SAP TechEd ‘03 Basel
© 2003 SAP AG SCUR251, Cristina Buchholz; Patrick Hildenbrand 1
Eliminating Authentication Pop-Ups in SAP Landscapes
Cristina Buchholz, Patrick Hildenbrand
Product Security, SAP
SAP AG 2003, TechED EMEA, SCUR251, Cristina Buchholz; Patrick Hildenbrand/ 2
Learning Objectives
As a result of this workshop, you will be able to:
Understand authentication and single sign-on options with or without the Enterprise Portal
Understand authentication delegation via the Pluggable Authentication Service
Agenda
Introduction
Why use single sign-on?
Single sign-on with SAP
  Without Enterprise Portal
  With Enterprise Portal
Outlook
Summary
SAP NetWeaver: Introduction
Integration Broker
Business Process Management
Portal
Collaboration
Multi-channel Access
Enable the Enterprise Services Architecture
Business Intelligence
Knowledge Management
Master Data Management
SAP NetWeaver is the application and integration platform to unify and align people, information and processes across technologies and organizations.
SAP NetWeaver™ (architecture diagram)
People Integration: Portal, Collaboration, Multi-Channel Access
Information Integration: Business Intelligence, Knowledge Management, Master Data Management
Process Integration: Integration Broker, Business Process Management
Application Platform: J2EE, ABAP; DB and OS Abstraction
Composite Application Framework; Life Cycle Management
Interoperates with .NET and WebSphere, ...
Single Sign-On (landscape diagram)
Inside the enterprise boundary: mySAP components (R/3 3.1H, R/3 4.6: FI, LO, HR, CRM, KW, BBP, SEM, APO, BW, CFM), R/2, non-mySAP.com 3rd-party systems
Outside the enterprise boundary: market-place, partners, mySAP Internet services, various Internet services, different ERP systems
Connected using open Internet standards; single sign-on across both sides
Why Use Single Sign-On?
Complex system landscapes with many user IDs and different passwords -> separate procedures in each system to roll out, reset and change new or existing passwords
⇒ High administration cost and effort
⇒ Users find continuous password changing for many systems annoying
⇒ Users write passwords down and store them where they can easily be found -> security risk
Solution: Single Sign-On
Users only have to remember one password to gain access to every system
Administration costs and effort are drastically reduced
Single Sign-On Mechanisms Available for SAP Systems
What authentication mechanisms are possible for single sign-on?
SNC
SSL and X.509 client certificates
SAP Logon Tickets
Pluggable Authentication Services
Single Sign-On Variants Depending on GUI
SAP GUI for Windows:
  SNC with partner product: additional costs
  SNC with Microsoft NTLM or Kerberos: no additional costs; Microsoft-only environment
  Logon tickets in SAP Shortcuts: SAP proprietary; initial access via ITS
SAP GUI for HTML:
  X.509 client certificates: based on standards; available in Internet scenarios; configuration of SSL necessary
  Logon tickets: SAP proprietary; no additional costs
  PAS (+ partner): when using a partner product, additional costs
Two Worlds: SAP GUI for Windows and Web
Traditional (SAP GUI for Windows): Secure Network Communications (SNC)
Web (SAP GUI for HTML): X.509 client certificate; logon ticket; Pluggable Authentication Service (PAS), which uses external authentication mechanisms
Single Sign-On for SAP GUI for Windows
Use SNC and an external security product; authentication takes place outside of the SAP system
Use an SAP-certified SNC product
Also available: Windows NTLM (gssntlm.dll), Windows 2000 Kerberos (gsskrb5.dll)
(Diagram: SAP GUI for Windows and the SAP system each use the external security product)
SAP Logon Tickets: SSO Process (diagram)
Initial logon at the SAP system in the intranet; the SAP Logon Ticket is then reused toward external systems and any other Web page, in the intranet or the Internet
Verifying the SAP Logon Ticket: SAP Systems
Component system:
Step 1: Verification of the digital signature provided with the SAP Logon Ticket, using the issuing SAP server’s public-key certificate.
Step 2: Logon using the user ID which is stored in the SAP Logon Ticket. No additional authentication using password or certificate necessary.
SAP Logon Ticket
Initial authentication (user ID / password) on the ticket-issuing system
System issues the user a logon ticket
Digitally signed by the ticket-issuing server; provides integrity and authenticity protection
Accepting systems check the logon ticket for validity
Issuing Logon Tickets
Set up one system as ticket issuer
System must be >= Release 4.6D
System must possess a public and private key pair, stored in the system PSE
Verifying Logon Tickets
Step 1: Verify the digital signature (using the system PSE)
Step 2: Check the access control list (SSO Access Control List: ticket-issuing server <SID> <client>)
Step 3: Log the user on to the system
Configuring the Use of Logon Tickets
Step 1: Configure the ticket-issuing system: application server
Step 2: Configure the ticket-issuing system: ITS
Step 3: Configure accepting system: application server
Step 4: Configure accepting system: ITS
Step 5: Test the connection
Step 1: Configure the Ticket-Issuing System
Application server: profile
Set profile parameters, then restart the application server
Profile excerpt:
...
# SAP logon ticket parameters
login/create_sso2_ticket = 1
login/accept_sso2_ticket = 1
login/ticket_expiration_time = 60
...
Step 2: Configure the Ticket-Issuing System
ITS
Global service file parameters (global.srvc):
...
~login
~password
~cookies 1
...
Individual service file parameters (systeminfo.srvc):
...
~mysapcomgetsso2cookie 1
~mysapcomusesso2cookie 1
~mysapcomnosso1cookie 1
~mysapcomnoits 1
...
Step 3: Configure the Accepting Systems
Application server (also applies to the ticket-issuing system):
Profile parameter login/accept_sso2_ticket: activate!
Access Control List TWPSSO2ACL: contains an entry for the ticket-issuing system
Certificate List: contains the ticket-issuing system‘s public-key certificate (if login/create_sso2_ticket = 2 on the ticket-issuing system)
Maintenance transaction: SSO2
Step 4: Configure the Accepting Systems
ITS service file parameters:
~login
~password
~mysapcomusesso2cookie 1
...
Step 5: Test the Configuration
Set Web browser to prompt for cookies
Access ticket-issuing application server using service (for example, systeminfo)
Logon ticket is cookie named MYSAPSSO2
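The settings from Steps 1 to 4 can be sanity-checked before the cookie test. The following Python is an added example, not code from the SAP slides or from SAP: it parses a profile excerpt and ITS service-file excerpts (constructed here, modelled on the slides) and reports settings that would stop tickets from being issued or accepted, plus a stored ~login/~password, which would log every visitor on as that fixed user. The 8-hour threshold is an assumption taken from the parameter's default.

```python
import re

# Constructed excerpts modelled on the slides (not copied from a live system).
ISSUER_PROFILE = """
# SAP logon ticket parameters
login/create_sso2_ticket = 1
login/accept_sso2_ticket = 1
login/ticket_expiration_time = 60
"""

ISSUER_SERVICE = """
~login
~password
~cookies 1
~mysapcomgetsso2cookie 1
~mysapcomusesso2cookie 1
~mysapcomnosso1cookie 1
~mysapcomnoits 1
"""

# Constructed weak variant of an accepting system's service file.
WEAK_ACCEPTING_SERVICE = """
~login SERVICEUSR
~password secret
~mysapcomusesso2cookie 0
"""


def parse_profile(text):
    """Parse 'key = value' lines of an SAP instance profile ('#' starts a comment)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def parse_service_file(text):
    """Parse ITS '~parameter value' lines; a parameter without a value maps to ''."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(~\w+)\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def _stored_credentials(service, where):
    """The slides leave ~login and ~password empty so the user is prompted;
    a stored value makes the service log everyone on as that fixed user."""
    return [f"{where}: ~{name} has a stored value" for name in ("login", "password")
            if service.get("~" + name)]


def check_issuer(profile, service, max_hours=8):
    """Findings for the ticket-issuing system (Steps 1 and 2); [] means clean.
    login/ticket_expiration_time is in hours; the slide sets 60, the default is 8."""
    findings = []
    if profile.get("login/create_sso2_ticket") not in ("1", "2"):
        findings.append("issuer: login/create_sso2_ticket must be 1 or 2")
    exp = profile.get("login/ticket_expiration_time", "")
    if not exp.isdigit():
        findings.append("issuer: login/ticket_expiration_time missing or non-numeric")
    elif int(exp) > max_hours:
        findings.append(f"issuer: ticket lifetime {exp}h exceeds {max_hours}h")
    if service.get("~mysapcomgetsso2cookie") != "1":
        findings.append("issuer ITS: ~mysapcomgetsso2cookie 1 needed to set MYSAPSSO2")
    return findings + _stored_credentials(service, "issuer ITS")


def check_accepting(profile, service):
    """Findings for an accepting system (Steps 3 and 4); [] means clean."""
    findings = []
    if profile.get("login/accept_sso2_ticket") != "1":
        findings.append("accepting: login/accept_sso2_ticket must be 1")
    if service.get("~mysapcomusesso2cookie") != "1":
        findings.append("accepting ITS: ~mysapcomusesso2cookie 1 needed to send the ticket")
    return findings + _stored_credentials(service, "accepting ITS")
```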
X.509 Client Certificates
Authentication occurs using SSL with mutual authentication
User possesses a private and public key pair and a public-key certificate
Access to Web-based SAP systems, for example the SAP Web AS, or to non-SAP systems that support SSL
(Diagram: the browser connects over SSL to Web AS instances and to a non-SAP system)
Pluggable Authentication Service (PAS)
Authentication using an external authentication service:
Windows NTLM protocol
Windows user ID / password checking using the domain controller
LDAP bind
Radius / SecurID
HTTP header variables
...
After authentication the user is issued a Logon Ticket for use with SAP services
Pluggable Authentication Service: External Authentication Mechanisms
Examples:
Windows NT LAN Manager (NTLM)
Verifying user ID and password on the Windows domain controller
LDAP bind
SSL and X.509 client certificates
Arbitrary mechanism on the Web server that sets an HTTP header variable
Arbitrary mechanisms provided by a partner
Pluggable Authentication Service: AGate (diagram)
Mechanisms that authenticate at the AGate: verifying user ID and password on the Windows domain controller; LDAP bind; arbitrary mechanisms provided by a partner
Flow: Alice authenticates (user ID and password) against the external authentication mechanism via the Web server / WGate and the AGate service sapextauth; the user external ID mapping table (USREXTID) maps the external user ID to the SAP system user ID (Alice -> Alice)
Pluggable Authentication Service: WGate (diagram)
Mechanisms that authenticate at the Web server / WGate: Windows NT LAN Manager (NTLM); SSL and X.509 client certificates; arbitrary mechanism on the Web server that sets an HTTP header variable
Flow as before: the authenticated external user ID is passed through the WGate and the AGate (service sapextauth) and mapped in USREXTID to the SAP system user ID (Alice -> Alice)
Pluggable Authentication Service: SNC
SNC is required between the AGate and the ticket-issuing application server
SNC is recommended between the AGate and the accepting systems
If the authentication mechanism runs on the Web server, SNC is also recommended between the AGate and the WGate
(Diagram: the same PAS flow, with SNC on the AGate connections)
Pluggable Authentication Service: Process
(Diagram: Web server / WGate, AGate service sapextauth with the USREXTID mapping table, SNC toward the SAP system)
1. The user enters the URL for the PAS service: https://host1.mycompany.com/scripts/wgate/<service>/!
2. The user provides authentication information (user ID and password).
3. The external authentication mechanism verifies the user’s information.
4. The ticket-issuing system maps the external user ID to the SAP user ID.
5. The user is issued a logon ticket.
6. The AGate redirects the user to the initially desired service (myservice): https://host1.mycompany.com/scripts/wgate/myservice/!
Configuring Pluggable Authentication Services
Step 1: Install PAS module
Step 2: Set service file parameters
Step 3: Maintain user mapping
Step 1: Install PAS Module
PAS package ntauth.sar: attached to SAP Note 493107; contains sample service files and template files; install in the \services and \templates directories
AGate directory layout:
D:\Program Files\SAPITS\2.0\<SID>\AGate\services\sapntauth.srvc
D:\Program Files\SAPITS\2.0\<SID>\AGate\templates\sapntauth\99\: login.html, extautherror.html, redirect.html
Copy and rename if necessary (for example, sapntpasswd, sapldap, saphttp, etc.)
Step 2: Set the Service File Parameters
~xgateway sapextauth
~extauthtype NTLM
~extid_type NT
~mysapcomgetsso2cookie 1
~dont_recreate_ticket 1
~redirectHost host1
~redirectPath /scripts/wgate/webgui/!
~redirectQS ~client=000&~language=en
~redirectHttps 1
~login_to_upcase 1
Step 3: Maintain the User Mapping
The user’s external ID must correspond to an SAP system user ID; maintain in table USREXTID (report RSUSREXTID)
Example entry:
Type (= ITS parameter ~extid_type): NT
External ID (user’s external ID): MYDOMAIN/ALICE
Seq. No.: 000
User (user’s SAP system ID): ALICE
Activ.: flag set
Min. date: 01/01/2002
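Steps 2 and 3 above, together with steps 4 to 6 of the PAS process, amount to a lookup policy plus a redirect. The following Python is an added example, not SAP's code: it models USREXTID rows with the slide's columns (constructed rows, the first being the slide's ALICE entry), applies ~extid_type and ~login_to_upcase from the Step 2 service file, and builds the post-logon redirect URL from the ~redirect* parameters. USREXTID semantics beyond the columns shown (for instance how several sequence numbers interact) are not claimed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ExtIdRow:
    """One USREXTID entry, using the columns shown on the slide."""
    ext_type: str      # matches ITS parameter ~extid_type, e.g. "NT"
    external_id: str   # the user's external ID, e.g. "MYDOMAIN/ALICE"
    seq_no: str        # sequence number, "000" on the slide
    sap_user: str      # the user's SAP system user ID
    active: bool       # "Activ." flag
    min_date: date     # earliest date from which the mapping is valid


# Constructed rows; the first one is the slide's example entry.
USREXTID = [
    ExtIdRow("NT", "MYDOMAIN/ALICE", "000", "ALICE", True, date(2002, 1, 1)),
    ExtIdRow("NT", "MYDOMAIN/BOB", "000", "BOB", False, date(2002, 1, 1)),
    ExtIdRow("NT", "MYDOMAIN/CAROL", "000", "CAROL", True, date(2099, 1, 1)),
    ExtIdRow("LDAP", "uid=alice,o=example", "000", "ALICE", True, date(2002, 1, 1)),
]

# Constructed service-file parameters, as set in Step 2 of the slides.
SERVICE_PARAMS = {
    "~extid_type": "NT",
    "~login_to_upcase": "1",
    "~redirectHost": "host1",
    "~redirectPath": "/scripts/wgate/webgui/!",
    "~redirectQS": "~client=000&~language=en",
    "~redirectHttps": "1",
}

# Constructed "today" for the demo, after the slide's minimum date.
DEMO_DATE = date(2003, 10, 1)


def map_external_id(external_id, params, today, table=USREXTID):
    """Process step 4: return the SAP user ID for an already authenticated
    external ID, or None when no usable mapping exists (no ticket is issued)."""
    lookup = external_id.upper() if params.get("~login_to_upcase") == "1" else external_id
    for row in table:
        if row.ext_type != params.get("~extid_type") or row.external_id != lookup:
            continue                # wrong mechanism type or a different ID
        if not row.active or today < row.min_date:
            return None             # mapping present but switched off or not yet valid
        return row.sap_user
    return None


def build_redirect(params):
    """Process step 6: the URL the AGate redirects to after issuing the ticket."""
    scheme = "https" if params.get("~redirectHttps") == "1" else "http"
    url = f"{scheme}://{params['~redirectHost']}{params['~redirectPath']}"
    query = params.get("~redirectQS")
    return f"{url}?{query}" if query else url


def pas_logon(external_id, params, today):
    """Steps 4 to 6 for a user the external mechanism has already verified:
    returns (sap_user, redirect_url), or None when the mapping fails."""
    sap_user = map_external_id(external_id, params, today)
    if sap_user is None:
        return None
    return sap_user, build_redirect(params)
```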
Pluggable Authentication Service: Digital Certificates (diagram)
SSL and X.509 client certificates: Alice authenticates with her certificate at the Web server / WGate; optional revocation check against a third party; the AGate service sapextauth maps the certificate’s user ID via the user external ID mapping table (USREXTID) to the SAP system user ID (Alice -> Alice)
Obtaining a Digital Certificate
Digital certificates must be X.509v3 compliant
Various options are possible:
Using the SAP Trust Center Service: for SAP users only; free of charge; the portal server acts as Registration Authority (RA)
Setting up an internal PKI system: buy software from a CA product vendor
Using an external PKI system: contract with a Trust Center Service
SAP Trust Center Service: Enrollment Process
Participants: Web browser, Portal Server, SAP Trust Center Service
1. Log on using SAP user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. The Web browser generates the key pair and sends the SAP Passport request
4. The Portal Server sends the approved certificate request to the SAP Trust Center Service
5. The SAP Trust Center Service verifies the naming conventions and issues the certificate
6. Log on using the SAP Passport
Combining the Two Worlds
(Diagram: SAP GUI for Windows and SAP GUI for HTML / Web)
SSO From Web to Traditional
Using logon tickets, ITS, and SAP Shortcuts: the logon ticket is passed to the SAP Shortcut using the ITS service wngui
Example URL: https://host1.mycompany.com/scripts/wgate/wngui/!?~transaction=SU01
(Diagram: Alice, logged on in SAP GUI for HTML through Web server / WGate / AGate (sapextauth), starts an SAP Shortcut that opens SAP GUI for Windows as Alice)
Logon Ticket: Non-SAP Systems
The Logon Ticket contains public information only: user ID, validity period, issuing system, digital signature
Therefore we can offer a library which can be linked to other systems. These systems can verify the user’s Logon Ticket and use the stored information for their own logon.
SSO to Non-SAP Components Using Logon Tickets (diagram)
Components: non-SAP Web-based application; Web server; ticket verification library SAPSSOEXT; security product (SAPSECULIB); public address book (if not SAPSECULIB); access control list (Workplace server <SID> <client>)
Flow (steps 1 to 5): the digitally signed mySAP.com Logon Ticket reaches the Web server; the application hands it to SAPSSOEXT; the library verifies the signature with SAPSECULIB using the Workplace server’s public-key certificate issued by the SAP CA (or the Workplace server’s public key from the address book if not issued by the SAP CA); the issuer is checked against the access control list; the mySAP.com user ID is returned and mapped to the application user ID
Legend: ticket = digitally signed mySAP.com Logon Ticket; the diagram distinguishes services/objects to be provided by the application from those provided by SAP
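The accepting-side checks this slide and the earlier "Verifying Logon Tickets" slide describe (signature, access control list, logon), as an added Python example that is not SAPSSOEXT or any SAP code: the MYSAPSSO2 format is not reproduced, a ticket is a dict of the public fields the deck lists (user ID, validity period, issuing system, signature), and a labelled stand-in hash replaces the PSE/SAPSECULIB signature verification, which a real integration would supply through the same callback.

```python
import hashlib
from datetime import datetime, timedelta


class TicketRejected(Exception):
    """Raised with the reason an accepting system refuses a logon ticket."""


# Constructed access control list in the shape of TWPSSO2ACL: (SID, client)
# of the ticket-issuing (Workplace) servers this system trusts.
SSO_ACL = {("WPL", "000")}

# Constructed stand-in for the issuing server's public-key certificate.
ISSUER_CERT = b"CN=WPL ticket issuer (constructed stand-in, not a certificate)"


def _canonical(ticket):
    """Fixed field order so the signature covers every public field."""
    return "|".join([ticket["user"], ticket["sid"], ticket["client"],
                     ticket["issued"].isoformat(), str(ticket["valid_hours"])])


def stand_in_sign(ticket):
    """Stand-in for the issuer's digital signature: a plain hash over the
    stand-in certificate and the fields, for the demo only. A real ticket is
    signed with the issuer's private key held in its PSE."""
    return hashlib.sha256(ISSUER_CERT + _canonical(ticket).encode()).hexdigest()


def stand_in_verify(ticket, signature):
    """Stand-in for verifying the signature against the issuer's certificate."""
    return stand_in_sign(ticket) == signature


def accept_ticket(ticket, signature, now, verify=stand_in_verify, acl=SSO_ACL):
    """Return the user ID to log on if the ticket passes every check, else raise.
    The signature is verified first so that no field is trusted before then."""
    if not verify(ticket, signature):
        raise TicketRejected("step 1: signature does not verify")
    if (ticket["sid"], ticket["client"]) not in acl:
        raise TicketRejected(f"step 2: issuer {ticket['sid']}/{ticket['client']} not in SSO ACL")
    expires = ticket["issued"] + timedelta(hours=ticket["valid_hours"])
    if not ticket["issued"] <= now < expires:
        raise TicketRejected("ticket outside its validity period")
    return ticket["user"]                       # step 3: log the user on


def demo():
    """Cases an accepting system must get right: a valid ticket, a ticket whose
    payload was changed after signing, an issuer missing from the ACL, and an
    expired ticket. Returns {case: user ID or rejection reason}."""
    issued = datetime(2003, 10, 1, 9, 0)
    good = {"user": "ALICE", "sid": "WPL", "client": "000",
            "issued": issued, "valid_hours": 8}
    sig = stand_in_sign(good)
    other_issuer = dict(good, sid="XYZ")
    cases = {
        "valid": (good, sig, issued + timedelta(hours=1)),
        "altered": (dict(good, user="ADMIN"), sig, issued + timedelta(hours=1)),
        "untrusted": (other_issuer, stand_in_sign(other_issuer), issued + timedelta(hours=1)),
        "expired": (good, sig, issued + timedelta(hours=9)),
    }
    results = {}
    for name, (ticket, signature, now) in cases.items():
        try:
            results[name] = accept_ticket(ticket, signature, now)
        except TicketRejected as err:
            results[name] = str(err)
    return results
```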
Authentication: Initial Logon Procedure
Verification of the user’s identity
Initial logon procedure to authenticate the user
Various authentication methods: user ID / password; X.509 digital certificates; third-party authentication (Windows authentication; Web Access Management (WAM) products; others through the JAAS interface, i.e. pluggable JAAS login modules)
Anonymous user concept
Authentication Process (diagram, Enterprise Portal)
Alternative 1: user ID / password over SSL to the Portal Server; user ID / password verification and user ID mapping against the user persistence store and the portal database; the Portal Server issues an SAP Logon Ticket
Alternative 2: X.509 certificate over SSL to the Portal Server; certificate comparison and user ID mapping against the user persistence store and the portal database; the Portal Server issues an SAP Logon Ticket
SSO to Non-SAP Components Using SAP Logon Tickets
Two alternatives:
Web server filter: (1) the SAP Logon Ticket reaches the Web server; (2) the filter verifies it using the Portal Server’s public-key certificate and passes the application user ID to the non-SAP component system in an HTTP header field
Application Programming Interface (API): (1) the SAP Logon Ticket reaches the non-SAP component system; (2) the ticket verification library (DLL) verifies it using the Portal Server’s public-key certificate; (3) the application user ID is returned to the application
SSO: Account Aggregation
If the external system does not support SAP logon tickets:
Portal components connect to the external system with the user’s credentials (user ID and password)
User mapping and credentials are stored in the Portal Database
Administrator maps user using administration iView
User maps own credentials using portal personalization function
Example mapping table:
Portal User          SAP User   Siebel User ID / Password
Michael_Schumacher   d040011    903845233, {yu323ab}
Anna_Kournikova      i052340    230982029, {34u0nap}
Tiger_Woods          i043536    324098211, {wq9itxm1}
Cathy Freeman        i048347    202377724, {12onxc85}
Outlook
JAAS logon modules
SAML tickets
Authentication Mechanisms (summary diagram)
SAP Enterprise Portal: user ID / password; X.509 certificates; logon tickets; JAAS login module; HTTP header variables
External authentication via pluggable authentication adapter and Web access management products: NTLM, LDAP bind, Radius, ...
Applications
Summary
You have learned to understand authentication and single sign-on options for SAP solutions with and without the Enterprise Portal
Further Information
Public Web: www.sap.com/netweaver -> Key Capabilities -> Security
SAP Customer Services Network: www.sap.com/services/
Related SAP Education Training Opportunities: http://www.sap.com/usa/education/ (ADM960 Security in SAP System Environment)
Consulting Contact: Frank Rambo, NetWeaver Security Consulting ([email protected])
Q&A
Questions?
Please complete your session evaluation and drop it in the box on your way out.
Feedback
Thank You !
The SAP TechEd ’03 Basel Team
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Copyright 2003 SAP AG. All Rights Reserved