Authentication and Single Sign-On
Patrick Hildenbrand, NW PM Security, SAP AG
Agenda
Authentication and Identities
Authentication with SAP
• In a Web-based scenario
• At the SAP GUI for Windows
Summary
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 2
Authentication Identifies a Subject
In computer security, authentication is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party.
Single Sign-On is a Specialized Form of Authentication
Single Sign-On (SSO) is a specialized form of authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
(Diagram: the user authenticates only once, to the Portal, WebAS or local system, and then has access to CRM, ERP, Groupware and other systems on the intranet and the internet.)
Why Use Single Sign-On?
Typical situation
• In a complex system landscape an employee has many user IDs with different passwords
• Different procedures for each system to roll out, reset and change new / existing passwords
• Users find continuous password changing for many systems annoying
Problems
• High administration cost and effort
• Security risk: users write passwords down and store them where they can easily be found
Solution: Single Sign-On
• Users only have to remember one password to gain access to every system
• Administration costs and efforts are drastically reduced
What the User Wants …
(Diagram: authenticate once at the Portal, WebAS or ITS and have access to CRM, ERP, Groupware and other systems on the intranet and the internet.)
What the Administrator Wants …
Central user management
• Single point of administration
• Assign user rights in various applications with one keystroke
• Lock or delete users centrally
Central user repository
• Avoid redundant user information
• Easy de-provisioning
Agenda
Authentication and Identities
Authentication with SAP
• In a Web-based scenario
• At the SAP GUI for Windows
Summary
Web-Based Authentication Methods
• Anonymous/guest access
• User ID / password
  Form-based *
  Basic authentication *
• X.509 digital certificates
• SAP Logon Tickets
• External authentication methods
  HTTP header variable authentication (not ABAP, except for X.509 certificate information forwarding)
  Enterprise Access Management (EAM)
  Security Assertion Markup Language (SAML – only Java)
  Through Pluggable Authentication Services (PAS – only external ITS)
  Through Java Authentication and Authorization Services (JAAS – only Java)
Java: SAP WebAS 640 Java or SAP Enterprise Portal 6 > SP3
* Only authentication, not Single Sign-On
X.509 Client Certificates – SSO Process
• Authentication occurs using SSL with mutual authentication
• User possesses a public/private key pair and a public-key certificate
(Diagram: the client presents its X.509 client certificate over SSL to each system it accesses: CRM, ERP, Groupware and others on the intranet and the internet.)
Authentication and SSL with X.509 Certificates
• Mutual authentication between Alice and the server
• The SSL process:
  1. Client sends a "Hello" message to the server
  2. Server sends its certificate and asks for the client certificate
  3. Client sends its certificate, the encrypted secret key and the list of supported crypto algorithms
  4. A confirmation is sent back
  Session established, using symmetric encryption
(Diagram: Alice and the server each hold a private key, a public key and the shared secret.)
X.509 Certificates
• X.509 certificates are used for Secure Sockets Layer (SSL) based communications:
  Internet standard for secure HTTP connections
  Provides for server, client or mutual authentication and encryption
  Uses both symmetric and public-key encryption for protection
• X.509 certificates ("digital certificates") can be used both for initial authentication and for successive Single Sign-On
• Each certificate includes:
  Name
  CA name
  Validity period
  Public key
Obtaining an X.509 Certificate
Digital certificates must be X.509v3 compliant
Various options are possible:
• Using the SAP Trust Center Service
  For SAP users only
  Free of charge
  Portal server acts as Registration Authority (RA)
• Setting up an internal PKI system
  Buy software from a CA product vendor
• Using an external PKI system
  Contract with a Trust Center Service
SAP Trust Center Service: Enrollment Process
(Diagram with Web browser, Portal server and SAP Trust Center Service; the numbered steps are:)
1. Web browser to Portal server: log on using SAP user ID and password and initiate the SAP Passport request
2. Specify the naming convention and trigger key generation
3. The Web browser generates the key pair and sends the SAP Passport request
4. Portal server to SAP Trust Center Service: send the approved certificate request
5. The SAP Trust Center Service verifies the naming conventions and issues the certificate
6. Log on using the SAP Passport
SAP Logon Tickets – SSO Process
(Diagram: initial logon at the Portal, WebAS or ITS; the SAP Logon Ticket is then presented for access to CRM, ERP, Groupware and other systems on the intranet and the internet.)
Example of an HTTP Request
GET /someresource HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, [ … ], */*
Referer: https://some.host.domain/some/other/resource
Accept-Language: en,de;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: nw-portal.wdf.sap.corp
Connection: Keep-Alive
Cookie: saplb_*=(J2EE6527200)6527250; PortalAlias=portal;
MYSAPSSO2=AjExMDAgAA5wb3J0YWw6ZDAzMzA5OYgAE2Jhc2ljYXV0aGVudGljYXRpb24
BAAdEMDMzMDk5AgADMDAwAwADTldUBAAMMjAwNTA5MDIwNjE0BQAEAAAACAoAB0Q
wMzMwOTn%2FAPUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCw
YJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMwDjEMMAoGA1UEAxMDTldUAgEAMAkGBSsO
AwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0
wNTA5MDIwNjE0NDRaMCMGCSqGSIb3DQEJBDEWBBQ28lOiAPAV2KfBJR18ElZxaNenHzA
JBgcqhkjOOAQDBC8wLQIUIaaWKYY4%2BCT26P07coHVYP63eCkCFQCLt0ERDvDKCpog8
9q5n%2B5ahpQQCw%3D%3D;
JSESSIONID=(J2EE6527300)ID6527350DB307014776305034697End; sapssolist=O3I9cHdkZjA5NjJfY3BwXzQ0
What is a SAP Logon Ticket
• A SAP Logon Ticket is represented as a cookie in the browser
• The content of the SAP Logon Ticket is BASE64 encoded
• SAP Logon Tickets contain:
  User ID(s)
  Authentication scheme
  Validity period
  Issuing system
  Digital signature
SAP Logon Tickets do NOT contain any passwords!
SSOv2
• Problems?
  SAP Note 701205 (EP6.0: Single Sign-On using SAP Logon Tickets)
  SAP Note 654982 (URL requirements due to Internet standards)
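As an added example (not code from the slides or from SAP), the following Python builds a cookie value with the field layout the decoded MYSAPSSO2 sample on the previous slide begins with (version byte 0x02, the 4-character codepage, then fields of one ID byte, a 2-byte big-endian length and the value), parses it back, and applies the validity window as a verifying system would, including the clock-skew case that yields a "not yet valid" ticket. The field IDs, the validity unit (hours) and all values are assumptions or constructed, and the PKCS#7 signature is a placeholder, since checking it requires the issuing system's public-key certificate.

```python
import base64
import struct
from datetime import datetime, timedelta
from urllib.parse import quote, unquote

# Field IDs as read from the decoded sample cookie on the HTTP request slide;
# IDs and meanings the slide does not state are assumptions.
FIELD_USER = 0x01         # backend user ID
FIELD_CLIENT = 0x02       # client of the issuing system
FIELD_SYSTEM = 0x03       # system ID of the issuing system
FIELD_CREATED = 0x04      # creation time "YYYYMMDDHHMM" (UTC assumed)
FIELD_VALIDITY = 0x05     # 4-byte big-endian integer, validity in hours (assumed)
FIELD_PORTAL_USER = 0x20  # portal user ID (may differ from the backend user ID)
FIELD_AUTH_SCHEME = 0x88  # authentication scheme, e.g. "basicauthentication"
FIELD_SIGNATURE = 0xFF    # PKCS#7 signature of the issuing system
TICKET_VERSION = 0x02
CODEPAGE = b"1100"


def build_ticket(fields, signature=None):
    """Encode (field_id, value) pairs as the URL-encoded BASE64 cookie value.
    Constructed for illustration; a real ticket is signed by the issuing system."""
    body = bytes([TICKET_VERSION]) + CODEPAGE
    if signature is not None:
        fields = list(fields) + [(FIELD_SIGNATURE, signature)]
    for fid, value in fields:
        if isinstance(value, str):
            value = value.encode("ascii")
        body += struct.pack(">BH", fid, len(value)) + value
    # The cookie is URL-encoded in the request (hence %2B, %2F, %3D on the slide)
    return quote(base64.b64encode(body).decode("ascii"), safe="")


def parse_ticket(cookie_value):
    """Decode the cookie into (codepage, {field_id: [value, ...]}).
    Values are lists because a field ID can repeat ("User ID(s)")."""
    raw = base64.b64decode(unquote(cookie_value))
    if len(raw) < 5 or raw[0] != TICKET_VERSION:
        raise ValueError("unsupported or truncated ticket header")
    fields, pos = {}, 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated field header")
        fid, length = struct.unpack(">BH", raw[pos:pos + 3])
        pos += 3
        value = raw[pos:pos + length]
        if len(value) != length:
            raise ValueError("field %#x runs past the end of the ticket" % fid)
        pos += length
        fields.setdefault(fid, []).append(value)
    return raw[1:5].decode("ascii"), fields


def evaluate_ticket(cookie_value, now, max_clock_skew=timedelta(minutes=5)):
    """Judge the ticket as a verifying system would; now is "YYYYMMDDHHMM".
    Returns (status, info) with status "ok", "not_yet_valid" (issuer clock
    ahead of ours by more than max_clock_skew, the error the prerequisites
    slide warns about), "expired" or "unsigned". Checking the PKCS#7
    signature needs the issuer's public-key certificate and is not done here."""
    codepage, fields = parse_ticket(cookie_value)

    def text(fid):
        return fields.get(fid, [b""])[0].decode("ascii")
    created = datetime.strptime(text(FIELD_CREATED), "%Y%m%d%H%M")
    hours = struct.unpack(">I", fields[FIELD_VALIDITY][0])[0]
    expires = created + timedelta(hours=hours)
    info = {
        "codepage": codepage, "user": text(FIELD_USER),
        "portal_user": text(FIELD_PORTAL_USER), "client": text(FIELD_CLIENT),
        "system": text(FIELD_SYSTEM), "auth_scheme": text(FIELD_AUTH_SCHEME),
        "created": created, "expires": expires,
        "signed": FIELD_SIGNATURE in fields,
    }
    now_dt = datetime.strptime(now, "%Y%m%d%H%M")
    if now_dt + max_clock_skew < created:
        return "not_yet_valid", info
    if now_dt > expires:
        return "expired", info
    if not info["signed"]:
        return "unsigned", info
    return "ok", info


# Constructed sample with the same shape as the slide's cookie, invented values.
SAMPLE_FIELDS = [
    (FIELD_PORTAL_USER, "portal:alice"),
    (FIELD_AUTH_SCHEME, "basicauthentication"),
    (FIELD_USER, "ALICE"),
    (FIELD_CLIENT, "000"),
    (FIELD_SYSTEM, "NWT"),
    (FIELD_CREATED, "200509020614"),
    (FIELD_VALIDITY, struct.pack(">I", 8)),
]
SAMPLE_TICKET = build_ticket(SAMPLE_FIELDS, b"<PKCS#7 SignedData placeholder>")
SAMPLE_UNSIGNED_TICKET = build_ticket(SAMPLE_FIELDS)

if __name__ == "__main__":
    for now in ("200509021000", "200509021500", "200509020500"):
        status, info = evaluate_ticket(SAMPLE_TICKET, now)
        print(now, status, info["user"], info["system"], info["auth_scheme"])
```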
SAP Logon Tickets – Prerequisites
Prerequisites
• At least the same user IDs in the connected backend systems (the portal user ID can be different)
• If the portal user ID differs from the backend user ID, you need to maintain a user mapping for the "SAP Reference System"
• Trust configured:
  Public-key certificate of the issuing system is available in the verifying system (necessary for verification of the digital signature)
  Trust access control lists maintained (ABAP: STRUSTSSO2)
SAP Reference System User Mapping
• Standard user mapping functionality
• PLUS: retrieval of the user ID from an LDAP Directory Server
SSO to Non-SAP Components Using SAP Logon Tickets
(Diagram, steps 1 to 5: initial logon at the Portal, WebAS or ITS issues the SAP Logon Ticket; the ticket is presented to a 3rd-party application, which verifies it using the Ticket Verification Library SAPSSOEXT or a security product (SAPSECULIB); further elements shown are the Access Control List, the Workplace server, a public address book (if not SAPSECULIB), and the mapping of the mySAP.com user ID to the application user ID.)
Ticket Verification for Non-SAP Components
Web Server Filter
• SSO with SAP Logon Tickets to Web applications
• Application needs to support authentication with an HTTP header variable
Web Server Filter with Delegation for Windows Server 2003
• SSO with SAP Logon Tickets to a Microsoft Web-based application
Java Ticket Verification Library
• SSO with SAP Logon Tickets to non-SAP Java applications
• Development required
C Ticket Verification Library
• SSO with SAP Logon Tickets to non-SAP C applications
• Development required
Dynamic Link Library SAPSSOEXT
• SSO with SAP Logon Tickets to Java and C applications
• Available for most kernel platforms
• Development required
Remark: Platform limitations may apply!
Multi Domain SSO
Recommendation:
• Use one DNS (sub-)domain for SSO purposes (increased security!)
• E.g. portal.sso.company.com, its.sso.company.com, …
• Set the UME property "domainrelaxlevel" accordingly
Alternative: configure SAP EP for multi-domain SSO
• Ticket-sending instances are required in every domain
• The Portal sends the SAP Logon Ticket content via client redirects to every ticket-sending instance
• The client will get as many cookies as there are domains (see also SAP Note 654982)
• Configuration details:
  http://help.sap.com -> NetWeaver '04 documentation -> Security -> User Authentication and Single Sign-On -> Authentication on the Portal -> Single Sign-On -> Single Sign-On with SAP Logon Tickets
• EP6 SP2 is only supported on a per-project basis, see SAP Note 673824
HTTP Header Authentication – SSO Process
(Diagram: initial logon at an intermediate Authentication Authority; the identity information is passed within a header variable to CRM, ERP, Groupware and other systems on the intranet and the internet.)
Adding the User Name Header
• The authentication takes place on the intermediate server
• The intermediate adds identity information to the request data
• The application servers get the identity information from the request data
Request as received by the intermediate:
GET /someresource HTTP/1.1
[ … ]
Request as forwarded to the application server:
GET /someresource HTTP/1.1
[ … ]
HTTP-USER: MyUser
Integrated Windows Authentication
Initial authentication is done to the local system (Windows)
Two methods of Integrated Windows Authentication are possible:
• NTLM
• Kerberos
Requirement:
• Applications need to run on an IIS
or
• authentication needs to be done on an intermediate IIS (using the IIS Proxy module from SAP), available for SAP WebAS Java 6.40
Coming soon:
SAP Consulting solution for Kerberos Authentication directly on WebAS 6.40 Java; please contact your local SAP consulting organization
Header Based Authentication Best Practices
• Block the risk of user impersonation!
  Be aware of header spoofing
• Safeguard the J2EE engine HTTP(S) ports from direct access by users
  Prevent any opportunity to bypass the proxy for J2EE engine access
• Configure SSL with mutual authentication between the web server and the J2EE engine
  See the documentation on 'Using SSL with an Intermediary Server'
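An added example, not code from the slides or from SAP's IIS proxy module or J2EE engine, of the checks these best practices call for, in Python: the intermediate discards any client-supplied identity header before setting HTTP-USER (the header from the previous slide) from the user it authenticated itself, and the application honours that header only on a request that arrived over the mutually authenticated connection from a known intermediate. The proxy certificate subject and the dict-based request representation are assumptions.

```python
# Header name used on the "Adding the User Name Header" slide
IDENTITY_HEADER = "HTTP-USER"

# Constructed: certificate subject the intermediate presents on the mutually
# authenticated SSL connection to the J2EE engine (an assumed value).
TRUSTED_PROXY_SUBJECTS = {"CN=web-proxy.sso.company.com, O=Company"}


def _is_identity_header(name):
    # Many servers expose "HTTP_USER" and "HTTP-USER" as the same CGI variable,
    # so both spellings have to be treated as the identity header.
    return name.upper().replace("_", "-") == IDENTITY_HEADER


def forward_from_intermediate(client_headers, authenticated_user):
    """Headers the intermediate forwards after authenticating the client.

    Any identity header supplied by the client is dropped (header spoofing);
    the user the intermediate authenticated itself is set instead, and an
    anonymous request is forwarded without any identity header at all.
    """
    forwarded = {k: v for k, v in client_headers.items() if not _is_identity_header(k)}
    if authenticated_user:
        forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


def identity_from_request(headers, peer_cert_subject, via_proxy_port=True):
    """User the application may trust from the request, or None.

    The header counts only if the request came in on the port reserved for the
    proxy and over SSL with a client certificate of a known intermediate; a
    request that hit the engine's own HTTP(S) port, or came from any other
    peer, is unauthenticated no matter what HTTP-USER says.
    """
    if not via_proxy_port or peer_cert_subject not in TRUSTED_PROXY_SUBJECTS:
        return None
    # Two spellings carrying different values is a sign of tampering: reject.
    values = {v for n, v in headers.items() if _is_identity_header(n) and v}
    return values.pop() if len(values) == 1 else None


if __name__ == "__main__":
    # Constructed request carrying a client-supplied HTTP_USER that must be ignored
    spoofed = {"Host": "portal.sso.company.com", "http_user": "ADMIN"}
    forwarded = forward_from_intermediate(spoofed, "alice")
    proxy = "CN=web-proxy.sso.company.com, O=Company"
    print(forwarded)                                          # HTTP-USER: alice
    print(identity_from_request(forwarded, proxy))            # alice
    print(identity_from_request(spoofed, "CN=some-client"))   # None
    print(identity_from_request(forwarded, proxy, via_proxy_port=False))  # None
```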
Security Assertion Markup Language (SAML)
SAML is a protocol for encoding security-related information (assertions) into XML and exchanging this information in a request/response fashion
SAML does not authenticate users – comparable to the SAP Logon Ticket
SAML relies on standard security protocols like SSL and TLS for message exchange and uses XML signatures
SAML authorities produce "assertions" in response to client requests. An assertion can be either an authentication or an authorization assertion:
• Authentication assertion: a piece of data that represents an act of authentication performed on a subject (user) by the authority
• Authorization assertion: a piece of data that represents authorization permissions for a subject (user) on a resource
SAML can be used for authentication and authorization requests and assertions
SAML is an emerging OASIS standard
SAML – SSO Process
(Diagram: the user authenticates once at the Authentication Authority (source web site) and then accesses the destination site, e.g. ERP, ESS or Groupware; the steps are:)
1. Call transfer URL
2. Redirect URL + artifact
3. Access
4. Pull assertion
5. Assertion
6. Resource
Support of SAML in the SAP WebAS 640 Java
Only a SAML client for authentication at the destination site is available
Support is limited:
• Only the browser artifact scenario is supported
• Digital signatures for SOAP documents are ignored
• No support for additional "Condition" elements
• The received assertion may only contain one authentication statement
• The authentication statement must contain the NameIdentifier
• AuthorizationDecisionStatement and AttributeStatement are ignored
Nevertheless, SAML is strategic within SAP.
In the future there will be further support for SAML.
Pluggable Authentication Service (PAS)
Requires the external (standalone) version of the Internet Transaction Server (ITS)
Provides the following authentication variants:
• Windows NT LAN Manager protocol (NTLM)
• Verifying user ID and password on the Windows domain controller
• SSL and X.509 client certificates
• Arbitrary mechanism on the Web server or an intermediate that sets an HTTP header variable
• LDAP bind
• Arbitrary mechanisms provided by a partner product like
  Radius
  RSA SecurID
  Netegrity SiteMinder
  ...
Pluggable Authentication Service: WGate
• Windows NT LAN Manager (NTLM)
• SSL and X.509 client certificates
• Arbitrary mechanism on the Web server that sets an HTTP header variable
(Diagram: Alice authenticates at the Web server / WGate by the external mechanism; the external user ID is passed to the AGate, where sapextauth maps it via the User External ID Mapping Table (USREXTID) to the SAP system user ID used for the SAP system.)
Pluggable Authentication Service: AGate
• Verifying user ID and password on the Windows domain controller
• LDAP bind
• Arbitrary mechanisms provided by a partner
(Diagram: Alice's user ID and password pass through the Web server / WGate to the AGate, where sapextauth authenticates her by the external mechanism and maps the external user ID via the User External ID Mapping Table (USREXTID) to the SAP system user ID.)
Pluggable Authentication - JAAS
Interface defined by the Java Authentication and Authorization Service (JAAS) standard
As of JDK 1.4 an integral part of J2SE
Access control based on user credentials
User-centric approach with two components:
• Authentication (-> login modules)
• Authorization
http://java.sun.com/products/jaas
JAAS Authentication
(Diagram: browser window, J2EE engine and an optional external security product.)
JAAS uses login modules for authentication
• Login modules get user information via callbacks
• SAP proprietary handlers can be used to gather additional information:
  HttpGetterCallback – used to obtain information from the request (header/cookies)
  HttpSetterCallback – used to attach information to the response
• The standard information available is only user/passphrase; all other information requires a callback
Agenda
Authentication and Identities
Authentication with SAP
• In a Web-based scenario
• At the SAP GUI for Windows
Summary
Single Sign-On for SAP GUI for Windows
(Diagram: SAP GUI for Windows and the SAP system each use an external security product.)
Use SNC and an external security product
• Authentication takes place outside of the SAP system
Use an SAP-certified SNC product
Also available:
• Windows NTLM (gssntlm.dll)
• Windows 2000 Kerberos (gsskrb5.dll)
Two Worlds: SAP GUI for Windows and Web
Traditional – SAP GUI for Windows
Secure Network Communications (SNC)
• SNC partner product
• SNC: Microsoft NTLM or Kerberos
• SAP Shortcut Method (SAP Logon Ticket)
Web – SAP GUI for HTML
• X.509 client certificate
• SAP Logon Ticket
• Pluggable Authentication Service (PAS): use external authentication mechanisms
SSO From Web to Traditional - ITS
• Using logon tickets, ITS, and SAP Shortcuts
• The logon ticket is passed to the SAP Shortcut using the ITS service wngui
(Diagram: Alice in SAP GUI for HTML calls https://host1.mycompany.com/scripts/wgate/wngui/!?~transaction=SU01 through the Web server / WGate and the AGate (sapextauth); an SAP Shortcut is started and SAP GUI for Windows logs Alice on to R/3.)
Only supported on external ITS up to release 6.10!
SSO From Web to Traditional – Enterprise Portal
• Using logon tickets, Enterprise Portal and SAP Shortcuts
• The logon ticket is passed to the SAP Shortcut using a portal iView
(Diagram: Alice's browser window calls the EP at https://host1.mycompany.com/irj/...; an SAP Shortcut is started and SAP GUI for Windows logs Alice on to R/3.)
Prerequisites
1) Users have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.
2) The user has an account in the active user store on the SAP J2EE Engine.
3) The end users' Web browsers accept cookies. In Internet Explorer 5.0, accept session cookies for the local intranet zone.
4) Any Web servers or SAP Web AS servers (including the SAP J2EE Engine) that are to accept the logon ticket as the authentication mechanism are located in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
5) The clocks of the accepting systems are synchronized with the ticket-issuing system. If you do not synchronize the clocks, the accepting system may receive a logon ticket that is not yet valid, which causes an error.
6) The issuing server must possess a public and private key pair and a public-key certificate so that it can digitally sign the logon ticket.
7) Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.
8) The UMEs of the Portal and Web Dynpro systems are set up to authenticate users against the ABAP system.
SSO EP to ABAP Process Overview
1. Import the Portal public key into WebAS ABAP
2. Configure trust from ABAP to EP
3. Set the profile parameters of the ABAP system to accept logon tickets
4. Restart the SAP WebAS ABAP system
5. Create and configure an iView for the target system
System Preparation
1. Export the Portal public key using the Keystore
• Go to the Keystore view in the Visual Administrator
• Select TicketKeystore
• Choose Download verify.der
2. Import the public key into WebAS ABAP
• Start STRUSTSSO2
• Click on Import Certificate
• Specify the location of the file verify.der
• Set the file format to DER coded and confirm
• In the Trust Manager, choose Add to PSE
• Save the new certificate list
iView Creation
1. Create an iView using the 'SAP Transaction iView' template.
• In the Portal choose Content Administration -> Portal Content.
• In the Content Catalog on the left, right-click the folder in which you wish to create the iView and choose 'New -> iView'.
• In the iView wizard, choose 'SAP Transaction iView', then 'Next'.
• Enter the iView name etc., then choose Next.
• Choose 'SAP GUI for Windows', then Next.
• In the 'System' field, choose the system alias for the system object you created, enter a transaction code, then choose Next.
• Choose Finish.
2. Integrate the iView in a role and assign the role to your user.
Agenda
Authentication and Identities
Authentication with SAP
• In a Web-based scenario
• At the SAP GUI for Windows
Summary
Communication in Integration Scenarios
(Diagram of integration scenarios: the credentials shown towards the SAP Enterprise Portal are User ID / Password, Kerberos, NTLM and Web access management products; those shown between the SAP Enterprise Portal and the applications are SAP Logon Ticket, X.509 Certificate, SAML Artifact and WAM Token via a plug-in / agent.)
© SAP AG 2005, <strong>Authentication</strong> <strong>and</strong> <strong>Single</strong> <strong>Sign</strong> On / Patrick Hildenbr<strong>and</strong> / 44
Single Sign-On Possibilities<br />
Authentication Type | SSO to non-SAP Applications | SSO to SAP Applications<br />
User ID / Password | EP User Mapping | EP User Mapping<br />
X.509 Digital Certificates | Direct client connection | Direct client connection; Certificate sent by EP Server<br />
SAP Logon Tickets | SAP Web Server Filter; SAP Ticket Verification Library | SAP Application configuration<br />
Integrated Windows Authentication | NTLM/Kerberos via direct client connection to IIS applications | NTLM/Kerberos via IIS (plus IISProxy) to WebAS Java 6.40 or SAP EP 6.0<br />
EAM-Authentication | Using EAM SSO Agent Software | Using WAM SSO Agent plus HTTP Header Authentication to WebAS Java 6.40 or SAP EP 6.0<br />
SAML | Application specific | WebAS Java 6.40<br />
Other | Application specific | JAAS (Custom Authentication Modules)<br />
Selecting SSO Possibilities for Applications …<br />
[Decision flow]<br />
PKI / X.509 certificates available? -> Use PKI<br />
Otherwise, Integrated Windows Authentication available? -> Use Integrated Windows authentication<br />
Otherwise, EAM in use? -> Use EAM Integration<br />
Otherwise, SAP Logon tickets possible? -> Use SAP Logon tickets<br />
Otherwise -> Use SAP EP User Mapping<br />
Further Information<br />
Public Web:<br />
www.sap.com<br />
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Security)<br />
Related SAP Education Training Opportunities<br />
http://www.sap.com/education/<br />
ADM960 Security in SAP System Environment<br />
Related Workshops/Lectures at SAP TechEd 2004<br />
SCUR352 Leveraging External Authentication Based on Industry Standards<br />
SCUR201 SAP Infrastructure Security<br />
SCUR102 User Management and Authorizations: Overview<br />
SCUR351 User Management and Authorizations: The Details<br />
Copyright 2005 SAP AG. All Rights Reserved<br />
• No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information<br />
contained herein may be changed without prior notice.<br />
• Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.<br />
• Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.<br />
• IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,<br />
Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other<br />
countries.<br />
• Oracle is a registered trademark of Oracle Corporation.<br />
• UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.<br />
• Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.<br />
• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.<br />
• Java is a registered trademark of Sun Microsystems, Inc.<br />
• JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.<br />
• MaxDB is a trademark of MySQL AB, Sweden.<br />
• SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are<br />
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned<br />
are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may<br />
vary.<br />
• The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose<br />
without the express prior written permission of SAP AG.<br />
• This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended<br />
strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product<br />
strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.<br />
• SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics,<br />
links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited<br />
to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.<br />
• SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of<br />
these materials. This limitation shall not apply in cases of intent or gross negligence.<br />
• The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of<br />
hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web<br />
pages.<br />