertwined, 1 hr Lecture (Intermediate)
© 2010 SAP AG All rights reserved Page 19
Agenda
1 Single Sign-on and Identity Federation with SAML 2.0
2 Exercises
3 Further information
4 Appendix
© 2010 SAP AG All rights reserved Page 20
Browser-based Web SSO with SAML, Part 1
[Diagram: John's browser, the Service Provider (SP) and the Identity Provider (IdP); arrows 1 (http), 2 (redirect request) and 3]
1 John invokes the URL of an access-protected Web Application with his browser
2 The Web Application redirects the request to its trusted Security Token Issuer
3 If John is not already logged on at the Security Token Issuer, he will be asked to provide his credentials
© 2010 SAP AG All rights reserved Page 21
Browser-based Web SSO with SAML, Part 2
[Diagram: John's browser, the Service Provider (SP) and the Identity Provider (IdP); arrows 4 (<form> with Assertion), 5, 6 (POST <form>) and 7]
4 The Security Token Issuer returns a SAML Assertion for John in a <form> HTML element
5 John's Web Browser (automatically) submits the SAML Assertion in the <form> element
6 The Web Browser sends the SAML Assertion with an HTTP POST Request to the Web Application
7 The Web Application validates the SAML Assertion, assigns a local user account to John's session and returns the web page
© 2010 SAP AG All rights reserved Page 22
An Example of a SAML Assertion
The issuer with the id http://idp.com confirms that the subject (user) with the e-mail address john@idp.com has been successfully authenticated at 9:31 am on Sept 30th 2010 using a Kerberos Ticket with Integrated Windows Authentication. It also confirms to the Service Provider that the subject is working in the Sales Department.

<Assertion ID="59313c96"
           IssueInstant="2010-06-30T09:31:06.474Z"
           Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject>
    <NameID Format="nameid-format:emailAddress">john@idp.com</NameID>
  </Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext>
      <AuthnContextClassRef>authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department">
      <AttributeValue>Sales</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
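The browser POST leg of the Web SSO flow (steps 4 to 7 on the Part 2 slide) and the checks a Service Provider performs on an assertion like the one above, as an added example in Python that is not code from the slides or from SAP NetWeaver. The trusted-issuer list, the local account mapping, the five-minute freshness window, the clock-skew allowance and the MeasurIt ACS URL are assumptions made for the example; the sample assertion is constructed after the slide's, with its namespace declared and the IssueInstant aligned to the AuthnInstant so the two timestamps agree. XML signature verification is not shown: a real SP verifies the signature before it reads any of these fields, and in the standard HTTP POST binding the assertion travels inside a Response element rather than bare as here.

```python
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample modelled on the slide's assertion (namespace declared,
# timestamps aligned); it carries no Signature element, see sp_consume().
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" ID="59313c96"
    IssueInstant="2010-09-30T09:31:06.474Z" Version="2.0">
  <Issuer>http://idp.com</Issuer>
  <Subject><NameID Format="{EMAIL_FORMAT}">john@idp.com</NameID></Subject>
  <AuthnStatement AuthnInstant="2010-09-30T09:31:07.474Z">
    <AuthnContext><AuthnContextClassRef>authentication:windows</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="Department"><AttributeValue>Sales</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Assumed SP-side configuration (hypothetical, not from the slides).
TRUSTED_ISSUERS = {"http://idp.com"}
LOCAL_ACCOUNTS = {"john@idp.com": "JOHN"}   # federated NameID -> local user id
MAX_AUTHN_AGE = timedelta(minutes=5)        # how old an authentication may be
CLOCK_SKEW = timedelta(seconds=60)          # tolerated IdP/SP clock difference


class AssertionRejected(Exception):
    """The SP refuses to turn this assertion into a session."""


def saml_time(value):
    """Parse the xs:dateTime form used on the slide (UTC, millisecond fraction)."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        raise AssertionRejected(f"bad timestamp {value!r}")


def encode_token(assertion_xml):
    """Base64 form of the assertion as it travels in the hidden form field."""
    return base64.b64encode(assertion_xml.encode()).decode()


def idp_post_form(assertion_xml, acs_url):
    """Step 4: the IdP hands the browser an auto-submitted <form> (step 5)
    whose hidden field carries the assertion to the SP (step 6)."""
    return (f'<form method="post" action="{html.escape(acs_url)}">'
            f'<input type="hidden" name="SAMLResponse" value="{encode_token(assertion_xml)}"/>'
            '</form>')


def sp_consume(posted_token, now):
    """Step 7: check the posted assertion and map its subject to a local account.
    Signature verification is omitted; a real SP does it before reading anything."""
    try:  # production code should parse with defusedxml rather than ElementTree
        root = ET.fromstring(base64.b64decode(posted_token, validate=True))
    except (ValueError, ET.ParseError) as exc:
        raise AssertionRejected(f"undecodable token: {exc}")
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:           # only a configured IdP may vouch
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    if saml_time(root.get("IssueInstant")) > now + CLOCK_SKEW:
        raise AssertionRejected("IssueInstant lies in the future")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise AssertionRejected("missing or unexpected NameID")
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        raise AssertionRejected("no AuthnStatement")
    authn_at = saml_time(authn.get("AuthnInstant"))
    if now - authn_at > MAX_AUTHN_AGE:            # a stale logon must not be reused
        raise AssertionRejected("authentication is too old to reuse")
    context = authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    local_user = LOCAL_ACCOUNTS.get(name_id.text)
    if local_user is None:                       # no federation link for this subject
        raise AssertionRejected(f"no local account federated to {name_id.text!r}")
    return {"issuer": issuer, "subject": name_id.text, "authn_context": context,
            "authn_at": authn_at, "attributes": attributes, "local_user": local_user}


def rejection_reason(posted_token, now):
    """The SP's reason for refusing a token, or None when it is accepted."""
    try:
        sp_consume(posted_token, now)
    except AssertionRejected as exc:
        return str(exc)
    return None


def demo():
    """Round trip: IdP form -> token the browser posts -> SP session decision."""
    form = idp_post_form(SAMPLE_ASSERTION, "https://measurit.example/saml2/acs")
    token = form.split('value="')[1].split('"')[0]   # what the browser submits
    return sp_consume(token, saml_time("2010-09-30T09:32:00.000Z"))


if __name__ == "__main__":
    print(demo())
```

Each rejection branch corresponds to one field the slide's assertion carries: the issuer must be one the SP has been configured to trust (the "trusted connection" set up in the hands-on), the timestamps bound how long a logon at the IdP may be reused, the NameID format must match what the account mapping expects, and an unknown subject is refused rather than silently given an account; the on-the-fly account creation from the hands-on slide would replace that last branch.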
Contact / Feedback
Please complete your session evaluation
Be courteous: deposit your trash and do not take the handouts for the following session
© 2010 SAP AG All rights reserved Page 24
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2010 SAP AG All Rights Reserved