Test Plan Security Assertion Markup Language Protocol Interface BC-AUTH-SAML 1.0



Similar documents
Security Audit Log (BC-SEC)

BC407 Reporting: QuickViewer, InfoSet Query and SAP Query

NWBC10 NetWeaver Business Client

Capacity Planning in the Process Industry

HR Data Retrieval in a LDAP- Enabled Directory Service

BC481 SAP Interactive Forms by Adobe

FSC130 SAP Bank Communication Management

BC450 ABAP Performance: Analysis and Optimization

Electronic Data Interchange / IDoc Interface (SD-EDI)

BW370 BI Integrated Planning

Business Partner Master Data (LO-MD-BP)

Product Lifecycle Management (PLM)

PE Training and Event Management. SAP ERP Central Component

Quality Management (QM)

BIT300 Application Link Enabling (ALE) Technology

BIT601 SAP Workflow Definition and Use of Customer-Specific Workflows

BC401 ABAP Objects. Course Outline. SAP NetWeaver. Course Version: 99 Course Duration: 5 Day(s) Publication Date: 2014 Publication Time:

Maintenance Bills of Material (CS-BD/PM-EQM-BM)

SAP Web Application Server Security

Sales and Distribution (SD) Workflow Scenarios

Connection with External Time Recording Systems

Service Level Reporting for Business Process Monitoring

How To Distribute Organizational Management In A Distributed System

CREATING A PURCHASE ORDER STORE RECORD WEB SERVICE

Capacity Leveling in PP-SOP and LO-LIS-PLN

6$3%XVLQHVV,QWHOOLJHQFH 0DQDJHPHQW,QIRUPDWLRQ 6ROXWLRQVIURP6$3 ,QWHUQDWLRQDO +(58* Steve Whitby. SAP UK Ltd.

SAP GUI Scripting Security Guide

Security Guide SAP GUI for Windows

PA-ER E-Recruiting. SAP ERP Central Component

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

Payments HELP.PYINT. Release 4.6C

Engineering Change Management (LO-ECH)

Settlement (CO) HELP.COABR. Release4.6C

Balance Sheet Valuation (MM- IM-VP)

Performance Best Practices Guide for SAP NetWeaver Portal 7.3

Developing Applications for Integration between PI and SAP ERP in Different Network Domains or Landscapes

Download and Install Crystal Reports for Eclipse via the Eclipse Software Update Manager

Integration of SAP central user administration with Microsoft Active Directory

BW362 SAP BW powered by SAP HANA

BW362 SAP NetWeaver BW, powered by SAP HANA

Monitoring and Management of Landscapes with SAP NetWeaver Administrator. Dieter Krieger, SAP AG

Backup & Restore with SAP BPC (MS SQL 2005)

Single Sign-On between SAP Portal and SuccessFactors

Introduction to SAP BusinessObjects Information Design Tool

E-Recruiting Job Board Integration using XI

Change and Transport System - Overview (BC-CTS)

Configuring Distribution List in Compliant User Provisioning

Sales Rush Sales Order Processing S01- Lean Baseline Package. SAP Lean Baseline Package Version: V1.500 Country: UK Language: EN Date: February 2006

Process Archiving using NetWeaver Business Process Management

Dangerous Goods Management (EHS-DGP)

R/3 and J2EE Setup for Digital Signature on Form 16 in HR Systems

Confirmation HELP.PSCON. Release 4.6C

Compensation Management (PA- CM)

Extract Archived Data from SAP ERP

How To Configure MDM to Work with Oracle ASM-Based Products

How to Create Web Dynpro-Based iviews. Based on SAP NetWeaver 04 Stack 09. Jochen Guertler

The Payroll Process HELP.PYINT. Release 4.6C

3 rd party Service Desk interface

Collaboration Technology Support Center - Microsoft - Collaboration Brief

Implementing Outlook Integration for SAP Business One

SAP NetWeaver MDM 5.5 SP3 SAP Portal iviews Installation & Configuration. Ron Hendrickx SAP NetWeaver RIG Americas Foundation Team

Partial Period Remuneration (Factoring)

How to Configure Access Control for Exchange using PowerShell Cmdlets A Step-by-Step guide

Global Transport Label - General Motors -

SAP List Viewer (ALV): Classic

BC - XBP Background Processing, Job Scheduling System Test Catalogue for BC-XBP 6.10 (Version 2.0) and BC-XBP 7.0 (Version 3.0)

Budget Control by Cost Center

How to configure BusinessObjects Enterprise with Citrix Presentation Server 4.0

Utilities for downloading and uploading OO ABAP classes in XML format

SEM and Budget Preparation. David Reifschneider Sr. Consultant, SAP SI America

SAP GRC Access Control: Background jobs for risk analysis and remediation (formerly Virsa Compliance Calibrator)

DATA ARCHIVING IN SAP R/3 ENTERPRISE. Georg Fischer PM Data Archiving SAP AG

Sabine Reich SAP. Test Workbench - Introduction

Posting Messages into XI

How to Set Up an Authorization for a Business Partner in Customer Relationship Management (CRM) Internet Sales: Sample Case

Using the Corrections and Transport System (CTS) with SAP BW

SAP NetWeaver 04 Security Guide. Security Guide for SAP Mobile Infrastructure

Integration of SAP Netweaver User Management with LDAP

How To Balance In Sap Bw

Methodology to Implement SAP Process Integration

Integrate Third Party Collaboration Tools in the SAP NetWeaver Portal. SAP NetWeaver Product Management

IDoc Interface / Electronic Data Interchange (BC-SRV-EDI)

SAP CCMS Monitors Microsoft Windows Eventlog

SAP Business Partner (SAP BP)

Ronald Bueck SBO Product Definition

How to Configure and Trouble Shoot Notification for Process Control 2.5

Integration of Universal Worklist into Microsoft Office SharePoint

SAP Web SAP Logging & Tracing API. Jeff Gebo SAP Labs, LLC.

OData in a Nutshell. August 2011 INTERNAL

Integrating Easy Document Management System in SAP DMS

UI Framework Simple Search in CRM WebClient based on NetWeaver Enterprise Search (ABAP) SAP Enhancement Package 1 for SAP CRM 7.0

How to Schedule Report Execution and Mailing

Eliminating Authentication Pop- Ups in SAP Landscapes

SAP xapp Resource and Portfolio Management (SAP xrpm)

RUN BETTER Become a Best-Run Business with Remote Support Platform for SAP Business One

Matthias Steiner SAP. SAP HANA Cloud Platform A guided tour

USDL XG WP3 SAP use case. Kay Kadner

Implementing SSO between the Enterprise Portal and the EPM Add-In

prioritize XI messages on integration server

Transcription:

Test Plan Security Assertion Markup Language Protocol Interface BC-AUTH-SAML 1.0 SAP WebAS 6.40 Version 1.0 1.0 1

Copyright Copyright 2004 SAP AG. All rights reserved. No part of this documentation may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. SAP AG further does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP AG shall not be liable for any special, indirect, incidental, or consequential damages, including without limitation, lost revenues or lost profits, which may result from the use of these materials. The information in this documentation is subject to change without notice and does not represent a commitment on the part of SAP AG in the future. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, OS/2, DB2/6000, Parallel Simplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation. ORACLE is a registered trademark of ORACLE Corporation, California, USA. INFORMIX -OnLine for SAP and Informix Dynamic Server TM are registered trademarks of Informix Software Incorporated. UNIX, X/Open, OSF/1, and Motif are registered trademarks of The Open Group. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Laboratory for Computer Science NE43-358, Massachusetts Institute of Technology, 545 Technology Square, Cambridge, MA 02139. JAVA is a registered trademark of Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, CA 94303 USA. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, SAP Logo, mysap.com, mysap.com Marketplace, mysap.com Workplace, mysap.com Business Scenarios, mysap.com Application Hosting, WebFlow, R/2, R/3, RIVA, ABAP, SAP Business Workflow, SAP EarlyWatch, SAP ArchiveLink, BAPI, SAPPHIRE, Management Cockpit, SEM, are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies. SAP AG assumes no responsibility for errors or omissions in these materials. All rights reserved. SAP AG1.0 2

1 Test plan SAML Interoperability (BC-AUTH-SAML 1.0)...4 1.1 Test overview...4 1.2 Test environment...4 2 Preparations for the test day...5 2.1 Testing of the application before the certification day...5 2.2 Setup options...5 3 The test procedure...7 3.1 Setup of the SAP J2EE Engine...7 3.2 Access to resource without SAML...8 3.3 Access to resource with SAML using ArtifactReceiver...8 3.4 Access to resource with SAML without ArtifactReceiver (optional)...8 3.5 Check of one-time behavior of source site for artifact query...9 3.6 Artifact query using client certificate (optional)...9 3.7 User mapping from source site (optional)...9 SAP AG1.0 3

1 Test plan SAML Interoperability (BC-AUTH-SAML 1.0) 1.1 Test overview The BC-AUTH-SAML 1.0 certification tests the interoperability of a third party SAML (Security Assertion Markup Language) source site (see SAML specification at http://www.oasis-open.org/specs/index.php#samlv1.1) with the SAP Web Application Server (WebAS) Java 640 as of Stack 9 or the SAP Enterprise Portal 6.0 as of Stack 9. The WebAS supports the versions 1.0 and 1.1 of the SAML Browser/Artifact profile for authentication to web resources. Objective of the test is the demonstration that a resource hosted on the WebAS can be visualized in a web browser (Microsoft Internet Explorer or Mozilla Firefox) without explicit authentication to the WebAS, using the SAML source site implementation of the certified product. The realization of the visualization (for example a portal application) and the steps needed to authenticate to the visualization component (if required) are not stipulated. If the vendor only offers a programmatic API to the SAML source site function and is unable to bring in an external portal application that makes use of this implementation, the vendor may create a servlet running in an external web container that uses the API to create a SAML artifact using some authentication data and send a HTTP redirection to a web browser that points to the resource on the J2EE Engine. 1.2 Test environment The BC-AUTH-SAML 1.0 certification procedure requires the following preconfigured hardware and software. Provided by SAP: A current SAP WebAS of release 6.40 Stack 9 or above including a Java stack with the Java Cryptographic toolkit (required for SSL) being installed. A client system with Microsoft Internet Explorer 6.0 or later and Mozilla Firefox 1.0 or later being installed. Provided by vendor: The third party SAML source software including required hardware. Any installation and configuration tools required as part of the security product s infrastructure. SAP AG1.0 4

2 Preparations for the test day The third party vendor has to provide in advance documentation on how to integrate the SAP engine into the SSO environment of his product. Documentation about the setup and use of SAML in the WebAS can be found at the SAP help portal at http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm where also information about the SAP provided test application can be found, which is used during the tests http://help.sap.com/saphelp_nw04/helpdata/en/07/1cf2f1c3227d439c6481127952c8f3/frameset.htm This documentation also lists the constraints of the SAP implementation (e.g. no support for digital signatures). Some of the listed limitations are removed according to SAP Note 794794. SAP Note 741157 provides further details regarding the SAML implementation in the WebAS. 2.1 Testing of the application before the certification day Before scheduling the certification day, the vendor is required to demonstrate beforehand that the main use case (see 3.3) can be achieved. This requires that the vendor installs and configures a SAP WebAS Java of the required version and performs the configuration steps needed to make the WebAS Java accept SAML artifacts for authentication. A screen-capture showing the web resource /samlssodemo_dest/destination of the WebAS Java demonstrates the success. This web resource is part of the SAML test Application delivered with the WebAS Java which is able to determine that the authentication was performed using SAML Browser/Artifact profile. 2.2 Setup options The connection between the SAML destination service and the SAML source site (assertion SAP AG1.0 5

query for artifact) needs to be protected by SSL. If the SAML source site does not support SSL protected connections for the assertion retrieval callback channel, the certificate will not be issued. For convenience in local testing without Java Cryptographic toolkit, it is possible to disable the enforcement of SSL in the WebAS Java for the SAML Browser/Artifact profile by setting the option saml Configuration Settings PermitInsecureConnections to true using the Configuration Adapter in the Visual Administrator. To authenticate the assertion retrieval, the WebAS supports basic authentication as well as client certificate. The supported authentication methods of the source site will be documented in the certification document. Each supported authentication method will be tested during certification and the result for each of them is documented. If none of the authentication methods works successfully, the certificate will not be issued. The WebAS in the standard delivery does not provide means for a user mapping between the externally provided user name (element NameIdentifier in the SAML assertion) and the internal user names. If possible, the SAML source site should offer user name mapping. If this function is available, its usage will be part of the test. If the source site implementation does not offer user mapping, this will be documented in the certification document. In this case a workaround in the WebAS will be used that performs such user mapping. This workaround is not available to customers. Customers will then need to create own mapping code in the WebAS. This fact will be stated in the certification document. SAP AG1.0 6

3 The test procedure 3.1 Setup of the SAP J2EE Engine The following description is an extract of the documentation of the WebAS Java, describing the steps needed to prepare the SAML test application to be accessible with SAML. Start the service SAML on all server nodes. Start the application sap.com/tc~sec~app on all server nodes. Log on to resource /samlssodemo_source/setup and enter the following data: o Configure as source site: Remove checkbox o Configure as destination site: Set checkbox o Key: SAMLCertification o Source ID (Hex): Enter the source ID that the source site implementation will use to identify itself in the artifact. Enter the data as 20 bytes in hexadecimal notation (no gaps; letters can be entered in either upper or lower case style). o Responder Destination Name: SAMLCertification o Responder URL: Enter the URL of the SAML responder service of the source site implementation to which the request for the assertion shall be sent o User for site: Leave the proposal SAML_DEST / abcd1234 o User for responder: If the authentication to the responder service of the source site supports basic authentication, enter the required logon data into these fields. If only client certificate is supported, leave the proposal SAML_RESP / abcd1234. In a later step, the client certificate will be configured. o SAML without mapping module: Set this radio button if the SAML source site supports user mapping and can fill the NameIdentifier element of the SAML assertion with a freely configurable username. For this test, the source site must issue the assertions with NameIdentifier SAML_DEST. o SAML with mapping module: Set this radio button if the SAML source site does not support user mapping and fills the NameIdentifier element of the SAML assertion with a fixed attribute from its own user repository (e.g. with a DN from a directory). In this case, configure a mapping from the external username (as appearing in the NameIdentifier element) to the internal user SAML_DEST. If this option is chosen, then before submitting the web page further steps are required in the Visual Administrator Tool of the WebAS: In service Security Provider, navigate to Runtime User management Manage Security Stores. Button Add Login Module In dialog Choose editor for login module options leave defaults and press OK. Class Name: com.sap.security.core.server.saml.app.ssotest.dest.samlmappingmodule Display Name: SAMLMappingModule SAP AG1.0 7

o Description: SAML mapping module Select all lines in table Authentication Mechanisms and press the Add button for Suitable Authentication Mechanisms. OK Basic authentication as fallback: Set checkbox. Submit the web form by pressing Configure. In the resulting protocol no errors should be noted. 3.2 Access to resource without SAML To verify that the resource is correctly configured for basic authentication as fallback, access the resource /samlssodemo_dest/destination with the web browser. A logon popup must appear. After logging on as SAML_DEST with password abcd1234, the resource is shown, but a warning appears that the resource was not accessed using SAML. 3.3 Access to resource with SAML using ArtifactReceiver Authenticate to the SAML source site and perform the steps needed there to make the web browser visualize the resource /samlssodemo_dest/destination hosted by the WebAS Java. In this test, the source site must make the web browser to sent a HTTP GET request to the WebAS Java targeting the resource /saml/receiver with the two parameters SAMLart (for the artifact) and TARGET (for the resource to be shown finally, in this case the /samlssodemo_dest/destination ). The test is successful if the resource appears in the web browser without needing to authenticate the user SAML_DEST. In the table showing the data extracted by the SAML login module, the user name contained in the artifact can be seen. If the source site performed the user mapping, here the name SAML_DEST will appear, otherwise the external username will appear. 3.4 Access to resource with SAML without ArtifactReceiver (optional) In this test, the source site must make the web browser to sent a HTTP GET request to the WebAS Java targeting the resource /samlssodemo_dest/destination with the parameter SAMLart (for the artifact). The test is successful if the resource appears in the web browser without needing to authenticate the user SAML_DEST. The ability of the source site to let the web browser access the target resource directly (without using an ArtifactReceiver) will be noted in the certification document. SAP AG1.0 8

3.5 Check of one-time behavior of source site for artifact query According to the SAML specification, an artifact that was once resolved to an assertion cannot be used to repeat this resolution. In order to verify that the source site implements this security relevant part of the specification, perform the test as described in 3.3 and extract the GET request that was finally sent to the WebAS Java. If the resource appears exclusively in the browser window this can be done by copying the URL from the URL input field. If the resource appears embedded in a portal application this can be done by viewing the page source and extracting the URL from there. Remove all session information from that URL (e.g. j_sessionid) except the SAMLart parameter, then open a new web browser window and let the browser request the modified URL. Result: The resource must NOT be delivered and you get a logon popup for basic authentication. In the log file of the WebAS Java (security.<n>.log), you find information that the artifact could not be resolved from the source site. If available, a log file of the source site should contain information that an artifact was requested that does not exist (or was already consumed). 3.6 Artifact query using client certificate (optional) If the source site supports artifact query using client certificate for authentication, configure the callback channel from WebAS Java to the source site for client certificate. The configuration of the callback channel user is done in the Destination Service. After having changed the authentication method from Basic to Client certificate, repeat test 3.3. 3.7 User mapping from source site (optional) During the setup, you have decided whether to use SAML without mapping module or SAML with mapping module, depending on the capabilities of the source site. In this test the other option will be tested, if supported by the source site. For this, reconfigure the WebAS Java according to the instructions of 3.1 and repeat test 3.3. SAP AG1.0 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information