SAP Enterprise Portal 6.0: User Management & Security Version: November 24, 2003


Page 1: SAP Enterprise Portal 6.0: User Management & Security

SAP Enterprise Portal 6.0: User Management & Security

Version: November 24, 2003

Page 2: SAP Enterprise Portal 6.0: User Management & Security

SAP AG 2002, SAP Enterprise Portal 6.0: User Management & Security / 2

Disclaimer

This document contains an overview of the planned User Management & Security features of the SAP Enterprise Portal 6.0 (some of the features are planned to be available for Unrestricted Shipment Phase only). It is subject to change. Please take care that you are always using the newest version of that presentation!

SAP AG assumes no responsibility for errors or omissions in these materials.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP AG shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP AG does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP AG has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

Page 3: SAP Enterprise Portal 6.0: User Management & Security

Overview

Topics:

New Features EP 6.0

Authentication

Single Sign-On (SSO)

Authorization

User Management

Secure Communication

Secure Network Architecture

Page 5: SAP Enterprise Portal 6.0: User Management & Security

Enterprise Portal 6.0 – Security Features

[Diagram: the Portal Server in the centre, surrounded by the security features covered in this presentation: Authentication, Single Sign-On, Authorization, Secure Communication and User Management. The User Persistence Store and a Third-Party System are attached to the Portal Server.]

Page 6: SAP Enterprise Portal 6.0: User Management & Security

Architecture Overview

[Diagram: Web Browser, PDA, etc. connect through a Web Server to a Java Application Server (SAP J2EE Engine) hosting SAP Enterprise Portal 6.0. Inside it: the Portal Server with the Portal Runtime (PRT) and the Portal Services (Authentication, SSO, ...), among them the User Management Service with its User, Group and Role Persistence Manager. Persistence: Database, LDAP Directory, SAP System. Backend Systems run on a further Java Application Server (SAP J2EE Engine).]

Page 8: SAP Enterprise Portal 6.0: User Management & Security

New Features EP 6.0 – Authentication

Multiple authentication methods in parallel

Multiple user sources in parallel

Anonymous users
  Logon without authentication

Authorization depending on authentication method
  iView requires certain logon methods (e.g. digital certificates)

Interface for pluggable third-party authentication
  Java Authentication and Authorization Service (JAAS) standard

Partner certification program (planned)
  Web access management products
  Other external authentication services (e.g. hardware tokens)

Page 9: SAP Enterprise Portal 6.0: User Management & Security

New Features EP 6.0 – Single Sign-On (SSO)

SAP logon ticket expiration recovery
  Recovery of the previous state of the portal if the SAP logon ticket expires and the user has to log on again

Ticket Verification Library
  UNIX platforms (planned)
  Java language

Page 10: SAP Enterprise Portal 6.0: User Management & Security

New Features EP 6.0 – Authorization

Authorization for Portal Content
  All content under administrative control of the portal
  Based on Access Control Lists (ACLs)

Page 11: SAP Enterprise Portal 6.0: User Management & Security

New Features EP 6.0 – User Management

Web-based user administration

End user self-registration
  User can create an account in the portal
  Workflow for approval of the registration request by an administrator

Password management & policies
  Configurable expiration dates
  Initial passwords and change at first login
  Limit on failed logon attempts

Flexible user persistence layer
  LDAP directory, database or SAP system as user store

Delegated administration

Page 13: SAP Enterprise Portal 6.0: User Management & Security

Authentication – Initial Logon Procedure

Verification of the user’s identity

Initial logon procedure to authenticate the user

Various authentication methods
  User ID / password
  X.509 digital certificates
  Third-party authentication
    Windows authentication
    Web Access Management (WAM) products
    Others through the JAAS interface

Anonymous users
  Logon without authentication

Page 14: SAP Enterprise Portal 6.0: User Management & Security

Authentication Schemes

Define the authentication process
  Credentials to be supplied
  User interaction required (e.g. logon screens)
  Priority of the authentication scheme (how strong it is)

Attached to the user’s session

Allow to enforce different authentication mechanisms for different content (iViews)

Re-authentication required in case the iView requires a “stronger” authentication scheme

Page 15: SAP Enterprise Portal 6.0: User Management & Security

Authentication: User ID / Password

Logons are provided as
  Form-based logon (iView)
  Basic authentication (HTTP Status 401)

Portal Server verifies the provided user ID / password against the user persistence store

SAP logon ticket is issued (later used for Single Sign-On)

[Diagram: the user ID / password travels over SSL to the Portal Server; the Portal Server verifies it, over SSL, against the User Persistence Store, performs the User ID Mapping with the Portal Database and returns an SAP Logon Ticket to the browser.]

Page 16: SAP Enterprise Portal 6.0: User Management & Security

Authentication: Digital Certificates

Authentication of the user through the SSL protocol
  User presents his digital certificate to the Web server during the SSL handshake
  Web server performs SSL client authentication

Portal Server checks if the user presented the correct certificate
  Prerequisite: Client certificate has to be mapped to a portal user

SAP logon ticket is issued (later used for Single Sign-On)

[Diagram: the X.509 certificate is presented over SSL; the Portal Server compares it with the certificate mapped to the portal user (User ID Mapping in the Portal Database, User Persistence Store) and issues an SAP Logon Ticket.]

Page 17: SAP Enterprise Portal 6.0: User Management & Security

Getting a Digital Certificate

Digital certificates must be X.509v3 compliant

Various options possible:
  Using SAP Trust Center Service
    For SAP users only
    Free of charge
    Portal Server acts as Registration Authority (planned)
  Setting up an internal PKI system
    Buy software from a CA product vendor
  Using an external PKI system
    Contract with a Trust Center Service

Page 18: SAP Enterprise Portal 6.0: User Management & Security

SAP Trust Center Service: Enrollment Process

[Diagram with the participants Web Browser, Portal Server and SAP Trust Center Service; the numbered steps of the slide are:]

1. Log on using SAP user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Web browser generates key pair and sends the SAP Passport request
4. Send approved certificate request (to the SAP Trust Center Service)
5. SAP Trust Center Service verifies naming conventions and issues certificate
6. Log on using the SAP Passport

Page 19: SAP Enterprise Portal 6.0: User Management & Security

Third-Party Authentication

Authentication using an external authentication service

Windows authentication

Integration of Web Access Management (WAM) products

Other authentication methods through pluggable JAAS Login Modules

Page 20: SAP Enterprise Portal 6.0: User Management & Security

Windows Authentication

Authentication is delegated to the Windows operating system*

Process with HTTP Basic Authentication:
  User has to enter his or her Windows user ID and password (HTTP Basic Authentication)
  Windows Domain Controller authenticates the portal user
  When the Enterprise Portal is accessible from the Extranet

Process with Windows Integrated Authentication (NTLM):
  Previous logon to the Windows operating system can be reused
  User is not required to reenter his or her Windows authentication credentials
  When the Enterprise Portal is a pure Intranet portal and only MS IE is used

* Requires Microsoft IIS 5.0 as Web server

Page 21: SAP Enterprise Portal 6.0: User Management & Security

Integration of Web Access Management Products

External Web Access Management (WAM) product authenticates the portal user

Technical integration using a JAAS Login Module:
  Generic module provided for reading HTTP header variables
  Custom implementation (e.g. to verify a provided cookie)

Portal Server logs the user on to the portal (user must reside in the portal user persistence store)

Seamless integration, only configuration required

Partner certification program for WAM vendors or integration on a project-specific basis

Page 22: SAP Enterprise Portal 6.0: User Management & Security

Pluggable Authentication

Plug-in interface for authentication modules

Interface defined by the Java Authentication and Authorization Service (JAAS) standard

Each authentication scheme can define one or more JAAS Login Modules

http://java.sun.com/products/jaas

Partner certification program or integration on a project-specific basis

Page 24: SAP Enterprise Portal 6.0: User Management & Security

SSO – SAP Logon Tickets

SAP logon tickets represent the user credentials

Portal Server issues an SAP logon ticket to a user after successful initial authentication

SAP logon ticket is stored as a per-session cookie on the client browser

SAP logon ticket is used to authenticate the user to applications
  User gets access to multiple applications and services
  After initial logon no further user logons required

Cross domain support (planned)

Page 25: SAP Enterprise Portal 6.0: User Management & Security

SAP Logon Tickets – SSO Process

[Diagram: after the Initial Logon the browser holds the SAP Logon Ticket and presents it to an SAP System and an External System in the Intranet as well as to any other Web page on the Internet.]

Page 26: SAP Enterprise Portal 6.0: User Management & Security

SAP Logon Ticket – Contents

SAP logon tickets contain:
  User ID(s)
  Authentication scheme
  Validity period
  Issuing system
  Digital signature

SAP logon tickets do NOT contain any passwords!

Strong Security:
  Digitally signed by the Portal Server
  Authenticity and integrity protection through the digital signature

Page 27: SAP Enterprise Portal 6.0: User Management & Security

SAP Logon Tickets & Security

SAP logon ticket serves as authentication token and therefore needs to be protected from unauthorized usage

Validity period

Authenticity and integrity protection using a digital signature

Confidentiality protection through the SSL protocol while in transport

Page 28: SAP Enterprise Portal 6.0: User Management & Security

Verifying the SAP Logon Ticket: SAP Systems

[Diagram: the browser presents the SAP Logon Ticket to an SAP Component System that holds the Portal Server’s public-key certificate.]

Step 1: Verification of the digital signature provided with the SAP logon ticket.

Step 2: Logon using the user ID which is stored in the SAP logon ticket. No additional authentication using password or certificate necessary.

Page 29: SAP Enterprise Portal 6.0: User Management & Security

Verifying the SAP Logon Ticket: Non-SAP Systems

The non-SAP component must:

Make sure the SAP logon ticket has been issued by a trusted Portal Server
  Accept the certificate of the Portal Server

Verify the Portal Server’s digital signature in the SAP logon ticket
  A Ticket Verification Library that can be linked to non-SAP systems, or a Web Server Filter, is provided

Extract the user ID from the SAP logon ticket
  The Ticket Verification Library and the Web Server Filter extract the user ID from the SAP logon ticket
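The three checks on slides 26 to 29 (trusted issuer, signature, validity period, then user ID extraction) in the order a verifying component should perform them, as an added example that is not part of the presentation and not SAP's Ticket Verification Library. The real ticket is signed with the Portal Server's private key and checked against its public-key certificate; this self-contained version stands in an HMAC keyed with a per-issuer secret for that signature so it runs with the standard library alone. The field names, encoding, key material and user IDs are constructed for the example and are not SAP's ticket format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: issuer name -> verification key.  This plays the role of the
# "accepted certificate" of a trusted Portal Server.  Any issuer absent from
# this table is untrusted, whatever its ticket claims.
TRUSTED_ISSUERS = {
    "portal-prod": b"constructed-verification-key-for-portal-prod",
}


class TicketError(Exception):
    """Raised when a ticket must not be accepted; the message says why."""


def issue_ticket(issuer, user_ids, auth_scheme, valid_seconds, key, now=None):
    """Portal Server side: build and sign a ticket.  No password field exists."""
    now = int(time.time()) if now is None else now
    body = {
        "user_ids": list(user_ids),    # portal user ID plus mapped user IDs
        "auth_scheme": auth_scheme,    # how the user was initially authenticated
        "not_before": now,
        "not_after": now + valid_seconds,
        "issuer": issuer,
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode("utf-8"))
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(signature)


def verify_ticket(ticket, trusted_issuers, now=None):
    """Non-SAP component side.  Returns (user_ids, auth_scheme) or raises TicketError.

    Only the issuer name is read before the signature check, and only to pick
    the key; every other field is trusted solely after the signature verifies.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig_b64 = ticket.split(b".")
        body = json.loads(base64.urlsafe_b64decode(payload))
        signature = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError, AttributeError):   # base64 and JSON errors included
        raise TicketError("malformed ticket")
    if not isinstance(body, dict):
        raise TicketError("malformed ticket")
    key = trusted_issuers.get(body.get("issuer"))
    if key is None:
        raise TicketError("issuer is not a trusted Portal Server")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):      # constant-time comparison
        raise TicketError("digital signature does not verify")
    try:
        if not (int(body["not_before"]) <= now <= int(body["not_after"])):
            raise TicketError("ticket outside its validity period")
        user_ids = list(body["user_ids"])
        scheme = str(body["auth_scheme"])
    except (KeyError, TypeError, ValueError):
        raise TicketError("ticket is missing required fields")
    if not user_ids:
        raise TicketError("ticket carries no user ID")
    return user_ids, scheme


def _forged_copy(ticket, new_user_id):
    """Negative test case: same ticket with the user ID swapped and the old
    signature kept, i.e. what the signature check must reject."""
    payload, sig_b64 = ticket.split(b".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["user_ids"] = [new_user_id]
    forged = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode("utf-8"))
    return forged + b"." + sig_b64


def classify(ticket, now, trusted_issuers=TRUSTED_ISSUERS):
    """Turn the verification outcome into one line for logging or display."""
    try:
        user_ids, scheme = verify_ticket(ticket, trusted_issuers, now=now)
    except TicketError as exc:
        return "rejected: " + str(exc)
    return "accepted: " + user_ids[0] + " via " + scheme


if __name__ == "__main__":
    issued_at = 1069632000                                  # constructed timestamp
    good = issue_ticket("portal-prod", ["d050011"], "basicauthentication",
                        8 * 3600, TRUSTED_ISSUERS["portal-prod"], now=issued_at)
    print(classify(good, issued_at + 60))                   # accepted
    print(classify(good, issued_at + 9 * 3600))             # validity period over
    print(classify(_forged_copy(good, "i052340"), issued_at + 60))   # signature fails
    unknown = issue_ticket("portal-unknown", ["d050011"], "basicauthentication",
                           3600, b"some-other-key", now=issued_at)
    print(classify(unknown, issued_at + 60))                # issuer not trusted
```

The forged copy still decodes cleanly and names a trusted issuer, so the issuer check and the field parsing alone would pass it; only the signature check, performed with the key of the issuer the ticket names, stops it. That is why the slide's order (trusted issuer first, signature second, user ID last) matters.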

Page 30: SAP Enterprise Portal 6.0: User Management & Security

SSO to non-SAP Components Using SAP Logon Tickets

Two alternatives:

Web Server Filter
  [Diagram: (1) the browser sends the SAP Logon Ticket to the Web Server; (2) the Web Server Filter verifies it with the Portal Server’s public-key certificate and passes the application user ID to the Non-SAP Component System in an HTTP header field.]

Ticket Verification Library
  [Diagram: (1) the SAP Logon Ticket reaches the Non-SAP Component System; (2) the application calls the Ticket Verification Library through its Application Programming Interface (API), which verifies the ticket with the Portal Server’s public-key certificate; (3) the library returns the application user ID.]

Page 31: SAP Enterprise Portal 6.0: User Management & Security

SSO – Account Aggregation

If the external system does not support SAP logon tickets

Portal components connect to the external system with the user’s credentials (user ID and password)

User mapping and credentials information are stored in the Portal Database

Administrator maps users using the administration iView
  Typically to map groups and roles

User maps own credentials using the portal personalization function

Example mapping table from the slide:

Portal User          SAP User   Siebel User ID / Password
Michael_Schumacher   d050011    903845233, {yu323ab}
Anna_Kournikova      i052340    230982029, {34u0nap}
Tiger_Woods          i043536    324098211, {wq9itxm1}
Cathy Freeman        i048347    202377724, {12onxc85}

Page 33: SAP Enterprise Portal 6.0: User Management & Security

Authorization – Overview

Authorization Concept for Portal Content
  Objects in the Portal Content Directory (PCD) are controlled by Access Control Lists (ACLs).
  Permissions Editor

Knowledge Management
  Authorization for unstructured data
  Permissions for users, groups and roles via ACLs

Backend Applications
  User receives authorization in the business application according to its authorization policy.

Page 34: SAP Enterprise Portal 6.0: User Management & Security

Authorization Concept for Portal Content

Objects in the Portal Content Directory (PCD) are controlled by Access Control Lists (ACLs)

ACL defines permissions for principals (user, group or role)
  For example, the ACL specifies the roles that can access the iView

ACL Service
  Enforces permissions for portal objects at runtime

Permissions Editor
  GUI for administering ACLs for portal objects

Page 35: SAP Enterprise Portal 6.0: User Management & Security

Access Control Lists (ACLs)

Portal object creator is automatically the ACL owner

Only the ACL owner can
  Add or remove owners for the object’s ACL
  Grant permissions to a principal

Inheritance of permissions
  If no ACL exists for a PCD object, the permissions are inherited from the parent’s ACL

Administrator permissions (Design Time)
  None
  Read
  Read/Write
  Full Control (ACL owner)

End-User permissions (Run Time)
  Enabled/Disabled
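The ownership, grant and inheritance rules of this slide as a small runnable model, added here as an example; it is not the Portal Content Directory's ACL Service or its API. Paths, principal names and method names are constructed for the example. It also shows the consequence of the inheritance rule that the slide leaves implicit: an object with its own ACL does not inherit anything from its parent, so a permission granted higher up in the tree stops at that object.

```python
# Design-time (administrator) permission levels in increasing order; the
# end-user permission is a separate Enabled/Disabled flag per principal.
PERMISSION_RANK = {"None": 0, "Read": 1, "Read/Write": 2, "Full Control": 3}


class PcdAclStore:
    """Constructed model of ACLs attached to PCD objects addressed by '/' paths."""

    def __init__(self):
        self.objects = {}   # path -> creator, for every PCD object that exists
        self.acls = {}      # path -> {"owners": set, "grants": {...}, "end_user": {...}}

    def create_object(self, path, creator, own_acl=True):
        """Register a PCD object.  With own_acl the creator automatically owns the
        object's ACL; without one the object inherits its parent's permissions."""
        self.objects[path] = creator
        if own_acl:
            self.acls[path] = {"owners": {creator},
                               "grants": {creator: "Full Control"},
                               "end_user": {}}

    def is_owner(self, path, actor):
        acl = self.acls.get(path)
        return acl is not None and actor in acl["owners"]

    def grant(self, path, actor, principal, permission):
        """Only an ACL owner may grant; returns False and changes nothing otherwise."""
        if permission not in PERMISSION_RANK or not self.is_owner(path, actor):
            return False
        self.acls[path]["grants"][principal] = permission
        return True

    def add_owner(self, path, actor, new_owner):
        """Only an existing owner may add owners; owners hold Full Control."""
        if not self.is_owner(path, actor):
            return False
        self.acls[path]["owners"].add(new_owner)
        self.acls[path]["grants"][new_owner] = "Full Control"
        return True

    def set_end_user(self, path, actor, principal, enabled):
        """Run-time Enabled/Disabled flag; owner-only like every other ACL change."""
        if not self.is_owner(path, actor):
            return False
        self.acls[path]["end_user"][principal] = bool(enabled)
        return True

    def governing_acl(self, path):
        """Walk up the PCD tree to the nearest object that has its own ACL."""
        if path not in self.objects:
            return None
        while path:
            if path in self.acls:
                return self.acls[path]
            path = path.rsplit("/", 1)[0] if "/" in path else ""
        return None

    def effective_permission(self, path, principals):
        """Highest design-time permission held by any of the caller's principals
        (the caller's user, group and role names are all principals)."""
        acl = self.governing_acl(path)
        if acl is None:
            return "None"
        best = "None"
        for principal in principals:
            perm = acl["grants"].get(principal, "None")
            if PERMISSION_RANK[perm] > PERMISSION_RANK[best]:
                best = perm
        return best

    def end_user_enabled(self, path, principals):
        """True if the governing ACL enables any of the caller's principals at run time."""
        acl = self.governing_acl(path)
        return acl is not None and any(acl["end_user"].get(p, False) for p in principals)


if __name__ == "__main__":
    store = PcdAclStore()
    store.create_object("pcd:portal_content/sales", "user:admin_a")
    store.grant("pcd:portal_content/sales", "user:admin_a", "role:content_admin", "Read/Write")
    store.set_end_user("pcd:portal_content/sales", "user:admin_a", "role:sales_user", True)
    # No ACL of its own: inherits from .../sales
    store.create_object("pcd:portal_content/sales/iview_orders", "user:admin_a", own_acl=False)
    # Own ACL created by a different administrator: nothing is inherited
    store.create_object("pcd:portal_content/sales/iview_forecast", "user:admin_b")
    for obj in ("pcd:portal_content/sales/iview_orders", "pcd:portal_content/sales/iview_forecast"):
        print(obj, store.effective_permission(obj, ["user:bob", "role:content_admin"]))
```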

Page 37: SAP Enterprise Portal 6.0: User Management & Security

Architecture Overview – User Management Engine

[Diagram: Applications Accessing User Management in the SAP Enterprise Portal use the User API, User Account API, Group API and Role API of the User Management Core Layer. Below the core layer, the Persistence Manager reaches the User Persistence Store (Database, LDAP Directory, SAP System) through Persistence Adapters, and the Replication Manager connects to an External System.]

Page 38: SAP Enterprise Portal 6.0: User Management & Security

Persistence Manager

Central place for reading and writing user-specific data
  Users
  Groups
  Role assignments

Uses Persistence Adapters to read/write data

Supports database, LDAP directory and SAP system as repository

[Diagram: User Management Core Layer -> Persistence Manager -> Persistence Adapters -> User Persistence Store (Database, LDAP Directory, SAP System).]

Page 39: SAP Enterprise Portal 6.0: User Management & Security

Persistence Manager

User Partitioning
  Specific user sets can be distributed across different repositories
  Example: self-registered, external users in the Database; internal users in the LDAP Directories

Attribute Partitioning
  Specific user attributes can be distributed across different repositories
  Example: role assignments (portal-specific data) in the Database; general user data (application independent) in the LDAP Directory
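Both partitioning examples from the slide combined in one routing layer, added here as an illustration; it is not the portal's Persistence Manager or its adapter interface. The adapter class, the rule that decides who counts as an internal user (a constructed user-ID prefix) and the set of portal-specific attributes are assumptions made for the example.

```python
class MemoryAdapter:
    """Constructed stand-in for a Persistence Adapter (database, LDAP, SAP system)."""

    def __init__(self, name):
        self.name = name
        self.records = {}           # user_id -> {attribute: value}

    def write(self, user_id, attributes):
        self.records.setdefault(user_id, {}).update(attributes)

    def read(self, user_id):
        return dict(self.records.get(user_id, {}))

    def delete(self, user_id):
        self.records.pop(user_id, None)


# Attribute partitioning: portal-specific data that always lives in the portal
# database, whichever repository holds the user's general data.
PORTAL_SPECIFIC = {"roles", "groups"}


class PersistenceManager:
    """Routes reads and writes by user set (user partitioning) and by attribute
    (attribute partitioning), then merges the pieces back into one user record."""

    def __init__(self, database, ldap, is_internal):
        self.database = database
        self.ldap = ldap
        self.is_internal = is_internal      # user partitioning rule

    def general_store(self, user_id):
        """Internal users: corporate LDAP directory; self-registered/external: database."""
        return self.ldap if self.is_internal(user_id) else self.database

    def write_user(self, user_id, attributes):
        general = {k: v for k, v in attributes.items() if k not in PORTAL_SPECIFIC}
        portal = {k: v for k, v in attributes.items() if k in PORTAL_SPECIFIC}
        if general:
            self.general_store(user_id).write(user_id, general)
        if portal:
            self.database.write(user_id, portal)

    def read_user(self, user_id):
        record = self.general_store(user_id).read(user_id)
        portal_part = self.database.read(user_id)
        record.update({k: v for k, v in portal_part.items() if k in PORTAL_SPECIFIC})
        return record

    def delete_user(self, user_id):
        """Both partitions must be cleared, or role assignments outlive the user."""
        self.general_store(user_id).delete(user_id)
        self.database.delete(user_id)

    def repository_for(self, user_id, attribute):
        """Name of the repository an attribute of this user is stored in."""
        if attribute in PORTAL_SPECIFIC:
            return self.database.name
        return self.general_store(user_id).name


if __name__ == "__main__":
    db, ldap = MemoryAdapter("database"), MemoryAdapter("ldap")
    # Constructed rule: self-registered users get an "ext_" prefix.
    pm = PersistenceManager(db, ldap, is_internal=lambda uid: not uid.startswith("ext_"))
    pm.write_user("d050011", {"lastname": "Schumacher", "roles": ["sales_manager"]})
    pm.write_user("ext_anna", {"lastname": "Kournikova", "roles": ["guest"]})
    for uid in ("d050011", "ext_anna"):
        print(uid, pm.read_user(uid), "lastname in", pm.repository_for(uid, "lastname"))
```

The delete path is the part worth noticing: with attribute partitioning a user exists in two repositories at once, so removing the record from the general store alone leaves the role assignments in the portal database behind.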

Page 40: SAP Enterprise Portal 6.0: User Management & Security

Persistence – Supported Repositories

Database
  Oracle 9.2
  Microsoft SQL Server 2000
  IBM DB2/UDB

LDAP Directory
  Novell eDirectory
  Sun ONE Directory Server
  Microsoft ADS
  Siemens DirX

SAP System
  SAP Web Application Server 6.20 or higher

For details please see the Product Availability Matrix at http://service.sap.com/pam60

Page 41: SAP Enterprise Portal 6.0: User Management & Security

Portal Database

[Diagram: the Portal Server with its PCD Instance and UM Instance; attached to it are the User Persistence Store (LDAP Directory, Database or SAP System) and the Portal Database, which stores portal-specific data. Data items shown on the slide:]
  Basic user data
  Basic group data
  User group assignment
  User/group role assignment
  User mapping (for SSO purposes)
  User Roles (Metadata)
  Content role assignment
  User’s personalization data

Page 42: SAP Enterprise Portal 6.0: User Management & Security

Replication Manager

Replication of user data to external systems

Provisioning for external systems that cannot use the supported user repositories

Notification when users are created or modified

Data exchange via XML documents

One-way replication of user data (Portal -> External System)

[Diagram: User Management Core Layer -> Replication Manager -> External System.]

Page 43: SAP Enterprise Portal 6.0: User Management & Security

Replication – Supported External Systems

External System
  SAP Basis 4.6D, SAP Web Application Server 6.10 or higher
  Business Add-Ins (BAdIs) supported

Example: Portal User Provisioning to SAP Systems
  [Diagram: Replication Manager -> BW, SRM, CRM]

Page 44: SAP Enterprise Portal 6.0: User Management & Security

User Administration

Administration GUI completely based on iViews

User Administration Functions:
  Create users
  Copy users
  Modify users
  Search for users
  Create groups
  Assign users to group(s)
  Assign users and groups to role(s)
  Set or auto-create password
  Set date & time for user account activation
  Lock/unlock users
  View user account history
  Approve/deny self-registered users
  Adapt attributes contained in self-registration
  E-Mail notifications for specified events

Page 45: SAP Enterprise Portal 6.0: User Management & Security

Password Management

Administration Functions
  Configure password policies
  Set initial password for user
  Let the system auto-create a password for the user
  Reset password
  Customizable “Forgot Password” process

Password Policies
  Min./max. length
  Numeric characters allowed/mandatory
  Password different from UID
  Mixed case required
  Special characters required
  Password expiry time period (days)
  Password must be changed at next logon
  Number of failed logon attempts before account is locked
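The policy items of this slide turned into a checker plus the account bookkeeping they imply (initial password changed at next logon, expiry after a number of days, lock after too many failed attempts), added here as an example; it is not the portal's password management code. Default values, the violation wording, the day-based clock and the `AccountState` fields are constructed for the example and are not the portal's configuration keys or defaults.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """One field per policy item on the slide; the defaults are constructed."""
    min_length: int = 8
    max_length: int = 64
    numeric_allowed: bool = True
    numeric_mandatory: bool = True
    mixed_case_required: bool = True
    special_required: bool = False
    expiry_days: int = 90
    max_failed_attempts: int = 5


SPECIAL = re.compile(r"[^A-Za-z0-9]")


def check_password(policy, user_id, password):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("shorter than minimum length")
    if len(password) > policy.max_length:
        violations.append("longer than maximum length")
    has_digit = any(c.isdigit() for c in password)
    if has_digit and not policy.numeric_allowed:
        violations.append("numeric characters not allowed")
    if policy.numeric_mandatory and policy.numeric_allowed and not has_digit:
        violations.append("numeric character required")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.mixed_case_required and not (has_lower and has_upper):
        violations.append("mixed case required")
    if policy.special_required and not SPECIAL.search(password):
        violations.append("special character required")
    if password.casefold() == user_id.casefold():
        violations.append("password must differ from user ID")
    return violations


@dataclass
class AccountState:
    user_id: str
    password_set_day: int            # day number on which the password was last set
    must_change: bool = False        # initial or reset password: change at next logon
    failed_attempts: int = 0
    locked: bool = False


def set_password(policy, account, new_password, today, initial=False):
    """Administrator 'set initial password' / 'reset' and the user's own change.
    Returns the violations; the state changes only when there are none."""
    violations = check_password(policy, account.user_id, new_password)
    if not violations:
        account.password_set_day = today
        account.must_change = initial
        account.failed_attempts = 0
    return violations


def password_expired(policy, account, today):
    return today - account.password_set_day >= policy.expiry_days


def record_logon_attempt(policy, account, success, today):
    """Update the lockout state after one logon attempt and say what the portal
    should do next: 'locked', 'denied', 'change_password' or 'ok'."""
    if account.locked:
        return "locked"                    # stays locked until an administrator unlocks
    if not success:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked = True
            return "locked"
        return "denied"
    account.failed_attempts = 0
    if account.must_change or password_expired(policy, account, today):
        return "change_password"
    return "ok"


def unlock(account):
    """Administrator function 'unlock user': clears the lock and the counter."""
    account.locked = False
    account.failed_attempts = 0


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password(policy, "d050011", "summertime"))
    account = AccountState("d050011", password_set_day=0)
    print(set_password(policy, account, "Nov24-2003", today=0, initial=True))
    print(record_logon_attempt(policy, account, True, today=1))   # change_password
```

A successful logon that happens while the account is locked still returns "locked": a correct password must not silently clear a lock that was triggered by failed attempts, since that would let the counter be reset from the outside.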

Page 46: SAP Enterprise Portal 6.0: User Management & Security

User Self-Service

User can change his or her profile
  User profile
  Portal language
  User password
  User mapping information (SSO)

User can set a new password
  During logon (for initial passwords, when expired)
  By changing the user profile

User can request a new password (sent to the user by E-Mail)

User self-registration
  User fills out a simple registration form
  User immediately becomes a guest user
  User waits for approval by an administrator to become a company user

Page 47: SAP Enterprise Portal 6.0: User Management & Security

Delegated User Administration – Company Concept

Delegated user administration based on the company concept
  A company is a set of users
  User administration can be done per company, by a company administrator for all the users within that company

Role assignment
  If the company concept is enabled, the list of users for role assignment is limited
  Company administrator can only assign users belonging to his company

User self-registration & approval workflow
  The company concept allows for user self-registration with an approval workflow
  When registering, users can specify which company they belong to
  Approval or rejection is done by the company administrator

Page 48: SAP Enterprise Portal 6.0: User Management & Security

Security Logging & Auditing

Logging of all security relevant information
  User login (successful/failed)
  IP address of the user logged in
  User logoff
  User created/modified
  User approval/denial
  User locked/unlocked
  Role assignment changed

Logging information is stored in a log file
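What a reviewer of such a log file would actually do with the event kinds listed on this slide, as an added example that is not part of the presentation: parse the lines and screen them for failed-logon bursts from one IP address, a successful logon from an address that just produced such a burst, lock events and role assignment changes. The line format, event names, sample lines, user IDs and addresses are all constructed for the example; the slide does not show the portal's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format: "<date> <time> <EVENT> user=<id> [ip=<addr>] [detail]".
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>[A-Z_]+) user=(?P<user>\S+)"
    r"(?: ip=(?P<ip>\S+))?(?: (?P<detail>.*))?$"
)

# Constructed sample log: one password-guessing pattern across several
# accounts from one address, one lock, one role change, one normal session.
SAMPLE_LOG = """\
2003-11-24 08:00:00 LOGIN_FAILED user=d050011 ip=10.1.2.3
2003-11-24 08:00:12 LOGIN_FAILED user=d050011 ip=10.1.2.3
2003-11-24 08:00:20 LOGIN_FAILED user=i052340 ip=10.1.2.3
2003-11-24 08:00:31 LOGIN_FAILED user=i043536 ip=10.1.2.3
2003-11-24 08:00:45 LOGIN_SUCCESS user=i043536 ip=10.1.2.3
garbage line that the parser must not choke on
2003-11-24 08:01:40 USER_LOCKED user=d050011 by=system
2003-11-24 08:03:20 ROLE_ASSIGNMENT_CHANGED user=i048347 by=admin_a role=super_admin
2003-11-24 08:05:00 LOGIN_SUCCESS user=i048347 ip=10.1.9.9
2003-11-24 08:06:40 LOGOUT user=i048347 ip=10.1.9.9
"""


def parse(text):
    """Return (events, rejected_lines).  Each event is a dict with a datetime 'ts'."""
    events, rejected = [], []
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            rejected.append(line)
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events, rejected


def screen(events, window_seconds=300, threshold=3):
    """Single pass over the events in log order; returns (kind, subject, detail) findings.

    Failed logons are counted per source address, not per user, so guessing
    that rotates through several user IDs from one address is still seen."""
    findings = []
    failures_by_ip = defaultdict(deque)
    flagged_ips = set()
    for ev in events:
        if ev["event"] == "LOGIN_FAILED" and ev["ip"]:
            window = failures_by_ip[ev["ip"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ev["ip"] not in flagged_ips:
                flagged_ips.add(ev["ip"])
                findings.append(("failed_logon_burst", ev["ip"],
                                 f"{len(window)} failures within {window_seconds}s"))
        elif ev["event"] == "LOGIN_SUCCESS" and ev["ip"] in flagged_ips:
            # A success right after a burst from the same address deserves a look.
            findings.append(("success_after_burst", ev["ip"], ev["user"]))
        elif ev["event"] == "USER_LOCKED":
            findings.append(("account_locked", ev["user"], ev["detail"] or ""))
        elif ev["event"] == "ROLE_ASSIGNMENT_CHANGED":
            # Every role change is worth a review entry regardless of who made it.
            findings.append(("role_change", ev["user"], ev["detail"] or ""))
    return findings


if __name__ == "__main__":
    events, rejected = parse(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {len(rejected)} lines rejected")
    for finding in screen(events):
        print(finding)
```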

Page 50: SAP Enterprise Portal 6.0: User Management & Security

Secure Communication – Features

Secure, encrypted communication between client, Portal Server, persistence layer, and backend systems

Support of industry-standard security protocols
  Secure Sockets Layer (SSL)
  Secure Network Communications (SNC)

Features
  Confidentiality
  Authenticity
  Integrity

Page 51: SAP Enterprise Portal 6.0: User Management & Security

Secure Communication – Overview

[Diagram of the connections and their protection, as far as recoverable from the slide:]
  Web Browser -> Security Proxy (Web Server, Reverse Proxy) in the DMZ: HTTP, protected by SSL
  Security Proxy -> Portal Server (Dispatcher, SAP J2EE Engine, P4) in the Intranet: HTTP, protected by SSL
  Portal Server -> User Persistence Store: Database via JDBC (SSL*), LDAP Directory via LDAP (SSL), SAP System via RFC (SNC)
  Portal Server -> Backend Systems: SAP System via RFC (SNC), Web Applications (SAP, non-SAP) via HTTP (SSL)

* Depending on JDBC provider

Page 53: SAP Enterprise Portal 6.0: User Management & Security

Secure Network Architecture – Overview

Network architecture needs to protect your business needs without allowing unauthorized access

Highly sensitive systems and components need to be protected (Portal Server, Persistence Layer, Backend Applications)

Locate them in a separate area that is sealed off from network attacks from outside and inside

Application servers, database servers, and directory servers should only be accessible via a demilitarized zone (DMZ) that is protected by firewalls

Page 54: SAP Enterprise Portal 6.0: User Management & Security

Secure Network Architecture – Enterprise Portal 6.0

[Diagram of the network zones from left to right, as far as recoverable from the slide:]
  Front End: Client
  External Firewall
  DMZ: Security Proxy (Web Server, Reverse Proxy, etc.)
  Internal Firewall
  DMZ-2: Portal Servers (incl. Content Management)
  Firewall
  Intranet / Backend (Persistence Layer): Application Servers, Retrieval & Classification (TREX), Database Servers, Corporate Directory Server

Page 56: SAP Enterprise Portal 6.0: User Management & Security

Enterprise Portal 6.0 – A Portal For More Security

Authentication using various methods
  User ID/password, digital certificates, third-party authentication

Single Sign-On (SSO)
  Secure, digitally signed SAP logon tickets
  Account aggregation via user ID/password mapping

Authorization
  ACL-based authorization for portal content

Secure communication
  Between client, portal, and enterprise application servers (SSL, SNC)

User Management
  Support for LDAP directory servers, databases or SAP systems as user persistence store
  User self-registration (incl. approval process)
  Delegated administration

Page 57: SAP Enterprise Portal 6.0: User Management & Security


Q&A

Questions?

Page 58: SAP Enterprise Portal 6.0: User Management & Security

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.

ORACLE® is a registered trademark of ORACLE Corporation.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

Copyright 2003 SAP AG. All Rights Reserved