Miroslav Jokic, Roy Tronstad TechEd 2012
SIS200
SAP NetWeaver Identity Management Virtual Directory Server and Identity Service
2012 SAP AG. All rights reserved. 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
Introduction
Heterogeneous environment
Basic challenge
Synchronization approach
Virtual Directory approach
SAP NetWeaver Identity Management Virtual Directory Server - VDS
VDS in SAP NetWeaver Identity Management
Inbound / outbound scenarios
Identity Service
Configuration
Basic properties
Deployment
Usage
Introduction
Heterogeneous environment: Basic challenge
Access to information stored in multiple data sources
Access
Back-ends support many protocols
Often not the one we need, or not one we consider simple or accessible
Efficiency
Not only with respect to performance
Depends on the connector, the amount of data, etc.
Minimizing the number of connection points
Heterogeneous environment: Synchronization approach
Move all relevant data into a central repository
Typically a directory server
SAP NW IdM: Identity Center database
Synchronize data regularly
Scheduled synchronization
Use delta mechanisms to minimize load
(Diagram: central repository accessed using a standard protocol; data pulled from the back-ends and synchronized regularly)
Synchronization approach: Advantages
Processing of data may be implemented as a multi-stage process
The quality of data may be gradually improved
Data cleansing
Attribute mapping
Complex joins across data sources based on rules
Provisioning
Up-time of the back-ends
Required only while synchronizing
Synchronization approach: Issues
Synchronization frequency vs. data change frequency
Keeping the central repository up to date is challenging
The copied data is always somewhat stale
Moving data out of the native back-end is not always allowed
Political issues
Security issues
Heterogeneous environment: Virtual Directory approach
Leave data where it is
Connect to back-ends on demand
Requirement
On-the-fly translation of requests from the inbound protocol to the proprietary back-end protocols and back
(Diagram: Virtual Directory Server with an LDAP access point in front; back-ends reached over LDAP, JDBC and various APIs)
Virtual Directory approach: Advantages
Real-time access
What you see is real and up-to-date
Fewer political issues
No hassle with data ownership
Non-intrusive solution
No changes in existing repositories
Faster implementation
Easier and cheaper installation and maintenance
Cost of ownership
No additional data sources needed
No need for back-up, training
SAP NetWeaver Identity Management Virtual Directory Server - VDS
SAP NetWeaver Virtual Directory Server
Acts as a single access point for various client applications
Provides real-time access to numerous disparate target systems
Without moving the data
Offers a fast, flexible and reliable service
Authentication
Authorization
Provisioning
Quick and non-intrusive configurations
The scope of the presentation
Not a detailed training on SAP NW IdM VDS
White papers, tutorials
Schema adjustments
Authentication and authorization
Extensibility
Some basic concepts will be touched
Architecture
Basic configuration
Running modes
VDS Architecture (architecture diagram)
VDS in SAP NetWeaver Identity Management
Versatility of VDS
Inbound usage
Connection protocol to the back-end
Well known
Standard
Accessible
Need access via a standard protocol
Outbound usage
Existing protocol supported by VDS
Need to connect to a back-end with a non-standard or inefficient protocol
Utilize the connector framework of the VDS (protocol translation)
SAP NetWeaver Identity Management: Populating the Identity Center database
Loading and creating data
Using SAP NW Web UI
Using SAP NW Admin UI
SAP NW IdM Runtime Engine
Executing tasks and jobs
Typically Initial Load tasks
Pull scenario
External access to the Identity Center database?
Can be treated as any other data source
How to PUSH data to it?
(Diagram: SAP NW IdM identity store fed by the SAP NW IdM Web UI and Admin UI)
SAP NetWeaver Identity Management: Connectors to back-ends
Native/built-in connectors
LDAP, databases, ABAP, etc.
Runtime's custom passes framework
Methods: Init, getNextEntry, putNextEntry
Connector framework of the VDS
Any back-end is treated as an LDAP back-end
(Diagram: two paths from the SAP NW IdM Runtime to a back-end that needs a connector: 1a. an LDAP pass to the VDS, then 1b. the VDS connector to the back-end; or 2. a custom pass directly)
SAP NetWeaver Identity Management: Simplified architecture
LDAP, SPML access point
Use the Meta (synchronization) approach to synchronize data into the central repository
All benefits mentioned before
Use VDS to get external access to the Identity Center database
Best of both worlds
(Diagram: SAP NW IdM identity store, filled by the SAP NW IdM Runtime Engine and exposed through the Virtual Directory Server)
SAP NetWeaver Identity Management: Architecture (architecture diagram)
Identity Services
Identity Services: Topics
Configuration properties
Deployment pitfalls
Usage
What is IdM Identity Services?
Identity Services is
a VDS configuration template
that has the Identity Center database of SAP NW IdM as back-end
deployed on SAP NetWeaver
Any VDS configuration can be deployed, so why is this one special?
Level of pre-configuration
Schema is pre-configured
SPML friendliness
Use identifiers instead of full DNs
Special/high-level operations added
Configuration properties
Basic properties
Starting New configurations
Basic configuration parameters
Data source parameters
Pre-processing class
VDS extensions
Web-Service deployment
Deployment types
Successfully deployed Identity Service
Schema
Basic properties: Starting new configurations
VDS is installed with several templates
Various back-ends
Ease of start-up
VDS configuration consists of several objects
Time saving
Basic properties: Basic configuration parameters
Initial configuration of the template
Majority of the properties are written to the CONSTANTS object
Can be changed at any time
Some of them will directly influence VDS objects
Every template has specific/hard-coded properties
Basic properties: Data source parameters
Data source object
May contain properties that influence the connector's behavior
Pre-configured for optimal performance of the template
Identity Services template: Basic properties
Web Service Deployment
Virtual Tree
Entries in identity store exposed as cn=,ou=nwidm1,o=ids
In Identity Services template it is hidden
Use special operation and SPML identifiers to access data
Pre-processing class: VDS extensions
VDS offers the possibility to change its normal behavior
Usage of Java extension classes
Hooked into the normal execution sequence
Can extend or change all aspects of the processing
Pre-processing class
Methods executed before VDS starts processing the incoming request
Possibility to modify the incoming request
Pre-processing class
In the Identity Services template
Responsible for transforming requests from the high-level operations to near-LDAP operations suitable for VDS
Configuration properties
Basic properties
Starting New configurations
Basic configuration parameters
Data source parameters
Pre-processing class
VDS extensions
Web-Service deployment
Deployment types
Successfully deployed Identity Service
Schema
2012 SAP AG. All rights reserved. 34
Web Service deployment: Deployment types
VDS supports two deployment types
LDAP deployments
Web Service deployments
On NetWeaver application server
LDAP Deployments (Standalone mode)
Multiple
On Windows - may also run as service
Web Service deployment
Enterprise Archive (EAR)
Configure Web Service deployment properties
Create the EAR file
Copy it to the AS Java server
Deploy
Test in standalone mode first
Avoids problems
Easier troubleshooting
(Diagram: create the EAR, then copy it to the SAP NW AS Java server and deploy)
Web Service deployment: Successfully deployed application
SAP NetWeaver Administrator
Identity Service template: Schema
Pre-configured
Can be extended (prior to EAR creation)
Attributes in the From column
Returned upon SPML's schema request
Non-mapped attributes are returned with their original (identity store) names
Deployment pitfalls
Deployment is supposed to be a simple and straightforward process, and yet it happens that deployed services do not respond properly
URL case sensitivity
Java class path for application
AS Java version
Connection string
Missing Keys.ini file
Deployment pitfalls: Java class path for application
In deployment mode
All JAR files and external classes must be part of the EAR file
For the Identity Service
JDBC driver
attrClass
Prior to EAR creation
Create a lib directory in the configuration workspace
Copy the JDBC driver
Compile attrClass
Java class path for standalone mode
Deployment pitfalls: AS Java version
Compiler compliance level
1.4 for AS Java 7.0
1.5 for AS Java 7.1 +
Deployment pitfalls: Encryption and Keys.ini file
IdM can encrypt and hash attribute values
The Keys.ini file contains information about
Encryption key(s)
Encryption and hash algorithm
VDS (and IdS) needs the same information
Typical Keys.ini file:
[KEYS]
KEY001=2DFB962127167351847821086219D27BAD80FB2296716373
[CURRENT]
KEY=KEY001
[ALGORITHMS]
ENCRYPTION=DES3CBC
HASH=SSHA
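As an added example (not from the slides and not SAP code), the following Python check parses a Keys.ini file, verifies that the key referenced under [CURRENT] exists in [KEYS] and is valid hex of the length the configured algorithm needs (24 bytes for DES3CBC, i.e. triple DES; that length table is this example's own assumption), and compares fingerprints of two files so that an IdM/VDS mismatch is caught at deployment time instead of as failing requests. The first file is the typical Keys.ini shown above; the second, diverging copy is constructed.

```python
"""Consistency check for IdM/VDS Keys.ini files (added example, not SAP code)."""
import configparser
import hashlib
from typing import List

# Raw key length in bytes that each ENCRYPTION algorithm name requires.
# Only the algorithm on the slide is listed; the table is an assumption.
KEY_BYTES_FOR_ALGORITHM = {"DES3CBC": 24}


def parse_keys_ini(text: str) -> configparser.ConfigParser:
    # Keys.ini option names are upper-case; keep them verbatim so the value
    # of KEY=KEY001 can be looked up directly in [KEYS].
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_keys_ini(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is consistent."""
    problems: List[str] = []
    cp = parse_keys_ini(text)
    for section in ("KEYS", "CURRENT", "ALGORITHMS"):
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
    if problems:
        return problems
    current = cp["CURRENT"].get("KEY")
    if not current:
        problems.append("[CURRENT] has no KEY entry")
    elif current not in cp["KEYS"]:
        problems.append(f"[CURRENT] KEY={current} is not defined in [KEYS]")
    enc = cp["ALGORITHMS"].get("ENCRYPTION", "")
    if enc not in KEY_BYTES_FOR_ALGORITHM:
        problems.append(f"unknown ENCRYPTION algorithm {enc!r}")
    for name, hexkey in cp["KEYS"].items():
        try:
            raw = bytes.fromhex(hexkey)
        except ValueError:
            problems.append(f"{name} is not valid hex")
            continue
        want = KEY_BYTES_FOR_ALGORITHM.get(enc)
        if want is not None and len(raw) != want:
            problems.append(f"{name} is {len(raw)} bytes, {enc} needs {want}")
    if not cp["ALGORITHMS"].get("HASH"):
        problems.append("[ALGORITHMS] has no HASH entry")
    return problems


def fingerprint(text: str) -> str:
    """Digest of the security-relevant content (current key and algorithms),
    so two hosts can be compared without shipping key material around."""
    cp = parse_keys_ini(text)
    current = cp["CURRENT"]["KEY"]
    material = "|".join([
        current,
        cp["KEYS"][current].upper(),
        cp["ALGORITHMS"].get("ENCRYPTION", ""),
        cp["ALGORITHMS"].get("HASH", ""),
    ])
    return hashlib.sha256(material.encode()).hexdigest()


def same_keys(idm_text: str, vds_text: str) -> bool:
    """True when IdM and VDS would encrypt/decrypt with the same key setup."""
    return fingerprint(idm_text) == fingerprint(vds_text)


# Sample input: the typical Keys.ini from the slide.
IDM_KEYS_INI = """[KEYS]
KEY001=2DFB962127167351847821086219D27BAD80FB2296716373
[CURRENT]
KEY=KEY001
[ALGORITHMS]
ENCRYPTION=DES3CBC
HASH=SSHA
"""

# Constructed copy on the VDS host where the key was re-generated: same
# structure, different key material, so encrypted attributes become unreadable.
VDS_KEYS_INI_WRONG = IDM_KEYS_INI.replace("2DFB9621", "00000000")

if __name__ == "__main__":
    print("IdM file problems:", validate_keys_ini(IDM_KEYS_INI))
    print("IdM and VDS in sync:", same_keys(IDM_KEYS_INI, VDS_KEYS_INI_WRONG))
```

Run the validation on the IdM host and on every VDS/IdS host and compare the fingerprints; they cover only the current key and the algorithm names, but since the fingerprint is derived from the key material it should still be handled as confidential.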
Deployment pitfalls: Keys.ini reference
In standalone mode: Tools/Options
Deployment pitfalls: Missing Keys.ini
In deployed mode
The path to the local Keys.ini file is configured as an AS Java application parameter
com.sap.idm.vds.keyfile
Identity Services usage
Situation
Correctly deployed service
Not started yet (until the first request comes)
Expects SPMLv1 requests
Exposes exactly one identity store
No limitation: multiple identity stores can be back-ends
Relevant parameters
URL: the same as configured when deploying the IDS
Authentication credentials
As configured in the template
Identity Service usage: Functionality and usage
Identifiers
Special operations
For a start only ONE is needed: operation=info
Simple IdM identifiers
The mskeyvalue of the entry in IdM
Full DN names matching the underlying VDS virtual tree
The DN of the entry in IdM, as seen in VDS
Special identifiers (target system, using @)
What makes this possible?
The pre-processing class
Identity Service usage: Basic operations
Operation=info
Lists other useful operations
Other properties
Default systemid
Identity Service usage: Basic operations
Operation=listsystems
Lists the identity stores in the VDS configuration
Default is only ONE (systemid=idm1)
Syntax: using system identifiers
Any operation can be postfixed with @
Not necessary (the default is used)
The pre-processing class will direct the operation to the proper identity store
Constructing the proper DN
Identity Service usage: Basic operations
Operation=schema
Closely related to schema configured in Identity Service template
Important for provisioning
Identity Service usage: Basic operations
Operation=listapplications
Which applications are supported
Creates a distinct list of all privilege references to repositories
  MX_REPOSITORYNAME: direct reference
  MX_APPLICATION_ID: virtual reference, through the GRC repository
Identity Service usage: List operations
List operations
Operation = listprivileges
Operation = listroles
Operation = listusers
All of those are special cases of
Operation = list
with the object class set to, respectively
  MX_PRIVILEGE
  MX_ROLE
  MX_PERSON
Identity Service usage: operation=listusers
Identity Service template: Provisioning
SPML is a synchronous protocol
The result of the request is returned immediately
Returned result
Whether it reflects completion depends on the nature of the executed operation
Simple attributes
OK means the request completed
Combination of simple and reference attributes
Requires additional processing on the IdM side
OK means: we have started processing your request
Additional result polling is needed
Identity Service usage: Provisioning
Supply
Identifier - mandatory
RequestID - optional
Check status
Using RequestID
Confirm
Search for user
Identity Service usage: Provisioning
Check status (by RequestID)
Confirm (search for user)
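The provisioning slides above boil down to one rule: OK is final only for simple attributes; a request that also carries reference attributes is merely accepted, must be polled by RequestID, and should then be confirmed by searching for the user. As an added example (not SAP code), the following Python client logic implements that rule against a constructed in-memory stand-in for the deployed service. The attribute names treated as references (MXREF_MX_ROLE, MXREF_MX_PRIVILEGE), the status strings and the response shape are this example's assumptions, not taken from the slides.

```python
"""Provisioning through the Identity Service: treat OK as final only when it is
(added example, not SAP code; names and statuses are assumptions)."""
import itertools
from typing import Dict, List, Optional

Attrs = Dict[str, List[str]]

# Attributes that reference other entries (role/privilege assignments) and so
# trigger asynchronous processing on the IdM side. Assumed names.
REFERENCE_ATTRIBUTES = {"MXREF_MX_ROLE", "MXREF_MX_PRIVILEGE"}


def needs_polling(attrs: Attrs) -> bool:
    """Simple attributes only: OK means done. With reference attributes: OK
    means accepted, and the RequestID must be polled."""
    return bool(set(attrs) & REFERENCE_ATTRIBUTES)


class FakeIdentityService:
    """Constructed in-memory stand-in for the deployed service: add() answers
    OK at once, but reference attributes become visible only after
    `polls_until_done` status checks, modelling IdM's asynchronous processing."""

    def __init__(self, polls_until_done: int = 2) -> None:
        self.polls_until_done = polls_until_done
        self._ids = itertools.count(1)
        self._pending: Dict[str, tuple] = {}   # requestID -> (polls left, id, refs)
        self.users: Dict[str, Attrs] = {}

    def add(self, identifier: str, attrs: Attrs) -> Dict[str, str]:
        request_id = f"REQ{next(self._ids):04d}"
        simple = {k: list(v) for k, v in attrs.items() if k not in REFERENCE_ATTRIBUTES}
        refs = {k: list(v) for k, v in attrs.items() if k in REFERENCE_ATTRIBUTES}
        self.users[identifier] = simple
        if refs:
            self._pending[request_id] = (self.polls_until_done, identifier, refs)
        return {"result": "OK", "requestID": request_id}

    def status(self, request_id: str) -> str:
        entry = self._pending.get(request_id)
        if entry is None:
            return "COMPLETED"
        left, identifier, refs = entry
        if left > 1:
            self._pending[request_id] = (left - 1, identifier, refs)
            return "PROCESSING"
        del self._pending[request_id]
        self.users[identifier].update(refs)    # assignments applied now
        return "COMPLETED"

    def search(self, identifier: str) -> Optional[Attrs]:
        return self.users.get(identifier)


def provision(service: FakeIdentityService, identifier: str, attrs: Attrs,
              max_polls: int = 10) -> Dict[str, object]:
    """Supply identifier and attributes, poll by RequestID when needed, then
    confirm by searching for the user. Returns final state and poll count."""
    resp = service.add(identifier, attrs)
    request_id = resp.get("requestID")
    if resp["result"] != "OK":
        return {"state": "FAILED", "polls": 0, "requestID": request_id}
    polls = 0
    if needs_polling(attrs):
        state = "PROCESSING"
        while state == "PROCESSING" and polls < max_polls:
            polls += 1
            state = service.status(request_id)
        if state == "PROCESSING":
            # Never report an accepted-but-unfinished request as done.
            return {"state": "TIMEOUT", "polls": polls, "requestID": request_id}
        if state != "COMPLETED":
            return {"state": state, "polls": polls, "requestID": request_id}
    # OK/COMPLETED is the service's claim; the search is the evidence.
    user = service.search(identifier)
    confirmed = user is not None and all(
        set(values) <= set(user.get(name, [])) for name, values in attrs.items())
    return {"state": "CONFIRMED" if confirmed else "MISMATCH",
            "polls": polls, "requestID": request_id}


if __name__ == "__main__":
    svc = FakeIdentityService(polls_until_done=2)
    print(provision(svc, "jsmith", {"MX_FIRSTNAME": ["John"]}))
    print(provision(svc, "mmiller", {"MX_FIRSTNAME": ["Mary"],
                                     "MXREF_MX_ROLE": ["ROLE:HR"]}))
```

The bounded poll loop and the final search are the two pieces worth keeping in a real client: without the bound an IdM task that never completes blocks the caller, and without the search an OK from the service is taken on trust rather than verified against what the identity store actually holds.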
Identity Service usage: Obtaining the result - alternative
Request Complete framework
IdM may execute a special task whenever processing of the whole request is completed
Switch on various request types
Content of the task must be customized
Identity Service usage: Additional operations
Operation=roleassignmentresult
GRC integration specific
Not a topic here
Further Information
Related Workshops/Lectures at SAP TechEd 2012
SIS102 Lecture (2hr) SAP NetWeaver ID Management Latest Functionality and Demo
SIS103 Lecture (1hr) Best Practices: How to Implement SAP NetWeaver Identity Management
SIS160 Hands-On Workshop (2hr) SAP NetWeaver ID Management Context-Based Role Assignments
SIS161 Hands-On Workshop (2hr) SAP NetWeaver ID Management Provisioning Framework System Connectors
SAP Public Web
SAP NetWeaver Identity Management homepage on SDN:
http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
SAP Online Help for SAP NetWeaver Identity Management :
http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
Feedback: Please complete your session evaluation for SIS200.
Thanks for attending this SAP TechEd session.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of
Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System
z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7,
POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize,
XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere,
Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web
Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri,
and Xcode are trademarks or registered trademarks of Apple Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry
Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered
trademarks of Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads,
Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice,
Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.
INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings LLC.
Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork,
SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects
is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc.
Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data
contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied,
or transmitted in any form or for any purpose without the express prior written permission of SAP AG.