SAP NetWeaver Single Sign-On
Product Management, SAP NetWeaver Identity Management & Security
June 2011

Agenda
- SAP NetWeaver Single Sign-On: solution overview
- Key benefits of single sign-on
- Solution positioning
- Identity Provider and Security Token Service
- Secure Login
- SSO using Kerberos authentication
- SSO using X.509 certificate authentication
- Secure Store & Forward (SSF) integration
- Strong authentication
- Enterprise Single Sign-On
- Secure communication channel

© 2011 SAP AG. All rights reserved.
Internal
SAP NetWeaver Single Sign-On: Solution overview
(Solution components: Identity Federation, Secure Login, Enterprise SSO, Web Access Management, Secure Communication)

Compliant identity management and single sign-on
SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions:
- Compliance and governance: SAP BusinessObjects Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On
SAP NetWeaver Single Sign-On: Single sign-on and secure communication channels

Single sign-on (SSO) brings:
- Reduction of password-related helpdesk calls
- Improved user productivity
- Improved security
- Alternative user authentication

A secure communication channel brings:
- Encryption of the communication channel
- Integrity
- Confidentiality
- Compliance
SAP NetWeaver Single Sign-On: Key capabilities
- Single sign-on for SAP GUI for Windows, SAP GUI for Java and Web applications
- Integration capabilities (Microsoft Active Directory Server; Microsoft Certificate Store)
- Strong encryption of communication channels between SAP client and SAP application server
- Single sign-on for legacy systems
- Support of additional authentication methods (Radius, smart cards)

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
Positioning of SAP NetWeaver Identity Management and SAP NetWeaver Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP BusinessObjects Access Control

SAP NetWeaver Single Sign-On
- Federation with Identity Provider / Security Token Service
- Standards-based single sign-on to SAP Windows GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures (hardware crypto tokens)
- Re-authentication
- Strong authentication: Radius (e.g. OTP tokens), smart cards, etc.
- Identity Provider & Security Token Service
- Enterprise Single Sign-On
- Web Access Management (via EBS with CA)

Secure Communication Channels
- Encryption of communication between client and application server
- Encryption of communication channels between SAP servers and all SAP GUIs
- Secure default installation for every SAP system (encrypted channels)

Summary: heterogeneous, cross-company identity management and variable, standards-based, multi-method authentication and single sign-on. Integration: deploy users, roles, systems as well as authentication and SSO configurations with one click in provisioning. Secure and standards-based connectivity and integration enhancements of business processes.
SAP NetWeaver Single Sign-On: Solution components

Identity Federation
- Web-based and web service-based authentication, SSO and identity federation with Identity Provider (IDP) and Security Token Service (STS) via SAML 2.0
- Cross-company domain SSO, heterogeneity, interoperability

Secure Login
- Standards-based single sign-on to SAP Windows GUI, as well as SAP and non-SAP web-based applications (Kerberos, X.509)
- Digital signatures for integrity
- Strong authentication and re-authentication for business-critical applications

Enterprise Single Sign-On
- Enterprise SSO to legacy applications requiring user ID/password authentication (terminal server, ftp, databases etc.)
- Partner API

Web Access Management
- Endorsed Business Solution (EBS) with CA SiteMinder product
- Policy-based authentication and authorization to web applications
- XACML-based, policy-enforced access

Secure Communication Channels
- Encryption of communication channels between SAP client and application server
- Based on SNC and Kerberos
- Encryption only, no single sign-on
- Available free of charge
Solution in detail: Identity federation
What is Identity Federation?
Identity federation allows the transfer of identity information across (company) domain boundaries. Federation enables users to work across domains securely and seamlessly. It creates cross-company single sign-on scenarios and reduces the user administration effort by re-using identity information from one domain for user authentication in other domains. Identity federation is based on open industry standards to guarantee maximum interoperability. SAP provides identity federation capabilities in SAP NetWeaver Identity Management through the Identity Provider (IDP) and the Security Token Service (STS). Both options are based on SAML 2.0 (Security Assertion Markup Language); in addition, the STS supports X.509 certificates.
Single sign-on and identity federation using SAML for web applications and services
- Single sign-on for Web-based applications and services
- Support of cross-company business processes
- Extensible identity information model
- Based on open SAML standard
- Successful participation in Liberty Alliance and Kantara interop tests 2009 and 2011

[Figure: Identity federation and single sign-on via SAML 2.0 in heterogeneous landscapes. The Identity Provider + Security Token Service (IDP/STS) on SAP NetWeaver Composition Environment 7.20 provides identity federation and single sign-on to Service Providers (SP): SAP NetWeaver Java 7.20, SAP Business Suite 7i2010 and non-SAP systems.]
Identity Provider: Web browser-based SSO In a single sign-on environment, a number of systems which provide services to the end user (Service Providers) trust the one system which administrates the end user’s identity (Identity Provider). Web users who are trying to access such a Service Provider system with their Web browser will be redirected to the Identity Provider. Once a user is authenticated by the Identity Provider, the user can access any of those service providers without re-authenticating. Web Browser-based single sign-on is user-centric.
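The redirect-and-assert exchange described above, as an added worked example that is not SAP code and not part of the original slides: a Service Provider without a session redirects the browser to the Identity Provider, the IdP authenticates the user once and issues an assertion addressed to that SP, and the SP validates signature, issuer, audience, request correlation, expiry and replay before creating its own session. Entity IDs, user names and passwords are constructed; an HMAC over canonical JSON stands in for the XML signature on a real SAML assertion, and Python dicts stand in for the SAML XML messages.

```python
"""SP-initiated web browser SSO, simplified (illustration only, not SAP's implementation)."""
import hashlib
import hmac
import json
import secrets
import time

IDP_ID = "https://idp.example.invalid"  # constructed entity ID, not a real host


def sign_message(key: bytes, message: dict) -> str:
    """HMAC over canonical JSON; stands in for the XML-DSig on a real assertion."""
    canonical = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Administrates identities: authenticates the user once, issues assertions to trusting SPs."""

    def __init__(self, entity_id, users, trusted_sps):
        self.entity_id = entity_id
        self.users = users                    # {name: (password, attributes)}; constructed data
        self.trusted_sps = set(trusted_sps)   # SPs registered with this IdP
        self._key = secrets.token_bytes(32)
        self._sessions = {}                   # IdP session cookie -> user name

    def verifier(self):
        """What an SP gets from IdP metadata: a way to check assertion signatures."""
        key = self._key
        return lambda assertion, sig: hmac.compare_digest(sign_message(key, assertion), sig)

    def sso(self, authn_request, idp_cookie=None, credentials=None):
        """Handle a redirected AuthnRequest; returns (assertion, signature, idp_cookie) or None."""
        if authn_request["issuer"] not in self.trusted_sps:
            return None                        # unknown SP: issue nothing
        user = self._sessions.get(idp_cookie)
        if user is None:                       # no IdP session yet: primary authentication
            if not credentials:
                return None
            name, password = credentials
            record = self.users.get(name)
            if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
                return None
            user, idp_cookie = name, secrets.token_urlsafe(16)
            self._sessions[idp_cookie] = user
        now = int(time.time())
        assertion = {
            "id": secrets.token_urlsafe(12),
            "issuer": self.entity_id,
            "audience": authn_request["issuer"],       # bound to the requesting SP
            "in_response_to": authn_request["id"],     # correlates with the SP's request
            "subject": user,
            "not_on_or_after": now + 300,
            "attributes": self.users[user][1],
        }
        return assertion, sign_message(self._key, assertion), idp_cookie


class ServiceProvider:
    def __init__(self, entity_id, idp_id, verify):
        self.entity_id, self.idp_id, self.verify = entity_id, idp_id, verify
        self._outstanding = set()   # AuthnRequest ids issued and not yet consumed
        self._seen = set()          # assertion ids already accepted (replay guard)
        self._sessions = {}         # SP session cookie -> subject

    def access(self, sp_cookie=None):
        """Returns ('ok', subject) or ('redirect', authn_request) for the browser to carry."""
        if sp_cookie in self._sessions:
            return "ok", self._sessions[sp_cookie]
        request = {"id": secrets.token_urlsafe(12), "issuer": self.entity_id, "idp": self.idp_id}
        self._outstanding.add(request["id"])
        return "redirect", request

    def assertion_consumer(self, assertion, signature):
        """Validate the posted assertion; return an SP session cookie or raise ValueError."""
        if not self.verify(assertion, signature):
            raise ValueError("bad signature")
        if assertion["issuer"] != self.idp_id:
            raise ValueError("untrusted issuer")
        if assertion["audience"] != self.entity_id:
            raise ValueError("assertion not addressed to this SP")
        if assertion["in_response_to"] not in self._outstanding:
            raise ValueError("unsolicited or already consumed response")
        if time.time() >= assertion["not_on_or_after"]:
            raise ValueError("assertion expired")
        if assertion["id"] in self._seen:
            raise ValueError("assertion replayed")
        self._outstanding.discard(assertion["in_response_to"])
        self._seen.add(assertion["id"])
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = assertion["subject"]
        return cookie


def demo():
    """One password entry at the IdP, then SSO into two SPs; returns what each SP sees."""
    users = {"alice": ("correct horse", {"mail": "alice@example.invalid"})}  # constructed
    idp = IdentityProvider(IDP_ID, users, ["sp-a", "sp-b"])
    sp_a = ServiceProvider("sp-a", IDP_ID, idp.verifier())
    sp_b = ServiceProvider("sp-b", IDP_ID, idp.verifier())
    _, req_a = sp_a.access()                                                   # redirect to IdP
    assertion, sig, idp_cookie = idp.sso(req_a, credentials=("alice", "correct horse"))
    cookie_a = sp_a.assertion_consumer(assertion, sig)
    _, req_b = sp_b.access()                                                   # second SP
    assertion_b, sig_b, _ = idp.sso(req_b, idp_cookie=idp_cookie)              # no password prompt
    cookie_b = sp_b.assertion_consumer(assertion_b, sig_b)
    return sp_a.access(cookie_a), sp_b.access(cookie_b)
```

The checks in `assertion_consumer` are the ones that make the user-centric model safe: audience binding stops an assertion meant for one SP from being accepted by another, request correlation rejects unsolicited responses, and the seen-id set rejects replay within the assertion's validity window.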
SAP support for Web browser-based SSO
- SAP NetWeaver Identity Management 7.2 (Identity Center, Virtual Directory Server; min. Java 7.0 SP 14): SAML 2.0 IDP and WS-Trust STS (min. Java 7.20)
- SAP NetWeaver Single Sign-On 1.0: E-SSO, Secure Login, SAML 2.0 IDP and WS-Trust STS (min. Java 7.20)
- SAML 2.0 SP: AS ABAP 7.02, AS Java 7.20
IdP/STS can be installed as a component via SAP NetWeaver Identity Management or SAP NetWeaver Single Sign-On.
Security Token Service: Web service-based SSO For Web services-based SSO, a Security Token Service (STS) is used. The STS is a Web service that enables you to use single sign-on (SSO) in heterogeneous system landscapes. The STS acts as a token broker. It supports a number of authentication methods from a Web service consumer and can convert these tokens into a security token that a Web service provider can use. The STS supports X.509, SAML 1.1, and SAML 2.0 tokens. Just as with SAML 2.0 for Web browser-based access, the SAML 2.0 assertion can transport profile and authorization attributes to the target Web service provider. Web service-based single sign-on is system-centric.
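The token-broker role described above, as an added worked example that is not SAP code and not part of the original slides: a Web service consumer presents one of several inbound token types (username token, X.509 certificate, SAML 1.1 assertion) in a WS-Trust style request, the STS validates it against the trust it holds for that type, and issues an outbound SAML 2.0-style token addressed to the requested Web service provider, carrying attributes from the identity store. The provider accepts only tokens signed by the STS and addressed to it. Entity IDs, keys, users and attributes are constructed; HMAC over canonical JSON stands in for XML-DSig and for CA certificate signatures.

```python
"""Security Token Service as a token broker, simplified (illustration only, not SAP's implementation)."""
import hashlib
import hmac
import json
import secrets
import time


def sign_message(key: bytes, message: dict) -> str:
    """HMAC over canonical JSON; stands in for an XML or certificate signature."""
    return hmac.new(key, json.dumps(message, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: dict, signature: str) -> bool:
    return hmac.compare_digest(sign_message(key, message), signature)


class SecurityTokenService:
    def __init__(self, entity_id, identity_store, trusted_ca_key, trusted_saml11_key):
        self.entity_id = entity_id
        self.identity_store = identity_store    # subject -> {"password": ..., "attributes": ...}
        self._ca_key = trusted_ca_key           # stand-in for the trusted X.509 CA certificate
        self._saml11_key = trusted_saml11_key   # stand-in for a trusted SAML 1.1 issuer certificate
        self._key = secrets.token_bytes(32)     # the STS's own signing key

    def verifier(self):
        """What a provider gets from STS metadata: a way to check issued tokens."""
        key = self._key
        return lambda message, sig: verify_message(key, message, sig)

    def _authenticate(self, token):
        """Return the authenticated subject for a supported inbound token, else raise."""
        now = time.time()
        kind = token.get("type")
        if kind == "UsernameToken":
            rec = self.identity_store.get(token["username"])
            if rec and hmac.compare_digest(rec["password"].encode(), token["password"].encode()):
                return token["username"]
        elif kind == "X509":
            cert = {k: v for k, v in token.items() if k != "signature"}   # signed part
            if verify_message(self._ca_key, cert, token["signature"]) and now < cert["not_after"]:
                return cert["subject"]
        elif kind == "SAML1.1":
            a = token["assertion"]
            if (verify_message(self._saml11_key, a, token["signature"])
                    and a["audience"] == self.entity_id and now < a["not_on_or_after"]):
                return a["subject"]
        else:
            raise ValueError(f"unsupported token type: {kind}")
        raise PermissionError("inbound token rejected")

    def request_security_token(self, inbound_token, applies_to):
        """WS-Trust RST -> RSTR: broker the inbound token into a SAML 2.0-style token."""
        subject = self._authenticate(inbound_token)
        if subject not in self.identity_store:
            raise PermissionError("authenticated subject unknown to identity store")
        now = int(time.time())
        assertion = {
            "issuer": self.entity_id, "audience": applies_to, "subject": subject,
            "id": secrets.token_urlsafe(12), "not_on_or_after": now + 300,
            "attributes": self.identity_store[subject]["attributes"],   # profile/authorization data
        }
        return {"token_type": "SAML2.0", "assertion": assertion,
                "signature": sign_message(self._key, assertion)}


class WebServiceProvider:
    def __init__(self, entity_id, sts_id, verify):
        self.entity_id, self.sts_id, self.verify = entity_id, sts_id, verify

    def accept(self, rstr):
        """Admit a brokered token; returns (subject, attributes) or raises PermissionError."""
        a = rstr["assertion"]
        if rstr["token_type"] != "SAML2.0" or not self.verify(a, rstr["signature"]):
            raise PermissionError("token not issued by trusted STS")
        if a["issuer"] != self.sts_id or a["audience"] != self.entity_id:
            raise PermissionError("token not addressed to this provider")
        if time.time() >= a["not_on_or_after"]:
            raise PermissionError("token expired")
        return a["subject"], a["attributes"]


def demo():
    """Broker a username token and an X.509 token into SAML 2.0 tokens for one provider."""
    ca_key, saml11_key = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed trust
    store = {"alice": {"password": "pw-alice", "attributes": {"role": "buyer"}}}
    sts = SecurityTokenService("urn:sts", store, ca_key, saml11_key)
    provider = WebServiceProvider("urn:ws-a", "urn:sts", sts.verifier())
    cert = {"type": "X509", "subject": "alice", "not_after": int(time.time()) + 3600}
    cert["signature"] = sign_message(ca_key, cert)
    inbound = {"username": {"type": "UsernameToken", "username": "alice", "password": "pw-alice"},
               "x509": cert}
    return {name: provider.accept(sts.request_security_token(tok, "urn:ws-a"))
            for name, tok in inbound.items()}
```

The provider never has to understand the consumer's original credential type; it trusts one issuer and checks audience and validity, which is what makes the system-centric model work across heterogeneous consumers.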
SAP support for Web service-based SSO
- SAP NetWeaver Identity Management 7.2 (Identity Center, Virtual Directory Server; min. Java 7.0 SP 14): SAML 2.0 IdP and STS (min. Java 7.20)
- SAP NetWeaver Single Sign-On 1.0: E-SSO, Secure Login, SAML 2.0 IdP and STS (min. Java 7.20)
- SAML 2.0 WS Consumer: AS ABAP 7.02 / 7.30, no AS Java
- SAML 2.0 WS Provider: AS ABAP 7.02 / 7.01, no AS Java
Solution in detail: Secure Login
What is Secure Login?
Secure Login allows re-using an initial user authentication, such as a Kerberos ticket or SAP system authentication, for subsequent logins to connected systems within an enterprise IT landscape. Secure Login offers flexibility regarding the initial authentication mechanism. The solution offers a standards-based (X.509) SSO technology, but does not require the implementation of a full-blown, costly Public-Key Infrastructure (PKI). It combines maximum security, such as re-authentication, with ease of use and minimum implementation requirements.
Secure Login: Solution architecture
[Figure: components of the Secure Login architecture]
- Client system (SAP Frontend): NWBC, SAPGui and Web Browser, using the Secure Login Client, Secure Login Library, Browser Key Store, Enterprise Single Sign-On, SLWC (Applet) and PSE Service; non-SAP client
- Secure Login Server (on SAP NetWeaver CE 7.2): Policy Store and Config Data
- Authentication Server (e.g. SAP User Management)
- SAP backend systems: ABAP stack reached via DIAG with SNC, Java stack reached via HTTP(S); SAP Crypto Library or Secure Login Library on the backend
- Non-SAP backend systems
Secure Login: Platform availability
[Platform availability table not reproduced in this extraction.] Mozilla Firefox 64-bit is not available (status May 2011).
Single sign-on with Secure Login via Kerberos
Flow (user authenticated via Microsoft Active Directory):
1. Start SAP GUI
2. Request security token from Microsoft Active Directory
3. Security token is returned
4. Authenticate to SAP Business Suite via the security token; secure communication
- Authentication through standardized security tokens based on Kerberos
- Low implementation effort
- Tight integration between SAP GUI, Windows client and Windows Active Directory
- Strong encryption and single sign-on to standard Windows GUI
Single sign-on with Secure Login via X.509 certificates (new capabilities)
Flow:
1. Start SAP GUI
2. Call Login Server
3. Validate against Authentication Server (AD, LDAP, ...)
4. Create certificate (automatic creation of certificate)
5. Authenticate to SAP Business Suite via certificate; secure communication
The user will be prompted for credentials.
- Out-of-the-box generated certificates can be used for SAP GUI and Web applications
- Low entry barrier into X.509 certificate based access
- PKI integration available but not required; short-lived X.509 certificates can be generated
- Strong encryption
- Digital signatures via SSF integration
Strong authentication with Secure Login (new capabilities)
Flow (user authenticated via Microsoft Active Directory):
1. Start SAP GUI
2. Request security token (Microsoft Certificate Store)
3. Security token is returned
4. Authenticate to SAP Business Suite via the security token; secure communication
- Authentication via smart card and existing PKI (Microsoft CA)
- PKCS#11 also supported
- Low implementation effort
- Strong encryption
- Multi-factor authentication
Re-authentication with Secure Login
Flow (user is already authenticated and has already received an SSO token):
1. User starts a business-critical transaction
2. Access request is received
3. Re-authentication is triggered (Secure Login Server, SAP NetWeaver CE 7.20)
4. User gets prompted for re-authentication
5. User sends credentials
6. Authenticate to SAP Business Suite via security token; secure communication
- Re-authentication to secure business-critical transactions
- Possibility to configure the enforcement of an additional authentication step (user re-enters credentials) for critical transactions
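The enforcement logic behind steps 2 to 6, as an added worked example that is not SAP code and not part of the original slides: an SSO token records when the user last proved their identity, a per-transaction policy states how fresh that proof must be for business-critical transactions, and a request that arrives with a stale token is answered with a re-authentication prompt; only after the user re-enters credentials is a fresh token issued and the transaction allowed. Transaction names, users, passwords, the policy and the `ManualClock` used to simulate elapsed time are all constructed; the token tag is an HMAC standing in for the server's signature.

```python
"""Re-authentication gate for business-critical transactions (illustration only, not SAP's implementation)."""
import hashlib
import hmac
import json
import secrets
import time


class ManualClock:
    """Injectable clock so the example can advance time deterministically."""

    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ReauthenticationGateway:
    def __init__(self, users, policy, clock=time.time):
        self.users = users      # user -> password; constructed store
        self.policy = policy    # transaction -> max token age in seconds, None = not critical
        self.clock = clock
        self._key = secrets.token_bytes(32)
        self.audit = []         # events a SOC would want: prompts, failures, successes

    def _tag(self, body):
        return hmac.new(self._key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def _issue(self, user):
        """SSO token carrying the instant at which the user last authenticated."""
        body = {"subject": user, "auth_instant": int(self.clock()), "id": secrets.token_urlsafe(8)}
        return dict(body, tag=self._tag(body))

    def _valid(self, token):
        body = {k: v for k, v in token.items() if k != "tag"}
        return hmac.compare_digest(self._tag(body), token.get("tag", ""))

    def _password_ok(self, user, password):
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

    def login(self, user, password):
        """Initial authentication; returns the SSO token the user carries afterwards."""
        if not self._password_ok(user, password):
            raise PermissionError("login failed")
        self.audit.append(("login", user))
        return self._issue(user)

    def authorize(self, token, transaction):
        """Steps 2 and 3: returns ('allow', subject) or ('reauth_required', transaction)."""
        if not self._valid(token):
            raise PermissionError("invalid SSO token")
        max_age = self.policy.get(transaction)            # unlisted transactions are non-critical
        age = self.clock() - token["auth_instant"]
        if max_age is not None and age > max_age:
            self.audit.append(("reauth_required", token["subject"], transaction))
            return "reauth_required", transaction
        return "allow", token["subject"]

    def reauthenticate(self, token, password):
        """Steps 4 to 6: the user re-enters credentials; a fresh token is issued on success."""
        if not self._valid(token):
            raise PermissionError("invalid SSO token")
        if not self._password_ok(token["subject"], password):
            self.audit.append(("reauth_failed", token["subject"]))
            raise PermissionError("re-authentication failed")
        self.audit.append(("reauth_ok", token["subject"]))
        return self._issue(token["subject"])


def demo():
    """Walk a user through a non-critical and a critical transaction; returns the decisions."""
    clock = ManualClock()
    gate = ReauthenticationGateway({"alice": "pw-alice"},
                                   {"release_payment": 300, "display_order": None}, clock)
    token = gate.login("alice", "pw-alice")
    steps = [gate.authorize(token, "display_order")[0]]        # non-critical: allowed
    clock.advance(2 * 3600)                                    # two hours later
    steps.append(gate.authorize(token, "display_order")[0])    # still allowed, no freshness rule
    steps.append(gate.authorize(token, "release_payment")[0])  # critical: proof too old
    fresh = gate.reauthenticate(token, "pw-alice")             # user re-enters credentials
    steps.append(gate.authorize(fresh, "release_payment")[0])  # fresh proof: allowed
    steps.append(gate.authorize(token, "release_payment")[0])  # old token is still stale
    return steps
```

The point of keeping `auth_instant` inside the signed token rather than in a client-side flag is that the server, not the client, decides whether the proof is fresh enough; the audit list gives detection teams the re-authentication prompts and failures for critical transactions.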
Web client: Zero footprint client software (new capabilities)
[Figure: (1) client contacts the SAP Secure Login Server Web Interface; (2) validation against the Authentication Server (AD, LDAP, RSA ...); (3) client; (4) authenticate via certificate and secure communication to the SAP Application Server (Java, ABAP).]
- Provides certificate to SAP GUI and internet browser (SSO enablement)
- Secure connection between SAP GUI and SAP application server
- Support of SAP GUI Java
- No distribution of client software
Digital signatures via SSF API and Secure Login Library
[Figure: SAP Business Suite applications (ERP, CRM, SCM, SRM, PLM, Industry Solutions) use the SSF Call Interface; on SAP NetWeaver the SSF API is backed by SAP Cryptolib or the Secure Login Library.]
- Digital signatures for legally binding contracts
- Integration with SSF API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP SSO mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
Digital signatures – step by step
1. SAP transaction triggers digital signature (SAP system)
2. User authenticates and digital certificate is received (end-user desktop)
3. User information is transferred (SAP client / UI)
4. SAP application digitally signs document and stores data
Supported out of the box for a set of SAP transactions; additional programming/integration is necessary if:
- ABAP programming is needed for other transactions not yet supporting SSF
- Integration of the Secure Login Library with client actions is needed
- Hardware support is needed
Solution in detail: Enterprise Single Sign-On
What is Enterprise Single Sign-On?
Enterprise Single Sign-On (E-SSO) helps users authenticate to multiple non-SAP systems or applications without the need to remember every password or logon dialog. After the end user has successfully authenticated to the E-SSO, further logon procedures to applications running under the system’s control are carried out automatically by E-SSO. E-SSO supports: Windows applications, Java applications, Web-based applications, Web site forms, and Terminal emulators. If you do not have a smart card you can use a soft token to store the credentials. E-SSO installs plug-ins (toolbar) for Internet Explorer and/or Firefox to facilitate SSO to protected web sites.
Scope and highlights of Enterprise Single Sign-On
Single sign-on to applications that do not support standardized authentication tokens. The E-SSO Windows client provides access to:
- Web applications
- Windows applications
- Java applications
- Databases
- Terminal emulators
Highlights: secure store, wizard-based, automatic and/or drag & drop authentication, primary authentication.
Solution in detail: Web Access Management
What is Web access management?
Web access management controls access to Web resources, providing authentication management, policy-based authorizations, auditing and reporting, and single sign-on. The CA SiteMinder Web access management solution is an SAP-endorsed business solution. It complements the security features in the SAP NetWeaver technology platform by controlling user access to SAP applications and helping securely deliver essential information to millions of employees, partners, suppliers and customers.
Endorsed Business Solution for Web Access Management: CA SiteMinder
CA SiteMinder for WAM to SAP NetWeaver Application Server:
- Extends web-based single sign-on to SAP NetWeaver Application Server systems to offer Web Access Management
- Offers policy-based authentication and authorization in web environments
- Integration via certification against SAP standard APIs for JAAS login modules
- Successful, long-term partnership between SAP and CA
[Figure components: users, mobile device, web or proxy server with Web Agent, SAP WebAS Application Server with SAP Agent, Policy Server, user store, web services & federated applications.]
Solution in detail: Secure Communication Channel
What is a secure communication channel?
A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel. SAP offers free encryption libraries for the communication between SAP Application Servers and between SAP Clients and Servers (based on the SNC interface and Kerberos technology, planned to be available in October / November 2011). A secure communication channel provides compliance, integrity and confidentiality.
Securing the communication channel between client and standard Windows GUI
[Figure: clients (SAP NetWeaver Business Client, standard Windows GUI, RFC client, BEx browser) connect via SNC to the SAP application servers.]
- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- Encryption of communication channel only
- No single sign-on
- Planned to be available with SP1 around Oct/Nov 2011 as part of the GUI installation