AA enabling a closed source legacy application



Similar documents
Shibboleth Identity Provider (IdP) Sebastian Rieger

Perceptive Experience Single Sign-On Solutions

Shibboleth Configuration in Tübingen

CentraSite SSO with Trusted Reverse Proxy

How-to-Guide: Apache as Reverse Proxy for Fiori Applications

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Authentication Methods

Gateway Apps - Security Summary SECURITY SUMMARY

U S E R D O C U M E N TA T I O N ( A L E P H I N O

AAI: SAP NETWEAVER INTEGRATION. André Hunziker and André Wahlig, ETH Zürich ID-BI Februar 2010

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion

Authentication and Single Sign-On. Patrick Hildenbrand NW PM Security, SAP AG

Connecting Web and Kerberos Single Sign On

Configure Security for SAP Mobile Platform (MP5)

Web app AAI Integration How to integrate web applications with AAI in general?

i2b2: Security Baseline

Agenda. How to configure

Angel Dichev RIG, SAP Labs

External Identity and Authentication Providers For Apache HTTP Server

Application Gateway with Apache

SAP NetWeaver AS Java

WebNow Single Sign-On Solutions

HP Cloud Service Automation Deployment Architectures

Apache HTTP Server. Load-Balancing with Apache HTTPD 2.2 and later. Erik Abele

EQUELLA. Clustering Configuration Guide. Version 6.2

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Oracle9i Application Server: Options for Running Active Server Pages. An Oracle White Paper July 2001

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Securing Splunk with Single Sign On & SAML

Integration of Shibboleth and (Web) Applications

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Building Secure Applications. James Tedrick

Shibboleth SP Simple Installation Guide For LINUX

Shibboleth N-Tier Support. Chad La Joie

Authentication and access control in Sympa mailing list software

How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP Netweaver Single Sign-On

Design and Implementation of Web Forward Proxy with

E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine.

From centralized to single sign on

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Crawl Proxy Installation and Configuration Guide

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Single Sign-On for the UQ Web

HP Business Service Management

Toward campus portal with shibboleth middleware

Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources

1Intro. Apache is an open source HTTP web server for Unix, Apache

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

External and Federated Identities on the Web

<Insert Picture Here> Oracle Web Cache 11g Overview

SAP Single Sign-On 2.0 Overview Presentation

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

Eliminating Authentication Pop- Ups in SAP Landscapes

Configuring Apache Web Server for x509 User Authentication

Operating Level Agreement for NYU Login Service

Extranet Access Management Web Access Control for New Business Services

SAP WEB DISPATCHER Helps you to make decisions on Web Dispatcher implementation

Enterprise Access Control Patterns For REST and Web APIs

1. Introduction. Authors. Abstract. Quang Vu DANG (IFI) Olivier BERGER (GET/INT) Christian BAC (GET/INT) Benoît HAMET (phpgroupware)

SAP SECURITY OPTIMIZATION

Single Sign On. SSO & ID Management for Web and Mobile Applications

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

Running Multiple Shibboleth IdP Instances on a Single Host

This section includes troubleshooting topics about single sign-on (SSO) issues.

Authentication and access control in Sympa mailing list server

SAML Authentication within Secret Server

OpenSSO: Cross Domain Single Sign On

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

SITEMINDER SSO FOR EMC DOCUMENTUM REST

PortWise Access Management Suite

Test Plan Security Assertion Markup Language Protocol Interface BC-AUTH-SAML 1.0

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

HP ALM. Software Version: External Authentication Configuration Guide

Unleash the Power of Single Sign-On with Microsoft and SAP

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

Biometric Single Sign-on using SAML

ATTACKS TO SAP WEB APPLICATIONS

Application of the PAPI authn and authz system to the TJ-II Remote Participation environment. Madrid, 21 March 2003

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Certification Guide Network Connectivity for SAP on Premise and Cloud Solutions Integration

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Introducing Shibboleth

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

User Management Tool 1.5

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

2 Downloading Access Manager 3.1 SP4 IR1

Enabling SSL and Client Certificates on the SAP J2EE Engine

Transcription:

AA enabling a closed source legacy application Jan Du Caju ICT security officer K.U.Leuven Belgium

AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions

AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions

Introduction: context association K.U.Leuven educational landscape reflects political situation association K.U.Leuven 1 university and 12 schools of higher education Need for resource sharing 2004: Shibboleth for institutional and inter-institutional web resources

Introduction: context association K.U.Leuven Every institution of association K.U.Leuven has its own central AAI (Authentication and Authorization Infrastructure incl. Shibboleth IdP) Resources e-learning: Blackboard and other coupled education apps library: Ex Libris, and access to scientific papers, publications and databases work place context: Horde webmail, groupware and inter-institutional offers research context: HPC et al administrative and organizational context: SAP Federations K.U.Leuven (institutional) Association K.U.Leuven K.U.Leuven - UZLeuven (university hospital) Not yet :-\ a national federation at NREN level (Belnet)

AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions

Case : AA enabling SAP Administrative and organizational applications: SAP K.U.Leuven: Campus management, HR, FI, Corona project: 6 institutions of association K.U.Leuven for implementing SAP campus management SAP access control possibilities Basic authentication Digest Form Client certificate Evaluate assertion ticket (SAML) SAPssoTicket Goals: password does not pass the application use an AAI component

Case: AA enabling SAP SAP access control via evaluation of an assertion ticket Problem: SAP speaks a subset of SAML1.1 :-( Assertions must not contain the elements Condition and AudienceRestrictionCondition Assertions must have exactly one AuthenticationStatement element which must have a NameIdentifier element If present, the elements AuthorizationDecisionStatement and AttributeStatement are ignored Creating or verifying digital signatures is not supported SAP considers to implement SAML2.0 sometime in the future :-(

Case: AA enabling SAP Shibboleth enabled reverse proxy in front of SAP servers Extra layer of security Usage of AAI Shibboleth component for general access control

Case: AA enabling SAP Access control Reverse proxy access control via Shibboleth (mod_shib) Only general access control, application specific authz remain in application SAP access control via a valid SAPssoticket obtained at J2EE-engine (SAP portal)

Case: AA enabling SAP r e v e r s e p r o x y

Access control via SAP SSO ticket JAVA and ABAP web apps access via browser SAP SSO ticket in cookie ABAP non-web apps access via a client: SAPgui link or URL (in SAP portal) to a SAPgui Shortcut file associated in Windows with the SAPgui client contains SAP SSO ticket

Accessing SAP applications JAVA and ABAP web apps (link in SAP portal or in WAS) ABAP non-web app via link to a SAPgui shortcut file firewall https://webwsp.aps.kuleuven.be Apache reverse proxy https://wsp.cc.kuleuven.be Java / Portal browser mod_ssl (mod_security) mod_shib mod_proxy LoginModuleStack Evaluate ticket Login Module Header Variable Login Module Create ticket Login Module SUFFICIENT OPTIONAL SUFFICIENT SAPgui SAPssoTicket p11.cc.kuleuven.be ABAP Evaluate SAPssoTicket REQUIRED

Accessing SAP JAVA and ABAP web apps

Accessing SAP ABAP non-web applications Example of SAPgui Shortcut file (tx.sap) [System] Name=P11 Client=300 GuiParm=/M/P11.cc.kuleuven.be/S/3600/G/productie [User] Name=U0001439 at="mysapsso2=ajexmdagaa9wb3j0yww6vtawmde0mzmiabniyxnpy2 F1dGhlbnRpY2F0aW9uAQAIVTAwMDE0MzkCAAM5OTkDAANXU1AEAAw ymda3mduxmde1ntafaaqaaaamcgaivtawmde0mzn/apuwgfigcsqg SIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNA QcBMYHBMIG+AgEBMBMwDjEMMAoGA1UEAxMDV1NQAgEAMAkGBSsOAw IaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb 3DQEJBTEPFw0wNzA1MTAxNTUwNDJaMCMGCSqGSIb3DQEJBDEWBBRf V5O19GIZCInkdkYoC0N7AxN7XDAJBgcqhkjOOAQDBC8wLQIUL2rYN SImSAsBhWBuRDQzUiISASMCFQCTPasn/RL26iMTko2cSWK/jDtW1A ==" [Options] Reuse=0

AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions

Configuration overview Communication reverse proxy and SAP portal: Vhost webwsp.asp.kuleuven.be Adjusting SAP LoginModuleStack Configuration of access to SAP servers SAP transactions : rz10 and strustsso2

Vhost webwsp.aps.kuleuven.be SSL enabled # communication to browser SSLEngine On SSLCertificateFile /etc/pki/webwsp.aps.kuleuven.be.crt SSLCertificateKeyFile /etc/pki/webwsp.aps.cc.kuleuven.be.key # mutual certificate authentication with SAP SSLProxyEngine On SSLProxyCACertificateFile /etc/pki/ca-bundle.crt SSLProxyMachineCertificateFile /etc/pki/webwsp.pem SSLProxyVerify require SSLProxyVerifyDepth 3

Vhost webwsp.aps.kuleuven.be (continued) Protected with Shibboleth authorization based on affilation header shib-person-uid must be set <Location /> AuthType shibboleth ShibRequireSession on require affiliation member </Location> Reverse proxy ProxyPass / https://wsp.cc.kuleuven.be:8098/ retry=2 ProxyPassReverse / https://wsp.cc.kuleuven.be:8098/ ProxyVia Off ProxyPreserveHost On

Login Module Stack of J2EE - engine Visual administrator Security Provider SAP-J2EE-engine

transaction rz10 Allow access with SAPssotickets

transaction strustsso2 Configure which SAPssotickets are allowed (signed by)

AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions

AA enabling via reverse proxy remote_user in backend server - complex rewrite rules - use another header variable released by IdP e.g. shib-person-uid Security (spoofing): only uid is passed no password - mutual certificate authentication between proxy and backend server - persistent connection over ssl (keep-alive) is not yet :-/ possible with Apache mod_proxy - firewall filtering

AA enabling a closed source legacy application Introduction: context association K.U.Leuven Case: AA enabling SAP The gory details: configuring the components General: AA enabling by means of a reverse proxy Conclusions

Conclusion AA enabling a closed source legacy application - dependent on application - one possibility: by means of a Shibboleth enabled reverse proxy in front of the app Credits Philip Brusten Jan Van der Velpen URL s http://kuleuven.be/english http://associatie.kuleuven.be/eng http://shib.kuleuven.be

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information