
SAP NetWeaver Cloud Security Tutorial
Single Sign-On and Identity Federation with SAP NetWeaver Single Sign-On

TABLE OF CONTENTS

OVERVIEW ..... 3
PREREQUISITES AND REQUIREMENTS ..... 4
GETTING STARTED ..... 4
STEP 1: ESTABLISH TRUST TO SAP NETWEAVER CLOUD IN ITELO'S CORPORATE IDP ..... 6
STEP 2: CREATE TEST USERS AND GROUPS IN THE CORPORATE USER DIRECTORY ..... 9
STEP 3: ESTABLISH TRUST TO ITELO'S CORPORATE IDP IN SAP NETWEAVER CLOUD ..... 13
STEP 4: CONFIGURE IDENTITY FEDERATION IN ITELO'S CORPORATE IDP ..... 15
STEP 5: CONFIGURE IDENTITY FEDERATION IN SAP NETWEAVER CLOUD ..... 19
STEP 6: TEST THE END-TO-END SCENARIO ..... 22
TROUBLESHOOTING TIPS ..... 24
    IdP Debug Logs ..... 24
    SP Debug Logs ..... 24
    User Agent SAML Message Trace ..... 25
REFERENCES ..... 26


This tutorial is part of a series on how to set up Single Sign-On (SSO) and Identity Federation between the SAP NetWeaver Cloud platform and existing identity and access management (IAM) systems. In this document, a complete end-to-end scenario for integrating SAP NetWeaver Cloud with SAP NetWeaver Single Sign-On is implemented based on the Security Assertion Markup Language (SAML) 2.0 protocol.

OVERVIEW

Based on the enterprise scenario in the SAP NetWeaver Cloud SSO and Identity Federation whitepaper [1], the sample application for leave request management (xLeave) running on the SAP NetWeaver Cloud platform acts as the SAML Service Provider (SP) that requires user authentication before granting access to protected resources.

As specified by the SAML protocol [2], the system responsible for verifying the identity of authorized users is the Identity Provider (IdP). In this tutorial, the IdP is an existing system running on-premise in the corporate network. The IdP is connected to the corporate directory server, which manages the accounts of all users that are allowed to access the SP in the Cloud. In this role, the IdP can verify the username and password the user enters to log in to the SAP NetWeaver Cloud application against the credentials stored in the corporate directory. Upon successful login, the IdP confirms the user's identity to the trusted SP in the Cloud, and the user is logged on without being asked again for the username and password.

    Figure 1 Federation Scenario Overview

Figure 1 illustrates the setup based on the enterprise scenario in [1] of the fictitious company ITelO. In this tutorial, ITelO runs SAP NetWeaver Single Sign-On 1.0 [3]. For Identity Federation with SAML, SAP NetWeaver Single Sign-On offers a SAML 2.0 compliant Identity Provider, which uses the underlying User Management Engine (UME) as the user store. UME can be configured to either use its own persistency or connect to an LDAP directory as data source [4]. In the scenario setup, ITelO employees have an account in UME's local database, which runs on SAP Sybase Adaptive Server Enterprise, and are assigned to UME roles. Using the SAML 2.0 protocol in the scenario, ITelO employees will be able to (single) sign on to the xLeave leave request application in the SAP NetWeaver Cloud using their corporate credentials. With Kerberos/SPNEGO in place for SSO in the ITelO corporate network, the user is actually only required to enter the domain username and password once in the morning, when she logs on to ITelO's Kerberos domain. Any subsequent logons, including authentication at ADFS during a SAML-based sign-on to the SAP NetWeaver Cloud, will happen completely transparently from the user's perspective.

As SAP NetWeaver Cloud has no permanent user storage, SAP NetWeaver Single Sign-On must issue the additional user profile data required by the xLeave application in the Cloud. Along with the user name used to log in at the IdP, attributes such as the employee's first name, last name and company employee ID are also added to the authentication statement (SAML Assertion) in the SAML Response sent back to the SP running on SAP NetWeaver Cloud. This also includes the employee's internal role assignments in UME, which are required to authorize certain actions of the logged-in user in the Cloud. To avoid complex and error-prone data synchronization and double maintenance of group or role assignments in the on-premise IAM system and the xLeave application, permissions in the Cloud are calculated dynamically using the information obtained from the SAML Assertion that the IdP issues for each authenticated user. The NetWeaver Cloud account administrator can define a set of rules for mapping each authenticated user to the roles used by the applications running on SAP NetWeaver Cloud. Such a rule, translated into human-readable form, could be something like: "If a user authenticated by the trusted corporate IdP idp.itelo.corp has a SAML 2.0 assertion with the attribute role which contains the value Manager, assign this user to the group Managers on SAP NetWeaver Cloud", or "Any user authenticated by the trusted corporate IdP idp.itelo.corp will be assigned to the group iteloEmployees" (assuming that IdP idp.itelo.corp only manages accounts from company ITelO).
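The two rules quoted above, evaluated over a constructed assertion, as an added Python example; this is not the tutorial's code and not SAP NetWeaver Cloud's rule engine. The rule shapes follow the two sentences in the text; the attribute names first_name, last_name and employee_id and the assertion document itself are assumptions (the tutorial only names the role attribute). In a deployment the rule evaluation runs only after the assertion's signature has been verified against the trusted IdP's certificate; here the issuer check stands in for that.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment in the shape the corporate IdP would issue it:
# unsigned and trimmed to the issuer, subject and attribute statement. The
# attribute names other than "role" are assumptions, not values from the tutorial.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0">
  <saml:Issuer>idp.itelo.corp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employee_id"><saml:AttributeValue>E-0001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Employee</saml:AttributeValue>
      <saml:AttributeValue>Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The same assertion as an IdP with no trust relationship to the account would send it.
UNTRUSTED_ASSERTION = SAMPLE_ASSERTION.replace("idp.itelo.corp", "idp.partner.invalid")

TRUSTED_IDPS = {"idp.itelo.corp"}

# The two human-readable rules from the text, as data. A rule without an
# "attribute" key matches every user authenticated by that issuer.
RULES = [
    {"issuer": "idp.itelo.corp", "attribute": "role", "contains": "Manager", "group": "Managers"},
    {"issuer": "idp.itelo.corp", "group": "iteloEmployees"},
]


def parse_assertion(xml_text):
    """Return (issuer, NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.iter(f"{{{SAML}}}AttributeValue")]
    return issuer, name_id, attrs


def map_groups(issuer, attrs, rules=RULES, trusted_idps=TRUSTED_IDPS):
    """Apply the mapping rules; no group is ever derived from an issuer that is not trusted."""
    if issuer not in trusted_idps:
        return set()
    groups = set()
    for rule in rules:
        if rule["issuer"] != issuer:
            continue
        if "attribute" in rule and rule["contains"] not in attrs.get(rule["attribute"], []):
            continue
        groups.add(rule["group"])
    return groups


def authorize(xml_text):
    """Return (user, sorted group names) for a received assertion."""
    issuer, name_id, attrs = parse_assertion(xml_text)
    return name_id, sorted(map_groups(issuer, attrs))
```

Because the groups are recomputed from each assertion, removing the Manager value from a user's role attribute in UME takes effect at the next sign-on without any change on the Cloud side, which is the point the text makes about avoiding double maintenance.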

As described in [1], the xLeave application defines two web roles in its web.xml file, following standard Java EE conventions: Employee and Manager (see Figure 2).

Figure 2 xLeave web role definitions in web.xml

Those roles will be mapped based on a role attribute in the SAML Response, which contains the current group assignment in UME of the logged-in employee.

PREREQUISITES AND REQUIREMENTS

To deploy the xLeave application on the Cloud, you need a trial [7] or productive account on the SAP NetWeaver Cloud platform. For more information, see [8]. You can download the complete source code from [6], import it as a project in Eclipse, and deploy from there using the SAP NetWeaver Cloud Eclipse tools. For more information about installing and configuring these tools, see [9]. Alternatively, the download also contains a WAR file of the application, which can be deployed with the SAP NetWeaver Cloud Console Client neo and the deploy command, e.g.

neo deploy -s c:\xleave.war -a -h netweaver.ondemand.com -u -b xleave

In addition, an instance of the SAP SAML 2.0 Identity Provider is required, which is part of SAP NetWeaver Single Sign-On 1.0 or higher. To successfully implement the scenario in this tutorial, the underlying SAP NetWeaver AS Java has to be on one of the following release levels:

7.2 SP8 or later
7.3 SP7 with SAP Note 1704179
7.3 SP8 or later

The DNS name of the IdP instance is idp.itelo.corp, running on port 50001 (HTTPS). The operating system is SUSE Linux Enterprise Server 11 SP1.


GETTING STARTED

Setting up the federation scenario comprises six steps in total, which are explained in more detail in the following sections:

1. Establish trust to SAP NetWeaver Cloud in ITelO's corporate IdP
2. Create test users and groups in the corporate user directory
3. Establish trust to ITelO's corporate IdP in SAP NetWeaver Cloud
4. Configure identity federation in ITelO's corporate IdP
5. Configure identity federation in SAP NetWeaver Cloud
6. Test the end-to-end scenario


STEP 1: ESTABLISH TRUST TO SAP NETWEAVER CLOUD IN ITELO'S CORPORATE IDP

The first step in this tutorial is about adding a new Trusted Provider in SAP NetWeaver Single Sign-On for the xLeave application on SAP NetWeaver Cloud. Before you can create the new Trusted (Service) Provider, the SAP NetWeaver Cloud account administrator must maintain the SP configuration for the account. After completing this step, SAP NetWeaver Single Sign-On will accept SAML Authentication Requests from the SAP NetWeaver Cloud platform.

What to do / What you will see

Before establishing the trust relationship in SAP NetWeaver Single Sign-On to the xLeave application, the Service Provider (SP) of your account in SAP NetWeaver Cloud must be configured. Open the Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account) and log in as an administrator for your SAP NetWeaver Cloud account. Go to Trust > Local Service Provider, click the Edit button, and make the following changes: