EXPLORING SAML 2.0

SCI160 Exercises / Solutions

Angel Dichev / SAP Labs, LLC
Peter McNulty / SAP Labs, LLC
Dimitar Mihaylov / SAP Labs Bulgaria
Dong Pan / SAP Australia
Joseph Zeinoun / SAP Mentor
Stephan Zlatarev / SAP Labs Bulgaria



Boilit's supplier for technical measurement equipment is Measurit. Measurit has set up a supplier portal on the Internet to provide easy access to look up products and their technical data, as well as shipment, availability and pricing information. They have jointly configured a customized product catalogue which contains all measurement devices that are regularly used in our production processes, as well as information on new upcoming technology. The new Measurit supplier portal provides simplified access for users to search for the required products and to place and complete orders under the terms and prices that have been negotiated with our supplier.

For accessing the new Measurit supplier portal we have set up Federated Single Sign-On, so you can simply use your existing Boilit account.

Please be sure to use fully qualified domain names (not localhost) in the URLs when completing the exercises, because the fully qualified name is what the metadata generation uses. URLs with localhost will not work.


Boilit Configuration (IDP)

1 Create Boilit Users, Groups and Custom Attribute

1.1 Create Groups Engineers and Purchasers

Launch the SAP NetWeaver Application Server Java

http://<host>:<port>/

Important - Use the fully qualified domain name

Choose User Management

Login as user demo and password welcome.


Select Group from the Search Criteria dropdown list

Click Create Group to create a new group

Input Engineers for the Unique Name.

Click Save.

Repeat the steps above to create a group with the Unique Name Purchasers

Add Custom Attribute Cost Center to the User Profile

Choose Configuration

Choose the User Admin UI tab.


Click Modify Configuration.

Enter costcenter for the Administrator-Managed Custom Attributes field

Click Save All Changes

Logoff and Login as user demo and password welcome


1.2 Create user Angie Neer

1. Select User from the Search Criteria dropdown list

2. Click Create User to create a new user

In the Details view, on the General Information tab, enter the following data:

Logon ID angie

Password ********

Last Name Neer

First Name Angie

E-Mail Address [email protected]


Add Angie to group Engineers

Choose the Assigned Groups tab.

Under Available Groups, search for Engineers

Select the Engineers group from the available groups and click the Add pushbutton

Assign Angie’s Cost Center

Choose the Customized Information tab

Enter 1234567890 for the costcenter field

Click Save

1.3 Create User Per Chaser

Repeat the instructions to create user per


Logon ID per

Password ********

Last Name Chaser

First Name Per

E-Mail Address [email protected]

Groups Purchasers

costcenter 9786543210

Add Per to group Purchasers

Choose the Assigned Groups tab.

Under Available Groups, search for Purchasers

Select the Purchasers group from the available groups and click the Add pushbutton

Assign Per's Cost Center

Choose the Customized Information tab

Enter 9786543210 for the costcenter field

Click Save


1.4 Create User Bo

Repeat the instructions to create user bo

Note: You do not need to assign Bo to any groups or assign a Cost Center

Logon ID bo

Password ********

Last Name Loit

First Name Bo

E-Mail Address [email protected]


2 Initial SAML 2.0 setup

Choose SAP NetWeaver Administrator from the Start Page

Choose the Configuration tab

Choose Authentication and Single Sign-On

Alternative navigation: start SAP NetWeaver Administrator with the quick link /nwa/auth

Choose the SAML 2.0 tab

Click Enable SAML 2.0 Support. This launches a wizard that helps you to configure the local provider.


Enter boilit for the provider name. Choose Identity Provider as the operational mode from the dropdown list.

Click Next

Configure the settings for signature and encryption. Click the Browse pushbutton adjacent to the Signing Keypair field

Click Create.

The New Entry dialog appears.


In the Entry Name field, specify boilit for the certificate. Click Next.


In Step 2 specify the following properties for the certificate:

countryName – specify the two-letter country code (for example DE, IN, or US)

commonName – specify boilit as the common name

Click the Finish pushbutton

Click the OK pushbutton.


Uncheck Sign Metadata. Click Next

Click the Finish pushbutton

3 Export metadata

The metadata XML file includes the following:

Address and name of the identity provider

List of endpoint configurations the identity provider supports

Public-key certificates for decryption and checking of the identity provider’s digital signature

Click the Download Metadata pushbutton


Click the Download Metadata link

Click the Save pushbutton

Save the file with the name ##Boilit.xml, where ## represents your group number. Click the Save pushbutton

Please verify that a file was transferred! Click the Close pushbutton (not pictured)
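As an added check before you hand the file to your partner group (this script is not part of the original exercise and not SAP code), the following Python parses a metadata file like the one just downloaded, extracts the three items listed above, and flags endpoints that do not use a fully qualified domain name, the mistake the note at the start of the exercises warns about. The sample metadata, its certificate values and its endpoint paths are constructed placeholders, not a real export.

```python
"""Sanity checks on a SAML 2.0 metadata file before handing it to the partner group."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of an identity-provider metadata export. The
# certificate values and endpoint paths are placeholders, not output of a real system;
# the HTTP-Redirect SSO endpoint deliberately uses localhost to trigger the check.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="boilit">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://boilit.example.com:50001/placeholder/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://boilit.example.com:50001/placeholder/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:50001/placeholder/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Extract what the exercise says the file carries: provider name, endpoints, certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    role, provider_type = root.find("md:IDPSSODescriptor", NS), "identity provider"
    if role is None:
        role, provider_type = root.find("md:SPSSODescriptor", NS), "service provider"
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    certs = {}
    for kd in role.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        # A KeyDescriptor without a 'use' attribute serves both purposes.
        for use in kd.get("use", "signing encryption").split():
            certs.setdefault(use, []).append(cert.strip())
    endpoints = [(el.tag.split("}")[-1], el.get("Binding", ""), el.get("Location"))
                 for el in role if el.get("Location") is not None]
    return {"entity_id": root.get("entityID"), "type": provider_type, "certs": certs,
            "endpoints": endpoints,
            "name_id_formats": [f.text.strip() for f in role.findall("md:NameIDFormat", NS)]}


def check_metadata(info):
    """List problems that would make the partner's import fail or break SSO afterwards."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID is empty; the partner cannot identify this provider")
    for use in ("signing", "encryption"):
        if use not in info["certs"]:
            problems.append(f"no {use} certificate in the metadata")
    if not info["endpoints"]:
        problems.append("no endpoints listed")
    for service, binding, location in info["endpoints"]:
        url = urlparse(location)
        host = url.hostname or ""
        if host in ("localhost", "127.0.0.1") or "." not in host:
            problems.append(f"{service} ({binding.rsplit(':', 1)[-1]}) uses host '{host}'; "
                            "the exercise requires a fully qualified domain name")
        if url.scheme != "https":
            problems.append(f"{service} at {location} is not served over https")
    return problems


if __name__ == "__main__":
    for problem in check_metadata(parse_metadata(SAMPLE_METADATA)):
        print("PROBLEM:", problem)
```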


4 Protect Boilit portal application

4.1 Set SAML2LoginModule with flag SUFFICIENT to perform user authentication using the SAML assertions

Choose the Authentication tab

Choose type Web from the dropdown list to filter your selection

Enter boilit as the Policy Configuration Name and hit Enter to search. Choose the table row entry sap.com/saml2_demo_apps*boilitportal

Click Edit. Select the 1st entry, which is empty, from the Used Template drop down list


Click Remove. Click Add. Select SAML2LoginModule from the Login Module drop down list. Verify the flag is set to SUFFICIENT

Click Save

4.2 Configure Boilit portal application custom logon screen

Select Properties from the Authentication tab

Click Modify. Set the Alias of the application for customizing the login pages to /boilit_logon_ui_resources. Click the Save pushbutton and confirm your changes


Choose Logoff, located in the upper right-hand corner of the portal page

You now have a customized logon page for the Boilit portal. Login as user demo with password welcome

5 Import Measurit metadata

Please work with your corresponding Service Provider group to get the required metadata file before continuing the exercise

Start SAP NetWeaver Administrator with the quick link /nwa/auth, or search for auth and click the Go pushbutton


Choose the SAML 2.0 tab

Select Trusted Providers

Click the Add Pushbutton with the option Uploading Metadata File


Step 1 - Select ##measurit.xml as the Metadata File, where ## is your corresponding group number. Provide the path to the metadata XML file of the service provider, Measurit. Click the Next pushbutton

You should see the message “Metadata has been successfully verified”. Click Next

Step 5 - Enter the required data for digital signatures and encryption. Accept the defaults. Click the Next pushbutton


Step 6 - Configure the Assertion Consumer Endpoints. Accept the defaults. Click the Next pushbutton

Step 7 - Configure Single Log-Out Endpoints. Accept the defaults. Click the Next pushbutton

Configure Artifact Endpoints to use HTTP Artifact and SOAP bindings as required. Accept the defaults. Click the Finish pushbutton


6 Identity federation

Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier.

6.1 Configure Web Browser SSO with transient NameID format mapping profile attributes: first name and last name

Click Edit

Click Add on the Identity Federation tab

Select Transient as the Format Name


Note: For the Transient Name ID Format the name ID is a temporary opaque string generated by the identity provider for a service provider for the lifetime of a security session. Click OK

Next, we'll create a mapping between the SAML 2 attributes and UME attributes to send with the SAML assertion to the service provider.

Choose the Profile Attributes tab. Click Add

Enter fname for the SAML2 Attribute. Choose First Name as the User Attribute from the drop down list. Click OK

Create a 2nd SAML2 attribute: enter lname for the SAML2 Attribute. Choose Last Name as the User Attribute from the drop down list. Click OK


Click Save. Click Enable. Result: Measurit is now Active

You can proceed to work with your corresponding service provider on Test Case 1

6.2 Provision user roles for Automatic account creation

Measurit, the service provider, is configured to support automatic account creation. It will use the SAML 2 attributes and values sent by the identity provider to create user accounts. To support this option, you must negotiate with the Measurit administrator what data the service provider requires and how to name the SAML 2 attributes carrying the data. We will allow members of Engineers and Purchasers to automatically create accounts on the Measurit portal.


Choose SAP NetWeaver Administrator from the Start Page

Choose the Configuration tab

Choose Authentication and Single Sign-On

Alternative navigation: start SAP NetWeaver Administrator with the quick link /nwa/auth.

Choose SAML 2.0 -> Trusted Providers. Click Edit

Choose the Identity Federation tab

Choose the Authorization Attributes tab. Click Add

Enter memberof for the SAML 2 Attribute. Click Modify (located in the table row of the Modify column on the far right-hand side).


Search for and select Engineers and click Add. Repeat the process to add Purchasers. Click OK

Result

As a result of this configuration, if a user belongs to group Engineers or Purchasers, the memberof attribute in the SAML2 assertion will contain the corresponding group that the user belongs to. If the user is a member of both groups, the memberof SAML2 attribute will contain both groups. If a user does not belong to either of the two groups, the memberof attribute in the SAML2 assertion will be empty.

6.3 Configuring Identity Federation with Persistent Pseudonyms

Use this procedure to enable identity federation when no previous linking between the accounts exists. Once authenticated by the identity provider, the service provider can enable users to link their account interactively themselves, or the service provider can create a federated account automatically with SAML 2 attributes supplied by the identity provider. If the accounts are already linked, logon occurs with the persistent name ID.

Choose Identity Federation tab Click Add


Select Persistent as the Format Name. Note: the name ID is a permanent opaque string generated by the identity provider for a service provider or an affiliation of service providers. Click OK

Enter opaqueid_measurit for the User Attribute. After successful identity federation, the user attribute opaqueid_measurit will store the user's opaque ID for this specific SAML 2 Service Provider, i.e. measurit. Likewise, on the corresponding SAML 2 Service Provider (measurit), another user attribute will store the same opaque ID for this user, thus linking the user account on the Identity Provider and the Service Provider. This user attribute does not need to be manually created in UME.

Choose the Profile Attributes tab. Click Add

Enter fname for the Profile Attribute. Choose First Name as the User Attribute from the drop down list. Click OK

Create a 2nd Profile attribute: enter lname for the SAML2 Attribute. Choose Last Name as the User Attribute from the drop down list. Click OK


Create a 3rd Profile attribute: enter email for the SAML2 Attribute. Choose E-Mail as the User Attribute from the drop down list. Click OK

Result – You should have 3 profile attributes created (see picture). Choose the Authorization Attributes tab

Click Add

Enter memberof for the SAML 2 Attribute. Click Modify (located in the table row of the Modify column on the far right-hand side). Search for and select Engineers and click Add. Repeat the process to add Purchasers. Click OK

SAML 2 Attribute   Type    Value
memberof           Group   Engineers, Purchasers


Click Save. Click Enable. Result: Measurit is now Active

To map user attributes other than those that are part of the user profile by default to SAML attributes in a SAML 2.0 authentication response, you must add them to the system. In this exercise we will create a new custom attribute, Cost Center, which will be used as part of the persistent federation.

Choose Local Provider

Click Edit

Choose User Attributes tab

Click Add


Enter Cost Center for the User Attribute Alias. Enter costcenter as the User Attribute Name

Click OK

Click Save

Choose Trusted Providers

Click Edit

Choose the Profile Attributes tab. Click Add


Enter ccenter for the SAML2 Attribute. Choose Cost Center as the User Attribute from the drop down list. Click OK

Result - You should have 4 profile attributes for the Persistent federation

Click Save

Congratulations – Boilit Configuration is Completed!

You can proceed to work with your corresponding service provider to finish the remaining Test Cases


Measurit Configuration (SP)

1 Create Measurit custom attribute, user, group, and roles

1.1 Add Custom Attribute CostCenter to the User Profile

Launch the SAP NetWeaver Application Server Java

http://<host>:<port>/

Important - Use the fully qualified domain name

Choose User Management

Login as user demo and password welcome.

Choose Configuration


Choose the User Admin UI tab.

Click Modify Configuration.

Enter costcenter for the Administrator-Managed Custom Attributes field

Click Save All Changes

1.2 Create group (Boilit Users)


Select Group from the Search Criteria dropdown list

Click Create Group to create a new group

Input Boilit Users for the Unique Name. Click Save

1.3 Create user boilit0789

Choose Create User to create a new user


In the Details view, on the General Information tab, enter the following data:

Logon ID boilit0789

Password ********

Last Name boilit0789

Logoff


Login as user boilit0789. You will be prompted to change the password

Logoff and Login as user demo and password welcome

1.4 Create UME Roles and map to UME actions

Select Role from the Search Criteria dropdown list


Click Create Role to create a new role

Input PermanentAccountRequester for the Unique Name and optionally for the Description field. Choose the Assigned Actions tab

Enter Request* as the available action to get and click Go. Select the table row with the Service/Application saml2_demo_apps and the action RequestPermanentAccount. Click Go. Click Save

Result - the Role is created

Repeat the steps above to create 2 additional roles with the following actions

Role Assigned Action

OrderCreator CreateOrder

OrderApprover ApproveOrder

Result – You should have 3 roles created


2 Initial SAML 2.0 setup

Provider name – “measurit”

Provider type – “Service Provider”

Generate signing/encryption keypair

Unselect “Sign metadata”

Selection mode: Automatic

Define default application path: “/measuritportal/index.jsp”

Start SAP NetWeaver Administrator with the quick link /nwa/auth. Alternative navigation: choose SAP NetWeaver Administrator from the Start Page, choose the Configuration tab, then choose Authentication and Single Sign-On (pictured)

Choose the SAML 2.0 tab


If you have never configured your system for SAML 2.0, the system displays the following message: System not configured to support SAML 2.0. Click Enable SAML 2.0 Support

Enter measurit for the provider name. Choose Service Provider as the operational mode for the provider from the dropdown list. Click Next

Configure the settings for signature and encryption. Click the Browse pushbutton adjacent to the Signing Keypair field


Click Create. The New Entry dialog appears

In the Entry Name field, specify measurit for the certificate. Click Next.

In Step 2 specify the following properties for the certificate:

countryName – specify the two-letter country code (for example DE, IN, or US)

commonName – specify measurit as the common name

Click the Finish pushbutton


Click OK in the lower right hand side of the screen (not pictured).

Uncheck Sign Metadata. Click Next

Select Automatic for the Identity Provider Discovery Selection Mode from the drop down list. Click Finish


Select the Service Provider Setting tab

Click Edit. Define the default application path as /measuritportal/index.jsp. Click Save

3 Export metadata

The metadata XML file includes the following:

Address and name of the provider

List of endpoint configurations the provider supports

Public-key certificates for decryption and checking of the provider's digital signature

Click the Download Metadata pushbutton

Click the Download Metadata link


Save the file with the name ##Measurit.xml, where ## represents your group number. Click the Save pushbutton

4 Protect Measurit portal application

4.1 Configure custom logon screen

Select Properties from the Authentication tab


Click Modify. Set the Alias of the application for customizing the login pages to /measurit_logon_ui_resources. Click the Save pushbutton and confirm your changes

4.2 Add SAML2LoginModule

Choose the Authentication tab. Choose Components

Choose type Web from the dropdown list to filter your selection

Enter measurit as the Policy Configuration Name and hit the Enter key to search. Choose the entry sap.com/saml2_demo_apps*measuritportal by selecting the row


Click Edit. Select the 1st entry, which is empty, from the Used Template drop down list

Change the flag for the BasicPasswordLoginModule from SUFFICIENT to REQUISITE. Click Add. Select SAML2LoginModule from the Login Module drop down list. Verify the flag is set to SUFFICIENT. Click Move Up to move the SAML2LoginModule before the BasicPasswordLoginModule. Click Save

The Login Modules order should be (see picture):

1. SAML2LoginModule SUFFICIENT

2. BasicPasswordLoginModule REQUISITE
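The order and the flags matter because the stack is evaluated with JAAS control-flag semantics. The following Python model is added here for illustration; it is not SAP code and simulates only the flag rules, not the login modules themselves. It shows what the two stacks configured in this exercise decide for a browser arriving with a valid assertion, for boilit0789 logging on with a password, and for the mis-ordered stack you would get by skipping Move Up (the scenario names and the per-module outcomes are constructed inputs).

```python
"""Simulate JAAS control-flag evaluation for the login-module stacks in this exercise."""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; evaluation continues down the stack
    REQUISITE = "REQUISITE"    # must succeed; on failure evaluation stops immediately
    SUFFICIENT = "SUFFICIENT"  # on success evaluation stops (unless an earlier mandatory module failed)
    OPTIONAL = "OPTIONAL"      # its outcome only matters if nothing else decides


# Stacks as configured in the exercise (Boilit = identity provider, Measurit = service provider)
BOILIT_STACK = [("SAML2LoginModule", Flag.SUFFICIENT)]
MEASURIT_STACK = [("SAML2LoginModule", Flag.SUFFICIENT),
                  ("BasicPasswordLoginModule", Flag.REQUISITE)]
# Constructed counter-example: the module was added but "Move Up" was not clicked
MEASURIT_NOT_MOVED_UP = list(reversed(MEASURIT_STACK))


def evaluate(stack, outcomes):
    """Return (authenticated, modules_consulted) for a stack and per-module outcomes.

    outcomes maps module name -> True if that module would authenticate the request
    (valid assertion present, correct password supplied), False otherwise.
    """
    consulted = []
    mandatory_failed = False
    any_success = False
    for name, flag in stack:
        consulted.append(name)
        ok = outcomes.get(name, False)
        any_success = any_success or ok
        if flag in (Flag.REQUIRED, Flag.REQUISITE) and not ok:
            mandatory_failed = True
            if flag is Flag.REQUISITE:
                break  # a REQUISITE failure ends evaluation right here
        elif flag is Flag.SUFFICIENT and ok and not mandatory_failed:
            return True, consulted  # short-circuit: the password module never runs
    return any_success and not mandatory_failed, consulted


def scenarios():
    """The cases the exercise runs through, keyed by a constructed scenario name."""
    sso = {"SAML2LoginModule": True, "BasicPasswordLoginModule": False}
    local = {"SAML2LoginModule": False, "BasicPasswordLoginModule": True}
    nothing = {"SAML2LoginModule": False, "BasicPasswordLoginModule": False}
    return {
        "measurit_sso": evaluate(MEASURIT_STACK, sso),
        "measurit_boilit0789_password": evaluate(MEASURIT_STACK, local),
        "measurit_no_credentials": evaluate(MEASURIT_STACK, nothing),
        "measurit_not_moved_up_sso": evaluate(MEASURIT_NOT_MOVED_UP, sso),
        "boilit_no_assertion": evaluate(BOILIT_STACK, nothing),
    }


if __name__ == "__main__":
    for name, (ok, path) in scenarios().items():
        print(f"{name:32s} {'OK  ' if ok else 'FAIL'}  via {' -> '.join(path)}")
```

With the stack in the wrong order the REQUISITE password module runs first and an SSO user without a local password is refused before the assertion is ever looked at.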


5 Import Boilit metadata

Please work with your corresponding Identity Provider group to get the required metadata file before continuing the exercise

Choose the SAML 2.0 tab Select Trusted Providers

Click Add with the option Uploading Metadata File


Step 1 - Select ##boilit.xml as the Metadata File, where ## is your corresponding group number. Provide the path to the metadata XML file of the identity provider, Boilit. Click Next

You should see the message “Metadata has been successfully verified”. Click Next

Step 5 - Enter the required data for digital signatures and encryption. Accept the defaults. Click Next


Step 6 - Configure the Assertion Consumer Endpoints. Accept the defaults. Click Next

Step 7 - Configure Single Log-Out Endpoints. Accept the defaults. Click Next

Configure Artifact Endpoints to use HTTP Artifact and SOAP bindings as required. Accept the defaults. Click Next


Authentication Requirements: accept the defaults. Click Finish

6 Identity federation

Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier.

6.1 Configure Web Browser SSO with transient NameID format mapping profile attributes: first name and last name

Click Edit

Click Add on the Identity Federation tab


Select Transient as the Format Name

Note: For the Transient Name ID Format the name ID is a temporary opaque string generated by the identity provider for a service provider for the lifetime of a security session. Click OK

Next, we'll create a mapping between the SAML 2 attributes received in the SAML assertion from the identity provider and UME attributes.

Choose the Profile Attributes tab. Click Add

Enter fname for the SAML2 Attribute. Choose First Name as the User Attribute from the drop down list. Check Is Mandatory. Click OK


Create a 2nd SAML2 attribute: enter lname for the SAML2 Attribute. Choose Last Name as the User Attribute from the drop down list. Check Is Mandatory. Click OK. Result (pictured)

Click Save. Click Enable. Result: Boilit is now Active

You can proceed to work with your corresponding identity provider on Test Case 1


6.2 Provision user roles for Automatic account creation

Measurit will use the SAML 2 attributes and values sent by the identity provider to create user accounts. To support this option, you must negotiate with the Boilit administrator what data the identity provider will send and how the SAML 2 attributes carrying the data are named. We will allow Boilit users that are members of Engineers and Purchasers to automatically create accounts on the Measurit portal.

Choose SAML 2.0 -> Trusted Providers. Click Edit

Choose the Identity Federation tab

Choose the Calculated Roles tab. Click Add. Click Modify (located in the table row of the Modify column on the far right-hand side).


Click Add. Enter memberof for the SAML 2 Attribute. Enter Engineers for the Value field. Note: values are case sensitive. Choose OK

Choose Browse (located in the table row of the Browse column on the far right-hand side).

Search for and select PermanentAccountRequester from the Available Roles. Click Add

Repeat the same steps for Purchasers, assigning role PermanentAccountRequester

SAML 2 Attribute   Value        Role
memberof           Purchasers   PermanentAccountRequester

Result. Choose Save (not pictured)


6.3 Configuring Identity Federation with Persistent Pseudonyms

Use this procedure to enable identity federation when no previous linking between the accounts exists. Once authenticated by the identity provider, the service provider can enable users to link their account interactively themselves, or the service provider can create a federated account automatically with SAML 2 attributes supplied by the identity provider. If the accounts are already linked, logon occurs with the persistent name ID.

Click Edit. On the Identity Federation tab, choose Add

Select Persistent as the Format Name. Note: the name ID is a permanent opaque string generated by the identity provider for a service provider or an affiliation of service providers. Click OK

Enter opaqueid_boilit for the User Attribute. Check all 4 check boxes. After successful identity federation, the user attribute opaqueid_boilit will store the user's opaque ID for this specific SAML 2 Identity Provider, i.e. boilit. Likewise, on the corresponding SAML 2 Identity Provider (boilit), another user attribute will store the same opaque ID for this user, thus linking the user account on the Identity Provider and the Service Provider. This user attribute does not need to be manually created in UME.

Choose Add on the Profile Attributes tab

Enter fname for the Profile Attribute. Choose First Name as the User Attribute from the drop down list. Check Is Mandatory. Click OK

Create a 2nd Profile attribute: enter lname for the SAML2 Attribute. Choose Last Name as the User Attribute from the drop down list. Check Is Mandatory. Click OK

Create a 3rd Profile attribute: enter email for the SAML2 Attribute. Choose E-Mail as the User Attribute from the drop down list. Check Is Mandatory. Click OK

Result – You should have 3 profile attributes created (see picture). Choose Save

To map user attributes other than those that are part of the user profile by default to SAML attributes in a SAML 2.0 authentication response, you must add them to the system. In this exercise we will create a new custom attribute, Cost Center, which will be used as part of the persistent federation.


Choose the Local Provider tab. Choose Edit. Choose the User Attributes tab. Choose Add

Enter Cost Center for the User Attribute Alias. Enter costcenter as the User Attribute Name. Click OK. Click Save

Choose Trusted Providers

Click Edit

Choose the Profile Attributes tab. Click Add


Enter ccenter for the SAML2 Attribute. Choose Cost Center as the User Attribute from the drop down list. Do not check Is Mandatory. Click OK. Click Save

Result

The calculated role allows you to dynamically allocate roles to an identity. In this case, a persistent identity is being created on the Measurit server with roles dynamically assigned based on the group at Boilit for the same identity.

Choose Calculated Roles. Click Add. Click Modify


Click Add. Add the condition (pictured). Click OK

SAML 2 Attribute   Value
memberof           Engineers

Now we need to enter which role is given if the condition is met that the employee is a member of group Engineers

Under the column Selected Roles, click the Browse button. In the window that opens, type OrderC* and then select the role OrderCreator. Click OK.

Repeat the process to add a Calculated Role for Purchasers


SAML 2 Attribute   Value
memberof           Purchasers

Assign role OrderApprover

Result

We now have to specify which group will have identities federated from the Boilit portal to the Measurit portal. We want all Boilit employees to be able to access the Measurit portal, but only engineers and purchasers should be able to log in and place orders/approve orders.

Choose the Default Groups tab. Choose Modify

In Search for available groups, type Boilit* and hit Go. Select Boilit Users, click Add and then click OK.

Result (pictured). Choose Save
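To see what the configuration on both sides produces together, the following Python model (added here; it is not part of the exercise and not SAP's implementation) builds a minimal unsigned assertion of the kind Boilit sends, parses it the way Measurit's mapping reads it, and applies the profile-attribute, calculated-role and default-group rules configured above for the transient and the persistent case. It assumes the attribute names, values and roles from this exercise; signature, conditions and audience checking are outside what it models, and the e-mail addresses are constructed placeholders.

```python
"""Model of the Measurit (SP) identity-federation rules configured in this exercise."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Service-provider configuration from the exercise, keyed by name ID format.
# Profile attributes: SAML 2 attribute -> (user attribute, Is Mandatory checked?)
PROFILE_ATTRS = {
    TRANSIENT: {"fname": ("First Name", True), "lname": ("Last Name", True)},
    PERSISTENT: {"fname": ("First Name", True), "lname": ("Last Name", True),
                 "email": ("E-Mail", True), "ccenter": ("Cost Center", False)},
}
# Calculated roles: (SAML 2 attribute, value, role). Values are case sensitive.
CALCULATED_ROLES = {
    TRANSIENT: [("memberof", "Engineers", "PermanentAccountRequester"),
                ("memberof", "Purchasers", "PermanentAccountRequester")],
    PERSISTENT: [("memberof", "Engineers", "OrderCreator"),
                 ("memberof", "Purchasers", "OrderApprover")],
}
DEFAULT_GROUPS = {TRANSIENT: (), PERSISTENT: ("Boilit Users",)}


def build_assertion(name_id_format, name_id, attributes):
    """Constructed, unsigned assertion carrying only the elements the SP mapping reads."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        attr_xml += f'<saml:Attribute Name="{escape(name)}">{vals}</saml:Attribute>'
    return (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_constructed">'
            f"<saml:Issuer>boilit</saml:Issuer><saml:Subject>"
            f'<saml:NameID Format="{name_id_format}">{escape(name_id)}</saml:NameID>'
            f"</saml:Subject><saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
            "</saml:Assertion>")


def parse_assertion(xml_text):
    """Extract issuer, name ID (value and format) and the attribute statement."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS), "name_id": name_id.text,
            "name_id_format": name_id.get("Format"), "attributes": attrs}


def evaluate_at_sp(assertion):
    """Apply Measurit's federation configuration and return what it would derive."""
    fmt = assertion["name_id_format"]
    if fmt not in PROFILE_ATTRS:
        return {"accepted": False, "reason": f"unsupported name ID format {fmt}"}
    attrs = assertion["attributes"]
    missing = [n for n, (_, mandatory) in PROFILE_ATTRS[fmt].items()
               if mandatory and not attrs.get(n)]
    if missing:  # a mandatory profile attribute is absent or empty: federation is refused
        return {"accepted": False, "reason": "missing mandatory attribute(s): " + ", ".join(missing)}
    profile = {ume: attrs[n][0] for n, (ume, _) in PROFILE_ATTRS[fmt].items() if attrs.get(n)}
    # Exact, case-sensitive match of each configured value against the attribute's values
    roles = {role for attr, value, role in CALCULATED_ROLES[fmt] if value in attrs.get(attr, [])}
    result = {"accepted": True, "profile": profile, "roles": roles,
              "groups": set(DEFAULT_GROUPS[fmt])}
    if fmt == PERSISTENT:  # the pseudonym is kept on the linked account as opaqueid_boilit
        result["opaqueid_boilit"] = assertion["name_id"]
    return result


def federate(name_id_format, name_id, attributes):
    """Build, parse and evaluate in one step, as one test case of this exercise would."""
    return evaluate_at_sp(parse_assertion(build_assertion(name_id_format, name_id, attributes)))


if __name__ == "__main__":
    # Test case 1: Bo, transient, no groups -> catalog access, no roles
    print(federate(TRANSIENT, "_t-1", {"fname": ["Bo"], "lname": ["Loit"], "memberof": []}))
    # Test case 2: Angie after linking, persistent, member of Engineers -> OrderCreator
    print(federate(PERSISTENT, "opaque-angie", {"fname": ["Angie"], "lname": ["Neer"],
                   "email": ["angie@example.invalid"], "ccenter": ["1234567890"],
                   "memberof": ["Engineers"]}))
```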


Congratulations – Measurit Configuration is Completed!

You can proceed to work with your corresponding identity provider to finish the remaining Test Cases


Testing

Test Case 1

The transient identifier provides anonymity in that the service provider, Measurit, does not persist data about the visiting Boilit users

Logon to the Boilit portal https://<Fully qualified hostname>:50001/boilitportal/index.jsp as user Bo. You may be prompted to change your password if this is the first logon attempt

After successful login the Boilit Portal home page is displayed. You can see the technical information on the right-hand side indicating the principal, identity provider, assigned groups and roles.


Now click the link to Measurit Portal

The Measurit Portal home page is displayed and the principal is not Bo. It is a transient ID generated by the Identity Provider, Boilit. All Boilit users with a first and last name can access (are trusted by) the Measurit portal to see the catalog.


For the Transient Name ID Format the name ID is a temporary opaque string generated by the identity provider for a service provider for the lifetime of a security session. You can see this captured in the Measurit Authentication log files.

Optional - To access the Measurit log files, open SAP NetWeaver Administrator (http://<hostname>:<port>/nwa).

SAP NetWeaver Administrator -> Problem Management -> Logs and Traces -> Log Viewer.

You can alternatively use the quick link: http://<host>:<port>/nwa/logs.

Use the predefined views in Log Viewer to access the Authentication Logs

You can cut and paste the Transient ID from the Technical Info section of the Measurit Portal into the User filter field to see the log information


Test Case 2

Logon to the Boilit portal https://<Fully qualified hostname>:50001/boilitportal/index.jsp as user Angie

You can see from the Technical Info that Angie is assigned to group Engineers


Click on Measurit Portal

User attributes and access rights are generated based on rules applied to attributes sent in SAML messages. Angie can request a permanent account because she is a member of Engineers

Click Logon


Select Register Now and Federate Accounts

Angie is a member of the default group – Boilit Users and she has the role OrderCreator

Add a few items to your shopping cart and place an order


Sample Result

Close the Measurit Portal page, return to the Boilit homepage (it should still be open) and click Logout

Verify that Angie’s account was provisioned in the Measurit Portal by using the Advanced Search


Verify that Angie’s costcenter was federated by clicking on the Customized Information tab


Test Case 3

Now Login as Per

Click on Measurit Portal


Request to link Per’s account with boilit0789

Approve or reject any pending orders


Logoff Per

Logon to the Measurit Portal and verify the boilit0789 is linked to Per


If time permits, promote Bo to the Engineers group in the Boilit Portal. What is the expected behavior of the identity federation with the Measurit Portal? Test your assumptions

Thank you for your participation and enjoy TechEd 2010!


Supplement

You can also make your metadata publicly accessible by selecting Enabled for Public Access. Don't forget to Save. Your corresponding group can then access your metadata from a URL.

https://<host>:<port>/java/saml2/metadata

Your corresponding group can specify the Metadata URL instead of uploading a file


© 2010 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.