Enabling Federation and Web Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver
SAP Product Management, SAP NetWeaver Identity Management & Security
Kristian Lehment, May 2011
ASUG Conference, Session ID 3603
Agenda
- Introduction to Single Sign-On (SSO)
- Short demo of a federated SSO scenario
- The technology and the concepts behind SSO
- Introduction to the Security Assertion Markup Language (SAML)
- Browser-based Web single sign-on with SAML 2.0
- Identity federation
- Web service-based SSO with SAML 2.0 and X.509 certificates
2011 SAP AG. All rights reserved. 2
Demo Introduction to Single Sign-On
Brokered Authentication: A Core Security Pattern for Single Sign-On
1. The user proves his identity to a central Security Token Issuer by presenting his credentials.
2. The issuer verifies the correctness and trustworthiness of the credentials and issues a security token containing the user's identity information.
3. The user presents the security token to the application(s) he wants to single sign-on to.
4. The application verifies the security token.
5. The application associates an identity from its user store with the session, based on a unique value in the token.
Examples for Brokered Authentication in SSO Technologies

SSO Technology       Security Token Issuer           Token Format
SAP Logon Ticket     SAP Portal (AS Java)            Cookie (digitally signed)
Digital Certificate  Certification Authority (CA)    X.509 Certificate
Kerberos             Key Distribution Center (KDC)   Kerberos Ticket
Key Properties of SSO Technologies
- Cross-Domain: Can the SSO technology only be used within one security domain (i.e. the corporate intranet), or can it be used across different domains (e.g. to access a business partner system)?
- Cross-Platform: Which platforms are supported by the SSO technology? Does it work in a heterogeneous system landscape? Is it based on industry standards?
- Token Content Model: Does the security token only allow a fixed set of identity attributes, or can it be extended dynamically?
SSO Technologies Compared

SSO Technology       Cross-Domain   Cross-Platform   Token Content Model
SAP Logon Ticket     No             No*              Fixed
Digital Certificate  Yes            Yes              Fixed
Kerberos             No             Yes              Fixed
SAML                 Yes            Yes              Extensible

* Issuer running on SAP only; ticket validation is also possible with non-SAP applications.
Security Assertion Markup Language (SAML) in a Nutshell
- Industry standard for cross-vendor Web-based Single Sign-On and Single Log-Out, with wide adoption in the industry
- XML-based framework for expressing security and identity information and exchanging it across administrative and technical domain boundaries
- SAML profiles describe a variety of end use cases for the framework
- The SAML security token is the Assertion. It
  - contains a statement about a user's authentication that happened in the past, i.e. when and how the user authenticated at the issuer
  - names the issuer of the assertion
  - can contain additional information (a.k.a. attributes) about the user's identity, e.g. role information
SAML 2.0 Terminology for Web Browser-Based SSO
- Identity Provider (IdP): Authority responsible for authenticating an end user and asserting an identity for that user in a security token, in a trusted fashion, to trusted partners. Synonyms: (Security Token) Issuer
- Service Provider (SP): Offers services/resources to users and has a trust relationship with an IdP, so that it accepts and trusts the vouched-for information provided by the IdP on behalf of a user. Synonyms: (Web) Application, Relying Party
- Subject: The user who has been authenticated by the IdP. Synonyms: User, Principal
SAML 2.0 Terminology for Web Service-Based SSO
- Security Token Service (STS): Authority responsible for authenticating an end user and asserting an identity for that user in a security token, in a trusted fashion, to trusted partners. Synonyms: (Security Token) Issuer
- Web Service Provider (SP): Offers services/resources to users and has a trust relationship with an IdP, so that it accepts and trusts the vouched-for information provided by the IdP on behalf of a user. Synonyms: (Web) Application, Relying Party
- Subject: The user who has been authenticated by the IdP. Synonyms: User, Principal
Analogy of an Interoperable, Cross-Domain Security Token in the Real World
(Figure: a TRUST relationship between the German Government and the US Government; a Citizen of Germany holds an ID Card and a Passport issued by the German Government and presents the Passport to a US Immigration Officer.)
Browser-Based Web SSO with SAML, Part 1/2
1. The user invokes the URL of an access-protected Web application (the Service Provider, SP) with his browser.
2. The Web application redirects the request to its trusted Security Token Issuer, the Identity Provider (IdP).
3. If the user is not already logged on at the Security Token Issuer, he will be asked to provide his credentials.
Browser-Based Web SSO with SAML, Part 2/2
4. The Security Token Issuer (IdP) returns a SAML Assertion for the user inside a <form> HTML element.
5. The user's Web browser (automatically) submits the <form> element containing the SAML Assertion.
6. The Web browser sends the SAML Assertion with an HTTP POST request to the Web application (SP).
7. The Web application validates the SAML Assertion, assigns a local user account to the user's session and returns the requested Web page.
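Step 7 above (and steps 4 and 5 of the brokered-authentication pattern) is where the Service Provider decides whether to trust the posted token. The following is an added example, not code from the presentation or from SAP's SAML 2.0 service provider, showing the checks an SP performs on a POSTed SAML 2.0 Response before it maps the subject to a local account: trusted issuer, success status, destination and recipient, the Conditions time window with clock skew, the AudienceRestriction, the InResponseTo binding to the SP's own AuthnRequest, an AuthnStatement, and a replay cache of assertion IDs. The IdP and SP entity IDs, the ACS URL, the request ID and the sample Response are all constructed placeholders; the XML signature check itself is passed in as a boolean because it belongs to an external XML-DSig library (assumption), and an SP must refuse a Response whose signature did not verify against the IdP's key.

```python
"""SP-side validation of a SAML 2.0 Response received via HTTP POST (added example).

Constructed placeholders: IdP entity ID https://idp.example.com, SP entity ID
https://sp.example.com, ACS URL https://sp.example.com/saml2/acs, request ID _req42.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample of what the IdP's <form> auto-submits to the SP's ACS URL (steps 5 and 6).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2011-05-17T14:30:00Z"
    Destination="https://sp.example.com/saml2/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-05-17T14:30:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@idp.example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml2/acs"
            InResponseTo="_req42" NotOnOrAfter="2011-05-17T14:35:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-05-17T14:29:00Z" NotOnOrAfter="2011-05-17T14:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-05-17T14:29:50Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC xsd:dateTime values; the sample uses whole seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, trusted_issuer, sp_entity_id, acs_url,
                      expected_request_id, signature_ok, now, seen_ids,
                      skew=timedelta(seconds=60)):
    """Step 7 checks. Returns (name_id, []) on success or (None, [errors]) on failure."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("Destination") != acs_url:
        errors.append("Destination does not match our ACS URL")
    # The XML-DSig verification itself is delegated to an external library (assumption).
    if not signature_ok:
        errors.append("signature did not verify against the trusted IdP key")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, errors + ["no Assertion in Response"]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != trusted_issuer:
            errors.append("issuer is not the trusted IdP")
    if assertion.get("ID") in seen_ids:
        errors.append("assertion ID already seen (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions")
    else:
        if cond.get("NotBefore") and now + skew < parse_ts(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= parse_ts(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("we are not in the AudienceRestriction")
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if sc is None or sc.get("Method") != BEARER or scd is None:
        errors.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") != expected_request_id:
            errors.append("InResponseTo does not match the AuthnRequest we sent")
        if scd.get("NotOnOrAfter") and now - skew >= parse_ts(scd.get("NotOnOrAfter")):
            errors.append("SubjectConfirmationData expired")
    if assertion.find("saml:AuthnStatement", NS) is None:
        errors.append("no AuthnStatement: the assertion does not attest an authentication")
    if errors:
        return None, errors
    seen_ids.add(assertion.get("ID"))  # remember the ID so the same assertion cannot be replayed
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return (name_id.text.strip() if name_id is not None and name_id.text else None), []


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, trusted_issuer="https://idp.example.com",
                            sp_entity_id="https://sp.example.com",
                            acs_url="https://sp.example.com/saml2/acs", expected_request_id="_req42",
                            signature_ok=True, now=datetime(2011, 5, 17, 14, 31, tzinfo=timezone.utc),
                            seen_ids=set()))
```

Every check is reported rather than short-circuited so that a failed logon can be logged with all reasons, which is what an SP administrator wants when debugging a federation. The replay cache only needs to retain IDs until the assertion's NotOnOrAfter has passed.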
Support for Web SSO with SAML 2.0 in SAP NetWeaver
(Figure: SAP NetWeaver Identity Management 7.20 consists of the Identity Center, the Virtual Directory Server, the SAML 2.0 IdP and the WS-Trust STS; Min. Java 7.0 SP 14. SAML 2.0 SP: AS ABAP 7.02, AS Java 7.20; Min. Java 7.20.)
- The IdP software component is independent from the other SAP NW IdM software components.
- E.g. if you have the license for SAP NW IdM 7.20, the IdP can be used without using the other software components like Identity Center or VDS.
Support for Web SSO Using the IdP with Releases Older than AS ABAP 7.02 / AS Java 7.20
(Figure: one Identity Provider (IdP) serving SPs on AS ABAP >= 7.02 / AS Java >= 7.20 and SPs on AS ABAP < 7.02 / AS Java < 7.20, labelled ABAP SP and Java SP.)
Summary: SAML 2.0
The main benefits of SAML 2.0 are:
SSO with SAML 2.0
- SAML provides a standard for cross-domain Single Sign-On (SSO)
- SAML 2.0 supports identity-provider-initiated SSO (as in SAML 1.x)
- SAML 2.0 also supports service-provider-initiated SSO
SLO with SAML 2.0
- Single Log-Out (SLO) enables users to cleanly close all their sessions in a SAML landscape, even across domains
Identity federation
- Identity federation provides the means to share identity information between partners
SSO and Identity Federation: The Challenge
(Figure: the user has one central account at the Identity Provider (IdP) and a different account at each Service Provider (SP): john.doe in the CRM, sales in the Partner Portal, JDOE in the ERP.)
How and where are the user's SP accounts linked to his central account at the IdP to enable SSO across all applications?
SSO and Identity Federation: Three Solutions
1. Use an existing common, unique NAME to map the accounts. (IdP: E-Mail john@idp.com; SP: account jdoe with E-Mail john@idp.com)
2. Create a new common, unique IDENTIFIER to link the accounts. (IdP: SP ID abc123; SP: account jdoe with IdP ID abc123)
3. Federate the accounts based on identity ATTRIBUTES and mapping rules. (IdP: Department = Sales; SP rule "Department = Sales?" maps to account sales)
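The three solutions differ in what the SP looks up once the assertion has been validated: a name it already stores, an opaque identifier agreed with the IdP, or an attribute-driven rule. The following added example (not code from the presentation or from SAP NetWeaver Identity Management) implements all three as one account-linking step on the SP side, driven by the SAML NameID format; the user store, the IdP entity ID https://idp.example.com and the identifiers john@idp.com, abc123 and Department = Sales are constructed to mirror the slide. Two details matter for security: a name-based match must be unique (two local accounts with the same e-mail address give no match), and identifier links are keyed by the issuing IdP, so that an identifier from one partner can never resolve to an account federated with another.

```python
"""Linking a federated identity to a local SP account with the three strategies above (added example).

Constructed data: the user store, the IdP entity ID https://idp.example.com and the
identifiers john@idp.com, abc123 and Department=Sales from the slide.
"""
from dataclasses import dataclass, field

EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass
class LocalUser:
    login: str
    email: str = ""


@dataclass
class FederatedIdentity:
    """What the SP extracted from an assertion that already passed signature and validity checks."""
    idp: str
    name_id: str
    name_id_format: str
    attributes: dict = field(default_factory=dict)


class AccountLinker:
    def __init__(self, users, trusted_idps):
        self.users = {u.login: u for u in users}
        self.trusted_idps = set(trusted_idps)
        self.links = {}   # strategy 2: (idp, persistent name ID) -> local login, set at federation time
        self.rules = []   # strategy 3: (attribute, required value, shared local login)

    def link(self, idp, persistent_id, login):
        """Record the IdP-issued identifier for an existing local account (strategy 2)."""
        if login not in self.users:
            raise KeyError(login)
        self.links[(idp, persistent_id)] = login

    def add_rule(self, attribute, value, login):
        """Map an attribute value to a (typically shared) local account (strategy 3)."""
        if login not in self.users:
            raise KeyError(login)
        self.rules.append((attribute, value, login))

    def resolve(self, ident):
        """Return (login, strategy) on success or (None, reason) if no account can be assigned."""
        if ident.idp not in self.trusted_idps:
            return None, "untrusted IdP"
        if ident.name_id_format == EMAIL_FMT:
            # Strategy 1: an existing common unique name. The match must be unambiguous,
            # otherwise the assertion could log the user into somebody else's account.
            matches = [u.login for u in self.users.values()
                       if u.email and u.email.lower() == ident.name_id.lower()]
            if len(matches) == 1:
                return matches[0], "name"
            if not matches:
                return None, "no account with that e-mail"
            return None, "ambiguous e-mail"
        if ident.name_id_format == PERSISTENT_FMT:
            # Strategy 2: an opaque identifier agreed between IdP and SP, keyed by the IdP
            # so that identifiers from different partners cannot collide.
            login = self.links.get((ident.idp, ident.name_id))
            return (login, "identifier") if login else (None, "no federated link for this identifier")
        # Strategy 3: transient or unspecified name ID; map by attributes to a shared account.
        for attribute, value, login in self.rules:
            if ident.attributes.get(attribute) == value:
                return login, "attributes"
        return None, "no mapping rule matched"


if __name__ == "__main__":
    idp = "https://idp.example.com"
    linker = AccountLinker([LocalUser("jdoe", "john@idp.com"), LocalUser("sales")], [idp])
    linker.link(idp, "abc123", "jdoe")
    linker.add_rule("Department", "Sales", "sales")
    print(linker.resolve(FederatedIdentity(idp, "john@idp.com", EMAIL_FMT)))
    print(linker.resolve(FederatedIdentity(idp, "abc123", PERSISTENT_FMT)))
    print(linker.resolve(FederatedIdentity(idp, "_t1", TRANSIENT_FMT, {"Department": "Sales"})))
```

Strategy 3 gives several users the same local account, which is the point of a shared partner-portal login but also means the SP's audit trail only records the shared account; if individual accountability is needed at the SP, strategies 1 or 2 are the ones to use.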
Identity Federation in SAP NetWeaver Identity Management 7.2
- Identity federation provides the means to share identity information across company boundaries
- The user must be unambiguous and clearly identifiable, even though different user identifiers may exist across the landscape
- The name identifier (name ID) is the means to establish a common identifier
- Once the name ID has been established, the user is said to have a federated identity
- Identity federation enables SSO for Web browser-based access (user-centric) and Web services (system-centric) across domains
- SAP's solution relies on standards for interoperability between SAP and non-SAP systems
  - For Web browser-based access, identity federation uses an identity provider that supports SAML 2.0
  - For Web services, identity federation uses a security token service (STS) that supports WS-Trust 1.3 and issues X.509, SAML 1.1 and SAML 2.0 tokens
SAML Web Service SSO
A service is required to transform the successful authentication into an SSO token which
- can be used for authentication at the Service Provider,
- can transfer the authentication information beyond the domain boundary, and
- enables the Web Service consumer to prove Doe's identity to the SAP Web Service by strong cryptographic means.
(Figure: WS Consumer (Doe) -> SAML Issuer -> WS Provider (JDoe))
Role of an STS in Service-Based Single Sign-On Scenarios
- The Security Token Service (STS) is a distinguished Web service that issues security tokens based on a standardized protocol (WS-Trust)
- The STS enhances security tokens with identity information needed for authentication
- The STS has broad applicability: it can be used to issue security tokens in a wide range of formats
(Figure: 1. the Web Service Consumer sends a Security Token Request with authentication data to the STS; 2. the STS authenticates the user and generates the requested token; 3. the STS returns the Security Token Response.)
Supported security tokens from SAP STS: SAML 1.1, SAML 2.0, X.509 certificates* (* short-lived X.509 certificate)
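The three-step exchange above is WS-Trust's Issue request. The following added example (not code from the presentation or from SAP's STS) shows both sides of it with the WS-Trust 1.3 element names: the consumer builds a RequestSecurityToken whose AppliesTo names the provider it wants to call, the STS authenticates the requester, refuses requests for relying parties it does not know, and answers with a RequestSecurityTokenResponseCollection carrying a short-lived SAML 2.0 assertion whose AudienceRestriction is the AppliesTo value, and the provider accepts the token only if it comes from the trusted STS, is addressed to it and is within its validity window. The STS issuer ID https://sts.example.com, the provider endpoint https://erp.example.com/ws and the user jdoe with his password are constructed placeholders; the XML-DSig signature over the assertion, which is what makes the token useful "by strong cryptographic means", is delegated to an external signing library (assumption) and not shown.

```python
"""WS-Trust 1.3 Issue exchange: consumer request, STS issuance, provider check (added example).

Constructed placeholders: STS issuer https://sts.example.com, provider endpoint
https://erp.example.com/ws, user jdoe. The XML-DSig over the assertion is delegated
to an external library (assumption).
"""
import hmac
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE = WST + "/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
NS = {"wst": WST, "wsp": WSP, "wsa": WSA, "saml": SAML}


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_rst(applies_to, token_type=SAML2_TOKEN):
    """Consumer side (step 1): ask the STS for a token scoped to the provider named in AppliesTo."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(rst, encoding="unicode")


class SecurityTokenService:
    def __init__(self, issuer, users, providers, lifetime=timedelta(minutes=5)):
        self.issuer = issuer
        self.users = users                # constructed credential store: username -> password
        self.providers = set(providers)   # relying parties this STS is willing to issue tokens for
        self.lifetime = lifetime          # short-lived tokens limit the window of a leaked one

    def authenticate(self, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

    def issue(self, rst_xml, username, password, now):
        """Steps 2 and 3: authenticate the requester, check the request, return the RSTR collection."""
        if not self.authenticate(username, password):
            raise PermissionError("authentication failed")
        rst = ET.fromstring(rst_xml)
        if rst.findtext("wst:RequestType", namespaces=NS) != ISSUE:
            raise ValueError("only Issue requests are supported")
        if rst.findtext("wst:TokenType", namespaces=NS) != SAML2_TOKEN:
            raise ValueError("unsupported token type")
        applies_to = rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
        if applies_to not in self.providers:
            raise ValueError("AppliesTo is not a registered relying party")
        expires = now + self.lifetime
        rstrc = ET.Element(f"{{{WST}}}RequestSecurityTokenResponseCollection")
        rstr = ET.SubElement(rstrc, f"{{{WST}}}RequestSecurityTokenResponse")
        ET.SubElement(rstr, f"{{{WST}}}TokenType").text = SAML2_TOKEN
        life = ET.SubElement(rstr, f"{{{WST}}}Lifetime")
        ET.SubElement(life, f"{{{WSU}}}Created").text = ts(now)
        ET.SubElement(life, f"{{{WSU}}}Expires").text = ts(expires)
        holder = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
        a = ET.SubElement(holder, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                          Version="2.0", IssueInstant=ts(now))
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = self.issuer
        subject = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID",
                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = username
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts(now), NotOnOrAfter=ts(expires))
        ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                      f"{{{SAML}}}Audience").text = applies_to   # token is bound to one provider
        ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=ts(now))
        # An XML-DSig over the assertion would be applied here (delegated, assumption).
        return ET.tostring(rstrc, encoding="unicode")


def provider_subject(rstr_xml, my_endpoint, trusted_issuer, now):
    """Provider side: accept the token only if issued by the trusted STS, for us, and still valid."""
    a = ET.fromstring(rstr_xml).find(
        "wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken/saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return None
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None
    if my_endpoint not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    sts = SecurityTokenService("https://sts.example.com", {"jdoe": "s3cret"}, ["https://erp.example.com/ws"])
    rstr = sts.issue(build_rst("https://erp.example.com/ws"), "jdoe", "s3cret", now)
    print(provider_subject(rstr, "https://erp.example.com/ws", "https://sts.example.com", now))
```

In a deployment the consumer would place the returned assertion into the WS-Security header of its SOAP call, and the provider would check the signature before running the checks shown here; the AppliesTo/Audience pairing is what stops a token obtained for one SAP Web service from being replayed against another.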
Support for Web SSO with SAML 2.0 in SAP NetWeaver
(Figure: SAP NetWeaver Identity Management 7.20 consists of the Identity Center, the Virtual Directory Server, the SAML 2.0 IdP and the STS; Min. Java 7.0 SP 14. SAML 2.0 WS-Consumer: AS ABAP 7.02 / 7.30, no AS Java. SAML 2.0 WS-Provider: AS ABAP 7.02 / 7.01, no AS Java; Min. Java 7.20.)
- The IdP software component is independent from the other SAP NW IdM software components.
- E.g. if you have the license for SAP NW IdM 7.20, the IdP can be used without using the other software components like Identity Center or VDS.
Support for Web Service-Based SSO Using the STS
(Figure: Security Token Service (STS))
STS-Issued Token Format at a Glance
Thank You!

SAP NetWeaver goes Single Sign-On: Tuesday, May 17th, 2:30 PM in the Technology Theater on the show floor. Learn about the new solution, SAP NetWeaver Single Sign-On, that resulted from the acquisition of assets from the company Secude. SAP will release new Single Sign-On capabilities with this product.