Next Generation SSO for SAP Applications with SAML 2.0
SAP TG Solution Management Security
April 2010
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
SAP AG 2009. All rights reserved. / Page 2
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Standard
Key Differentiators of User Authentication and Single Sign-On Technologies
Direct User Involvement: Must the user interactively prove their identity with something they know, have or are? Must an application act on behalf of the user? Are private credentials involved?
User Agent: Which type of user agent (e.g. Web browser, Web service consumer, mobile clients, NW BC, SAP GUI) is supported by the SSO technology?
Cross-Platform (Platform A - SSO - Platform B): Which platforms does the SSO technology support? Is it a widely adopted industry standard or a vendor-specific technology?
Cross-Domain (Domain A - SSO - Domain B): Is the SSO technology used within one security domain (i.e. the corporate intranet) or across different domains (e.g. in a B2B scenario)?
SSO as Means to an End for Security Administration
Centralizing User Access Management
- Single point of access administration via SSO token issuers
- Assign user rights in various applications with one keystroke, based on the propagation of user identity information between trusted systems
- Use system trust configuration to designate and enforce the use of application servers as trusted gateways into trusted system networks
Central User Identity Management
- Consolidate user information in shared user stores
- Avoid redundant user information
- Ease identity de-provisioning: lock or delete users centrally
User Identity Federation Defined
SSO Across Business and Application Boundaries
Identity Federation Models Outside of Software Applications
Governments as Identity Provider
- Governments are an Identity Provider because they issue a passport as proof of identification
- Every country vouches for its citizens
Governments as Service Provider
- When a USA citizen travels to Germany, Germany verifies the identity of the USA citizen by checking their passport
- Germany trusts the Identity Provider (USA) to vouch for all its citizens. It still makes its own access control decision (to let the person in or not) based on the identity data (including attributes) that is being asserted
Diagram: USA Government (Identity Provider) -- Trusted Relationship -- German Government (Service Provider)
Web User SSO to SAP Interactive Applications Today
Diagram: the Web user's browser performs the initial logon at the Portal or SAP NetWeaver application server (initial user authentication, trusted SSO ticket issuer), which sends the SSO ticket to the user's browser; the browser then presents the ticket for SSO to the intranet applications (CRM, ERP, BI, Groupware, other).
- Web user's browser: further distribution of the issued SSO ticket
- SAP applications: pre-configured as SSO ticket acceptors
- Synchronization of user information in local identity management required
- SSO capabilities technically limited to DNS domain borders
- Single Log-out capabilities require additional component customization
Web User Authentication and SSO to User Interactive SAP Applications
Diagram: Web browser -> SAP NetWeaver applications (Web applications)
Anonymous access
- Named anonymous users with SAP NetWeaver Portal
Interactive user authentication
- SAP user ID / password
- PKI-based authentication: X.509 client certificates; rule based client authentication (1): certificate filtering (1), automated certificate mapping (1), CRL support (1)
External authentication
- SSO via trusted application system
- SPNego (1): user authentication against a Kerberos infrastructure
- Header variables (1)
- SSO Logon tickets: principal solution for SSO in SAP landscapes
- SAML 1.1 Browser Artifact (1): interoperable SSO from trusted non-SAP token issuers
- SAML 2 (2): identity federation, interoperable SSO and Single Log-out
  - Identity Provider (IDP) for centralized user authentication and SAML 2 SSO token issuing authority
  - Service Provider (SP) for accepting SAML 2 SSO tokens to grant user access to Web-enabled content
Custom authentication
- JAAS Login Module (1): standardized extensions to out-of-the-box authentication mechanisms
(1) Requires Portal or AS Java
(2) SAP SAML 2 IDP planned to be licensed with SAP NetWeaver Identity Management 7.1 and requires SAP NetWeaver 7.2 Java and higher AS platform. SAP SAML 2 SP capability planned for release with SAP Business Suite 7.02e, SAP NetWeaver CE 7.2 and AS Java 7.2
SAP GUI User SSO to SAP Interactive Applications
Diagram: SAP GUI for Windows -- external SNC security product -- external SNC security product -- AS ABAP
- Uses SNC components and an external security product, both specific to SAP GUI as user access channel
- SAP makes available: NTLM SSO library for Windows OS environments (gssntlm.dll); Kerberos SSO library for Windows 2000 OS environments (gsskrb5.dll)
- SAP certification available for partner SNC products
More information: SNC User Guide in SAP Help Portal (http://help.sap.com); AS ABAP Installation and Configuration Guide in SAP Service Marketplace (http://service.sap.com)
SSO Options for System-Centric Service Applications Today
Diagram: User Client -> Service Consumer (content display, functionality integration; authenticates the user and issues an SSO token on their behalf) -> Service Provider (evaluates the credentials presented by the Service Consumer)
- Service- and protocol-specific service enabling components
- Shares some trust and identity management infrastructure with Web and GUI user access channels
- Runs over various low-level communication protocols
- Except for Web services, low-level service protocols offer limited interoperability and security configuration scalability
Options for Service Authentication and SSO in SAP's Service-Centric Applications
Service Consumer Application (e.g. Portal, CE, PI, BPM, Business Suite, non-SAP) to Service Provider:
- Propagate authenticated user identity: WSS SAML Token Profiles 1.0 *, SSO tickets
- Securely authenticate consumer application: WSS X.509 Certificate Token Profile *, X.509 client certificate
- Authenticate service user: WSS Username Token Profile *, user ID and password
* supported for WS protocols only
Authentication and SSO information exchanged via:
- SOAP protocol, for secure interoperability and authentication/SSO in cross-vendor Web service-based enterprise applications
- Transport protocol, for performance, backward compatibility and security in SAP-centric service-enabled enterprise applications
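What the three WSS token profiles on this slide look like on the wire, and what a service provider should conclude from each, as an added example (Python, not SAP code). It inspects the wsse:Security header of an incoming SOAP request and records which identity each token authenticates: a SAML assertion propagates the end user the consumer authenticated, an X.509 BinarySecurityToken authenticates the consumer application itself, and a UsernameToken authenticates a service user. The namespace URIs are the published WSS and SAML ones; the trusted issuer, the consumer certificate value, and the sample envelopes are constructed, and XML signature verification is assumed to have been done by the WSS stack before this code runs.

```python
# Added example (not SAP code): provider-side evaluation of the WS-Security header of an incoming
# SOAP request, mapping the three token profiles to what each one authenticates. The trusted
# issuer, consumer certificate value and envelopes are constructed; signature verification is
# assumed to have been performed by the WSS stack beforehand.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

TOKEN_ISSUER = "https://portal.example/sts"                  # constructed consumer-side token issuer
CONSUMER_CERT = "MIIBconstructedConsumerCertificateBase64"   # constructed placeholder, not a real certificate
TRUSTED_ISSUERS = {TOKEN_ISSUER}
TRUSTED_CONSUMER_CERTS = {CONSUMER_CERT}


def reject(reason):
    return {"decision": "reject", "reason": reason}


def evaluate_security_header(envelope_xml, transport_is_tls):
    """Return an accept record naming the authenticated user / consumer / service user,
    or a reject record carrying the reason."""
    env = ET.fromstring(envelope_xml)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return reject("no WS-Security header; only transport-level authentication possible")
    result = {"decision": "accept", "user": None, "consumer": None, "service_user": None}

    # X.509 Certificate Token Profile: authenticates the consumer application itself.
    bst = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is not None and bst.get("ValueType") == X509V3:
        cert = (bst.text or "").strip()
        if cert not in TRUSTED_CONSUMER_CERTS:
            return reject("consumer certificate is not a trusted consumer")
        result["consumer"] = cert

    # SAML Token Profile: propagates the end-user identity the consumer authenticated.
    assertion = sec.find(f"{{{SAML2}}}Assertion")
    if assertion is not None:
        if assertion.findtext(f"{{{SAML2}}}Issuer") not in TRUSTED_ISSUERS:
            return reject("SAML assertion from an untrusted issuer")
        confirmation = assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}SubjectConfirmation")
        method = confirmation.get("Method") if confirmation is not None else None
        # sender-vouches: the consumer vouches for the user, so the consumer must itself be
        # authenticated; holder-of-key relies on the WSS stack having verified the subject's key.
        if method == SENDER_VOUCHES and result["consumer"] is None:
            return reject("sender-vouches assertion without an authenticated consumer application")
        if method not in (SENDER_VOUCHES, HOLDER_OF_KEY):
            return reject("unsupported subject confirmation method")
        result["user"] = assertion.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")

    # Username Token Profile: a service user identified by ID and password.
    token = sec.find(f"{{{WSSE}}}UsernameToken")
    if token is not None:
        password = token.find(f"{{{WSSE}}}Password")
        if (password is not None and password.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT
                and not transport_is_tls):
            return reject("clear-text password on an unprotected transport")
        result["service_user"] = token.findtext(f"{{{WSSE}}}Username")

    if not (result["user"] or result["consumer"] or result["service_user"]):
        return reject("no usable security token")
    return result


def envelope(*tokens):
    """Constructed SOAP 1.1 envelope whose wsse:Security header carries the given tokens."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}"><soapenv:Header>'
            f'<wsse:Security>{"".join(tokens)}</wsse:Security></soapenv:Header>'
            f'<soapenv:Body/></soapenv:Envelope>')


X509_TOKEN = f'<wsse:BinarySecurityToken ValueType="{X509V3}">{CONSUMER_CERT}</wsse:BinarySecurityToken>'


def saml_token(user, method):
    """Constructed SAML 2 assertion as the consumer would place it in the header."""
    return (f'<saml:Assertion xmlns:saml="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2010-04-01T10:00:00Z">'
            f'<saml:Issuer>{TOKEN_ISSUER}</saml:Issuer><saml:Subject><saml:NameID>{user}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{method}"/></saml:Subject></saml:Assertion>')


def username_token(user, password):
    """Constructed UsernameToken with a clear-text (PasswordText) password."""
    return (f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password></wsse:UsernameToken>')
```

The point the checks make is the division of labour on the slide: a propagated user identity (SAML token) is only meaningful when the provider also knows which consumer is vouching for it, which is why a sender-vouches assertion without an X.509 consumer credential is refused, and a UsernameToken with a clear-text password is only acceptable when the transport protocol supplies the confidentiality that the SOAP layer does not.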
SAP's Next Generation Support for Web User SSO and Identity Federation
Diagram: SAP NetWeaver Identity Management with SAML 2 Identity Provider (IDP) and Security Token Service (STS)* in a trust relationship with application Service Providers (SPs): SAP applications and 3rd party applications, for SSO federation of Web users and SOA SSO federation of services.
- Standardized SAML 2 SSO and Single Log-out
- Shared infrastructure in user interactive and service applications on the Web: identity management, trust management
- Efficient user productivity enablement of secure cross-business scenarios
* SAML 2 IDP planned for release with a SAP NetWeaver IDM 7.1 license; STS support planned for later SAP NetWeaver IDM releases
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Industry Standard
SAML 2 in a B2B Application Scenario
HRA: enable user access and productivity at reasonable costs. Must do:
- Manage employees' full range of user identity information in compliance with data privacy legislation
- Enable access to partner applications in compliance with the partner's access and security policy
ITeIO: Must do:
- Define access policy requirements
- Maintain application authorizations for segregation of duty and least privilege
- Offer self-service options to HRA partner employees, using ITeIO services (shuttles, lunch, etc.)
SSO Agreement Under Aligned User Logon Identifiers with SAML 2
HRA as IDP, ITeIO as SP. User identity management prerequisites:
- Logon ID formats and values aligned
- User authorizations aligned
Example: Adam Bufford holds the logon ID abufford both at HRA (IDP) and at ITeIO (SP). Identifier source on each side: Logon ID, Logon Alias or Profile attribute.
Linking User Accounts with Misaligned User Identifiers for SAML 2 SSO
HRA as IDP, ITeIO as SP. User identity management prerequisites:
- Logon ID formats and values aligned
- User authorizations aligned
Example: Adam Bufford is abufford at HRA (IDP) but adam.bufford at ITeIO (SP). At the IDP the user identifier is maintained in an e-mail, KPN, Windows name, X.509 Subject Name or user profile attribute; to enable SSO, a matching user profile attribute (e-mail, KPN, Windows name, X.509 Subject Name, user profile attribute) must be provisioned at the SP.
Linking Federated SSO Accounts with Persistent Federation
HRA as IDP, ITeIO as SP. User identity management prerequisite: user authorizations aligned.
Example: Adam Bufford is abufford at HRA (IDP) and adam.bufford at ITeIO (SP); logon ID alignment is bundled in the SAML 2 federated SSO.
Consent to federated SSO established:
- with interactive user agreement
- triggered by admin
- with identity provisioning (automatic new user account creation)
Service Provider Structuring of User Authorization Profiles Under the SAML 2 SSO Agreements Discussed up to This Point
Diagram (count / authorization element):
- Service Provider: k SAP User IDs, l User Groups, m User Roles, r Actions/App Roles, p Permissions
- Identity Provider: k SAP User IDs (misaligned), s User Groups, t User Roles, v Actions/App Roles, x Permissions
- 1:1 record relation between SP and IDP user IDs
SPs and IDP have to manage an overall equivalent number of federated user accounts.
Federated SSO with User Attribute Information
HRA as IDP, ITeIO as SP. Contractual prerequisite: agree on the user attributes to exchange.
Example: abufford at HRA is represented at ITeIO as employee@idp.
- Issued SAML 2 assertion contains only attributes describing the user
- User profile for application access is determined from the user attribute values in the assertion
Service Provider Structuring of User Authorization Profiles with Transient Federation Agreements
Diagram (count / authorization element):
- Service Provider: 1 User ID, l User Groups, m User Roles, r Actions/App Roles, p Permissions
- Identity Provider: k SAP User IDs, t User Role / Group, v Actions/App Roles, x Permissions
- N:1 record relation: SP manages 1 account per multiple IDP user records
Only the IDP must manage the full user attribute profile.
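How a service provider resolves the asserted subject to a local account under each of the agreements on slides 16 to 21, as an added example (Python, not SAP code). The NameID format of the assertion selects the model: unspecified for aligned logon IDs, emailAddress for linking through a provisioned profile attribute, persistent for the consent-based link table, and transient for the N:1 model in which the SP keeps one account and derives the application profile from the asserted attributes only. The entity IDs, user store, link table, attribute-to-role map and sample assertion are constructed; XML signature verification is assumed to have been done by an XML-DSig library before this code runs.

```python
# Added example (not SAP code): SP-side resolution of the user behind a SAML 2 assertion under
# the aligned-ID, attribute-linked, persistent and transient federation agreements. Assumes the
# assertion's XML signature was already verified; all identifiers and stores are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

TRUSTED_ISSUER = "https://idp.hra.example/saml2"   # constructed: HRA as IDP
OUR_ENTITY_ID = "https://sp.iteio.example/saml2"   # constructed: ITeIO as SP

# Constructed SP-side data: user store (aligned / attribute-linked accounts), persistent
# federation links recorded at consent time, and the attribute-to-role map for transient federation.
USERS = {"abufford": {"email": "adam.bufford@hra.example", "roles": {"partner_employee"}}}
FEDERATION_LINKS = {(TRUSTED_ISSUER, "7c1e0f3a-opaque-persistent-id"): "abufford"}
ATTRIBUTE_ROLES = {("memberOf", "shuttle-users"): "shuttle_booking",
                   ("memberOf", "canteen-users"): "lunch_ordering"}


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion, now):
    """Checks that apply under every agreement: trusted issuer, validity window, audience."""
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no validity window")
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    return issuer


def attribute_values(assertion):
    """Flatten the AttributeStatement into {name: [values]}."""
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def resolve_subject(assertion_xml, now):
    """Return (local logon ID, roles); the NameID format selects the agreement model."""
    assertion = ET.fromstring(assertion_xml)
    issuer = check_conditions(assertion, now)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt, value = name_id.get("Format", FMT_UNSPECIFIED), name_id.text
    if fmt == FMT_UNSPECIFIED:      # aligned logon IDs: the IDP value is our logon ID
        logon = value if value in USERS else None
    elif fmt == FMT_EMAIL:          # misaligned IDs linked through a provisioned profile attribute
        logon = next((u for u, p in USERS.items() if p["email"] == value), None)
    elif fmt == FMT_PERSISTENT:     # opaque pairwise ID recorded when federation was consented to
        logon = FEDERATION_LINKS.get((issuer, value))
    elif fmt == FMT_TRANSIENT:      # N:1 model: one SP account, profile derived from attributes only
        attrs = attribute_values(assertion)
        roles = {role for (name, v), role in ATTRIBUTE_ROLES.items() if v in attrs.get(name, [])}
        if not roles:
            raise ValueError("no asserted attribute grants an application role")
        return "federated-guest", roles
    else:
        raise ValueError("unsupported NameID format")
    if logon is None:
        raise ValueError("no local account linked to this subject")
    return logon, set(USERS[logon]["roles"])


def access_decision(assertion_xml, now):
    """The allow/deny record an SP would write to its audit log."""
    try:
        logon, roles = resolve_subject(assertion_xml, now)
        return {"allowed": True, "logon": logon, "roles": roles}
    except ValueError as err:
        return {"allowed": False, "reason": str(err)}


def sample_assertion(fmt, value, attrs=(), audience=OUR_ENTITY_ID):
    """Constructed, unsigned assertion for exercising the resolver."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                       f'</saml:Attribute>' for n, v in attrs)
    statement = f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>" if attrs else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0" '
            f'IssueInstant="2010-04-01T10:00:00Z"><saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="2010-04-01T10:00:00Z" NotOnOrAfter="2010-04-01T10:05:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>{statement}</saml:Assertion>')
```

`check_conditions` runs before any identifier lookup, so an assertion issued for another audience or presented outside its NotBefore/NotOnOrAfter window never reaches the account-linking step, whichever agreement is in force; only the transient branch grants access without a pre-existing SP account, and only for roles the agreed attributes map to.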
Identity Federation and B2B SSO: The Small Script
- Contracts must define what can be shared to technically enable a federation agreement
- The contract provides a skeleton of the information that can/must be shared: not all identity information may be shared, for business or compliance reasons
- The contract may include special agreements per target application system or target application system group, e.g. to facilitate trust established indirectly via intermediary identity provider brokers
- For data protection and privacy reasons, users (administrative or end users) can: agree to sharing the requested data with the resource accessed via federation (SP) from the federation authority (IdP); enforce the contractual agreement, with deployment of integrity and confidentiality protection; assign and audit policies for different trust relationships
Agenda
1. Authentication, SSO, and Identity Federation
2. SAML 2.0 for SAP: SSO and Identity Federation Agreements
3. SAML 2.0: Capabilities Bundled in the Standard
SAML 2.0 Overview
- Industry standard for cross-vendor SSO and SLO with wide adoption
- XML-based framework for marshaling security and identity information and exchanging it across administrative and technical domain boundaries
- SAML profiles describe a variety of end use cases for the framework
SAML core technology: assertions (or claims) about end user subjects
- Contain statements: authentication, attribute, authorization
- Issued from a trusted system provider: an active element of a computer/network system
- Securely identify a principal: a user whose identity can be authenticated
- Contain a subject: an accountable principal in the context of a secured application
SAML 2.0 in a Nutshell
SAML 2.0 deliverables for interactive Web user federation:
- Authentication Context: enables service providers to require a type and strength of initial authentication at the IDP
- Metadata: supports automated configuration data import and discovery for identity and service providers
- Profiles: combinations of assertions, protocols and bindings to support a specific use case
- Bindings: mappings of the SAML protocol messages onto standard messaging and communication protocols
- Protocols: requests and responses for obtaining assertions and managing user identifiers
- Assertions: authentication, attribute and entitlement information
WS-Security deliverables for federation with Web services:
- WSS SAML Token Profile: place a SAML 2.0 assertion in a SOAP envelope
- WS-Policy: declare and propagate the requirement for a SAML 2.0 assertion in a SOAP envelope
- WS-Trust: defines mechanisms to negotiate keys and issue, cancel, renew and amend security tokens
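How profile, binding, protocol and authentication context fit together in practice, as an added example (Python, not SAP code) of the service-provider side of the Web Browser SSO profile over the HTTP-Redirect binding. It shows the encoding the binding prescribes for the AuthnRequest (raw DEFLATE, base64, URL-encoding into the SAMLRequest parameter), an AuthnRequest that uses RequestedAuthnContext to demand a minimum authentication strength, and the checks the SP applies when the Response arrives: it must answer a request this SP issued (InResponseTo, consumed once), carry the RelayState handed to the IDP, be addressed to this SP's assertion consumer service, report success, and satisfy the requested authentication context. Entity IDs, URLs and the sample response are constructed; signature handling is left to an XML-DSig library.

```python
# Added example (not SAP code): SP side of SAML 2.0 Web Browser SSO over the HTTP-Redirect
# binding, with request tracking so that each Response is accepted at most once. Entity IDs,
# URLs and the sample Response are constructed; XML signatures are not handled here.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlparse

NSP = "urn:oasis:names:tc:SAML:2.0:protocol"
NSA = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AC_PASSWORD_TLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
AC_KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
ACCEPTED_CONTEXTS = {AC_PASSWORD_TLS, AC_X509, AC_KERBEROS}   # what "minimum" means for this SP

SP_ENTITY_ID = "https://sp.iteio.example/saml2"           # constructed
SP_ACS_URL = "https://sp.iteio.example/saml2/acs"         # constructed
IDP_REDIRECT_URL = "https://idp.hra.example/saml2/sso"    # constructed


def encode_redirect(request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters.
    (A signed request would add SigAlg and Signature parameters computed over this query.)"""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(request_xml.encode("utf-8")) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return f"{IDP_REDIRECT_URL}?{query}"


def decode_redirect(url):
    """Inverse of encode_redirect, as the IDP's redirect endpoint applies it."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, params.get("RelayState", [None])[0]


class ServiceProvider:
    """Tracks outstanding AuthnRequests so that each Response is accepted at most once."""

    def __init__(self):
        self.pending = {}   # request ID -> RelayState handed to the IDP

    def build_authn_request(self, relay_state):
        request_id = "_" + uuid.uuid4().hex
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NSP}" xmlns:saml="{NSA}" ID="{request_id}" '
               f'Version="2.0" IssueInstant="2010-04-01T10:00:00Z" Destination="{IDP_REDIRECT_URL}" '
               f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
               f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
               f'<samlp:RequestedAuthnContext Comparison="minimum">'
               f'<saml:AuthnContextClassRef>{AC_PASSWORD_TLS}</saml:AuthnContextClassRef>'
               f'</samlp:RequestedAuthnContext></samlp:AuthnRequest>')
        self.pending[request_id] = relay_state
        return request_id, xml

    def accept_response(self, response_xml, relay_state):
        """Return (accepted, reason) for a Response delivered to the assertion consumer service."""
        response = ET.fromstring(response_xml)
        request_id = response.get("InResponseTo")
        if request_id not in self.pending:
            return False, "unsolicited or replayed response"
        if self.pending.pop(request_id) != relay_state:     # one-shot: consumed even on failure
            return False, "RelayState does not match the request"
        if response.get("Destination") != SP_ACS_URL:
            return False, "response addressed to another endpoint"
        status = response.find(f"{{{NSP}}}Status/{{{NSP}}}StatusCode")
        if status is None or status.get("Value") != STATUS_SUCCESS:
            return False, "IDP did not report success"
        context = response.findtext(f"{{{NSA}}}Assertion/{{{NSA}}}AuthnStatement/"
                                    f"{{{NSA}}}AuthnContext/{{{NSA}}}AuthnContextClassRef")
        if context not in ACCEPTED_CONTEXTS:
            return False, "authentication context weaker than requested"
        return True, "ok"


def sample_response(in_response_to, authn_context=AC_PASSWORD_TLS, status=STATUS_SUCCESS):
    """Constructed, unsigned Response as the IDP would POST it to the SP."""
    return (f'<samlp:Response xmlns:samlp="{NSP}" xmlns:saml="{NSA}" ID="_r1" Version="2.0" '
            f'IssueInstant="2010-04-01T10:00:05Z" Destination="{SP_ACS_URL}" '
            f'InResponseTo="{in_response_to}"><samlp:Status><samlp:StatusCode Value="{status}"/>'
            f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-04-01T10:00:05Z">'
            f'<saml:Issuer>https://idp.hra.example/saml2</saml:Issuer>'
            f'<saml:AuthnStatement AuthnInstant="2010-04-01T10:00:04Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')
```

The pending-request table is what turns the Response into an answer to a question this SP actually asked: a Response whose InResponseTo is unknown (never issued, or already consumed) is dropped before any of its content is trusted, and the authentication context check is how the SP enforces the strength it asked for through RequestedAuthnContext rather than taking whatever the IDP happened to use.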
Lite Protocol Interoperability Matrix from Liberty
http://www.projectliberty.org/liberty/liberty_interoperable

Feature                                                   | IDP  | IDP-Lite | SP       | SP-Lite
Web SSO, <AuthnRequest>, HTTP redirect                    | MUST | MUST     | MUST     | MUST
Web SSO, <Response>, HTTP POST                            | MUST | MUST     | MUST     | MUST
Artifact Resolution, SOAP                                 | MUST | MUST     | MUST     | MUST
Enhanced Client/Proxy SSO, PAOS                           | MUST | MUST     | MUST     | MUST
Name Identifier Management, HTTP redirect (IDP-initiated) | MUST | MUST NOT | MUST     | MUST NOT
Name Identifier Management, SOAP (IDP-initiated)          | MUST | MUST NOT | OPTIONAL | MUST NOT
Name Identifier Management, HTTP redirect                 | MUST | MUST NOT | MUST     | MUST NOT
Name Identifier Management, SOAP (SP-initiated)           | MUST | MUST NOT | OPTIONAL | MUST NOT
Single Logout (IDP-initiated), HTTP redirect              | MUST | MUST     | MUST     | MUST
Single Logout (IDP-initiated), SOAP                       | MUST | OPTIONAL | MUST     | OPTIONAL
Single Logout (SP-initiated), HTTP redirect               | MUST | MUST     | MUST     | MUST
Single Logout (SP-initiated), SOAP                        | MUST | OPTIONAL | MUST     | OPTIONAL
Identity Provider Discovery (cookie)                      | MUST | MUST     | OPTIONAL | OPTIONAL
Thank You!
Further Information
SAP Public Web:
- SAP Developer Network (SDN): www.sdn.sap.com
- Business Process Expert (BPX) Community: www.bpx.sap.com
Related SAP Education and Certification Opportunities: http://www.sap.com/education/
Copyright 2009 SAP AG All Rights Reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iseries, pseries, xseries, zseries, eserver, z/vm, z/os, i5/os, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.