Next Generation SSO for SAP Applications
with SAML 2.0
SAP TG Solution Management Security
April 2010
Disclaimer
This presentation outlines our general product direction and should not be relied on in
making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy and
possible future developments are subject to change and may be changed by SAP at
any time for any reason without notice. This document is provided without a warranty
of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.
© SAP AG 2009. All rights reserved. / Page 3
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Standard
Key Differentiators of User Authentication and
Single Sign-On Technologies
Direct User Involvement
Must the user interactively prove their identity with
something they know, have or are? Must an
application act on behalf of the user?
User Agent
Which type of user agent (e.g. Web Browser, Web
Service Consumer, Mobile Clients, NW BC,
SAPGUI) is supported by the SSO technology?
Cross-Platform
Platform support by the SSO technology? Is it a
widely adopted standard in the industry or a
vendor-specific technology?
Cross-Domain
Use of SSO technology within a security domain
(i.e. the corporate Intranet) or across different
domains (e.g. in a B2B scenario)?
[Figure: SSO within one security domain versus SSO across Domain A and Domain B, and SSO on Platform A versus Platform B]
SSO as Means to an End for Security
Administration …
Centralizing User Access Management
Single point of access administration via SSO token issuers
Assign user rights in various applications with one keystroke based on the
propagation of user identity information between trusted systems
Use system trust configuration to designate and enforce the use of application
servers as trusted gateways into trusted system networks
Central User Identity Management
Consolidate user information in shared user stores
Avoid redundant user information
Ease identity de-provisioning: lock or delete users centrally
User Identity Federation Defined – SSO Across
Business and Application Boundaries
Identity Federation Models Outside of
Software Applications
Governments as Identity Provider
Governments are an “Identity Provider” because they issue a Passport as proof of
identification
Every country vouches for its citizens
Governments as Service Provider
When a US citizen travels to Germany, Germany verifies the identity of the US
citizen by checking their passport
Germany trusts the Identity Provider (USA) to "vouch" for all its citizens. It still makes its
own access control decision (to let the person in or not) based on the identity data
(including attributes) that is being asserted
[Figure: USA Government (Identity Provider) -> German Government (Service Provider)]
Web User SSO to SAP Interactive Applications Today
[Figure: the Web user's browser performs the initial logon at the Portal or SAP NetWeaver application server (initial user authentication, trusted SSO ticket issuer); the SSO ticket is sent to the user's browser and then presented to the other SAP applications in the Intranet (ERP, CRM, BI, Groupware, other)]
SAP applications:
Pre-configured as SSO ticket acceptors
Synchronization of user information in local identity management required
SSO capabilities technically limited to DNS domain borders, since the logon ticket travels as a browser cookie
Web User Authentication and SSO to User Interactive SAP Applications
[Figure: Web browser -> SAP NetWeaver applications]
Anonymous access: Named anonymous users with SAP NetWeaver Portal
Interactive user authentication: SAP user ID / password
PKI-based authentication: X.509 client certificates
– Rule based client authentication (1)
– Certificate filtering (1)
– Automated certificate mapping (1)
– CRL support (1)
External authentication: SPNego (1)
– User authentication against a Kerberos infrastructure
External authentication: Header variables (1)
SSO via trusted application system: SSO Logon tickets
– Principal solution for SSO in SAP landscapes
SSO via trusted application system: SAML 1.1 Browser Artifact (1)
– Interoperable SSO from trusted non-SAP token issuers
Identity Federation, interoperable SSO and Single Log-out: SAML 2 (2)
– Identity Provider (IDP) for centralized user authentication and SAML 2 SSO token issuing authority
– Service Provider (SP) for accepting SAML 2 SSO tokens to grant user access to Web enabled content
Custom authentication: JAAS Login Module (1)
– Standardized extensions to out-of-the-box authentication mechanisms
(1) Requires Portal or AS Java
(2) SAP SAML 2 IDP planned to be licensed with SAP NetWeaver Identity Management 7.1 and requires SAP NetWeaver 7.2 Java and higher AS platform. SAP SAML 2 SP capability planned for release with SAP Business Suite 7.02e, SAP NetWeaver CE 7.2 and AS Java 7.2 Web applications
SAP GUI User SSO to SAP Interactive
Applications
Uses SNC components and external security product – both specific to
SAP GUI as user access channel
SAP makes available:
NTLM SSO library for Windows OS environments (gssntlm.dll)
Kerberos SSO library for Windows 2000 OS environments (gsskrb5.dll)
SAP certification available for partner SNC products
[Figure: SAP GUI for Windows -> External SNC security product -> SAP application server with External SNC security product]
More Information:
SNC User Guide in SAP Help Portal (http://help.sap.com)
AS ABAP Installation and Configuration Guide in SAP Service Marketplace (http://service.sap.com)
SSO Options for System-Centric Service Applications Today
[Figure: User Client -> Service Consumer (authenticates the user, issues an SSO token on their behalf; functionality integration) -> Service Provider (evaluates the credentials from the Service Consumer; content display)]
Service and protocol specific service enabling components:
– Share some trust and identity management infrastructure with the Web and GUI user access channels
– Run over various low level communication protocols
– Except for Web services, the low level service protocols offer limited interoperability and limited scalability of the security configuration
Options for Service Authentication and SSO in SAP's Service-Centric Applications
Authentication and SSO information exchanged via:
SOAP Protocol: for secure interoperability and authentication/SSO in cross-vendor Web service-based enterprise applications
Transport Protocol: for performance, backward compatibility and security in SAP centric service-enabled enterprise applications
[Figure: Service Consumer Application (e.g. Portal, CE, PI, BPM, Business Suite, non-SAP) -> Service Provider]
WSS Username Token Profile *: User ID and Password; authenticates the service user
WSS X.509 Certificate Token Profile *: X.509 client certificate; securely authenticates the consumer application
WSS SAML Token Profiles 1.0 *: SSO tickets; propagate the authenticated user identity
SAP's Next Generation Support for Web User SSO and Identity Federation
[Figure: SAP NetWeaver Identity Management with SAML 2 Identity Provider (IDP) and Security Token Service (STS)* in a trust relationship with SAP Applications and 3rd Party Applications as Application Service Providers (SPs); SSO Federation and SOA SSO Federation]
Standardized SAML 2 SSO and Single Log-out
Shared infrastructure in user interactive and service applications on the Web:
– Identity management
– Trust management
Efficient user productivity enablement of secure cross-business scenarios
* SAML 2 IDP planned for release with a SAP NetWeaver IDM 7.1 license, STS support planned for later SAP NetWeaver IDM releases
Section 2: SAML 2.0 for SAP: SSO and Identity Federation Agreements
SAML 2 in a B2B Application Scenario
HRA must do:
– Manage employees' full range of user identity information in compliance with data privacy legislation
– Enable access to partner applications in compliance with the partner's access and security policy
ITeIO must do:
– Define access policy requirements
– Maintain application authorizations for segregation of duty and least privilege
– Offer self-service options to HRA partner employees, using ITeIO services (shuttles, lunch, etc.)
– Enable user access and productivity at
SSO Agreement Under Aligned User Logon Identifiers with SAML 2
HRA as IDP: identifier source is the Logon Id, Logon Alias or a Profile attribute
ITeIO as SP: identifier source is the Logon Id, Logon Alias or a Profile attribute
[Figure: Adam Bufford carries the same logon identifier at HRA and at ITeIO]
User identity management prerequisites:
– Logon id formats and values aligned
– User authorizations aligned
Linking User Accounts with Misaligned User Identifiers for SAML 2 SSO
HRA as IDP: logon id abufford; the user identifier is maintained in the KPN (Kerberos Principal Name), Windows name, X.509 Subject Name or a user profile attribute
ITeIO as SP: logon id adam.bufford; to enable SSO, a matching user profile attribute must be provisioned in the KPN, Windows name, X.509 Subject Name or a user profile attribute
[Figure: Adam Bufford's two accounts, abufford at HRA and adam.bufford at ITeIO, linked through the matching attribute]
User identity management prerequisites:
– Formats and values of the linking attribute aligned on both sides (the logon ids themselves may differ)
Linking Federated SSO Accounts with Persistent Federation
HRA as IDP: logon id abufford; logon id alignment bundled in the SAML 2 federated SSO
ITeIO as SP: logon id alignment bundled in the SAML 2 federated SSO
Agreement to federated SSO established at the IDP:
– with interactive user agreement
– triggered by admin with identity provisioning
Consent to federated SSO established at the SP:
– with interactive user agreement
– triggered by admin with identity provisioning
– automatic new user account creation
[Figure: Adam Bufford's accounts linked through a persistent SAML 2 name identifier]
User identity management prerequisite:
– User authorizations aligned
Structuring User Authorization Profiles Under the SAML 2 SSO Agreements, Discussed up to This Point…
Authorization element    Identity Provider count    Service Provider count
Permissions              p                          x
Actions/App Roles        r                          v
User Roles               m                          t
User Groups              l                          s
SAP User IDs             k                          k (misaligned)
1:1 record relation: SPs and IDP have to manage an overall equivalent number of federated user accounts
Federated SSO with User Attribute Information
HRA as IDP: abufford
ITeIO as SP: employee@IDP
Issued SAML 2 assertion contains only attributes describing the user
User profile for application access determined from the user attribute values in the assertion
Contractual prerequisite:
– Agree on user attributes to exchange
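The four agreements above (aligned logon ids, linking via a provisioned attribute, persistent federation with a link table and optional account creation, transient federation with a profile derived from attributes) differ only in how the SP turns a validated subject into a local principal. The following is an added example of that SP-side step, not SAP code and not part of the original deck; the user store, link table, attribute names (mail, affiliation), IdP entity ID and role bundles are constructed for it. It assumes the assertion has already been validated (issuer trust, signature, audience, validity window) before resolve() is called.

```python
"""SP-side resolution of a validated SAML 2 subject to a local account.

Added example, not SAP code. Models the four agreement types of the deck:
aligned logon ids, attribute-based linking, persistent federation and
transient federation. All data below is constructed for the example.
"""
from dataclasses import dataclass, field

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HRA_IDP = "https://idp.hra.example/saml2"   # hypothetical IdP entity ID


@dataclass
class Subject:
    """What the SP learned from an already validated assertion."""
    issuer: str
    name_id: str
    name_id_format: str
    attributes: dict = field(default_factory=dict)   # attribute name -> list of values


@dataclass
class Agreement:
    """One federation agreement between an IdP and this SP."""
    mode: str                  # "aligned" | "attribute" | "persistent" | "transient"
    idp: str
    idp_attribute: str = ""    # assertion attribute used for linking or for the profile
    sp_attribute: str = ""     # local profile field it is matched against
    auto_create: bool = False  # persistent mode: create the local account on first logon
    role_map: dict = field(default_factory=dict)  # transient mode: attribute value -> roles


def sample_users():
    """Constructed SP (ITeIO) user store: logon id -> profile. Not real data."""
    return {"adam.bufford": {"mail": "adam.bufford@hra.example", "roles": ["shuttle", "lunch"]},
            "j.doe": {"mail": "j.doe@hra.example", "roles": ["lunch"]},
            "j.doe.old": {"mail": "j.doe@hra.example", "roles": ["lunch"]}}  # duplicate mail on purpose


def resolve(subject, ag, users, links):
    """Map the subject to a local account, or transiently to a role set.

    users: logon id -> profile dict; links: (idp, persistent NameID) -> logon id.
    Raises PermissionError whenever the mapping cannot be made unambiguously.
    """
    if subject.issuer != ag.idp:
        raise PermissionError("assertion issuer is not the agreement's IdP")
    if ag.mode == "aligned":              # same logon id on both sides
        if subject.name_id not in users:
            raise PermissionError(f"no local account {subject.name_id!r}")
        return {"user": subject.name_id, "roles": users[subject.name_id]["roles"], "created": False}
    if ag.mode == "attribute":            # misaligned ids, link via a provisioned attribute
        values = subject.attributes.get(ag.idp_attribute, [])
        if len(values) != 1:
            raise PermissionError("linking attribute missing or multi-valued")
        matches = [u for u, p in users.items() if p.get(ag.sp_attribute) == values[0]]
        if len(matches) != 1:             # zero or several matches: never guess the account
            raise PermissionError(f"{len(matches)} local accounts match the linking attribute")
        return {"user": matches[0], "roles": users[matches[0]]["roles"], "created": False}
    if ag.mode == "persistent":           # opaque persistent NameID plus a link table
        if subject.name_id_format != PERSISTENT:
            raise PermissionError("persistent federation requires a persistent NameID")
        key = (ag.idp, subject.name_id)
        if key in links:
            return {"user": links[key], "roles": users[links[key]]["roles"], "created": False}
        if not ag.auto_create:
            raise PermissionError("not linked yet: needs user consent or admin provisioning")
        new_user = f"fed:{ag.idp}:{subject.name_id}"   # local id derived from the pseudonym
        users[new_user] = {"roles": []}   # authorizations still have to be provisioned separately
        links[key] = new_user
        return {"user": new_user, "roles": [], "created": True}
    if ag.mode == "transient":            # no local account; profile from agreed attributes
        roles = sorted({r for v in subject.attributes.get(ag.idp_attribute, [])
                        for r in ag.role_map.get(v, [])})
        if not roles:
            raise PermissionError("no agreed attribute value maps to an entitlement")
        return {"user": None, "roles": roles, "created": False}
    raise ValueError(f"unknown agreement mode {ag.mode!r}")
```

The attribute mode refuses both zero and multiple matches: an SP that picks the first account sharing an e-mail address lets the IdP log a user into somebody else's account. In persistent mode the link table is keyed by IdP and NameID together, so the same pseudonym from a second IdP never collides with the first.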
Structuring of User Authorization Profiles with Transient Federation Agreements
Authorization element    Identity Provider count    Service Provider count
Permissions              p                          x
Actions/App Roles        r                          v
User Roles               m                          t (User Role / Group)
User Groups              l                          t
SAP User IDs             k                          1 (User ID)
N:1 record relation: the SP manages 1 account per multiple IDP user records. Only the IDP must manage the full user
Identity Federation and B2B SSO – The Small Script
Contracts must define what can be shared in order to technically enable a federation agreement
The contract provides a skeleton of the information that can/must be shared:
– not all identity information may be shared, for business or compliance reasons
The contract may include special agreements per target application system or target application system group:
– facilitate trust established indirectly via intermediary identity provider "brokers"
For data protection and privacy reasons, users (administrative or end users) can:
– agree to share the requested data with the resource accessed via federation (SP), as released by the federation authority (IdP)
– enforce the contractual agreement by deploying integrity and confidentiality protection
Section 3: SAML 2.0: Capabilities Bundled in the Standard
SAML 2.0 – Overview
Industry standard for cross-vendor SSO and SLO with wide adoption
XML-based framework for marshaling security and identity information and exchanging it across administrative and technical domain boundaries
SAML profiles describe a variety of end use cases for the framework
SAML Core technology:
Assertions (or claims) about end user subjects
– Contain statements: authentication, attribute, authorization
– Issued by a trusted system provider: an active element of a computer/network system
– Securely identify a principal: a user whose identity can be authenticated
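What "issued by a trusted provider" and "securely identifies a principal" mean in practice is the set of checks a Service Provider runs on a received assertion before it trusts any statement in it. The following is an added example of those checks, not SAP code and not part of the original deck. It uses a constructed SAML 2.0 Response (hosts, entity IDs and values are made up) and a caller-supplied clock; the one check it deliberately leaves out is XML-signature verification, which a real SP must perform with an XML-DSig library against the IdP certificate from its metadata before using any value below.

```python
"""SP-side checks on a SAML 2.0 Response that carries a bearer assertion.

Added example for this deck, not SAP code. Assumes a constructed Response
(SAMPLE_RESPONSE), one IdP trust record (TRUST) and a caller-supplied clock.
Signature verification is left out on purpose; see the lead-in.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Trust configuration the SP holds per IdP (hypothetical entity IDs and URLs).
TRUST = {"idp_entity_id": "https://idp.hra.example/saml2",
         "sp_entity_id": "https://sp.iteio.example",
         "acs_url": "https://sp.iteio.example/saml2/acs",
         "clock_skew_s": 60}

# Constructed sample message, not a capture; it carries no Signature element.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2010-04-01T10:00:00Z" InResponseTo="_req42"
  Destination="https://sp.iteio.example/saml2/acs">
 <saml:Issuer>https://idp.hra.example/saml2</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-04-01T10:00:00Z">
  <saml:Issuer>https://idp.hra.example/saml2</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">8f3a0c1e</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2010-04-01T10:05:00Z" InResponseTo="_req42"
      Recipient="https://sp.iteio.example/saml2/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-04-01T09:59:00Z" NotOnOrAfter="2010-04-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.iteio.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-04-01T09:59:30Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="mail">
   <saml:AttributeValue>adam.bufford@hra.example</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp (xs:dateTime, trailing Z); fractional seconds are dropped."""
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, trust, now, expected_request_id, replay_cache):
    """Return subject data if every check passes; raise ValueError otherwise."""
    skew = timedelta(seconds=trust["clock_skew_s"])
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if resp.get("Destination") != trust["acs_url"]:
        raise ValueError("Destination is not this SP's ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer the outstanding AuthnRequest")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != trust["idp_entity_id"]:
        raise ValueError("assertion issuer is not a trusted IdP")
    if a.get("ID") in replay_cache:
        raise ValueError("assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + skew < _ts(cond.get("NotBefore")) \
            or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if trust["sp_entity_id"] not in [
            e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    scd = None  # the bearer confirmation must name this ACS URL and our request ID
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != trust["acs_url"] \
            or scd.get("InResponseTo") != expected_request_id \
            or now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation does not bind the assertion to this request")
    replay_cache.add(a.get("ID"))  # keep entries until NotOnOrAfter plus skew in real code
    name_id = a.find("saml:Subject/saml:NameID", NS)
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "authn_context": a.findtext(
                "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attrs}


def check_sample(now_text, request_id, replay_cache=None):
    """Run the sample through validate_response; return the result dict or the error text."""
    try:
        return validate_response(SAMPLE_RESPONSE, TRUST, _ts(now_text), request_id,
                                 set() if replay_cache is None else replay_cache)
    except ValueError as exc:
        return str(exc)
```

The returned authn_context is what the "Authentication Context" capability later in the deck is about: an SP that asked for X.509-strength authentication compares this class reference against what it accepts before granting access.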
SAML 2.0 deliverables for interactive Web user federation
Profiles: combinations of assertions, protocols and bindings to support a specific use case
Bindings: mappings of the SAML Protocol messages onto standard messaging and communication protocols
Protocols: requests and responses for obtaining assertions and managing user identifiers
Assertions: authentication, attribute and entitlement information
Authentication Context: enables Service Providers to require a type and strength of initial authentication at the IDP
Metadata: supports automated configuration data import and discovery for Identity and Service Providers
WS Security deliverables for federation with Web services
WSS SAML Token Profile: place a SAML 2.0 Assertion in a SOAP Envelope
WS Policy: declare and propagate the requirement for a SAML 2.0 Assertion in a SOAP Envelope
WS Trust: defines mechanisms to negotiate keys and issue, cancel, renew and amend security tokens
Lite Protocol Interoperability Matrix from Liberty
http://www.projectliberty.org/liberty/liberty_interoperable

Feature                                                   IDP     IDP-Lite   SP         SP-Lite
Web SSO, <AuthnRequest>, HTTP redirect                    MUST    MUST       MUST       MUST
Web SSO, <Response>, HTTP POST                            MUST    MUST       MUST       MUST
Artifact Resolution, SOAP                                 MUST    MUST       MUST       MUST
Enhanced Client/Proxy SSO, PAOS                           MUST    MUST       MUST       MUST
Name Identifier Management, HTTP redirect (IDP-initiated) MUST    MUST NOT   MUST       MUST NOT
Name Identifier Management, SOAP (IDP-initiated)          MUST    MUST NOT   OPTIONAL   MUST NOT
Name Identifier Management, HTTP redirect (SP-initiated)  MUST    MUST NOT   MUST       MUST NOT
Name Identifier Management, SOAP (SP-initiated)           MUST    MUST NOT   OPTIONAL   MUST NOT
Single Logout (IDP-initiated), HTTP redirect              MUST    MUST       MUST       MUST
Single Logout (IDP-initiated), SOAP                       MUST    OPTIONAL   MUST       OPTIONAL
Single Logout (SP-initiated), HTTP redirect               MUST    MUST       MUST       MUST
Single Logout (SP-initiated), SOAP                        MUST    OPTIONAL   MUST       OPTIONAL
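The HTTP redirect and HTTP POST rows of the matrix are the two bindings every IDP-Lite and SP-Lite implementation must support for Web SSO. The following is an added example of how an SP encodes an <AuthnRequest> for each of them and how the IDP side decodes it; it is not SAP code and not part of the original deck. It follows the SAML 2.0 Bindings rules (Redirect: raw DEFLATE, base64, URL encoding in the SAMLRequest parameter; POST: base64 in a form field), uses hypothetical entity IDs and URLs, and omits request signing (the SigAlg and Signature query parameters). The decoder caps the inflated size, which the spec does not spell out but which any IDP exposed to the Internet needs.

```python
"""HTTP Redirect and HTTP POST bindings for a SAML 2.0 AuthnRequest.

Added example, not SAP code. Entity IDs and URLs are hypothetical; request
signing is not shown. MAX_DECODED is an implementation choice, not a spec value.
"""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_DECODED = 64 * 1024   # cap on the inflated message; guards against decompression bombs


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, authn_context=None, issue_instant=None):
    """Return (request ID, AuthnRequest XML). The SP stores the ID to match InResponseTo later."""
    req_id = "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ctx = ""
    if authn_context:   # Authentication Context: demand at least this strength at the IDP
        ctx = ('<samlp:RequestedAuthnContext Comparison="minimum">'
               f'<saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>'
               '</samlp:RequestedAuthnContext>')
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{idp_sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
           '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
           f'AllowCreate="true"/>{ctx}</samlp:AuthnRequest>')
    return req_id, xml


def redirect_encode(xml, relay_state=None):
    """Query string for the HTTP Redirect binding: raw DEFLATE, base64, URL encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_decode(query):
    """IDP side: recover (XML, RelayState) from the query string under a size cap."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    data = inflater.decompress(raw, MAX_DECODED)
    if not inflater.eof:      # either truncated input or output beyond the cap
        raise ValueError("SAMLRequest truncated or larger than the permitted size")
    return data.decode("utf-8"), params.get("RelayState", [None])[0]


def post_encode(xml):
    """Form field value for the HTTP POST binding: base64 only, no compression."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def parse_authn_request(xml):
    """Fields the IDP needs before answering; it must check Destination against its own SSO URL."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {"id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "authn_context": [e.text for e in root.findall(
                "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)]}
```

An IDP that honours AssertionConsumerServiceURL from an unsigned request must still restrict it to the ACS URLs registered in the SP's metadata; otherwise the request is a free redirect of the signed Response to an attacker-chosen host.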
Further Information
Related SAP Education and Certification Opportunities
http://www.sap.com/education/
SAP Public Web:
SAP Developer Network (SDN): www.sdn.sap.com
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+,
POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2009 SAP AG
All Rights Reserved