SAML in UI based SOA Scenarios
SAP NetWeaver Product Management Security
June 2008
© SAP 2008 Page 2
Agenda
1. Typical Authentication and SSO Scenarios in SOA
2. Windows Integrated Authentication using Kerberos with SAP NetWeaver
3. Authentication with SAML
4. Single Sign-On using SAML Token Profile
5. Outlook
Access Management and the User Authentication Lifecycle in SOA
- Secure authentication or SSO of users accessing enterprise resources
- Authorize user access to enterprise system resources with the user's own role and permission assignments
- Audit user access to enterprise system resources
[Diagram: user Bob performs an initial user authentication or SSO to the Portal or desktop application (Service Consumer); the user identity is then propagated with each service call (HTTP, SOAP, RFC, RMI) from the Service Client to the Service Provider.]
Single Sign-On
Single Sign-On (SSO)
- User authenticates once against a security system
- User is then seamlessly authenticated to access other systems
- Authentication against other applications is transparent for the user
Identity Management for SSO
- Synchronization, provisioning or mapping of user identities for SSO
- User identities for SSO must match to avoid unintended "user impersonations"
- Central user identity management to avoid redundant user information
Mainstream Integrated Authentication and SSO Solutions in SAP NetWeaver
- X.509 Client Certificates and PKIs
- Windows Integrated Authentication and Kerberos
- SAP Logon Tickets and Trusted Systems
- SAML Assertions with Trusted Systems
- Header Variables
- Custom: JAAS or GSS-API v2 based integration
Standardizing End to End SSO Scenarios on SAML
[Diagram: end-to-end SSO across three systems]
- SAML Identity Provider: SAP NetWeaver Portal or CE 7.1
- Web Service Consumer: SAP NetWeaver AS ABAP
- Web Service Provider: SAP NetWeaver AS ABAP
1. Initial user authentication against the Portal: any supported solution, e.g. SPNego for Windows integrated authentication
2. SSO with the SAML Browser/Artifact Profile (SSO for Web browser applications)
3. Access to the resource with the WSS SAML Token Profile (SSO for Web Services)
User identities are synchronized for SSO with SAP NetWeaver Identity Management or mapped with User Mapping between the Portal, the Web Service Consumer and the Web Service Provider.
The Big Picture
[Diagram: authentication and user data flows]
- The IdM / LDAP Directory is used as user repository by the UME (Web AS Java) of the SAP NetWeaver Portal and by the UME (Web AS Java) of J2EE / EE 5 and Web Dynpro applications
- HR creates and modifies users; IdM synchronizes user data to other SAP systems
- SSO from the Portal to other SAP systems, to Microsoft based applications (SAP ISAPI Filter or SSO22KerbMap) and to IBM/Lotus applications (SAP DSAPI Filter, LTPA); Kerberos (KERB) authentication against the directory
Agenda
2. Windows Integrated Authentication using Kerberos with SAP NetWeaver
© SAP 2008 / SAP TechEd 08 / SIM203 / Page 7
The Big Picture
In this section: focus on Windows Integrated Authentication with Microsoft Active Directory and the Windows Domain
[Diagram repeated from the previous slide, with Microsoft Active Directory / Windows Domain as the authentication source.]
Kerberos for User Authentication in SAP NetWeaver – SSO Process
Authenticate once to the domain, then SSO access to information content available from Portal Server iViews (Business Apps such as BI, CRM and others, Intranet, Collaboration).
1. Initial logon in the Domain
2. Call Portal URL
3. Error 401, Kerberos Ticket requested
4. Kerberos Ticket Request (to the Domain Controller, KDC)
5. Kerberos Ticket Response
6. Forward Kerberos Ticket to the Portal
7. Ticket verification and user ID resolution
8. Username
9. Resource
Enabling User Authentication with Kerberos on the SAP NetWeaver Portal: SPNegoLoginModule
Integrated user authentication from the browser to SAP NetWeaver AS Java / Portal by natively leveraging Microsoft Windows credentials (Kerberos) for authentication
[Diagram: 1. Windows domain logon; 2. Browser sends Windows credentials; 3. SPNego checks the credentials via the JVM against the DC (Active Directory / Windows domain controller) and the UME resolves the user ID; 4. SAP Logon Ticket issued]
Prerequisites: Microsoft Windows domain
Authentication of users is delegated to the Windows Domain Controller:
1. User authenticates against the Windows domain on his or her workstation
2. On portal access, the user's browser sends the Kerberos Session Ticket to SAP NetWeaver AS Java or the Portal
3. The UME of AS Java/Portal resolves the user ID from the User Principal Name in the Windows Domain
4. Further user interactions with the Portal and backend systems in iViews use SSO tickets
Typical deployment scenarios: Intranet scenarios
JAAS SPNego LoginModule: Authentication Flow on the Wire
[Diagram: no text content extracted]
SPNego Use Cases
SPNego can be applied for authentication in many scenarios:
- SAP NetWeaver Portal in the intranet
- SAP NetWeaver Portal in the intranet plus external access, with SSO tickets or SAML to Portal applications: Web Dynpro applications, ABAP applications (e.g. SAP BW web reports, BSP pages, ...), Integrated ITS (as of 6.40 onwards)
- Duet scenario for service-based access and SSO to SAP NetWeaver applications
- ...and others
Security considerations
- In the JVM 1.4.x versions, Kerberos tokens are only 56-bit encrypted
- Good passwords for the J2EE user account in AD are important for the security of the solution
- The Kerberos Key Table represents the J2EE engine's identity; malicious users who obtain the Key Table can set up a phishing site by impersonating the J2EE engine
- Generate the Key Table with encryption type DES-CBC-MD5; do not use DES-CBC-CRC
- Keep the Key Table file in a safe place. Allow only <SID>adm and SAPService<SID> to access the Key Table
- In a high security environment, change the service user's password (and the Key Table) periodically
SPNego Configuration Wizard – 1
SAP Note #994791
Available scenarios: DB, ADS, multiple ADS as data source; SUN JDK, IBM JDK
Launch the Wizard using: http://<server>:<port>/spnego
SPNego Configuration Wizard – 2
SPNego Configuration Wizard – 3
Includes the test facility for the selected user resolution mode
SPNego Configuration Wizard – 4
Summary of configuration for confirmation
Configuration on the Browser Clients
- Windows integrated authentication must be switched on
- The NetWeaver AS host must be explicitly assigned to the local intranet zone
- Automatic logon in the intranet zone must be allowed
Summary
SPNego leverages the Kerberos security standard, which is a built-in capability of a Microsoft Windows user desktop environment, to securely authenticate users to SAP NetWeaver AS Java applications
Prerequisites:
- SAP NetWeaver J2EE 6.40 SP15 or higher
- SAP NetWeaver 7.0 J2EE SP6 or higher
- SAP NetWeaver 7.1 Composition Environment
SPNego enables integrated Windows authentication to the SAP NetWeaver Portal and AS Java
Subsequent single sign-on (SSO) to SAP business applications in Portal, AS Java or AS ABAP, displayed in Portal iViews
AS Java Configuration Wizard under application alias /spnego
Useful SAP Notes:
- 968191 – SPNego: Central Note
- 957666 – Diagtool for Troubleshooting Security Configuration
Agenda
1. Overview SOA Scenarios
2. Windows Integrated Authentication using Kerberos with SAP NetWeaver
3. Authentication with SAML
   3.1 Overview of SAML
   3.2 SAML Browser/Artifact Profile
   3.3 Configuration
4. Single Sign-On using SAML Token Profile
5. Outlook
Benefits of Security Assertion Markup Language (SAML)
- Interoperable security solution that allows systems integration with great ease and minimal resources
- SAML can be used across different security domains (e.g. in a B2B scenario): SSO between Domain A and Domain B
- SAML is a protocol for encoding security related information (assertions) into XML and exchanging this information in a request/response fashion
- Provides standards based mechanisms to exchange security information using SOAP and HTTP(S)
- SAML is an OASIS standard, which is widely adopted in the industry and vendor independent
SAML Based Scenarios
[Diagram: in both scenarios the Service Consumer first authenticates (1. Authentication) at the SAML Identity Provider and then accesses the resource (2. Access to Resource) at the SAML Service Provider.]
- Web Browser based SSO: SAML Browser/Artifact Profile (SAML Standard)
- Web Service based SSO: SAML Token Profile (Web Service Security Standard)
Security Assertion Markup Language (SAML) Building Blocks
- Assertions: statements about a subject. This could be an authentication, attribute information, or authorization permissions
- Protocols: SAML defines request/response protocols for obtaining assertions
- Protocol Bindings: define how SAML protocols map to transport and messaging protocols, e.g. SAML SOAP Binding
- Profiles: define how assertions, protocols, and bindings are combined for particular use cases
[Diagram: layered stack of Profiles over Bindings over Assertions and Protocol, carrying the SAML Assertion.]
SAML Assertion
SAML Issuing Authorities produce "Assertions" in response to client requests.
A SAML Assertion can consist of
- Authentication Statement: piece of data that represents an act of authentication performed on a subject (user) by the SAML Issuing Authority
- Other Statements: Attribute Statement, Authorization Decision Statement
SAML Request / Response
[Diagram: the Service Provider sends a SOAP Envelope (SOAP Header, SOAP Body containing the SAML Request) to the SAML Identity Provider, which answers with a SOAP Envelope whose SOAP Body carries the SAML Response with the Assertion.]
SAML Request / Response
Request:
<samlp:Request .. RequestID="ID563AD51D8FE16A713C4E38C279492DDEDAB65A5A"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <samlp:AssertionArtifact>AAH7boOW79mDzbpq7B35WtLF4MP0rzC3J3BM16F+gm0EluFkAAAAAAAA</samlp:AssertionArtifact>
</samlp:Request>
Response:
<samlp:Response InResponseTo="ID563AD51D8FE16A713C4E38C279492DDEDAB65A5A" ..
    ResponseID="ID67AB48DAFA08159A35AE6B4BAB109D8E0AF063E9" .. >
  <saml:Assertion AssertionID="ID9BB9590058FBC303414444F2D8D81C52D91D640B" .. Issuer="www.samlssodemo.com" .. >
    <saml:AuthenticationStatement .. AuthenticationMethod="urn:ietf:rfc:1510">
      <saml:Subject>
        <saml:NameIdentifier>SAML_DEST</saml:NameIdentifier>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
3.2 SAML Browser/Artifact Profile
SAML – Browser/Artifact Profile for Web SSO
[Diagram: Source Web Site = SAML Identity Provider (SAP NW Portal with its SAML Service acting as SAML Responder); Destination Web Site = SAML Service Provider (Artifact Receiver, ICF/SAML LoginModule, Resource); the user's Service Consumer talks to both.]
Initial logon of the user at the Source Web Site
1. Request for a Resource; the Source Web Site creates the Artifact and the Assertion and determines the SAML Artifact Receiver URL of the Destination Web Site
2. Redirect URL + Artifact; the Destination Web Site determines the IdP based on the SourceID provided with the Artifact
3. SAML Assertion Request from the Destination Web Site to the SAML Responder
4. SAML Response with Assertion; the Destination Web Site analyzes the Assertion and authenticates the user (User Mapping)
5. Resource
SAP Landscape
[Diagram: the Source Web Site / SAML Identity Provider is the SAP NetWeaver Portal on SAP NW Java, whose SAML Service acts as SAML Responder; the Destination Web Site / SAML Service Provider is either SAP NW Java (Artifact Receiver and SAML Login Module) or SAP NW ABAP (ICF with SAML Service) hosting the Resource; the Service Consumer accesses both.]
3.3 Configuration
Configuration of SAML With NW Portal as Source Site
Prerequisites: You have configured SSL
[Diagram: the Source (NW Portal) receives the request from and sends the response to the Destination (NW AS ABAP or NW AS Java), which calls the Source to get the assertion. See also: Configuring NW AS ABAP or NW AS Java as Destination Site.]
Steps on the Portal:
- Create a role with the action "SAMLResponder" and assign it to the technical user that is used by the Destination Site to get the assertion
- Maintain configuration data for the destination sites (SAML outbound partner definition)
- Create a system object for the NW AS ABAP and a system alias
- Maintain Portal Content (e.g. iView)
Maintain Configuration Data for the Destination Sites (SAML Outbound Partner Definition)
NWA: Configuration Management – Infrastructure – Trusted Systems – SAML Browser/Artifact Profile – Outbound Partners
Create a System Object for the NW AS ABAP and System Alias
Portal: System Administration – System Configuration
- New Property: SAML Partnername
- New Logon Method value: SAML Browser/Artifact
Configuration of SAML With NW AS ABAP as Destination Site
Prerequisites: You have configured SSL
[Diagram: the Source (Portal) and the Destination (NW AS ABAP) exchange request and response over HTTPS; the AS ABAP uses an NW AS Java via RFC, which gets the assertion from the Source over HTTPS. Steps 1 to 5:]
- Establishing a Connection between AS ABAP and AS Java (RFC)
- Configuring the Portal as a SAML Source Site
- Configuring AS Java as a SAML Destination Site (Partner Inbound)
- Activating SAML for Resources in the AS ABAP (SAML Login Module)
- Mapping SAML Principals to AS ABAP User IDs (VUSREXTID)
Configuring AS Java as a SAML Destination Site (Partner Inbound)
NWA: Configuration Management – Infrastructure – Trusted Systems – SAML Browser/Artifact Profile – Inbound Partners
Activating SAML for Resources in the AS ABAP (SAML Login Module)
Transaction SICF: Logon Procedure: Alternative Logon Procedure; Logon Procedure: SAML Authentication
Maintain RFC Destination on AS ABAP
Mapping SAML Principals to AS ABAP User IDs (VUSREXTID)
Transaction SM30: VUSREXTID
New External ID type: SA for SAML NameIdentifier
Configuration of SAML With NW AS Java as Destination Site
Prerequisites: You have configured SSL
[Diagram: the Source (Portal) and the Destination (NW AS Java) exchange request and response; the Destination gets the assertion from the Source.]
- Configuring the Portal as a SAML Source Site
- Configuring AS Java as a SAML Destination Site (Partner Inbound)
- Adjust login module stack
Support of SAML Browser/Artifact Profile
Support for the "SAML Browser/Artifact Profile" as Source Site
Functionality                                          NW04   NW 7.00   NW>=7.10
SAML Browser/Artifact Profile – SAP NetWeaver Portal   -      -         X
Support for the "SAML Browser/Artifact Profile" as Destination Site
Functionality                                          NW04   NW 7.00   NW>=7.10
SAML Browser/Artifact Profile – Java                   X      X         X
SAML Browser/Artifact Profile – ABAP                   -      -         X
Agenda
1. Overview SOA Scenarios
2. Windows Integrated Authentication using Kerberos with SAP NetWeaver
3. Authentication with SAML
4. Single Sign-On using SAML Token Profile
   4.1 Overview
   4.2 Configuration
5. Outlook
WS-Security Overview
The OASIS WS-Security standard extends a SOAP message by one or more WS-Security Headers (wsse:Security), which contain security information for each recipient.
This new SOAP Header contains all relevant security metadata to secure a SOAP message, such as
- Security Tokens to carry security information (e.g. user authentication data, X.509 certificates)
- A Timestamp to protect against replay attacks
- Signatures to protect against message tampering*
- Encrypted Keys and Data to protect confidential information
Single Sign-On is provided by using e.g. SAML Security Tokens
[Diagram: SOAP Envelope with a SOAP Header carrying the WS-Security Header (Security Token, Timestamp, Signature, Encrypted Key + Data) and a SOAP Body carrying the Data.]
* Tampering: the act of altering something secretly or improperly
Relationship between WS-Security SAML Token Profile and the SAML Standard
[Diagram: on the SAML side, the stack of Profiles, Bindings, and Assertions and Protocol, where SAML Assertions carry Authentication, Attribute and Authorization Information; on the WS-Security side, SOAP Message Security with the SAML Token Profile, the Username Token Profile and others. The SAML Token Profile references the SAML Assertions and the SAML Confirmation Methods.]
SAML Token Profile: A Short Primer
- The SAML Token Profile defines the use of SAML Assertions as Security Tokens in the WS-Security Header
- The SAML Token is used by the service provider to authenticate the user based on the identity information in the SAML Assertion in incoming requests from service consumers
[Diagram: SOAP Envelope with a SOAP Header containing WS-Security with a SAML Token (SAML Assertion with Authentication Statement) and a SOAP Body with Data.]
Web Services SSO with SAML: General Message Exchange
1. The Web Service (WS) Consumer authenticates at the Token Issuer (Security Token Service, STS) and requests a SAML Token
2. The Token Issuer authenticates the user and issues a SAML Token to the WS Consumer
3. The WS Consumer uses the SAML Token for authentication at the WS Provider (SOAP Envelope: SOAP Header with WS-Security carrying the SAML Token, SOAP Body with Data)
4. The WS Provider must trust the assertion in the SAML Token to authenticate the WS Consumer and sends back the response
The SAML Token Profile addresses two major questions:
- How can the SAML assertions be bound to the SOAP message so that the service provider can be sure that they belong together?
- How can the service provider be sure that the sender of the message is really the subject in the assertion?
Confirmation of the Subject Identity: SAML Confirmation Methods Overview
Sender-Vouches (SV) Subject Confirmation Method
- The WS Consumer cryptographically binds the assertion to the body of the SOAP message by signing both with its private key
- The WS Provider compares the identity information from the message signature with the subject information in the assertion
- Basis of trust is the WS Consumer's certificate
Holder-of-Key (HoK) Subject Confirmation Method
- The assertion holds a key that is used by the WS Consumer to cryptographically bind (sign) the assertion and the body of the SOAP message
- The WS Provider uses the same key to verify the signature. The subject in the assertion is the party that can demonstrate that it is the holder of the key
- Basis of trust is the Token Issuer's certificate
Benefits of WS-Security
[Diagram: WS Consumer – Reverse Proxy (in the DMZ) – WS Provider]
- SSL provides only point-to-point security: the Reverse Proxy terminates the SSL connection between WS Consumer and WS Provider
- WS-Security provides end-to-end security
SAML Token Profile: WS-Security Header
Example of SAML Token Profile Usage
<wsse:Security>
  <saml:Assertion AssertionID="SAML_ID" Issuer="www.example.org" ...>
    <saml:Conditions NotBefore="..." NotOnOrAfter="..."/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:...:password"
        AuthenticationInstant="2005-03-19T...Z">
      <saml:Subject>
        <saml:NameIdentifier>MUELLERTHOM2</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
          <ds:KeyInfo> ... </ds:KeyInfo>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature>
      <ds:SignedInfo>
        ...
        <ds:Reference URI="#SAML_ID"> ... </ds:Reference>
        ...
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</wsse:Security>
4.2 Configuration
Configuring SSO With SAML Token Profiles
Configuring the SAML Trust Connection between ABAP systems (Transaction STRUST):
1. In the consumer system, start the Trust Manager
2. In the system PSE, find the certificate of the consumer system that issues SAML assertions
3. Export this system's certificate
4. In the provider system, import the consumer system's certificate
[Diagram: the WS Consumer system exports its certificate; the WS Provider imports it.]
Configuring SSO With SAML Token Profiles
Enabling SSO with SAML Token Profile:
- Configure a WS service endpoint for providing a Web Service (WS Provider, SOAMANAGER)
- Configure a WS port for consuming a Web Service (WS Consumer, SOAMANAGER)
- Maintain User Mapping (WS Provider, SE38 – RSUSREXTID)
Configure a WS Service Endpoint for Providing a Web Service
Transaction: SOAMANAGER – Application and Scenario Communication – Single Service Administration: Service Configuration
Configure a WS Port for Consuming a Web Service
Transaction: SOAMANAGER – Application and Scenario Communication – Single Service Administration: Consumer Proxy Configuration
Maintain User Mapping
Transaction SE38: RSUSREXTID
Support of WS-Security with the SAP NetWeaver Platform
Support for the "XML Signature / XML Encryption" for Web Services
Functionality                              NW04   NW 7.00   NW>=7.10
XML Signature / XML Encryption – Java      -      X         X
XML Signature / XML Encryption – ABAP      -      X         X
Support for the "SAML Token Profile" for Web Services
Functionality                              NW04   NW 7.00   NW>=7.10
WSS SAML Token Profile – Java              -      -         X
WSS SAML Token Profile – ABAP              -      X         X
5. Outlook
SSO in the SAP NetWeaver Roadmap
[Roadmap diagram with the columns 2007/2008, 2009, and 2010 and beyond, and four tracks: Role & Authorization Mgmt., Identity Management, Enterprise SOA and Standards, Security Management. Topics shown:]
- Meta-roles definition and assignment
- Enhanced support for WS-* standards
- Central Identity Management for heterogeneous landscapes
- Centralized policy-based security administration
- Identity federation support (SAML v2)
- Standards-based single sign-on infrastructure (SAML)
- Standards-based principal propagation
- Harmonization of security administration
- Role management simplification and TCO reduction
- Business process integrated identity management
- Business role management
- Harmonized authorization concepts
- Extended SOA scenario support
- Model driven security management
- Add. WS-* standards (WS-SecureConversation, WS-Trust)
- Trust Configuration using X.509 System Certificates
- Secure Single Sign-On and Single Log Out for Trusted Systems in Heterogeneous Landscapes
- User Mapping, Account Linking and Identity Federation from Authentication Protocols
Copyright 2008 SAP AG. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.