EP Security Features

Upload: hclsams

Post on 04-Apr-2018

TRANSCRIPT

  • 7/29/2019 EP Security Features

    1/58

    SAP Enterprise Portal 6.0:

    User Management &Security

    Version: March 13, 2003

    2/58

    SAP AG 2002, SAP Enterprise Portal 6.0: User Management & Security / 2

    Disclaimer

    This document contains an overview of the planned User Management & Security features of the SAP Enterprise Portal 6.0 (some of the features are planned to be available for the Unrestricted Shipment Phase only). It is subject to change. Please take care that you are always using the newest version of this presentation!

    SAP AG assumes no responsibility for errors or omissions in these materials. These materials are provided "as is" without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP AG shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

    SAP AG does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP AG has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

    3/58

    Topics

    Overview

    New Features EP 6.0

    Authentication

    Single Sign-On (SSO)

    Authorization

    User Management

    Secure Communication

    Secure Network Architecture

    4/58

    Topics: Overview

    5/58

    Enterprise Portal 6.0 Security Features

    [Diagram: the Portal Server, its User Persistence Store and a Third-Party System, with the feature areas Authentication, Single Sign-On, Authorization, User Management and Secure Communication marked between them]

    6/58

    Architecture Overview

    [Diagram: Web Browser, PDA, etc. -> Web Server -> Java Application Server (SAP J2EE Engine) running SAP Enterprise Portal 6.0 -> Backend Systems. The Portal Server consists of the Portal Runtime (PRT) and the Portal Services, among them the User Management Service with its User, Group and Role Persistence Manager, Authentication and SSO. Persistence is provided by a Database, an LDAP Directory or an SAP System]

    7/58

    Topics: New Features EP 6.0

    8/58

    New Features EP 6.0: Authentication

    Multiple authentication methods in parallel

    Multiple user sources in parallel

    Anonymous users: logon without authentication

    Authorization depending on authentication method: an iView can require certain logon methods (for example digital certificates)

    Interface for pluggable third-party authentication, based on the Java Authentication and Authorization Service (JAAS) standard

    Partner certification program for Web access management products

    Other external authentication services (for example hardware tokens)

    9/58

    New Features EP 6.0: Single Sign-On (SSO)

    SAP logon ticket expiration recovery: the previous state of the portal is recovered when the SAP logon ticket expires and the user has to log on again

    Ticket Verification Library for UNIX platforms

    Web Server Filter for additional Web server platforms

    Portal Server certificate: self-signed, or issued by the SAP Trust Center Service

    10/58

    New Features EP 6.0 Authorization

    Authorization for Portal Content

    All content under administrative control of the portal

    Based on Access Control Lists (ACLs)

    Code Authorization

    Java Security Manager

    11/58

    New Features EP 6.0: User Management

    Web-based user administration

    End-user self-registration: the user creates an account in the portal; a workflow lets an administrator approve the registration request

    Password management & policies: configurable expiration dates, initial passwords that must be changed at first logon, limit on failed logon attempts

    Flexible user persistence layer: LDAP directory, database or SAP system as user store

    Delegated administration

    12/58

    Topics: Authentication

    13/58

    Authentication: Initial Logon Procedure

    Verification of the user's identity through an initial logon procedure

    Various authentication methods:

    User ID / password

    X.509 digital certificates

    Third-party authentication: Windows authentication, SAP authentication, others through the JAAS interface

    Anonymous users: logon without authentication

    14/58

    Authentication Schemes

    Define the authentication process: the credentials to be supplied, the user interaction required (e.g. logon screens), and the priority of the authentication scheme (how strong it is)

    Attached to the user's session

    Allow different authentication mechanisms to be enforced for different content (iViews): re-authentication is required when an iView demands a stronger authentication scheme than the one the session was established with

    15/58

    Authentication: User ID / Password

    Logons are provided as form-based logon (iView) or as HTTP Basic Authentication (HTTP status 401 challenge)

    Portal Server verifies the provided user ID / password against the user persistence store

    SAP logon ticket is issued (later used for Single Sign-On)

    [Diagram: the browser sends user ID / password over SSL to the Portal Server; the Portal Server verifies them against the User Persistence Store (again over SSL), resolves the user ID mapping via the Portal Database, and returns an SAP Logon Ticket to the browser]

    16/58

    Authentication: Digital Certificates

    Authentication of the user through the SSL protocol: the user presents his digital certificate to the Web server during the SSL handshake, and the Web server performs SSL client authentication

    Portal Server checks that the user presented the correct certificate

    Prerequisite: the client certificate has to be mapped to a portal user

    SAP logon ticket is issued (later used for Single Sign-On)

    [Diagram: the X.509 certificate is presented over SSL to the Web server and forwarded over SSL to the Portal Server, which compares it with the certificate mapped to the user in the User Persistence Store, resolves the user ID mapping via the Portal Database, and returns an SAP Logon Ticket]

    17/58

    Getting a Digital Certificate

    Digital certificates must be X.509v3 compliant

    Various options possible:

    Using SAP Trust Center Service: for SAP users only; free of charge; Portal Server acts as Registration Authority (RA)

    Setting up an internal PKI system: buy software from a CA product vendor

    Using an external PKI system: contract with a Trust Center Service

    18/58

    SAP Trust Center Service: Enrollment Process

    [Diagram: Web Browser, Portal Server and SAP Trust Center Service, with the following steps]

    1. Log on using SAP user ID and password and initiate the SAP Passport request

    2. Specify naming convention and trigger key generation

    3. Web browser generates key pair and sends the SAP Passport request

    4. Send approved certificate request

    5. Verifies naming conventions and issues certificate

    6. Log on using the SAP Passport

    19/58

    Third-Party Authentication

    Authentication using an external authentication service:

    Windows authentication

    SAP Web AS or R/3 system authentication

    Other authentication methods through pluggable JAAS Login Modules

    Integration of external Web Access Management (WAM) products possible

    20/58

    Windows Authentication

    Authentication is delegated to the Windows operating system*

    Process with HTTP Basic Authentication: the user has to enter his or her Windows user ID and password (HTTP Basic Authentication), and the Windows Domain Controller authenticates the portal user. Used when the Enterprise Portal is accessible from the Extranet. (Basic Authentication only base64-encodes the password, so this path must run over SSL.)

    Process with Windows Integrated Authentication (NTLM): the previous logon to the Windows operating system is reused, and the user is not required to re-enter his or her Windows credentials. Used when the Enterprise Portal is a pure Intranet portal and only MS IE is used.

    * Requires Microsoft IIS 5.0 as Web server

    21/58

    SAP Web AS or R/3 System Authentication

    SAP users can be synchronized with users in an LDAP directory, but passwords are not synchronized*

    Authentication directly against the SAP Web Application Server or R/3 System

    Process: the portal user enters his or her SAP user ID and password; the credentials are authenticated directly against the SAP Web Application Server or another SAP R/3 System; if authentication is successful, the Portal Server logs the user on to the portal

    * Only needed for SAP Web Application Server 6.10 and SAP Basis 4.5B or 4.6x

    22/58

    Pluggable Authentication

    Plug-in interface for authentication modules

    Interface defined by the Java Authentication and Authorization Service (JAAS) standard

    Each authentication scheme can define one or more JAAS LoginModules

    http://java.sun.com/products/jaas

    23/58

    Integration of Web Access Management Products

    External Web Access Management (WAM) product authenticates the portal user

    Technical integration using a JAAS LoginModule: reading an HTTP header variable, or a custom implementation (e.g. to verify a provided cookie)

    Portal Server logs the user on to the portal (the user must reside in the portal user persistence store)

    Seamless integration, only configuration required

    Partner certification program for WAM vendors, or integration on a project-specific basis
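The header-based WAM integration above, as an added example in Go that is not part of the original SAP presentation: the WAM product authenticates the user and writes the user ID into an HTTP header, and the portal-side login step trusts that header only when the request actually arrived from the WAM proxy, because any other client can put the same header on a request. The header name (X-Remote-User), the proxy address (10.0.0.5), the in-memory user store and the request path are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// wamUserHeader is the header the WAM product writes after it has authenticated
// the user (slide 23: "reading HTTP header variable"). Header name and proxy
// address are assumptions made for this example.
const wamUserHeader = "X-Remote-User"

// trustedWAMProxies lists the only peers whose identity assertions count. Any
// client can put this header on a request, so the source must be checked
// before the header is read at all.
var trustedWAMProxies = map[string]bool{"10.0.0.5": true}

// AssertedUser returns the user ID asserted by a trusted WAM proxy, or "" when
// the request did not come from one.
func AssertedUser(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if !trustedWAMProxies[host] {
		return ""
	}
	return r.Header.Get(wamUserHeader)
}

// WAMLoginHandler mirrors the LoginModule step on the slide: the portal logs
// the user on only if the assertion is trusted and the user exists in the
// portal user persistence store (here a constructed in-memory set).
func WAMLoginHandler(userStore map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uid := AssertedUser(r)
		if uid == "" || !userStore[uid] {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-Portal-User", uid) // stands in for "logs the user on"
		w.WriteHeader(http.StatusOK)
	})
}

func main() {
	h := WAMLoginHandler(map[string]bool{"d040011": true})
	for _, remote := range []string{"10.0.0.5:40000", "192.0.2.7:40000"} {
		req := httptest.NewRequest("GET", "/irj/portal", nil)
		req.RemoteAddr = remote
		req.Header.Set(wamUserHeader, "d040011")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Printf("%s asserting d040011 -> HTTP %d\n", remote, rec.Code)
	}
}
```

The check is on the TCP peer, not on X-Forwarded-For or a similar header, since those are just as easy for a client to forge; in a deployment the same effect is usually obtained by letting the portal accept connections only from the WAM proxy.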

    24/58

    Topics: Single Sign-On (SSO)

    25/58

    SSO: SAP Logon Tickets

    SAP logon tickets represent the user credentials

    Portal Server issues an SAP logon ticket to a user after successful initial authentication

    SAP logon ticket is stored as a per-session cookie in the client browser

    SAP logon ticket is used to authenticate the user to applications: the user gets access to multiple applications and services, and after the initial logon no further user logons are required

    Cross-domain support

    26/58

    SAP Logon Tickets: SSO Process

    [Diagram: after the Initial Logon the browser holds an SAP Logon Ticket, which it presents to an SAP System and an External System in the Intranet and to any other Web page on the Internet]

    27/58

    SAP Logon Ticket Contents

    SAP logon tickets contain:

    User ID(s)

    Authentication scheme

    Validity period

    Issuing system

    Digital signature

    SAP logon tickets do NOT contain any passwords!

    Strong Security:

    Digitally signed by Portal Server

    Authenticity and integrity protection through digital signature

    28/58

    SAP Logon Tickets & Security

    SAP logon ticket serves as authentication token and therefore needs to be protected from unauthorized usage

    Validity period

    Authenticity and integrity protection using digital signature

    Confidentiality protection through SSL protocol while in transport

    Set cookie as HttpOnly so that script injected by an XSS attack cannot read the ticket (supported by Microsoft IE 6.0 SP1)

    29/58

    Verifying the SAP Logon Ticket: SAP Systems

    [Diagram: the SAP logon ticket is sent to an SAP component system, which holds the Portal Server's public-key certificate]

    Step 1: Verification of the digital signature provided with the SAP logon ticket, using the Portal Server's public-key certificate.

    Step 2: Logon using the user ID which is stored in the SAP logon ticket. No additional authentication using password or certificate is necessary.

    30/58

    Verifying the SAP Logon Ticket: Non-SAP Systems

    The non-SAP component must:

    Make sure the SAP logon ticket has been issued by a trusted Portal Server: accept the certificate of the Portal Server and verify the Portal Server's digital signature in the SAP logon ticket

    Extract the user ID from the SAP logon ticket

    A Ticket Verification Library that can be linked into non-SAP systems, or a Web Server Filter, are provided for both steps

    31/58

    SSO to Non-SAP Components Using SAP Logon Tickets

    Two alternatives:

    [Diagram, alternative 1, Web Server Filter: (1) the SAP Logon Ticket reaches the Web Server; (2) the filter verifies it against the Portal Server's public-key certificate and passes the application user ID to the non-SAP component system in an HTTP header field]

    [Diagram, alternative 2, Ticket Verification Library: (1) the SAP Logon Ticket reaches the non-SAP component system; (2) the system calls the library through its Application Programming Interface (API), which verifies the ticket against the Portal Server's public-key certificate; (3) the library returns the application user ID]
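The ticket life cycle described on slides 14 and 25 to 31, as an added worked example in Go that is not part of the original SAP presentation and does not use SAP's real ticket format: the portal signs a ticket carrying the user ID, authentication scheme, validity period and issuing system; a receiving system (the role of the Ticket Verification Library or Web Server Filter) checks the signature against the portal's public key and then the validity period before extracting the user ID; an iView that requires a stronger scheme than the one in the ticket forces re-authentication; and the cookie carries the HttpOnly and Secure flags. The field layout, the Ed25519 signature, the scheme priorities, the cookie name and all sample values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Ticket carries the fields slide 27 lists (user ID, authentication scheme,
// validity period, issuing system); the signature is added on serialisation.
// The "|"-separated, base64url, Ed25519-signed layout is a constructed
// illustration, not SAP's wire format. No password is included.
type Ticket struct {
	UserID   string
	Scheme   string // authentication scheme the user logged on with
	NotAfter time.Time
	Issuer   string // issuing system
}

// schemePriority ranks schemes by strength (slide 14). Values are assumptions.
var schemePriority = map[string]int{"anonymous": 0, "basicpassword": 10, "certificate": 20}

// Issue signs the ticket with the portal server's private key.
func Issue(t Ticket, portalPriv ed25519.PrivateKey) (string, error) {
	if strings.ContainsAny(t.UserID+t.Scheme+t.Issuer, "|") {
		return "", errors.New("ticket field contains the separator")
	}
	payload := strings.Join([]string{t.UserID, t.Scheme, strconv.FormatInt(t.NotAfter.Unix(), 10), t.Issuer}, "|")
	sig := ed25519.Sign(portalPriv, []byte(payload))
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(sig), nil
}

// Verify is the accepting system's side (slides 29 to 31): check the signature
// against the trusted portal's public key, then the validity period, and only
// then hand out the user ID. Nothing is trusted before the signature check.
func Verify(ticket string, portalPub ed25519.PublicKey, now time.Time) (Ticket, error) {
	parts := strings.Split(ticket, ".")
	if len(parts) != 2 {
		return Ticket{}, errors.New("malformed ticket")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Ticket{}, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Ticket{}, err
	}
	if !ed25519.Verify(portalPub, payload, sig) {
		return Ticket{}, errors.New("signature invalid: not issued by a trusted portal server")
	}
	f := strings.Split(string(payload), "|")
	if len(f) != 4 {
		return Ticket{}, errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return Ticket{}, err
	}
	t := Ticket{UserID: f[0], Scheme: f[1], NotAfter: time.Unix(exp, 0), Issuer: f[3]}
	if !now.Before(t.NotAfter) {
		return Ticket{}, errors.New("ticket expired: user must log on again")
	}
	return t, nil
}

// NeedsReauth applies slide 14: an iView that demands a stronger scheme than
// the one recorded in the session's ticket forces re-authentication.
func NeedsReauth(t Ticket, requiredScheme string) bool {
	return schemePriority[t.Scheme] < schemePriority[requiredScheme]
}

// TicketCookie applies slide 28: per-session cookie, HttpOnly so script cannot
// read it, Secure so it only travels over SSL. The cookie name is an assumption.
func TicketCookie(ticket string) *http.Cookie {
	return &http.Cookie{Name: "PortalLogonTicket", Value: ticket, Path: "/", HttpOnly: true, Secure: true}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ticket, _ := Issue(Ticket{UserID: "d040011", Scheme: "basicpassword", NotAfter: now.Add(8 * time.Hour), Issuer: "EP6"}, priv)
	got, err := Verify(ticket, pub, now)
	fmt.Println(got.UserID, err, NeedsReauth(got, "certificate"), TicketCookie(ticket).HttpOnly)
}
```

The order inside Verify is the point the slides make about the non-SAP side: the public key decides whether the ticket came from a trusted portal at all, the validity period decides whether it is still usable, and the user ID is read only after both checks pass. A ticket whose payload is altered, re-signed by another key, or presented after NotAfter fails before any user ID is returned.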

    32/58

    SSO Account Aggregation

    If the external system does not support SAP logon tickets, portal components connect to the external system with the user's credentials (user ID and password)

    User mapping and credential information are stored in the Portal Database, which therefore holds reusable passwords for the external system and needs the same protection as the user persistence store

    Administrator maps users using the administration iView (typically to map groups and roles)

    User maps own credentials using the portal personalization function

    Portal User          SAP User   Siebel User ID / Password
    Michael_Schumacher   d040011    903845233, {yu323ab}___
    Anna_Kournikova      i052340    230982029, {34u0nap}___
    Tiger_Woods          i043536    324098211, {wq9itxm1}__
    Cathy Freeman        i048347    202377724, {12onxc85}__

    33/58

    Topics: Authorization

    34/58

    Authorization Concept for Portal Content

    Objects in the Portal Content Directory (PCD) are controlled by

    Access Control Lists (ACLs)

    ACL defines permissions for principals (user, group or role)

    For example, ACL specifies the roles that can access the iView

    ACL Service

    Enforces permissions for portal objects at runtime

    Permissions Editor

    GUI for administering ACLs for portal objects

    35/58

    Access Control Lists (ACLs)

    Portal object creator is automatically the ACL owner

    Only the ACL owner can add or remove owners for the object's ACL, and grant permissions to a principal

    Inheritance of permissions: if no ACL exists for a PCD object, the permissions are inherited from the parent's ACL

    Administrator permissions (design time): None, Read, Write, Full Control (ACL owner)

    End-user permissions (run time): On/Off
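The ACL rules on this slide, as an added example in Go that is not SAP's PCD implementation: the creator of an object becomes its ACL owner, only an owner may grant permissions, and an object without its own ACL inherits the nearest ancestor's. The slash-separated object paths, the principal naming ("role:everyone"), and the choice to copy the inherited ACL onto the object before a grant so that the change does not propagate to the parent are assumptions of this example; the run-time On/Off switch for end users is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Permission models the design-time (administrator) permissions on slide 35.
// The run-time end-user On/Off switch is not part of this example.
type Permission int

const (
	None Permission = iota
	Read
	Write
	FullControl // what an ACL owner holds
)

// ACL is the access control list of one PCD object.
type ACL struct {
	Owners      map[string]bool
	Permissions map[string]Permission // principal (user, group or role) -> permission
}

// PCD maps object paths (slash-separated, an assumption) to the ACLs the
// objects own. An object without an ACL inherits the nearest ancestor's.
type PCD map[string]*ACL

// Create registers a new object; its creator automatically becomes ACL owner.
func (p PCD) Create(path, creator string) {
	p[path] = &ACL{Owners: map[string]bool{creator: true}, Permissions: map[string]Permission{}}
}

// EffectiveACL walks up the path until it finds an ACL (the inheritance rule).
func (p PCD) EffectiveACL(path string) *ACL {
	for {
		if acl, ok := p[path]; ok {
			return acl
		}
		i := strings.LastIndex(path, "/")
		if i < 0 {
			return nil
		}
		path = path[:i]
	}
}

// Check returns the strongest permission any of the caller's principals (user
// ID, groups, roles) holds on the object; an owner gets Full Control.
func (p PCD) Check(path string, principals ...string) Permission {
	acl := p.EffectiveACL(path)
	if acl == nil {
		return None
	}
	best := None
	for _, pr := range principals {
		if acl.Owners[pr] {
			return FullControl
		}
		if perm := acl.Permissions[pr]; perm > best {
			best = perm
		}
	}
	return best
}

// Grant enforces "only the ACL owner can grant permissions to a principal".
// If the object has no ACL of its own, one is created as a copy of the
// inherited ACL first, so the grant does not leak upward to the parent (an
// assumption of this example, not a rule stated on the slide).
func (p PCD) Grant(path, actor, principal string, perm Permission) error {
	inherited := p.EffectiveACL(path)
	if inherited == nil || !inherited.Owners[actor] {
		return errors.New("only an ACL owner may grant permissions")
	}
	own, ok := p[path]
	if !ok {
		own = &ACL{Owners: map[string]bool{}, Permissions: map[string]Permission{}}
		for o := range inherited.Owners {
			own.Owners[o] = true
		}
		for pr, pm := range inherited.Permissions {
			own.Permissions[pr] = pm
		}
		p[path] = own
	}
	own.Permissions[principal] = perm
	return nil
}

func main() {
	p := PCD{}
	p.Create("portal_content", "admin")
	fmt.Println(p.Grant("portal_content", "admin", "role:everyone", Read))
	fmt.Println(p.Check("portal_content/com.example/iviews/report", "u1", "role:everyone")) // inherited from portal_content
	fmt.Println(p.Grant("portal_content/com.example", "u1", "u1", Write))                  // u1 is not an owner
}
```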

    36/58

    Code Authorization

    Protection mechanism for portal code or sensitive areas in the file

    system

    Uses Java access control mechanisms

    Java Security Manager

    Controls what application code has access to portal code

    Policy file with permissions

    37/58

    Topics: User Management

    38/58

    Architecture Overview: User Management Engine

    [Diagram: applications accessing user management, the SAP Enterprise Portal among them, use the User API, User Account API, Group API and Role API of the User Management Core Layer. Below it, the Persistence Manager with its Persistence Adapters reads and writes the User Persistence Store (Database, LDAP Directory, SAP System), and the Replication Manager feeds External Systems]

    39/58

    Persistence Manager

    Central place for reading and writing user-specific data: users, groups, role assignments

    Uses Persistence Adapters to read/write data

    Supports database, LDAP directory and SAP system as repository

    [Diagram: User Management Core Layer -> Persistence Manager -> Persistence Adapters -> User Persistence Store (Database, LDAP Directory, SAP System)]

    40/58

    Persistence Manager

    User Partitioning: specific user sets can be distributed across different repositories. Example: self-registered, external users are stored in the Database, internal users in LDAP Directories.

    Attribute Partitioning: specific user attributes can be distributed across different repositories. Example: role assignments (portal-specific data) are stored in the Database, general user data (application independent) in the LDAP Directory.

    41/58

    Persistence: Supported Repositories

    Portal Database: Oracle 9.2; Microsoft SQL Server 2000

    LDAP Directory: Novell eDirectory; Sun ONE Directory Server; Microsoft ADS; Siemens DirX

    SAP System: SAP Web Application Server 6.20 or higher

    For details please see the Product Availability Matrix at http://service.sap.com/pam60

    42/58

    Portal Database

    Stores portal-specific data:

    Basic user data

    Basic group data

    User-group assignment

    User/group-role assignment

    User mapping (for SSO purposes)

    User roles (metadata)

    Content-role assignment

    Users' personalization data

    [Diagram: Portal Server with a UM instance and a PCD instance; the User Persistence Store (LDAP Directory, Portal Database or SAP System) is separate from the Portal Database that holds the portal-specific data]

    43/58

    Replication Manager

    Replication of user data to external systems

    Provisioning for external systems that cannot use the supported user repositories

    Notification when users are created or modified

    Data exchange via XML documents

    One-way replication of user data (Portal -> External System)

    [Diagram: User Management Core Layer -> Replication Manager -> External System]

    44/58

    Replication: Supported External Systems

    External System: SAP Basis 4.6D, SAP Web Application Server 6.10 or higher

    [Diagram, example: portal user provisioning through the Replication Manager to SAP systems such as BW, SRM and CRM]

    45/58

    User Management with SAP Systems: Directory Integration

    [Diagram: LDAP Directory <- LDAP Synchronization* -> Central User Administration (CUA) -> Child Systems of CUA; the synchronization requires a mapping onto the directory schema and a synchronization procedure]

    * Since CUA release 6.10

    46/58

    User Administration

    Administration GUI completely based on iViews

    User Administration Functions:

    Create users

    Copy users

    Modify users

    Search for users

    Assign users and groups to role(s)

    Set or auto-create password

    Set date & time for user account activation

    Lock/unlock users

    View user account history

    Approve/deny self-registered users

    Adapt attributes contained in self-registration

    E-Mail notifications for specified events

    47/58

    Password Management

    Administration Functions

    Configure password policies

    Set initial password for user

    Let system auto-create password for user

    Reset password

    Customizable Forgot Password process

    Password Policies

    Min/max. length

    Numeric characters allowed/mandatory

    Password different from UID

    Mixed case required

    Special characters required

    Password expiry time period (days)

    Password must be changed at next logon

    Number of failed logon attempts before account is locked
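The policy settings listed above together with the lockout rule, as an added example in Go that is not SAP's code: a validator for the listed password rules and the logon state machine around it (initial password must be changed at first logon, expiry after a configurable number of days, failed-attempt counter, lock at the threshold). The password check itself stays in the user persistence store and is passed in as a boolean; the policy values, the user ID, and the rule that a locked account stays locked until an administrator unlocks it are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// PasswordPolicy holds the settings slide 47 lists; the values used below are assumptions.
type PasswordPolicy struct {
	MinLength, MaxLength                           int
	RequireDigit, RequireMixedCase, RequireSpecial bool
	ExpiryDays                                     int // 0 disables expiry
	MaxFailedLogons                                int // 0 disables locking
}

// Validate checks a candidate password against the policy.
func (p PasswordPolicy) Validate(userID, pw string) error {
	n := len([]rune(pw))
	switch {
	case n < p.MinLength:
		return errors.New("password too short")
	case p.MaxLength > 0 && n > p.MaxLength:
		return errors.New("password too long")
	case strings.EqualFold(pw, userID):
		return errors.New("password must differ from user ID")
	}
	var digit, upper, lower, special bool
	for _, r := range pw {
		digit = digit || unicode.IsDigit(r)
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
		special = special || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	switch {
	case p.RequireDigit && !digit:
		return errors.New("numeric character required")
	case p.RequireMixedCase && !(upper && lower):
		return errors.New("mixed case required")
	case p.RequireSpecial && !special:
		return errors.New("special character required")
	}
	return nil
}

// Account is the logon-relevant state of one portal user; the password itself
// lives in the user persistence store, so Logon only receives the store's verdict.
type Account struct {
	UserID        string
	PasswordSetAt time.Time
	Initial       bool // set by an administrator, must be changed at first logon
	FailedLogons  int
	Locked        bool
}

type LogonResult int

const (
	LogonFailed         LogonResult = iota
	LogonLocked                     // stays locked until an administrator unlocks (assumption)
	LogonOK
	LogonChangePassword // initial or expired password: continue with a password change
)

// Logon applies lockout and expiry rules to the store's verification result.
func (p PasswordPolicy) Logon(a *Account, passwordVerified bool, now time.Time) LogonResult {
	if a.Locked {
		return LogonLocked
	}
	if !passwordVerified {
		a.FailedLogons++
		if p.MaxFailedLogons > 0 && a.FailedLogons >= p.MaxFailedLogons {
			a.Locked = true
			return LogonLocked
		}
		return LogonFailed
	}
	a.FailedLogons = 0
	expired := p.ExpiryDays > 0 && now.Sub(a.PasswordSetAt) > time.Duration(p.ExpiryDays)*24*time.Hour
	if a.Initial || expired {
		return LogonChangePassword
	}
	return LogonOK
}

// ChangePassword validates the new password and resets the password state.
func (p PasswordPolicy) ChangePassword(a *Account, newPw string, now time.Time) error {
	if err := p.Validate(a.UserID, newPw); err != nil {
		return err
	}
	a.PasswordSetAt, a.Initial = now, false
	return nil
}

func main() {
	p := PasswordPolicy{MinLength: 8, RequireDigit: true, RequireMixedCase: true, RequireSpecial: true, ExpiryDays: 90, MaxFailedLogons: 3}
	a := &Account{UserID: "d040011", PasswordSetAt: time.Now(), Initial: true}
	fmt.Println(p.Logon(a, true, time.Now()), p.ChangePassword(a, "password", time.Now()), p.Logon(a, false, time.Now()))
}
```

A correct password on a locked account is still refused, and a successful logon resets the failure counter, so the counter measures consecutive failures rather than failures over the account's lifetime.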

    48/58

    User Self-Service

    User can change his or her profile

    User can set a new password: during logon (for initial passwords, or when the password has expired) or by changing the user profile

    User can request a new password (sent to the user by e-mail)

    Self-registration: the user fills out a simple registration form, immediately becomes a guest user, and waits for approval by an administrator to become a registered user

    49/58

    Security Logging & Auditing

    Logging of all security relevant information

    User login (successful/failed)

    IP address of user logged in

    User logoff

    User created/modified

    User approval/denial

    User locked/unlocked

    Role assignment changed
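Detection logic run over the kind of events this slide lists, as an added example in Go that is not SAP's code: a parser for a constructed log line format (timestamp, event kind, key=value fields) and two checks over failed logons, repeated failures for one user ID and one IP address failing against many distinct user IDs. The log format, the event names, the addresses and the user IDs in the sample are constructed for this example; EP 6.0's real log layout is not shown on the slide.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example, not EP 6.0 output; the event
// kinds follow slide 49. Four failures for d040011, four user IDs from one IP.
const sampleLog = `2003-03-13T09:14:02Z LOGON_FAILED user=d040011 ip=10.1.2.3
2003-03-13T09:14:05Z LOGON_FAILED user=d040011 ip=10.1.2.3
2003-03-13T09:14:09Z LOGON_FAILED user=d040011 ip=10.1.2.3
2003-03-13T09:14:12Z LOGON_FAILED user=d040011 ip=10.1.2.3
2003-03-13T09:14:20Z USER_LOCKED user=d040011 by=system
2003-03-13T09:20:00Z LOGON_FAILED user=i052340 ip=192.0.2.9
2003-03-13T09:20:01Z LOGON_FAILED user=i043536 ip=192.0.2.9
2003-03-13T09:20:02Z LOGON_FAILED user=i048347 ip=192.0.2.9
2003-03-13T09:20:03Z LOGON_FAILED user=i099999 ip=192.0.2.9
2003-03-13T09:25:00Z LOGON_OK user=i052340 ip=10.7.7.7
2003-03-13T09:26:00Z LOGON_FAILED user=i052340 ip=10.7.7.7
this line is not a log record and is skipped`

// Event is one parsed record: timestamp, event kind and key=value fields.
type Event struct {
	Time   time.Time
	Kind   string
	Fields map[string]string
}

// ParseLog skips lines it cannot parse instead of failing the whole batch.
func ParseLog(text string) []Event {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		parts := strings.Fields(sc.Text())
		if len(parts) < 2 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			continue
		}
		ev := Event{Time: ts, Kind: parts[1], Fields: map[string]string{}}
		for _, kv := range parts[2:] {
			if kvp := strings.SplitN(kv, "=", 2); len(kvp) == 2 {
				ev.Fields[kvp[0]] = kvp[1]
			}
		}
		events = append(events, ev)
	}
	return events
}

// Finding is one alert: the rule that fired, the user ID or IP, and a count.
type Finding struct {
	Rule, Subject string
	Count         int
}

// Detect runs two checks over the LOGON_FAILED events of a batch (the caller
// bounds the batch in time, e.g. the last few minutes of the log): brute force
// (at least threshold failures for one user ID) and password spraying (one IP
// address failing against at least threshold distinct user IDs).
func Detect(events []Event, threshold int) []Finding {
	failsByUser := map[string]int{}
	usersByIP := map[string]map[string]bool{}
	for _, ev := range events {
		if ev.Kind != "LOGON_FAILED" {
			continue
		}
		user, ip := ev.Fields["user"], ev.Fields["ip"]
		failsByUser[user]++
		if usersByIP[ip] == nil {
			usersByIP[ip] = map[string]bool{}
		}
		usersByIP[ip][user] = true
	}
	var findings []Finding
	for user, n := range failsByUser {
		if n >= threshold {
			findings = append(findings, Finding{"brute force", user, n})
		}
	}
	for ip, users := range usersByIP {
		if len(users) >= threshold {
			findings = append(findings, Finding{"password spraying", ip, len(users)})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].Rule+findings[i].Subject < findings[j].Rule+findings[j].Subject
	})
	return findings
}

func main() {
	for _, f := range Detect(ParseLog(sampleLog), 4) {
		fmt.Printf("%s: %s (%d)\n", f.Rule, f.Subject, f.Count)
	}
}
```

The spraying check is the one a per-account lockout limit does not cover: each user ID in the sample from 192.0.2.9 fails only once, so no account is locked, and only the per-IP view shows the pattern.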

    50/58

    Topics: Secure Communication

    51/58

    Secure Communication Features

    Secure, encrypted communication between client, Portal Server, persistence layer, and backend systems

    Support of industry-standard security protocols: Secure Sockets Layer (SSL), Secure Network Communications (SNC)

    Features: confidentiality, authenticity, integrity

    52/58

    Secure Communication Overview

    [Diagram: Web Browser -- HTTP over SSL --> Web Server (DMZ) -- HTTP over SSL --> Portal Server (SAP J2EE Engine with Dispatcher, P4) in the Intranet. The Portal Server reaches the User Persistence Store via JDBC over SSL (Database), LDAP over SSL (LDAP Directory) and RFC over SNC (SAP System), and the Backend Systems via RFC over SNC (SAP System) and HTTP over SSL (Web applications, SAP and non-SAP)]

    53/58

    Topics: Secure Network Architecture

    54/58

    Secure Network Architecture Overview

    Network architecture needs to protect your business needs without allowing unauthorized access

    Highly sensitive systems and components need to be protected (Portal Server, Persistence Layer, Backend Applications)

    Locate them in a separate area that is sealed off from network attacks from outside and inside

    Application servers, database servers, and directory servers should only be accessible via a demilitarized zone (DMZ) that is protected by firewalls

    55/58

    Secure Network Architecture: Enterprise Portal 6.0

    [Diagram, left to right: Client -> External Firewall -> Front End / DMZ with Web Servers (with Plug-In) -> Internal Firewall -> Portal Servers (incl. Content Management) and Retrieval & Classification (TREX) -> Firewall -> Backend with the Persistence Layer (Database Servers, Corporate Directory Server) and Application Servers; the Intranet attaches behind the internal firewall]

    56/58

    57/58

    Enterprise Portal 6.0: A Portal For More Security

    Authentication using various methods: user ID/password, digital certificates, third-party authentication

    Single Sign-On (SSO): secure, digitally signed SAP logon tickets; account aggregation via user ID/password mapping

    Authorization: ACL-based authorization for portal content

    Secure communication between client, portal, and enterprise application servers (SSL, SNC)

    User Management: support for LDAP directory servers, databases or SAP systems as user persistence store; user self-registration (incl. approval process); delegated administration

    58/58

    Questions?