Miroslav Jokic, Roy Tronstad TechEd 2012 SIS200 SAP NetWeaver Identity Management Virtual Directory Server and Identity Service

  • Disclaimer

    2012 SAP AG. All rights reserved.

    This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

  • Agenda

    Introduction

      Heterogeneous environment

        Basic challenge

        Synchronization approach

        Virtual Directory approach

    SAP NetWeaver Identity Management Virtual Directory Server - VDS

      VDS in SAP NetWeaver Identity Management

      Inbound / outbound scenarios

    Identity Service

      Configuration

        Basic properties

      Deployment

      Usage

  • Introduction

  • Heterogeneous environment: Basic challenge

    Access to information stored in multiple data sources

    Access

    Back-ends support many protocols

    Often not the one we need or consider simple/accessible

    Efficiency

    Not only with respect to performance

    Depends on connector, amount of data, etc.

    Minimizing the number of connection points

  • Heterogeneous environment: Synchronization approach

    Move all relevant data into a central repository

    Typically a directory server

    SAP NW IdM: the Identity Center database

    Synchronize data regularly

    Scheduled synchronization

    Use delta mechanisms to minimize load

    Diagram: a central repository accessed by clients using a standard protocol; data is pulled from the back-ends and synchronized regularly

  • Synchronization approach: Advantages

    Processing of data may be implemented as a multi-stage process

    The quality of data may be gradually improved

    Data cleansing

    Attribute mapping

    Complex joins across data sources based on rules

    Provisioning

    Up-time of the back-ends

    Required only when synchronizing

  • Synchronization approach: Issues

    Synchronization frequency vs. data change frequency

    Keeping the central repository up to date is challenging

    Data is always old

    Moving data from the native back-end is not always allowed

    Political issues

    Security issues

  • Heterogeneous environment: Virtual Directory approach

    Leave data where it is

    Connect to back-ends on demand

    Requirement

    On-the-fly translation of requests from the inbound protocol to the proprietary back-end protocols and back

    Diagram: a Virtual Directory Server with an LDAP access point in front of it and LDAP, JDBC and various APIs towards the back-ends behind it

  • Virtual Directory approach: Advantages

    Real-time access

    What you see is real and up-to-date

    Fewer political issues

    No hassle with data ownership

    Non-intrusive solution

    No changes in existing repositories

    Faster implementation

    Easier and cheaper installation and maintenance

    Cost of ownership

    No additional data sources needed

    No need for back-up, training

    Diagram: the same Virtual Directory Server with an LDAP access point in front and LDAP, JDBC and various APIs behind it

  • SAP NetWeaver Identity Management Virtual Directory Server - VDS

  • SAP NetWeaver Virtual Directory Server

    Acts as a single access point for various client applications

    Provides real-time access to numerous disparate target systems

    Without moving the data

    Offers a fast, flexible and reliable service for

    Authentication

    Authorization

    Provisioning

    Quick and non-intrusive configuration

  • The scope of the presentation

    Not a detailed training on SAP NW IdM VDS

    White papers, tutorials

    Schema adjustments

    Authentication and authorization

    Extensibility

    Some basic concepts will be touched on

    Architecture

    Basic configuration

    Running modes

  • VDS Architecture

    Architecture diagram (not reproduced in the text)

  • VDS in SAP NetWeaver Identity Management

  • Versatility of VDS

    Inbound usage

    The connection protocol to the back-end is

    Well known

    Standard

    Accessible

    Need access via a standard protocol

    Outbound usage

    Existing protocol supported by VDS

    Need to connect to a back-end with a non-standard or ineffective protocol

    Utilize the connector framework of the VDS (protocol translation)

  • SAP NetWeaver Identity Management: Populating the Identity Center database

    Loading and creating data

    Using the SAP NW IdM Web UI

    Using the SAP NW IdM Admin UI

    SAP NW IdM Runtime Engine

    Executing tasks and jobs

    Typically Initial Load tasks

    Pull scenario

    External access to the Identity Center database?

    Can be treated as any other data source

    How to PUSH data to it?

    Diagram: the SAP NW IdM identity store with the SAP NW IdM Web UI and Admin UI in front of it

  • SAP NetWeaver Identity Management: Connectors to back-ends

    Native/built-in connectors

    LDAP, databases, ABAP, etc.

    Runtime's custom passes framework

    Methods: Init, getNextEntry, putNextEntry

    Connector framework of the VDS

    Any back-end is treated as an LDAP back-end

    Diagram: from the SAP NW IdM Runtime to a back-end that needs a connector, either (1a) an LDAP pass to the SAP NW IdM VDS followed by (1b) a VDS connector to the back-end, or (2) a custom pass

  • SAP NetWeaver Identity Management: Simplified architecture

    Use the synchronization (meta-directory) approach to synchronize data into the central repository

    All benefits mentioned before

    Use VDS to get external access to the Identity Center database

    Best of both worlds

    Diagram: an LDAP and SPML access point provided by the Virtual Directory Server in front of the SAP NW IdM identity store, which is populated by the SAP NW IdM Runtime Engine

  • SAP NetWeaver Identity Management: Architecture

    Architecture diagram (not reproduced in the text)

  • Identity Services

  • Identity Services: Topics

    Configuration properties

    Deployment Pitfalls

    Usage

  • What is IdM Identity Services?

    Identity Services is

    a VDS configuration template

    that has the Identity Center database of SAP NW IdM as back-end

    deployed on SAP NetWeaver

    Any VDS configuration can be deployed, so why is this one special?

    Level of pre-configuration

    Schema is pre-configured

    SPML friendliness

    Uses identifiers instead of full DNs

    Special/high-level operations added

  • Configuration properties

    Basic properties

      Starting new configurations

      Basic configuration parameters

      Data source parameters

    Pre-processing class

      VDS extensions

    Web Service deployment

      Deployment types

      Successfully deployed Identity Service

    Schema

  • Basic properties: Starting new configurations

    VDS is installed with several templates

    Various back-ends

    Ease of start-up

    A VDS configuration consists of several objects

    Time saving

  • Basic properties: Basic configuration parameters

    Initial configuration of the template

  • Basic properties: Basic configuration parameters

    The majority of the properties are written to the CONSTANTS object

    Can be changed at any time

    Some of them directly influence VDS objects

    Every template has specific/hard-coded properties

  • Basic properties: Data source parameters

    Data source object

    May contain properties that influence the connector's behavior

    Pre-configured for optimal performance of the template

  • Identity Services template: Basic properties

    Web Service Deployment

    Virtual Tree

    Entries in the identity store are exposed as cn=,ou=nwidm1,o=ids

    In the Identity Services template it is hidden

    Use special operations and SPML identifiers to access data

  • Pre-processing class: VDS extensions

    VDS offers the possibility to change its normal behavior

    Usage of Java extension classes

    Hooked into the normal execution sequence

    Can extend or change all aspects of the processing

    Pre-processing class

    Methods executed before VDS starts processing the incoming request

    Possibility to modify the incoming request

  • Pre-processing class

    In the Identity Services template

    Responsible for transforming requests from the high-level operations to near-LDAP operations suitable for VDS

  • 2012 SAP AG. All rights reserved. 33

    Configuration properties

    Basic properties

    Starting New configurations

    Basic configuration parameters

    Data source parameters

    Pre-processing class

    VDS extensions

    Web-Service deployment

    Deployment types

    Successfully deployed Identity Service

    Schema

  • Web Service deployment: Deployment types

    VDS supports two deployment types

    LDAP deployments

    Web Service deployments

    On the NetWeaver application server

    LDAP deployments (standalone mode)

    Multiple

    On Windows may also run as a service

  • Web Service deployment: Enterprise Archive (EAR)

    Configure Web Service deployment properties

    Create the EAR file

    Copy to the AS Java server

    Deploy

    Test in standalone mode first

    Avoids problems

    Easier troubleshooting

    Diagram: the EAR is created, then copied to the SAP NW AS Java server and deployed

  • Web Service deployment: Successfully deployed application

    Shown in SAP NetWeaver Administrator

  • 2012 SAP AG. All rights reserved. 37

    Configuration properties

    Basic properties

    Starting New configurations

    Basic configuration parameters

    Data source parameters

    Pre-processing class

    VDS extensions

    Web-Service deployment

    Deployment types

    Successfully deployed Identity Service

    Schema

  • Identity Service template: Schema

    Pre-configured

    Can be extended (prior to EAR creation)

    Attributes in the From column

    Returned upon an SPML schema request

    Non-mapped attributes are returned with their original (identity store) names

  • Deployment pitfalls

    Deployment is supposed to be a simple and straightforward process, and yet

    it happens that deployed services do not respond properly

    URL case sensitivity

    Java class path for the application

    AS Java version

    Connection string

    Missing Keys.ini file

  • Deployment pitfalls: Java class path for the application

    In deployment mode

    All JAR files and external classes must be part of the EAR file

    For Identity Service

    JDBC driver

    attrClass

    Prior to EAR creation

    Create a lib directory in the configuration workspace

    Copy the JDBC driver

    Compile attrClass

    Java class path for standalone mode

  • Deployment pitfalls: AS Java version

    Compiler compliance level

    1.4 for AS Java 7.0

    1.5 for AS Java 7.1 and later

  • Deployment pitfalls: Encryption and Keys.ini file

    IdM can encrypt and hash attribute values

    Keys.ini file contains information about

    Encryption key(s)

    Encryption and hash algorithm

    VDS (and IdS) needs the same information

    Typical Keys.ini file:

    [KEYS]
    KEY001=2DFB962127167351847821086219D27BAD80FB2296716373
    [CURRENT]
    KEY=KEY001
    [ALGORITHMS]
    ENCRYPTION=DES3CBC
    HASH=SSHA

  • Deployment pitfalls: Keys.ini reference

    In standalone mode: Tools/Options

  • Deployment pitfalls: Missing Keys.ini

    In deployed mode

    The path to the local Keys.ini file is configured as the AS Java application parameter

    com.sap.idm.vds.keyfile
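A pre-deployment check for the Keys.ini file and the com.sap.idm.vds.keyfile parameter, covering this slide and the Encryption and Keys.ini slide before it. This is an added example, not SAP's code: the section and key names follow the sample file on the slide; the 24-byte key length for DES3CBC, the accepted algorithm names and the app_params dict are assumptions.

```python
"""Pre-deployment check for a VDS / Identity Service Keys.ini file.

Added example, not SAP's code. Section and key names follow the sample
file on the slide; the DES3CBC key length (24 bytes = 48 hex digits), the
accepted algorithm names and the app_params dict are assumptions.
"""
import configparser
from pathlib import Path

# Assumed: encryption algorithms VDS accepts and the raw key length each needs.
ENCRYPTION_KEY_BYTES = {"DES3CBC": 24}
HASH_ALGORITHMS = {"SSHA"}  # extend with the names your IdM release accepts

# Constructed sample in the layout shown on the slide (the key value is made up).
SAMPLE_KEYS_INI = """[KEYS]
KEY001=000102030405060708090A0B0C0D0E0F1011121314151617
[CURRENT]
KEY=KEY001
[ALGORITHMS]
ENCRYPTION=DES3CBC
HASH=SSHA
"""


def parse_keys_ini(text):
    """Parse Keys.ini text into {section: {name: value}}, keeping name case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_keys_ini(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        cfg = parse_keys_ini(text)
    except configparser.Error as exc:
        return [f"unparseable Keys.ini: {exc}"]
    problems = [f"missing [{s}] section"
                for s in ("KEYS", "CURRENT", "ALGORITHMS") if s not in cfg]
    if problems:
        return problems

    current = cfg["CURRENT"].get("KEY")
    if not current:
        problems.append("[CURRENT] has no KEY= entry")
    elif current not in cfg["KEYS"]:
        problems.append(f"[CURRENT] KEY={current} is not defined in [KEYS]")

    enc = cfg["ALGORITHMS"].get("ENCRYPTION")
    if enc not in ENCRYPTION_KEY_BYTES:
        problems.append(f"unsupported ENCRYPTION={enc}")
    if cfg["ALGORITHMS"].get("HASH") not in HASH_ALGORITHMS:
        problems.append(f"unsupported HASH={cfg['ALGORITHMS'].get('HASH')}")

    for name, value in cfg["KEYS"].items():
        # A key that was line-wrapped when copied, or mistyped, fails here.
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            problems.append(f"{name} is not valid hex")
            continue
        want = ENCRYPTION_KEY_BYTES.get(enc)
        if want is not None and len(raw) != want:
            problems.append(f"{name} is {len(raw)} bytes, {enc} needs {want}")
    return problems


def check_deployed_keyfile(app_params):
    """Deployed mode: VDS finds Keys.ini through the AS Java application
    parameter com.sap.idm.vds.keyfile (named on the slide)."""
    path = app_params.get("com.sap.idm.vds.keyfile")
    if not path:
        return ["application parameter com.sap.idm.vds.keyfile is not set"]
    if not Path(path).is_file():
        return [f"Keys.ini not found at {path}"]
    return check_keys_ini(Path(path).read_text())
```

Run check_keys_ini on the file VDS will actually load (standalone: the one referenced under Tools/Options; deployed: the path in com.sap.idm.vds.keyfile) before creating the EAR, since the deployed service only reports the problem when the first request arrives.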

  • Identity Services usage: Situation

    Correctly deployed service

    Not started yet (until the first request comes)

    Expects SPMLv1 requests

    Exposes exactly one identity store

    No limitation: multiple identity stores can be back-ends

    Relevant parameters

    URL: the same as configured when deploying the IdS

    Authentication credentials

    As configured in the template

  • Identity Service usage: Functionality and usage

    Identifiers

    Special operations

    To start, only ONE is needed: operation=info

    Simple IdM identifiers

    mskeyvalue of the entry in IdM

    Full DNs matching the underlying VDS virtual tree

    DN of the entry in IdM, as seen in VDS

    Special identifiers (target system, using @)

    What makes this possible?

    The pre-processing class

  • Identity Service usage: Basic operations

    Operation=info

    Lists other useful operations

    Other properties

    Default systemid

  • Identity Service usage: Basic operations

    Operation=listsystems

    Lists the identity stores in the VDS configuration

    Default is only ONE (systemid=idm1)

    Syntax: using system identifiers

    Any operation can be postfixed with @ and a system identifier

    Not necessary (the default is used)

    The pre-processing class directs the operation to the proper identity store

    by constructing the proper DN

  • Identity Service usage: Basic operations

    Operation=schema

    Closely related to the schema configured in the Identity Service template

    Important for provisioning

  • Identity Service usage: Basic operations

    Operation=listapplications

    Which applications are supported

    Creates a distinct list of all privilege references to repositories

    MX_REPOSITORYNAME

    o Direct reference

    MX_APPLICATION_ID

    o Virtual reference, through the GRC repository

  • Identity Service usage: List operations

    Operation=listprivileges

    Operation=listroles

    Operation=listusers

    All of these are special cases of Operation=list

    with the object class set to, respectively

    o MX_PRIVILEGE

    o MX_ROLE

    o MX_PERSON
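What the pre-processing class has to do with identifiers, @systemid suffixes and the list aliases from the preceding slides, modelled as an added Python example (not SAP's Java class). Assumptions: the @ suffix may sit on the operation or on the identifier, idm1 maps to ou=nwidm1,o=ids as on the virtual-tree slide, and the dict shapes; RFC 4514 escaping of the cn value is added so that a client-supplied identifier cannot alter the DN it is placed in.

```python
"""Model of the Identity Service pre-processing step: resolve the target
identity store, expand the list aliases and build the DN VDS will use.

Added example, not SAP's Java pre-processing class. Assumptions: the @
suffix may sit on the operation or on the identifier, idm1 maps to the
virtual-tree base ou=nwidm1,o=ids shown on the slides, and the dict shapes.
"""

# Assumed: systemid -> base of that identity store in the VDS virtual tree.
SYSTEMS = {"idm1": "ou=nwidm1,o=ids"}
DEFAULT_SYSTEM = "idm1"  # slide: default is only ONE (systemid=idm1)

# listusers/listroles/listprivileges are list with a fixed object class.
LIST_ALIASES = {"listusers": "MX_PERSON", "listroles": "MX_ROLE",
                "listprivileges": "MX_PRIVILEGE"}

_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """RFC 4514 escaping for an attribute value placed in an RDN, so a
    client-supplied identifier such as 'x,ou=admins' stays one cn value
    instead of rewriting the DN it is inserted into."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_system(token):
    """'listusers@idm1' -> ('listusers', 'idm1'); no suffix -> (token, None).
    Under this assumed syntax an mskeyvalue containing '@' must carry an
    explicit '@systemid' suffix, otherwise its tail is read as a system id."""
    if token is None or "@" not in token:
        return token, None
    head, _, system = token.rpartition("@")
    return head, system.lower() or None


def resolve_dn(identifier, base):
    """Full DNs inside this store's virtual tree pass through; anything
    else is treated as an mskeyvalue and becomes the cn."""
    low = identifier.lower()
    if low.startswith("cn=") and low.endswith("," + base.lower()):
        return identifier
    return f"cn={escape_rdn_value(identifier)},{base}"


def preprocess(operation, identifier=None):
    """Turn a high-level request into the near-LDAP operation VDS executes."""
    op, op_system = split_system(operation.lower())
    ident, id_system = split_system(identifier)
    if op_system and id_system and op_system != id_system:
        raise ValueError("conflicting system ids on operation and identifier")
    system = op_system or id_system or DEFAULT_SYSTEM
    if system not in SYSTEMS:
        raise ValueError(f"unknown systemid {system!r}")
    base = SYSTEMS[system]
    result = {"system": system, "base": base}
    if op in LIST_ALIASES:
        result.update(operation="list", objectclass=LIST_ALIASES[op])
    else:
        result["operation"] = op
    if ident is not None:
        result["dn"] = resolve_dn(ident, base)
    return result
```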

  • Identity Service usage: operation=listusers

  • Identity Service template: Provisioning

    SPML is a synchronous protocol

    The result of the request is returned immediately

    Returned result

    What it means depends on the nature of the executed operation

    Simple attributes

    OK means the request completed

    Combination of simple and reference attributes

    Requires additional processing on the IdM side

    OK means "we have started processing your request"

    Additional result polling is needed

  • Identity Service usage: Provisioning

    Supply

    Identifier - mandatory

    RequestID - optional

    Check status

    Using RequestID

    Confirm

    Search for user

  • Identity Service usage: Provisioning

    Check status (by RequestID)

    Confirm (search for user)
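The submit / check status / confirm sequence from the provisioning slides, as an added example with a constructed in-memory stand-in for the Identity Service (not SAP's SPML endpoint). The status strings, method names and the reference-attribute names MXREF_MX_ROLE and MXREF_MX_PRIVILEGE are assumptions.

```python
"""Client-side provisioning flow: submit, poll by RequestID, confirm by search.

Added example. FakeIdentityService is a constructed stand-in for the deployed
service; status strings, method names and the reference-attribute names
(MXREF_MX_ROLE, MXREF_MX_PRIVILEGE) are assumptions.
"""
import itertools


class FakeIdentityService:
    """Simple attributes are applied at once; a request touching reference
    attributes is only accepted and finishes after a few status polls."""

    def __init__(self, reference_attrs=("MXREF_MX_ROLE", "MXREF_MX_PRIVILEGE"),
                 polls_needed=2):
        self.reference_attrs = set(reference_attrs)  # assumed attribute names
        self.polls_needed = polls_needed
        self.requests = {}
        self.users = {}
        self._ids = itertools.count(1)

    def modify(self, identifier, attrs, request_id=None):
        """Identifier is mandatory, RequestID optional. Returns ('OK', id);
        OK only means 'accepted' when reference attributes are involved."""
        request_id = request_id or f"req-{next(self._ids)}"
        deferred = bool(set(attrs) & self.reference_attrs)
        self.requests[request_id] = {"identifier": identifier, "attrs": attrs,
                                     "polls_left": self.polls_needed if deferred else 0}
        if not deferred:
            self._apply(request_id)
        return "OK", request_id

    def status(self, request_id):
        """Check status by RequestID: 'pending' until processing is done."""
        req = self.requests[request_id]
        if req["polls_left"] > 0:
            req["polls_left"] -= 1
            if req["polls_left"] > 0:
                return "pending"
            self._apply(request_id)
        return "completed"

    def search(self, identifier):
        """Search for the user: its attributes, or None if it does not exist."""
        return self.users.get(identifier)

    def _apply(self, request_id):
        req = self.requests[request_id]
        self.users.setdefault(req["identifier"], {}).update(req["attrs"])


def provision(service, identifier, attrs, max_polls=10):
    """Submit, poll by RequestID until completion, then read the entry back.
    Returns the RequestID, the polls used and any attribute whose value did
    not land, so the caller never takes the initial OK as the final word."""
    result, request_id = service.modify(identifier, attrs)
    if result != "OK":
        raise RuntimeError(f"request rejected: {result}")
    polls = 0
    while polls < max_polls:
        polls += 1
        if service.status(request_id) == "completed":
            break
    else:
        raise TimeoutError(f"{request_id} still pending after {max_polls} polls")
    entry = service.search(identifier) or {}
    missing = {k: v for k, v in attrs.items() if entry.get(k) != v}
    return {"request_id": request_id, "polls": polls, "missing": missing}
```

Against the real service the polling loop should sleep between status calls; it is omitted here so the example runs instantly.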

  • Identity Service usage: Obtaining the result - alternative

    Request Complete framework

    IdM may execute a special task whenever processing of the whole request is completed

    Switch on various request types

    Content of the task must be customized

  • Identity Service usage: Additional operations

    Operation=roleassignmentresult

    GRC integration specific

    Not a topic here

  • Further Information

    Related Workshops/Lectures at SAP TechEd 2012

    SIS102 Lecture (2hr): SAP NetWeaver ID Management Latest Functionality and Demo

    SIS103 Lecture (1hr): Best Practices: How to Implement SAP NetWeaver Identity Management

    SIS160 Hands-On Workshop (2hr): SAP NetWeaver ID Management Context-Based Role Assignments

    SIS161 Hands-On Workshop (2hr): SAP NetWeaver ID Management Provisioning Framework System Connectors

    SAP Public Web

    SAP NetWeaver Identity Management homepage on SDN:

    http://www.sdn.sap.com/irj/sdn/nw-identitymanagement

    SAP Online Help for SAP NetWeaver Identity Management:

    http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

  • Feedback: Please complete your session evaluation for SIS200.

    Thanks for attending this SAP TechEd session.

  • No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the United States and other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.

    Oracle and Java are registered trademarks of Oracle and its affiliates.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

    HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

    IOS is a registered trademark of Cisco Systems Inc.

    RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.

    Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.

    INTERMEC is a registered trademark of Intermec Technologies Corporation.

    Wi-Fi is a registered trademark of Wi-Fi Alliance.

    Bluetooth is a registered trademark of Bluetooth SIG Inc.

    Motorola is a registered trademark of Motorola Trademark Holdings LLC.

    Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

    Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

    Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

    All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.