SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Similar documents
Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

SAP Single Sign-On 2.0 Overview Presentation

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Gateway Apps - Security Summary SECURITY SUMMARY

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Cybersecurity and Secure Authentication with SAP Single Sign-On

Improve Security, Lower Risk, and Increase Compliance Using Single Sign-On

Enhancing Web Application Security

Agenda. How to configure

PingFederate. SSO Integration Overview

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SSO Methods Supported by Winshuttle Applications

SAML-Based SSO Solution

SAML-Based SSO Solution

Authentication and Single Sign-On. Patrick Hildenbrand NW PM Security, SAP AG

Unleash the Power of Single Sign-On with Microsoft and SAP

Flexible Identity Federation

First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2

HP Software as a Service. Federated SSO Guide

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Business-Driven, Compliant Identity Management

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Product overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Leveraging SAML for Federated Single Sign-on:

Single Sign-on (SSO) technologies for the Domino Web Server

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional

Oracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007

Session ID: B410 A Secure Future Today with SAP NetWeaver

How To Use Saml 2.0 Single Sign On With Qualysguard

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

nexus Hybrid Access Gateway

Using SAML for Single Sign-On in the SOA Software Platform

How to Implement Enterprise SAML SSO

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT

Landscape Deployment Recommendations for. SAP Fiori Front-End Server

SAML Security Option White Paper

SAML SSO Configuration

White paper December Addressing single sign-on inside, outside, and between organizations

CA CloudMinder. Getting Started with SSO 1.5

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Biometric Single Sign-on using SAML Architecture & Design Strategies

Perceptive Experience Single Sign-On Solutions

SAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

API-Security Gateway Dirk Krafzig

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

The Role of Federation in Identity Management

Security and Your SAP System When Working with Winshuttle Products

The Primer: Nuts and Bolts of Federated Identity Management

CA SiteMinder. Implementation Guide. r12.0 SP2

An Oracle White Paper Dec Oracle Access Management Security Token Service

Biometric Single Sign-on using SAML

PingFederate. Integration Overview

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Eliminating Authentication Pop- Ups in SAP Landscapes

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

Secure the Web: OpenSSO

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Setup Guide Central Monitoring of SAP NetWeaver Proces Integration 7.3 with SAP Solution Manager 7.1. Active Global Support February 2011

Introduction to SAML

Configuring EPM System for SAML2-based Federation Services SSO

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

SAP NetWeaver AS Java

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence

The Top 5 Federated Single Sign-On Scenarios

AND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009.

Architecture Guidelines Application Security

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP Netweaver Single Sign-On

Enable Your Applications for CAC and PIV Smart Cards

SAM Context-Based Authentication Using Juniper SA Integration Guide

The Primer: Nuts and Bolts of Federated Identity Management

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2

CA SiteMinder. Upgrade Guide. r12.0 SP2

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Sun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost

Implementation Guide SAP NetWeaver Identity Management Identity Provider

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

CA Performance Center

Single Sign-on to Salesforce.com with CA Federation Manager

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

TrustedX - PKI Authentication. Whitepaper

How To Manage A Plethora Of Identities In A Cloud System (Saas)

SAML 2.0 SSO Deployment with Okta

Federated Identity and Single Sign-On using CA API Gateway

Web Access Management and Single Sign-On

Ubilogin SSO. Product Description. Copyright Ubisecure Solutions, Inc., All rights reserved.

McAfee Cloud Identity Manager

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

Transcription:

NetWeaver Single Sign-On Product Management NetWeaver Identity Management & Security June 2011

Agenda NetWeaver Single Sign-On: Solution overview Key benefits of single sign-on Solution positioning Identity Provider and Security Token Service Secure Login SSO using Kerberos authentication SSO using X.509 certificate authentication Secure Store & Forward (SSF) integration Strong authentication Enterprise Single Sign-On Secure communication channel 2011 AG. All rights reserved. Internal 2

NetWeaver Single Sign-On Solution overview NetWeaver Single Sign-On Identity Federation Secure Login Enterprise SSO Web Access Mgmt Secure Communication

NetWeaver Single Sign-On Compliant identity management and single sign-on Compliant Identity Management and Single Sign-On Compliance Governance Identity Management Authentication and Single Sign-On Business Object Access Control NetWeaver Identity Management NetWeaver Single Sign-On offers a complete suite of compliance, governance, identity management, and single sign-on solutions. 2011 AG. All rights reserved. Internal 4

NetWeaver Single Sign-On Single sign-on and secure communication channels Secure Communication Channel Encryption of communication channel Integrity Compliance Confidentiality SSO Improved security Reduction of password-related helpdesk calls Improved user productivity Alternative user authentication 2011 AG. All rights reserved. Internal 5

NetWeaver Single Sign-On Key capabilities Compliant Identity Management and Single Sign-On Single sign-on for GUI for Windows, GUI for Java, Web applications Integration capabilities Compliance (Microsoft Active Directory Identity Server; Management Governance Microsoft Certificate Store) Strong encryption of communication Business channels Object between client NetWeaver Identity Access and Control application server Management Single sign-on for legacy systems Authentication and single sign-on NetWeaver Single Sign-On Support of additional authentication methods offers a (Radius, complete smart suite cards) of compliance, governance, identity and single sign-on solutions This presentation and s strategy and possible future developments are subject to change and may be changed by at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. 2011 AG. All rights reserved. Internal 6

Positioning of NetWeaver Identity Management and NetWeaver Single Sign-On NetWeaver Identity Management and Single Sign-On Secure Communication Channels Encryption of communication between client and application server Secure default installation for every system NetWeaver Identity Management User and Role Management Provisioning Identity Center Virtual Directory Server Identity Services Integration with Business Objects Access Control Identtiy Provider & Security Token Service NetWeaver Single Sign-On Federation with Identity Provider / Security Token Service Standards-based Single Sign-On to Windows GUI, and non- web-based applications (Kerberos, X.509, SAML) Digital Signatures (hardware crypto tokens) Re-authentication Strong authentication: Radius (eg OTP tokens), smart cards, etc Enterprise Single Sign-On Web Access Management (via EBS with CA) Encryption of communication channels between servers and all GUIs Secure default installation for every system (encrypted channels) Heterogeneous, cross-company identity management and variable, standardsbased, multi-method authentication and single sign-on Integration: Deploy users, roles,systems as well as authentication and SSO configurations with one click in provisioning Secure and standards-based connectivity and integration enhancements of business processes 2011 AG. All rights reserved. Internal 7

NetWeaver Single Sign-On: Solution components NetWeaver Single Sign-On Identity Federation Secure Login Enterprise Single Sign-On Web-based and web service-based authentication, SSO and identity federation with Identity Provider (IDP) and Security Token Service (STS) via SAML 2.0 Cross-company domain SSO, heterogeneity, interoperability Standards-based single sign-on to Windows GUI, as well as and non- web-based applications (Kerberos, X.509) Digital signatures for integrity Strong authentication and re-authentication for business-critical applications Enterprise SSO to legacy applications requiring user ID/password authentication (terminal server, ftp, databases etc) Partner API Web Access Management Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to web applications XACML-based, policy-enforced access Available free of charge Secure Communication Channels Encryption of communication channels between client and application server Based on SNC and Kerberos Encryption only No single sign-on 2011 AG. All rights reserved. Internal 8

Solution in detail: Identity federation NetWeaver Single Sign-On Identity Federation Secure Login Enterprise SSO Web Access Mgmt Secure Communication

What is Identity Federation? Identity federation allows the transfer of identity information across (company) domain boundaries. Federation enables users to work across domains securely and seamlessly. It creates cross-company single sign-on scenarios and reduces the user administration effort by re-using identity information from one domain for user authentication in other domains. Identity federation is based on open industry standards to guarantee maximum interoperability. provides identity federation capabilities in NetWeaver Identity Management through the Identity Provider (IDP) and the Security Token Service (STS). Both options are based on SAML 2.0 (Security Assertion Markup Language); in addition, the STS supports X.509 certificates. 2011 AG. All rights reserved. Internal 10

Single sign-on and identity federation using SAML for web applications and services Identity federation and single sign-on SP NW Java 7.20 Identity Provider + Security Token Service NetWeaver Composition Environment 7.20 SP Business Suite 7i2010 SP Non- Identity federation and single sign-on via SAML 2.0 in heterogeneous landscapes IDP/STS Non- Single sign-on for Web-based applications and services Support of crosscompany business processes Extensible identity information model Based on open SAML standard Successful participation in Liberty Alliance and Kantara interop tests 2009 and 2011 2011 AG. All rights reserved. Internal 11

Identity Provider: Web browser-based SSO In a single sign-on environment, a number of systems which provide services to the end user (Service Providers) trust the one system which administrates the end user s identity (Identity Provider). Web users who are trying to access such a Service Provider system with their Web browser will be redirected to the Identity Provider. Once a user is authenticated by the Identity Provider, the user can access any of those service providers without re-authenticating. Web Browser-based single sign-on is user-centric. 2011 AG. All rights reserved. Internal 12

support for Web browser-based SSO NetWeaver Identity Management 7.2 NetWeaver Single Sign- On 1.0 Identity Center Virtual Directory Server SAML 2.0 IDP WS-Trust STS E-SSO Secure Login SAML 2.0 IDP WS-Trust STS Min. Java 7.0 SP 14 Min. Java 7.20 Min. Java 7.20 SAML 2.0 SP AS ABAP 7.02 AS Java 7.20 IdP/STS can be installed as a component via NetWeaver Identity Management or NetWeaver Single Sign-On 2011 AG. All rights reserved. Internal 13

Security Token Service: Web service-based SSO For Web services-based SSO, a Security Token Service (STS) is used. The STS is a Web service that enables you to use single sign-on (SSO) in heterogeneous system landscapes. The STS acts as a token broker. It supports a number of authentication methods from a Web service consumer and can convert these tokens into a security token that a Web service provider can use. The STS supports X.509, SAML 1.1, and SAML 2.0 tokens. Just as with SAML 2.0 for Web browser-based access, the SAML 2.0 assertion can transport profile and authorization attributes to the target Web service provider. Web service-based single sign-on is system-centric. 2011 AG. All rights reserved. Internal 14

support for Web service-based SSO NetWeaver Identity Management 7.2 NetWeaver Single Sign- On 1.0 Identity Center Virtual Directory Server SAML 2.0 IdP STS E-SSO Secure Login SAML 2.0 IdP STS Min. Java 7.0 SP 14 min. Java 7.20 min. Java 7.20 SAML 2.0 WS Consumer AS ABAP 7.02 / 7.30 No AS Java SAML 2.0 WS Provider AS ABAP 7.02 / 7.01 No AS Java 2011 AG. All rights reserved. Internal 15

Solution in Detail: Secure Login NetWeaver Single Sign-On Identity Federation Secure Login Enterprise SSO Web Access Mgmt Secure Communication

What is Secure Login? Secure Login allows re-using an initial user authentication, such as a Kerberos ticket or system authentication, for subsequent log-ins to connected systems within an enterprise IT landscape. Secure Login offers flexibility regarding the initial authentication mechanism. The solution offers a standards-based (X.509) SSO technology, but does not require the implementation of a full-blown, costly Public-Key Infrastructure (PKI). It combines maximum security, such as reauthentication, with ease of use and minimum implementation requirements. 2011 AG. All rights reserved. Internal 17

Secure Login: Solution architecture R Frontend NWBC Gui Client System Secure Login Client Secure Login Library PSE Service Browser Key Store R Web Browser SLWC (Applet) Enterprise Single Sign-On Policy Store Non- client HTTP(S) DIAG, SNC R Java Stack ABAP Stack Secure Login Server Non- Backend Backend Backend System System System or Java Crypto Secure Login Library Backend Library System Backend System Backend System Authentication Backend System Server (e.g. Backend User System Management) Config Data NetWeaver CE 7.2 2011 AG. All rights reserved. Internal 18

Secure Login: Platform availability Mozilla Firefox 64Bit is not available (Status May 2011) 2011 AG. All rights reserved. Internal 19

Single sign-on with Secure Login via Kerberos User authenticated via Microsoft Active Directory 1 start GUI 2 request Microsoft Active Directory security token 4 authenticate via security token secure communication 3 Business Suite Authentication through standardized security tokens based on Kerberos Low implementation effort Tight integration between GUI, Windows client and Windows Active Directory Strong encryption and single sign-on to standard Windows GUI 2011 AG. All rights reserved. Internal 20

Single sign-on with Secure Login via X.509 certificates User will be prompted for credentials 5 1 authenticate via start GUI certificate new capabilities 2 call Login Server 3 Authentication Server validate (AD, LDAP,...) secure communication 4 create Business Suite automatic creation of certificate Out-of-the-box generated certificates can be used for GUI and Web applications Low entry barrier into X.509 certificate based access PKI integration available but not required, short lived X.509 certificates can be generated Strong encryption Digital signatures via SSF integration 2011 AG. All rights reserved. Internal 21

Strong authentication with Secure Login User authenticated via Microsoft Active Directory 1 start GUI 2 request security token 4 authenticate via security token secure communication 3 Business Suite new capabilities Microsoft Certificate Store Authentication via smart card and existing PKI (Microsoft CA) PKCS#11 also supported Low implementation effort Strong encryption Multi-factor authentication 2011 AG. All rights reserved. Internal 22

Re-authentication with Secure Login User is already authenticated and has already received an SSO token 1 Starts business critical transaction Gets prompted for 4 re-authentication 5 Sends credentials 2 Receives access request Secure Login Server NetWeaver CE 7.20 6 authenticate via security token secure communication Triggers 3 re-authentication Business Suite Re-authentication to secure business-critical transactions Possibility to configure the enforcement of an additional authentication step (user re-enters credentials) for critical transactions 2011 AG. All rights reserved. Internal 23

Web client: Zero footprint client software 1 Secure Login Server Web Interface 2 validation Authentication Server (AD, LDAP, RSA...) Client new capabilities 3 authenticate via certificate and secure communication 4 Application Server (Java, ABAP) Provides certificate to GUI and internet browser (SSO enablement) Secure connection between GUI and application server Support of GUI Java No distribution of client software 2011 AG. All rights reserved. Internal 24

Digital signatures via SSF API and Secure Login Library Business Suite PLM SRM SCM CRM ERP SSF Call Interface SSF API Cryptolib Secude Login Library Industry Solutions Digital signatures for legally binding contracts Integration with SSF API Out of the box support for a set of transactions Consistent with SSO mechanisms Easy and flexible to implement Generation of X.509 certificates and smart card support NetWeaver 2011 AG. All rights reserved. Internal 25

Digital signatures step by step 1. transaction triggers digital signature System 3. User information is transferred client / UI End-user desktop 2. User authenticates and digital certificate is received 4. application digitally signs document and stores data Supported out of the box for a set of transactions; additional programming/integration necessary if: ABAP programming for other transactions not yet supporting SSF Integration of Secure Login Library with client actions Hardware support needed 2011 AG. All rights reserved. Internal 26

Solution in Detail: Enterprise Single Sign-On NetWeaver Single Sign-On Identity Federation Secure Login Enterprise SSO Web Access Mgmt Secure Communication

What is Enterprise Single Sign-On? Enterprise Single Sign-On (E-SSO) helps users authenticate to multiple non- systems or applications without the need to remember every password or logon dialog. After the end user has successfully authenticated to the E-SSO, further logon procedures to applications running under the system s control are carried out automatically by E-SSO. E-SSO supports: Windows applications, Java applications, Web-based applications, Web site forms, and Terminal emulators. If you do not have a smart card you can use a soft token to store the credentials. E-SSO installs plug-ins (toolbar) for Internet Explorer and/or Firefox to facilitate SSO to protected web sites. 2011 AG. All rights reserved. Internal 28

Scope and highlights of Enterprise Single Sign-On E-SSO Windows Client Secure store Provides access to: Single sign-on to applications that don not support standardized authentication tokens Web applications Windows applications Java applications Databases Terminal emulators Highlights: Wizard-based Automatic and/or drag & drop authentication Primary authentication 2011 AG. All rights reserved. Internal 29

Solution in Detail: Web Access Management NetWeaver Single Sign-On Identity Federation Secure Login Enterprise SSO Web Access Mgmt Secure Communication

What is Web access management? Web access management controls access to Web resources, providing: Authentication management Policy-based authorizations Auditing and reporting Single sign-on CA SiteMinder Web access management solution is an -endorsed business solution. It complements the security features in the NetWeaver technology platform by controlling user access to applications and helping securely deliver essential information to millions of employees, partners, suppliers and customers. 2011 AG. All rights reserved. Internal 31

Endorsed Business Solution for Web Access Management: CA SiteMinder CA SiteMinder for WAM to NetWeaver Application Server MOBILE DEVICE USERS WEB SERVICES & FEDERATED APPLICATIONS WEB or PROXY SERVER Web Agent WebAS Application Server AGENT POLICY SERVER Extends web-based single sign-on to NetWeaver Application Server systems to offer Web Access Management Offers policy-based authentication and authorization in web environments Integration via certification against standard APIs for JAAS login modules Successful, long-term partnership between and CA USER STORE 2011 AG. All rights reserved. Internal 32

Solution in Detail: Secure Communication Channel NetWeaver Single Sign-On Identity Federation Secure Login Enterprise SSO Web Access Mgmt Secure Communication

What is a secure communication channel? A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel. offers free encryption libraries for the communication between Application Servers and between Clients and Servers (based on the SNC interface and Kerberos technology, planned to be available in October / November 2011). A secure communication channel provides: Compliance Integrity Confidentiality 2011 AG. All rights reserved. Internal 34

Securing the communication channel between client and standard Windows GUI NetWeaver Business Client Standard Win GUI RFC client BEX browser Clients SNC SNC app server SNC app server Application servers Included in NetWeaver license Encryption between client and application server Based on SNC and Kerberos Encryption of communication channel only No single sign-on Planned to be available with SP1 around Oct/Nov 2011 as pat of the GUI installation 2011 AG. All rights reserved. Internal 35

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information