sap ad integration of sso and user management_sap

5/28/2018 SAP AD Integration of SSO and User Management_SAP

1/56

Andr Fischer ([email protected])Project Manager CTSC

Michael Sambeth ([email protected])NetWeaver Practice Unit Enterprise Portal

SAP Active DirectoryIntegration SSO and

Usermanagement


2/56

Agenda

Introduction

User Management

Single Sign On

Conclusion

A d


3/56

Agenda

Introduction

User Management

Conclusion

Single Sign-on

Wh t th t


4/56

What the user wants

ERP CRM ESS Groupware

Intranet WorkflowInternet

...

Portal

Logon

Access

Wh t th d i i t t t


5/56

What the administrator wants

Central user management

Single point of administration

Assign user rights in various applications with one keystroke

Lock or Delete users centrally

Central user repository

Avoid redundant user information

Wh t th i it ?


6/56

What are the prerequisites ?

Integrated Cross-Application User Management

Central storage of user information Group assignement

Basic user data

Application specific user data

Standard Access protocol Interoperability, Multi vendor and platform support

Solution: LDAP

LDAP Directories serve as central repository for user master data.

Access to this data is provided using the standardized Lightweight

Directory Access Protocol (LDAP).

Applications from multiple vendors and platforms can work as LDAP clients

-> Interoperatibility

Authentication



7/56


Single Sign-On (SSO)

User authenticates once against a security system User is afterwards automatically authenticated to access other systems

Authentication against external applications is transparent for the user

Logon-Procedure for initial authentication must be secure

Solution

SAP Logon Tickets

E.g. with SAP Enterprise Portal, SAP WebAS,...

and how can it be realized in a Microsoft Environment !


8/56

and how can it be realized in a Microsoft Environment !

SAP

Enterprise Portal / Web AS can use LDAP Directories as User Repository(User Persistence Store)

Enterprise Portal provides SSO to SAP and MS backend systems using SAP

Logon Tickets

SAP provides a Directory Interface for User Management via LDAP mySAP HR can create / update users in LDAP Directories

SAP user data can be synchronized with user data in LDAP Directories

Microsoft Active Directory

Supports LDAP

Active Directory is SAP certified (BC-USR-LDAP)

Windows authentication can be used as external authentication for mySAPEnterprise Portal (SSO to EP)

The big picture


9/56

ActiveDirector

The big picture

Authentication

UME (Web AS Java)SAP Enterprise Portal

Use as user

repository

mySAPHR

Create and

modify users

Use as user

repository

UME(Web AS Java)

Java

Application

WebDynpro CUA

Synchronize

user data

mySAP

Systems

User data

3rd party

pplications

Microsoft based

applications

SSOSSOSSO SSOSSOSSO

SSO

SAP

ISAPI Filter

Agenda


10/56

Agenda

User Management

nterdu tion

Conclusion

Single Sign-on

User Management (step 1)


11/56

ActiveDirector


UME (Web AS Java)SAP Enterprise Portal

Use as user

repository

mySAPHR

Create and

modify users

Use as user

repository

UME(Web AS Java)

Java

Application

WebDynpro CUA

Synchronize

user data

mySAP

Systems

User data

mySAP HR

Create modifyDirectory users

Active Directory

Assign groups andpassword

SAP EP & SAP J2EE

Use Directory as

user repository for

EP and JAVA users

CUA Create /

Synchronize SAP

ABAP users using

BC-LDAP-USRinterface

my n er ace


12/56

my n er ace

Goal

Create / modify users in the directory server automatically from employedata stored in mySAP HR

Reason

mySAP HR is master system for (basic) employee data

First name

Last name

Employee number

Manager

.

Optimize Administration of users

Reduction in operational costs

Correctness of data Speed of the process

Restriction

Only export of data

User information in Active Directory


13/56

User information in Active Directory

distinguishedName:

sn:

givenName:

employeeNumber:

sAMAccountName

userPrincipalName

mail:

memberOf:

CN=Andre Fischer, CN=Users, DC=MSCTSC, DC=SAP,DC=CORP;

Fischer

Andre

0123456

M0123456

[email protected]

[email protected]

CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;CN=Domain Admins,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;

CN=SAP Users,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;

Attributes that can be provided by mySAP HR

Attributes that are provided by Active Directory

and Exchange Administration

Data export from mySAP HR using LDAP interface


14/56

Data export from mySAP HR using LDAP interface

Employee data:

Personel number

First NameLast Name

...

WebAS>= 6.10

Extraction

Active

Directory

SAP HR

SAP data field ->

LDAP attribute

Mapping

RFC LDAP

Create / update users

User attributes

Cn

SngivenName

...

LDAP

=4.6C

>=4.7

Results of export using mySAP HR LDAP interface


15/56

Results of export using mySAP HR LDAP interface

=> New users are created as deactived accounts in Active Directory

=> Existing user accounts will be updated



16/56

ActiveDirector


UME (Web AS Java)

SAP Enterprise Portal

Use as user

repository

mySAPHR

Create and

modify users

Use as user

repository

UME(Web AS Java)

Java

Application

WebDynpro CUA

Synchronize

user data

mySAP

Systems

User data

mySAP HR


Active Directory


SAP EP & SAP J2EE

Use Directory asuser repository for

EP and JAVA users

CUA Create /

Synchronize SAP

ABAP users using


Active Directory - Useradministration


17/56

Active Directory Useradministration

Activate account

Assign groups

Set / Reset password

Perform additional

administrative tasks



18/56

ActiveDirector

g ( p )

UME (Web AS Java)


Use as user

repository

mySAPHR

Create and

modify users

Use as user

repository

UME(Web AS Java)

Java

Application

WebDynpro CUA

Synchronize

user data

mySAP

Systems

User data

mySAP HR


Active Directory


SAP EP & SAP J2EE


EP and JAVA users

CUA Create /

Synchronize SAP

ABAP users using


Architecture: User Management Engine


19/56

g g

Basic user data

Basic group data

User group

assignment

User/group role

assignment

User mapping (for

SSO purposes)

User Roles

(Metadata)

Content role

assignment

Users

personalization data

PortalServer

PCD InstanceUM Instance

User Persistence Store

LDAP or

Portal Database or

SAP System

Portal

Database

Store portal-

specific data

UME: Active Directory as User Persistence Store


20/56

y

Portal Users are stored in the Directory

Active Directory groups can be assigned to Portal Roles

Portal specific information is stored in portal database

group role assignment User role assignement

Portal User Id = sAMAccountName (default)

Multiple domains are supported if an attribute is used as portal

user id that is unique in the complete forest (the

sAMAccountName is only unique in a domain)

LDAP access of the portal to the directory should be secured by

SSL

UME result


21/56

User can log on

to SAP EPimmediately

User is

assigned toroles that are

assigned to the

user or the

groups the userhas been

assigned to



22/56

ActiveDirector

UME (Web AS Java)


Use as user

repository

mySAPHR

Create and

modify users

Use as user

repository

UME(Web AS Java)

Java

Application

WebDynpro CUA

Synchronize

user data

mySAP

Systems

User data

mySAP HR


Active Directory


SAP EP & SAP J2EE


EP and JAVA users

CUA Create /

Synchronize SAP

ABAP users using


verv ew user sync ron sa on


23/56

y

SAP ABAP user management data can be synchronized with a LDAPdirectory with systems based on WebAS 6.10 or higher

SAP Systems with Release 4.5 and higher can be integrated into LDAPusing CUA

LDAP directory interface provides mapping capabilities LDAP attributesand SAP data fields

SAP User synchronisation and distribution can be performed by

background jobs

CUA onWebAS

Mandatory for 4.5 & 4.6optional for 4.7 and high

LDAP ALELDAP

4.7 andhigher

onnec or


24/56

SAP Application Server

Call Function

LDAP_XXX

Work Process LDAP

Connector

Function

LDAP_XXX

Connection with

LDAP Server

Domain Controller:

Active Directory

RFC

LDAP

Executable LDAP_RFC shipped since Release 4.6A

Loads LDAP Library of operating system at runtime

onnec or as erv ce on n ows


25/56

SAP Application Server

Call Function

LDAP_XXX

Work Process LDAP

Connector

Function

LDAP_XXX

Connection with

LDAP Server

Domain Controller: Active Directory

RFC

LDAP

If operating system of SAP Application Server

does not provide a LDAP Library

LDAP connector runs as Service on Windows

Result of SAP user LDAP synchronisation


26/56

User is created / updated

with basic user datafrom LDAP directory

First Name

Last Name

eMail

Roles (optional)

Users are created

without password Passwords are not

needed if SSO usingSAP Logon Tickets isused

No security risk sinceusers cannot log oneithout using SSO viaEnterprise portal usingan initial password

Q&A: Usermanagement with Microsoft Active Directory


27/56Agenda


28/56

Single Sign-on

User Management

Conclusion

Introduction

What is Single Sign-on (SSO)?


29/56

Single Sign-on

User authenticates once against a securitysystem

User is afterwards automatically authenticated to

other systems

Authentication

Initial check of user credentials (for example

username/password)

Why using Single Sign-on ?


30/56

Typical situation

In a complex system landscape an employee has many user IDs with differentpasswords

Different procedures for each system to roll-out, reset and change

new/existing passwords

Users find continuous password changing for many systems annoying

Solution: Single Sign-on Users only have to remember one password to gain access to every system

Administration costs and effort are drastically reduced

Problems

High administration cost and effort Security risk: Users write passwords down and store them where they can easily

be found

Authentication Methods Initial Logon Procedure


31/56

Enterprise Portal 6.0 supports various authentication methods

User ID / password LDAP Directory (for example Active Directory)

Portal Database

SAP System

X.509 digital certificates

Third-party authentication

Integrated windows authentication

SAP authentication (SAP Web AS or R/3)

Others through JAAS interface (pluggable JAAS login modules, e.g. RSA)

SAP integrates into existing Active Directory landscapes

Initial logon procedure to authenticate user can be delegated to ActiveDirectory

No additional costs since no 3rd party software is required Authentication methods can also be used if portal runs on UNIX

SAP provides necessary interfaces and tools

UME: LDAP Adapter for Active Directory

ISAPI Filter for IIS (IISProxy.dll)

SSO Microsoft Windows Logon to Enterprise Portal


32/56

Prerequisites

Separate Webserver: IIS withIISProxy.DLL filter

Browser: Microsoft Internet Explorer

Authentication of users is delegated tothe operating system Previous logon to Windows operating

system can be reused

User is not required to reenter his or herWindows authentication credentials

Limitations Multiple domains are now supported*.

In this case an attribute that is unique inall domains has to be used as portallogon id (for exampleuserPrincipalName)

Can only be used in Intranet scenarios

*Solution is available for EP 6.0 SP2 on project basis

** EP


33/56

Prerequisites User Persistence Store: Active

Directory

Authentication of users is delegatedto the operating system

User must enter his or her Windows

authentication credentials

Typical scenarios

Extranet scenarios

Intranet scenarios where a secondlogin using the same username /

password should be use

Active

Directory


2. LDAP bind

Check

credentials

1.

Login

3.

SAP Logon

Ticket issued

Overview SSO from EP to backend systems


34/56

SAP EP provides SSO to

backend systems using SAP Logon Tickets

Account Aggregation

SAP Logon Tickets can beused for SSO to:

SAP Applications

Web based applicationswith the SAP Web Server

filter

JAVA and C applications

using SAPs sharedlibrary

Microsoft Applications

using SSO2KerbMap

Module *

3rd party

Applications


SAP WeServer

Filter o

Shared

Library

SSO22KerbMapModule

SAP Logon Ticket

Initial Logon orSSO

New

SAP Logon Ticket

* Active Directory 2003 required

SSOSSOSSO

SSO Account Aggregation


35/56

Features:

Account aggregation can be used if the external system does notsupport SAP logon tickets

System is maintained in portal system landscape

Portal components connect to the external system with the userscredentials (user ID and password), e.g. with SAP AppIntegrator

Credentials submitted via HTTP GET Query String or HTTP POST body

User mapping and credentials information are securely stored in thePortal Database

Drawbacks and Limitations: Redundant administration of credentials

Stored credentials have to be changed if password changes in abackend syste

Administrative overhead

Security update of MS IE http://user:[email protected]

Username and password must not be sent in a URL via the network

Conclusion: Seamless SSO technique such as SAP Logon Tickets is preferred

SSO SAP Logon Tickets


36/56

Portal Server issues an SAP logon ticket to a user aftersuccessful initial authentication

SAP logon ticket is stored as per session cookie on the client

browser

SAP logon ticket is used to authenticate user to applications

User gets access to multiple applications and services

After initial logon no further user logons required

SAP logon tickets contains user name(s)

SAP Logon Ticket is signed using digital signatures

Verifying the SAP Logon Ticket


37/56

Backend

System

Step 2:

Retrieval of the user ID which is stored in the SAP logon ticket.

=> No additional authentication necessary.

Step 1:

Verification of the digital signature provided with the SAP logon ticket.

=> Application needs access to issuing servers public-key certificate

Portal

Servers

public-key

certificate

SAP Logon Ticket


38/56

SAP Reference System


39/56

Contains the SAP User IDs

Used for mapping between SAP Users and Portal Users in EP

SAP Users can be created / modified using LDAP directory

interface

Users have only to logon once to the SAP reference system

SAP CUA system can be used as SAP Reference system

Portal SSO

SSO to SAP components using SAP Logon Tickets


40/56

Initial

Logon

SSO

SAP

Logon

Ticket

SAP

Logon

Ticket

SAP

Logon

Ticket

SAP

LogonTicket

WebDynpro

BSP-Pages

SAPGUI for HTML

SAPGUI for Windows

Windows

Web

WebAS

SAP

SAP

ITS

SAP

Web

Dynpro

Web Server Filter, Shared Library and Java classes


41/56

Web Server Filter

available for several Web Servers (IIS, Apache, iPlanet) verifies SAP Logon Ticket and extracts portal user id

Adds portal user id to http header

Example: Use by ASP applications

Shared Library

Dynamic Link Library for verifying SSO Tickets in third partySoftware

Native support of SSO using SAP Logon Tickets for applicationswritten in C, Visual Basic

SAP provides C samples

Java Classes Java Classes provided by SAP

Operating System independent

Javadoc on SDN contains JAVA samples

SSO to MS based backend systems innovation


42/56

Goal:

Use of Kerberos for authentication on MS backend servers

Windows authentication (Kerberos) is the preferred authenticationmethod in Microsoft environments

Problem:

Kerberos does not work well across the Internet (firewall config)

Windows integrated authentication can only be used in intranetscenarios (firewall config, trusted domains)

To perform Kerberos on a clients behalf the server needs to havethe clients primary credentials (RFC 1510)

Clients password OR

Clients ticket granting ticket (TGT) and the corresponding session key

But, Windows Server must NOT know the clients password whichwould be a severe breach of trust

Solution: SSO22KerbMap Module


43/56

Kerberos Constrained Delegation with Protocol Transition

Authentication

Managability /

Constraints

On behalf

of a end user

Applicable where

Kerberos would notWork natively, e.g.

over the Internet

Kerberos constrained delegation using protocol transition


44/56

Microsoft has enhanced its implementation of the Kerberosprotocol

Constrained delegation: Service may request a (constrained)Kerberos ticket on behalf of a user for specified services only

Protocol transition: Client may be authenticated using othermethods than Kerberos

SAP has developed the SSO22KerbMap Module (ISAPI Filter)

Protocol transition: Filter allows authentication using SAP LogonTickets

Constrained delegation: Filter can aquire Kerberos Tickets on behalfof user that is authenticated by a SAP Logon Ticket

IIS

Clients

ISAPI

FIlter

(SSO22

Kerb

Map

Module) IIS Back-end Server

Active Directory

Kerberos

Constrained

Delegation

SAP Logon TicketsIIS Back-end Server

SSO22KerbMap Module - Flowchart


45/56

ADS 2003

Windows

BackendApplicationIIS

Kerberos

Client(IE)

HTTP (S)

2

4

1

3+5

6

1. Client with (valid) SAP Logon Ticket

2. Authentication to IIS. ISAPI Filter DLL checks validity of SAP Logon Ticket

3. Identification: ISAPI Filter searches for a user in Active Directory with the user

id contained in SAP Logon Ticket.

4. Impersonation as user (LogonAsUser)

5. Constrained Delegation managed by ADS

6. Kerberos Authentication when connecting to backend service as fullyqualified Windows Domain User

7. Windows backend application/service accepts contrained kerberos ticket

Impersonation

Identification +

Constraineddelegation

7

SAP Logon

Ticket

Configuration of delegation in Active Directory


46/56

Sample configuration

in ADS forOutlook Web Accesss

Architecture


47/56

Client

Extranet

Global catalogserver

Exchange

back-end servers

Client - Intranet

Firewall

Outlook Web Access using SSO22KerbMap Module


48/56

Exchange

Frontend Server

1

3Impersonation

Kerberos ticket

Check SAP Logon

Ticket

Active

Directory

Check if server is trusted

for delegation

2

Exchange

Backend Server(s)

SSO22K

erbMap

ModuleS

SO22KerbMap

M

odule

passthrough

authentication

Outlook WebAccess for Exchange 2003


49/56

Portalized Outlook WebAccess


50/56

* German localization

Summary


51/56

Kerberos Constrained Delegation with Protocol Transition

Authentication

to backend

ADS 2003

Microsoft

S4U2-

Kerberos

Extensions

SAP Logon Ticketsfor Authentication

on IIS web server

Agenda


52/56

Conclusion

User Management

Single Sign-on

Introduction

Conclusion

SAP E t i t l t t d d LDAP


53/56

SAP Enterprise portal supports open standard LDAP

integrates into exisiting LDAP Directories Existing groups can be used for role assignment

SAP Enterprise portal provides SSO using SAP Logon Tickets to

SAP systems

MS based applications

SAP provides DLL to use integrated windows authentication as

SSO to EP

SAP Enterprise Portal serves as an

end-to-end SSO solution

Q&A: Single sign-on to Microsoft Systems


54/56

References

SSO2KerbMap Module Download & Dokumentation:


55/56

SSO2KerbMap Module Download & Dokumentation:

SAP Software Distribution Center: http://service.sap.com/swdc -> Searchand search for the string sso22kerbmap

SAP Note 735639 SSO2 To Kerberos Mapping Filter: Known issueshttp://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=DISPL_TXT&_NNUM=735639&_NLANG=E

SAP Application Integrator HowTo:

http://service.sap.com/EP60howtoguides

Customizing MS Outlook Web Access:

http://www.microsoft.com/technet/prodtechnol/exchange/2000/library/CUSTOWA.mspx

http://www.msexchange.org/articles/Exchange_2003_Outlook_Web_Access_Themes.html

Microsoft 2003 Kerberos Constrained Delegation: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technolog

ies/security/constdel.mspx

http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express

Copyright 2004 SAP AG. All Rights Reserved


56/56

permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors.

Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of

Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,

OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix

and Informix Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.

ORACLE is a registered trademark of ORACLE Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and

other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium,

Massachusetts Institute of Technology.

JAVA is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented

and implemented by Netscape.

MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned

herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in

several other countries all over the world. All other product and service names mentioned are the trademarks of

their respective companies.

sap ad integration of sso and user management_sap

Documents

sso user

ldap directories sap

sap webas

user master data

user logonprocedure

security system user

saplogon tickets sap

sap enterprise portal