AAI: SAP NETWEAVER INTEGRATION. André Hunziker and André Wahlig, ETH Zürich ID-BI Februar 2010



Similar documents
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

AA enabling a closed source legacy application

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

SAP NetWeaver AS Java

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Setup Guide Central Monitoring of SAP NetWeaver Proces Integration 7.3 with SAP Solution Manager 7.1. Active Global Support February 2011

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Angel Dichev RIG, SAP Labs

Agenda. How to configure

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Authentication and Single Sign On

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Federating with Web Applications

SAML single sign-on configuration overview

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

SAP Single Sign-On 2.0 Overview Presentation

Integration of Shibboleth and (Web) Applications

Perceptive Experience Single Sign-On Solutions

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Configuration for collaboration with a second SAP Solution Manager Service Desk

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Computer Services Documentation

Enabling SSL and Client Certificates on the SAP J2EE Engine

Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less! Steve Thorpe Systems Programmer / Analyst MCNC

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Get Success in Passing Your Certification Exam at first attempt!

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Spring Security SAML module

Groups Inside FHNW: Why it s not just another AAI SP

How To Use Saml 2.0 Single Sign On With Qualysguard

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

IBM WebSphere Application Server

Copyright: WhosOnLocation Limited

Logout Support on SP and Application

Shibboleth N-Tier Support. Chad La Joie

Gateway Apps - Security Summary SECURITY SUMMARY

SAP WEB DISPATCHER Helps you to make decisions on Web Dispatcher implementation

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

Connecting Web and Kerberos Single Sign On

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine.

Shibboleth Identity Provider (IdP) Sebastian Rieger

SAML Authentication within Secret Server

Integration of Office 365 with existing faculty SSO

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

Federated Identity Management

Introducing Shibboleth

Authentication and Single Sign-On. Patrick Hildenbrand NW PM Security, SAP AG

Using Shibboleth for Single Sign- On

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2

Unleash the Power of Single Sign-On with Microsoft and SAP

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH

Web Single Sign-On Authentication using SAML

Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal

IAM Application Integration Guide

Configuring. Moodle. Chapter 82

Shibboleth 2: A Guide for Deployers. Scott Cantor cantor.2@osu.edu Internet2 / The Ohio State University

SAML SSO Configuration

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

Integrating Multi-Factor Authentication into Your Campus Identity Management System

Authentication Methods

PingFederate. Integration Overview

Availability Monitoring using Http Ping

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

SAP SECURITY OPTIMIZATION

End-to-end Business Process Integration at the Speed of Business: A Customer's Perspective

How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP Netweaver Single Sign-On

Web app AAI Integration How to integrate web applications with AAI in general?

Single Sign on Using SAML

PingFederate. SSO Integration Overview

Enabling SAML for Dynamic Identity Federation Management

SAML Federated Identity at OASIS

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal

Using SAML for Single Sign-On in the SOA Software Platform

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

IBM WebSphere Data Power SOA Applicances V3.8.1 Solution IMP. Version: Demo. Page <<1/10>>

Enabling SSO between Cognos 8 and WebSphere Portal

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

External Authentication with WebCT. What We ll Discuss

Enabling Single-Sign-On on WebSphere Portal in IBM Cognos ReportNet

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Configuring HTTPs Connection in SAP PI 7.10

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

CA Nimsoft Service Desk

Security and Your SAP System When Working with Winshuttle Products

How-To Guide SAP NetWeaver Document Version: How To Guide - Configure SSL in ABAP System

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Single Sign-on (SSO) technologies for the Domino Web Server

SAML Single-Sign-On (SSO)

SAML 2.0 SSO Deployment with Okta

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Transcription:

AAI: SAP NETWEAVER INTEGRATION André Hunziker and André Wahlig, ETH Zürich ID-BI

Agenda ETH Zürich Company profile Introduction / Starting Point ETHZ SAP System Landscape 3rd party SSO solution selection process and solution SAML Implementation SAP SAML support and configuration Shibboleth Identity Provider 2.x custom configuration Lessons learned SAP SAML roadmap 2

Campus City Zürich (Headquarters) 3

New Campus Science City 4

Organisation (01.10.2008) 5

Mission and Application ETH Zürich [ref: http://www.ethz.ch/about/missionstatement ] Mission ETH Zurich imparts to its students the highest state of knowledge and practical skills. It seeks to enable young people to find their orientation in a complex and rapidly changing world, Commitment In education, research, and services the ETH Zurich measures itself against the highest recognized international standards. It promotes science and scientific activity for their own sakes, Application Education: The basis of education at ETH Zurich is formed by the core areas of engineering, Research: At the ETH Zurich teaching and research are closely linked. Equal standing is assigned Location Zurich: ETH Zurich benefits greatly from Zurich's urban setting. It feels closely tied to and responsible towards the city and. 6

Facts and Figures ETH Zürich Akademie Professuren 372 Studenten 15 000 Organisation Organisationseinheiten: ~ 1 000 (Kostenstellen) Mitarbeiter: 9 000 [ 7 000 FTE] Gegründet 1855 als Polytechnische Hochschule Zürich Zwei Zentren/Lokationen, 150 Gebäude (alle in Zürich) Finanzen 125Mi 1.25 Mia CHFJ Jahresbudget t[08mi 0.8 Mia EUR] ~ 20% finanziert über Drittmittel und Funds rising 7

Ausgangslage Prozesse welche mit SAP abgewickelt werden «Nur» Support Prozesse in den Verwaltungseinheiten Finanzen (Kreditoren, Debitoren, Anlagenwirtschaft, Steuern, Controlling, Budgetierung, Kameralistik (Fonds Management) Personal (Pers. Management, Payroll, Org. Management) Logistik (Material Management, S& D, Inventar) Verantwortlichkeit Support: Support Desk, End-User Schulung, Applikationsbetrieb Projekte: Eigenentwicklungen, Prozessberatung, Customizing Externe Consultants: Überwachen / Qualitätssicherung externe Berater Vertrag: SAP Lizenzverwaltung, Information/Koordination Common Tasks: Strategieumsetzung/Beratung, interne Koordination von übergreifenden Vorhaben SAP Environment SAP R/3, 3 000 named User, ABAP, JAVA November 2009 CCSAP / ETH Zürich 8

ETHZ SAP system landscape 9

Challenge and possible solutions SAP NetWeaver Portal 3rd partysso Connection External Webapplication PHP application with SOAP support SWITCH/Shibboleth integration Via header variable or SAML assertions SAP WebServer Filter for SSO with Non-SAP Applications Old SAP standard no further development (SAP Note 442401) SAP Ticket Library Needs to be developed in 3rd party application (only Java and C) Encrypted Link Custom development solution 10

Solution SAML assertions Use You can use SAML for Single Sign-On in a scenario where a user is authenticated on an external authentication system that acts as an SAML authority. Based on this authentication, the user receives an SAML assertion (upon request) that he or she can use to access the AS Java. Prerequisites - Assertions must have exactly one AuthenticationStatement element. The authentication statement must have a NameIdentifier element. - To protect the data exchange, SSL is required for the connection between the source and destination sites SAP Help: http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm 11

SAP NetWeaver SAML 1.0 support (09/2009) 12

ETHZ SAP use case SAML vs Header 13

SAP SAML configuration - overview Change the startup mode for SAML service Create SWITCH compatible certificate for Shibb. Auth. Create HTTP destination for IdP Configure SAML service parameter Add SAML login module stack 14

SAP SAML configuration SAML Service 15

SAP SAML configuration create Certificate Create Certificate (no SAP NW VA standard)./keygen.sh -y 3 -h #HOSTANAME# -e #ENTITYID# where #ENTITYID usually is https://#hostname#/shibboleth./keygen.sh -y 3 -h sap-epq.ethz.ch -e https://sapepq.ethz.ch:50001/irj/portal Result: sp-cert.pem und sp-key.pem pkcs #12 certificate C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES - certpbe PBE-SHA1-3DES -export -in <Public Certificate Filename> - inkey <Private Pi Key Filename> -out <PKCS#12 Filename> -name "<Display Name>" openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in sp-cert.pem -inkey sp-key.pem -out switchcert_tmp1.pfx -name "switch-cert2 16

SAP SAML configuration create Certificate Load Certificae into NW key store Server -> Key Storage -> service_ssl: Entry -> Load switch- cert2.pfx Get fingerprint for Shibboleth config openssl x509 -fingerprint -sha1 -in /path/to/the/certificate.pem sap-epq:eptadm 60> openssl x509 -fingerprint -sha1 -in sp-cert.pem 17

SAP SAML configuration HTTP destination 18

SAP SAML configuration SAML service 19

SAP SAML configuration Login module Adjust Firewall rules 20

Shibboleth Identity Provider 2.x custom configuration Create a metadata file for the SAP service as you would for standard Service Provider. Important is to include a custom NameIDFormat for in the EntityDescriptor, e.g.: <NameIDFormat>urn:mace:switch.ch:aaitest:nameIdentifier:principal</NameIDFormat> h t Id tifi i i t Add <Metadataprovider> to relying-party.xml to load local metadata file with custom NameIDFormat value. E.g. with <MetadataProvider id="fsmd-eth-sap" xsi:type="filesystemmetadataprovider" xmlns="urn:mace:shibboleth:2.0:metadata" metadatafile="/opt/shibboleth-idp/metadata/metadata.sap.xml" /> Extend the attribute-resolver.xml to configure an attribute that shall be used as SAP user name by adding a NameID encoder to the 'uid or another AttributeDefinition: <resolver:attributeencoder xsi:type="saml1stringnameidentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameformat="urn:mace:switch.ch:aaitest:nameidentifier:principal" /> 21

Lessons Learned Get all needed config data before starting implementation Pain Points AAI Session TimeOut 30min could be increased Disabled IPv6 on SAP server Login Screen changes for SAP Portal 22

SAP SAML 2.0 support 23

Questions and Answers André Hunziker und André Wahlig, ETH Zürich Informatikdienste Web: http://www.sap.ethz.ch / M@il: andre.hunziker@id.ethz.ch andre.wahlig@id.ethz.ch November 2009 CCSAP / ETH Zürich 24

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information