TRANSCRIPT
SAP Enterprise Portal 6.0: User Management & Security
Version: November 24, 2003
SAP AG 2002, SAP Enterprise Portal 6.0: User Management & Security / 2
Disclaimer
This document contains an overview of the planned User Management & Security features of the SAP Enterprise Portal 6.0 (some of the features are planned to be available for Unrestricted Shipment Phase only). It is subject to change. Please take care that you are always using the newest version of that presentation!
SAP AG assumes no responsibility for errors or omissions in these materials.
These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP AG shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.
SAP AG does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP AG has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.
Topics
- Overview
- New Features EP 6.0
- Authentication
- Single Sign-On (SSO)
- Authorization
- User Management
- Secure Communication
- Secure Network Architecture
Enterprise Portal 6.0 – Security Features
[Diagram: the Portal Server at the centre, surrounded by the security features Authentication, Single Sign-On, Authorization, User Management and Secure Communication, with the User Persistence Store and a Third-Party System as connected components.]
Architecture Overview
[Diagram: Web Browser, PDA, etc. connect through a Web Server to SAP Enterprise Portal 6.0, which runs on a Java Application Server (SAP J2EE Engine). The Portal Server comprises the Portal Runtime (PRT) and the Portal Services, among them the User Management Service (User, Group, Role, Persistence Manager), Authentication and SSO. The Persistence layer consists of Database, LDAP Directory and SAP System; the Backend Systems sit behind the portal.]
New Features EP 6.0 – Authentication
- Multiple authentication methods in parallel
- Multiple user sources in parallel
- Anonymous users: logon without authentication
- Authorization depending on authentication method: an iView can require certain logon methods (e.g. digital certificates)
- Interface for pluggable third-party authentication: Java Authentication and Authorization Service (JAAS) standard
- Partner certification program (planned)
  - Web access management products
  - Other external authentication services (e.g. hardware tokens)
New Features EP 6.0 – Single Sign-On (SSO)
- SAP logon ticket expiration recovery: recovery of the previous state of the portal if the SAP logon ticket expires and the user has to log on again
- Ticket Verification Library
  - UNIX platforms (planned)
  - Java language
New Features EP 6.0 – Authorization
- Authorization for Portal Content
  - All content under administrative control of the portal
  - Based on Access Control Lists (ACLs)
New Features EP 6.0 – User Management
- Web-based user administration
- End user self-registration
  - User can create an account in the portal
  - Workflow for approval of the registration request by an administrator
- Password management & policies
  - Configurable expiration dates
  - Initial passwords and change at first login
  - Limit of failed logon attempts
- Flexible user persistence layer: LDAP directory, database or SAP system as user store
- Delegated administration
Authentication – Initial Logon Procedure
- Verification of the user’s identity
- Initial logon procedure to authenticate the user
- Various authentication methods
  - User ID / password
  - X.509 digital certificates
  - Third-party authentication
    - Windows authentication
    - Web Access Management (WAM) products
    - Others through the JAAS interface
- Anonymous users: logon without authentication
Authentication Schemes
- Define the authentication process
  - Credentials to be supplied
  - User interaction required (e.g. logon screens)
  - Priority of the authentication scheme (how strong it is)
- Attached to the user’s session
- Allow different authentication mechanisms to be enforced for different content (iViews)
- Re-authentication is required if an iView requires a “stronger” authentication scheme than the one attached to the session
Authentication: User ID / Password
- Logons are provided as
  - Form-based logon (iView)
  - Basic authentication (HTTP status 401)
- The Portal Server verifies the provided user ID / password against the user persistence store
- An SAP logon ticket is issued (later used for Single Sign-On)
[Diagram: the browser sends user ID / password to the Portal Server over SSL; the Portal Server verifies them against the User Persistence Store (also over SSL), performs User ID Mapping via the Portal Database and returns an SAP Logon Ticket.]
Authentication: Digital Certificates
- Authentication of the user through the SSL protocol
  - The user presents his digital certificate to the Web server during the SSL handshake
  - The Web server performs SSL client authentication
- The Portal Server checks whether the user presented the correct certificate
  - Prerequisite: the client certificate has to be mapped to a portal user
- An SAP logon ticket is issued (later used for Single Sign-On)
[Diagram: the X.509 certificate presented over SSL is compared by the Portal Server with the certificate mapped to the portal user (User ID Mapping in the Portal Database, User Persistence Store); the Portal Server then returns an SAP Logon Ticket.]
Getting a Digital Certificate
- Digital certificates must be X.509v3 compliant
- Various options possible:
  - Using SAP Trust Center Service
    - For SAP users only
    - Free of charge
    - Portal Server acts as Registration Authority (planned)
  - Setting up an internal PKI system: buy software from a CA product vendor
  - Using an external PKI system: contract with a Trust Center Service
SAP Trust Center Service: Enrollment Process
[Diagram with three actors: Web Browser, Portal Server, SAP Trust Center Service. Steps as numbered on the slide:]
1. Log on using SAP user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Web browser generates key pair and sends the SAP Passport request
4. Send approved certificate request
5. The SAP Trust Center Service verifies naming conventions and issues the certificate
6. Log on using the SAP Passport
Third-Party Authentication
- Authentication using an external authentication service
- Windows authentication
- Integration of Web Access Management (WAM) products
- Other authentication methods through pluggable JAAS Login Modules
Windows Authentication
- Authentication is delegated to the Windows operating system*
- Process with HTTP Basic Authentication:
  - The user has to enter his or her Windows user ID and password (HTTP Basic Authentication)
  - The Windows Domain Controller authenticates the portal user
  - Used when the Enterprise Portal is accessible from the Extranet
- Process with Windows Integrated Authentication (NTLM):
  - The previous logon to the Windows operating system can be reused
  - The user is not required to reenter his or her Windows authentication credentials
  - Used when the Enterprise Portal is a pure Intranet portal and only MS IE is used
* Requires Microsoft IIS 5.0 as Web server
Integration of Web Access Management Products
- An external Web Access Management (WAM) product authenticates the portal user
- Technical integration using a JAAS Login Module:
  - Generic module provided for reading HTTP header variables
  - Custom implementation (e.g. to verify a provided cookie)
- The Portal Server logs the user on to the portal (the user must reside in the portal user persistence store)
- Seamless integration, only configuration required
- Partner certification program for WAM vendors or integration on a project-specific basis
Pluggable Authentication
- Plug-in interface for authentication modules
- Interface defined by the Java Authentication and Authorization Service (JAAS) standard
- Each authentication scheme can define one or more JAAS Login Modules
- http://java.sun.com/products/jaas
- Partner certification program or integration on a project-specific basis
SSO – SAP Logon Tickets
- SAP logon tickets represent the user credentials
- The Portal Server issues an SAP logon ticket to a user after successful initial authentication
- The SAP logon ticket is stored as a per-session cookie in the client browser
- The SAP logon ticket is used to authenticate the user to applications
  - The user gets access to multiple applications and services
  - After the initial logon no further user logons are required
- Cross-domain support (planned)
SAP Logon Tickets – SSO Process
[Diagram: after the Initial Logon, the browser presents the SAP Logon Ticket to the SAP System and an External System in the Intranet as well as to any other Web page on the Internet.]
SAP Logon Ticket – Contents
- SAP logon tickets contain:
  - User ID(s)
  - Authentication scheme
  - Validity period
  - Issuing system
  - Digital signature
- SAP logon tickets do NOT contain any passwords!
- Strong security:
  - Digitally signed by the Portal Server
  - Authenticity and integrity protection through the digital signature
SAP Logon Tickets & Security
- The SAP logon ticket serves as an authentication token and therefore needs to be protected from unauthorized usage
- Validity period
- Authenticity and integrity protection using a digital signature
- Confidentiality protection through the SSL protocol while in transport
Verifying the SAP Logon Ticket: SAP Systems
[Diagram: the SAP Component System, holding the Portal Server’s public-key certificate, receives the SAP Logon Ticket.]
- Step 1: Verification of the digital signature provided with the SAP logon ticket.
- Step 2: Logon using the user ID which is stored in the SAP logon ticket. No additional authentication using password or certificate necessary.
Verifying the SAP Logon Ticket: Non-SAP Systems
The non-SAP component must:
- Make sure the SAP logon ticket has been issued by a trusted Portal Server
  - Accept the certificate of the Portal Server
  - Verify the Portal Server’s digital signature in the SAP logon ticket
  - A Ticket Verification Library that can be linked to non-SAP systems, or a Web Server Filter, are provided for this
- Extract the user ID from the SAP logon ticket
  - The Ticket Verification Library or the Web Server Filter extract the user ID from the SAP logon ticket
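The ticket contents listed above and the checks a receiving component must perform, as an added example (not SAP code and not the Ticket Verification Library). The real ticket is signed with the Portal Server's private key and checked against its public-key certificate; this example keeps the signature check behind a callable and plugs in an HMAC stand-in with a constructed key so it runs with the standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace


class TicketError(Exception):
    """Raised when an SAP logon ticket must be rejected."""


@dataclass(frozen=True)
class LogonTicket:
    """The fields the slide lists for an SAP logon ticket; note: no password."""
    user_id: str
    auth_scheme: str
    valid_from: int      # validity period, epoch seconds
    valid_to: int
    issuer: str          # issuing system (the Portal Server)
    signature: str       # digital signature over all other fields

    def signed_payload(self) -> bytes:
        fields = asdict(self)
        fields.pop("signature")
        return json.dumps(fields, sort_keys=True).encode()


# Stand-in for the Portal Server's signing key (constructed for this example).
# HMAC replaces the asymmetric signature only so the example is self-contained.
DEMO_SIGNING_KEY = b"constructed-demo-key"


def demo_sign(payload: bytes) -> str:
    return hmac.new(DEMO_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def demo_verify(issuer: str, payload: bytes, signature: str) -> bool:
    # A real verifier would select the certificate belonging to `issuer` here.
    return hmac.compare_digest(demo_sign(payload), signature)


def issue_ticket(user_id, auth_scheme, issuer, now, lifetime_s=8 * 3600, sign=demo_sign):
    """What the Portal Server does after a successful initial logon."""
    unsigned = LogonTicket(user_id, auth_scheme, now, now + lifetime_s, issuer, "")
    return replace(unsigned, signature=sign(unsigned.signed_payload()))


def tampered(ticket, **changes):
    """Copy of a ticket with fields altered; used to show that any change breaks the signature."""
    return replace(ticket, **changes)


def verify_ticket(ticket, trusted_issuers, now, verify=demo_verify):
    """Checks a receiving (non-SAP) component performs, in order: trusted issuer,
    digital signature, validity period. Only then is the user ID taken from the
    ticket and the user logged on without a password. Returns (user_id, auth_scheme)."""
    if ticket.issuer not in trusted_issuers:
        raise TicketError("ticket not issued by a trusted Portal Server")
    if not verify(ticket.issuer, ticket.signed_payload(), ticket.signature):
        raise TicketError("digital signature does not verify")
    if not ticket.valid_from <= now <= ticket.valid_to:
        raise TicketError("ticket outside its validity period")
    return ticket.user_id, ticket.auth_scheme


def ticket_status(ticket, trusted_issuers, now):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_ticket(ticket, trusted_issuers, now)
        return "ok"
    except TicketError as err:
        return str(err)
```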
SSO to non-SAP Components Using SAP Logon Tickets
Two alternatives:
- Web Server Filter: (1) the filter in the Web Server verifies the SAP Logon Ticket against the Portal Server’s public-key certificate; (2) the Application User ID is passed on to the Non-SAP Component System in an HTTP header field.
- Ticket Verification Library: (1) the Non-SAP Component System receives the SAP Logon Ticket; (2) it calls the Ticket Verification Library through its Application Programming Interface (API), which verifies the ticket against the Portal Server’s public-key certificate; (3) the library returns the Application User ID.
SSO – Account Aggregation
- Used if the external system does not support SAP logon tickets
- Portal components connect to the external system with the user’s credentials (user ID and password)
- User mapping and credentials information are stored in the Portal Database
- The administrator maps users using the administration iView, typically to map groups and roles
- The user maps his or her own credentials using the portal personalization function
Example mapping table from the slide:
Portal User          SAP User   Siebel User ID / Password
Michael_Schumacher   d050011    903845233, {yu323ab}
Anna_Kournikova      i052340    230982029, {34u0nap}
Tiger_Woods          i043536    324098211, {wq9itxm1}
Cathy Freeman        i048347    202377724, {12onxc85}
Authorization – Overview
- Authorization Concept for Portal Content
  - Objects in the Portal Content Directory (PCD) are controlled by Access Control Lists (ACLs).
  - Permissions Editor
- Knowledge Management
  - Authorization for unstructured data
  - Permissions for users, groups and roles via ACLs
- Backend Applications
  - The user receives authorization in the business application according to its authorization policy.
Authorization Concept for Portal Content
- Objects in the Portal Content Directory (PCD) are controlled by Access Control Lists (ACLs)
- An ACL defines permissions for principals (user, group or role); for example, the ACL specifies the roles that can access the iView
- ACL Service: enforces permissions for portal objects at runtime
- Permissions Editor: GUI for administering ACLs for portal objects
Access Control Lists (ACLs)
- The portal object creator is automatically the ACL owner
- Only the ACL owner can
  - Add or remove owners for the object’s ACL
  - Grant permissions to a principal
- Inheritance of permissions: if no ACL exists for a PCD object, the permissions are inherited from the parent’s ACL
- Administrator permissions (design time): None, Read, Read/Write, Full Control (ACL owner)
- End-user permissions (run time): Enabled/Disabled
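The ACL rules on this slide (creator becomes owner, only owners change the ACL, inheritance from the nearest parent ACL, design-time levels versus the run-time Enabled/Disabled flag) as an added model (not the portal's ACL Service). The slash-separated PCD paths and the string principals such as "role:hr_editor" are assumptions made for the example.

```python
from enum import IntEnum


class AdminPerm(IntEnum):
    """Administrator (design-time) permission levels, weakest to strongest."""
    NONE = 0
    READ = 1
    READ_WRITE = 2
    FULL_CONTROL = 3  # what an ACL owner holds


class ACL:
    def __init__(self, owners):
        self.owners = set(owners)
        self.admin = {o: AdminPerm.FULL_CONTROL for o in owners}  # principal -> AdminPerm
        self.end_user = {}  # principal -> bool (run-time Enabled/Disabled)


class PCD:
    """Portal Content Directory modelled as slash-separated paths. An object
    either carries its own ACL or inherits the nearest ancestor's."""

    def __init__(self):
        self._acls = {}

    def create(self, path, creator, own_acl=True):
        # The creator automatically becomes the ACL owner.
        if own_acl:
            self._acls[path] = ACL([creator])

    def effective_acl(self, path):
        parts = path.split("/")
        for depth in range(len(parts), 0, -1):
            candidate = "/".join(parts[:depth])
            if candidate in self._acls:
                return self._acls[candidate]
        return None

    def can_administer_acl(self, path, actor):
        # Only owners may change an ACL, and an inherited ACL is changed at the
        # object that carries it, so the object itself must have one.
        acl = self._acls.get(path)
        return acl is not None and actor in acl.owners

    def _own_acl_for(self, path, actor):
        if not self.can_administer_acl(path, actor):
            raise PermissionError(f"{actor} is not an ACL owner of {path}")
        return self._acls[path]

    def add_owner(self, path, actor, new_owner):
        acl = self._own_acl_for(path, actor)
        acl.owners.add(new_owner)
        acl.admin[new_owner] = AdminPerm.FULL_CONTROL

    def grant(self, path, actor, principal, perm):
        self._own_acl_for(path, actor).admin[principal] = AdminPerm(perm)

    def set_end_user(self, path, actor, principal, enabled):
        self._own_acl_for(path, actor).end_user[principal] = bool(enabled)

    def admin_permission(self, path, principals):
        """Strongest design-time permission that any of the caller's principals
        (user ID, groups, roles) holds on the effective ACL."""
        acl = self.effective_acl(path)
        if acl is None:
            return AdminPerm.NONE
        return max((acl.admin.get(p, AdminPerm.NONE) for p in principals),
                   default=AdminPerm.NONE)

    def end_user_enabled(self, path, principals):
        """Run-time check: the object is shown if any principal is Enabled."""
        acl = self.effective_acl(path)
        return acl is not None and any(acl.end_user.get(p, False) for p in principals)
```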
Architecture Overview – User Management Engine
[Diagram: Applications accessing user management (the SAP Enterprise Portal among them) call the User API, User Account API, Group API and Role API of the User Management Core Layer. Below it, the Persistence Manager reads and writes the User Persistence Store (Database, LDAP Directory, SAP System) through Persistence Adapters, and the Replication Manager replicates user data to an External System.]
Persistence Manager
- Central place for reading and writing user-specific data
  - Users
  - Groups
  - Role assignments
- Uses Persistence Adapters to read/write data
- Supports database, LDAP directory and SAP system as repository
[Diagram: User Management Core Layer → Persistence Manager → Persistence Adapters → User Persistence Store (Database, LDAP Directory, SAP System).]
Persistence Manager
- User Partitioning: specific user sets can be distributed across different repositories
  - Example: self-registered, external users are stored in the Database, internal users in LDAP Directories
- Attribute Partitioning: specific user attributes can be distributed across different repositories
  - Example: role assignments (portal-specific data) are stored in the Database, general user data (application independent) in the LDAP Directory
Persistence – Supported Repositories
- Database: Oracle 9.2, Microsoft SQL Server 2000, IBM DB2/UDB
- LDAP Directory: Novell eDirectory, Sun ONE Directory Server, Microsoft ADS, Siemens DirX
- SAP System: SAP Web Application Server 6.20 or higher
For details please see the Product Availability Matrix at http://service.sap.com/pam60
Portal Database
Stores portal-specific data:
- Basic user data
- Basic group data
- User group assignment
- User/group role assignment
- User mapping (for SSO purposes)
- User roles (metadata)
- Content role assignment
- User’s personalization data
[Diagram: the Portal Server with a PCD Instance and a UM Instance, attached to the User Persistence Store (LDAP Directory, Database or SAP System) and to the Portal Database.]
Replication Manager
- Replication of user data to external systems
- Provisioning for external systems that cannot use the supported user repositories
- Notification when users are created or modified
- Data exchange via XML documents
- One-way replication of user data (Portal → External System)
[Diagram: User Management Core Layer → Replication Manager → External System.]
Replication – Supported External Systems
- External System: SAP Basis 4.6D, SAP Web Application Server 6.10 or higher
  - Business Add-Ins (BAdIs) supported
- Example: portal user provisioning to SAP systems (BW, SRM, CRM) through the Replication Manager
User Administration
- Administration GUI completely based on iViews
- User Administration Functions:
  - Create users
  - Copy users
  - Modify users
  - Search for users
  - Create groups
  - Assign users to group(s)
  - Assign users and groups to role(s)
  - Set or auto-create password
  - Set date & time for user account activation
  - Lock/unlock users
  - View user account history
  - Approve/deny self-registered users
  - Adapt attributes contained in self-registration
  - E-mail notifications for specified events
Password Management
- Administration Functions
  - Configure password policies
  - Set initial password for user
  - Let the system auto-create a password for the user
  - Reset password
  - Customizable “Forgot Password” process
- Password Policies
  - Min./max. length
  - Numeric characters allowed/mandatory
  - Password different from UID
  - Mixed case required
  - Special characters required
  - Password expiry time period (days)
  - Password must be changed at next logon
  - Number of failed logon attempts before the account is locked
User Self-Service
- The user can change his or her profile
  - User profile
  - Portal language
  - User password
  - User mapping information (SSO)
- The user can set a new password
  - During logon (for initial passwords, when expired)
  - By changing the user profile
- The user can request a new password (sent to the user by e-mail)
- User self-registration
  - The user fills out a simple registration form
  - The user immediately becomes a guest user
  - The user waits for approval by an administrator to become a company user
Delegated User Administration – Company Concept
- Delegated user administration is based on the company concept
  - A company is a set of users
  - User administration can be done per company, by a company administrator for all the users within that company
- Role assignment
  - If the company concept is enabled, the list of users for role assignment is limited
  - A company administrator can only assign users belonging to his company
- User self-registration & approval workflow
  - The company concept allows for user self-registration with an approval workflow
  - When registering, users can specify which company they belong to
  - Approval or rejection is done by the company administrator
Security Logging & Auditing
- Logging of all security relevant information
  - User login (successful/failed)
  - IP address of the user logged in
  - User logoff
  - User created/modified
  - User approval/denial
  - User locked/unlocked
  - Role assignment changed
- Logging information is stored in a log file
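Two audit checks an operator can run over the event types listed above, as an added example (not SAP tooling). The slide does not give the log file's format, so the line layout, event names and the sample lines below are constructed for the example; only the event categories come from the slide.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample covering the slide's event types (format is an assumption).
SAMPLE_LOG = """\
2003-11-24 08:00:01 LOGIN_OK user=anna ip=10.1.1.10
2003-11-24 08:01:00 LOGIN_FAILED user=anna ip=192.0.2.7
2003-11-24 08:01:05 LOGIN_FAILED user=tiger ip=192.0.2.7
2003-11-24 08:01:11 LOGIN_FAILED user=cathy ip=192.0.2.7
2003-11-24 08:01:20 LOGIN_FAILED user=michael ip=192.0.2.7
2003-11-24 08:01:31 LOGIN_FAILED user=cathy ip=192.0.2.7
2003-11-24 08:01:32 USER_LOCKED user=cathy by=system
2003-11-24 08:03:00 USER_UNLOCKED user=cathy by=hradmin
2003-11-24 08:05:00 LOGIN_FAILED user=anna ip=10.1.1.10
2003-11-24 08:05:30 LOGIN_OK user=anna ip=10.1.1.10
2003-11-24 08:10:00 LOGOFF user=anna ip=10.1.1.10
2003-11-24 09:00:00 ROLE_ASSIGNED user=tiger role=hr_admin by=hradmin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")


def parse_log(text):
    """Turn log lines into dicts with a parsed timestamp; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "event": m["event"]}
        for pair in m["kv"].split():
            key, value = pair.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed logons inside a sliding window.
    Returns [(ip, failed_count, distinct_user_ids)]; the distinct-user count lets
    the reviewer separate one person's typos from guessing across many accounts."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["event"] == "LOGIN_FAILED":
            by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, events in sorted(by_ip.items()):
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {r["user"] for r in events[start:end + 1]}
                alerts.append((ip, end - start + 1, len(users)))
                break
    return alerts


def quick_unlocks(records, window=timedelta(minutes=5)):
    """Accounts unlocked within `window` of being locked, with who unlocked them.
    The lockout is the policy's brake on failed logons, so a fast unlock is
    worth a second look by the auditor."""
    last_lock = {}
    findings = []
    for rec in records:
        if rec["event"] == "USER_LOCKED":
            last_lock[rec["user"]] = rec["ts"]
        elif rec["event"] == "USER_UNLOCKED" and rec["user"] in last_lock:
            if rec["ts"] - last_lock[rec["user"]] <= window:
                findings.append((rec["user"], rec["by"]))
    return findings
```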
Secure Communication – Features
- Secure, encrypted communication between client, Portal Server, persistence layer, and backend systems
- Support of industry-standard security protocols
  - Secure Sockets Layer (SSL)
  - Secure Network Communications (SNC)
- Features
  - Confidentiality
  - Authenticity
  - Integrity
Secure Communication – Overview
[Diagram of the protocol used on each hop, DMZ on the left and Intranet on the right:]
- Web Browser → Security Proxy (Web Server, Reverse Proxy) in the DMZ: HTTP over SSL
- Security Proxy → Portal Server (Dispatcher and Portal Server on the SAP J2EE Engine, connected internally via P4): HTTP over SSL
- Portal Server → User Persistence Store: Database via JDBC over SSL*, LDAP Directory via LDAP over SSL, SAP System via RFC with SNC
- Portal Server → Backend Systems: SAP System via RFC with SNC, Web applications (SAP, non-SAP) via HTTP over SSL
* Depending on JDBC provider
Secure Network Architecture – Overview
- The network architecture needs to protect your business needs without allowing unauthorized access
- Highly sensitive systems and components need to be protected (Portal Server, Persistence Layer, Backend Applications)
- Locate them in a separate area that is sealed off from network attacks from outside and inside
- Application servers, database servers, and directory servers should only be accessible via a demilitarized zone (DMZ) that is protected by firewalls
Secure Network Architecture – Enterprise Portal 6.0
[Diagram of the network zones, from the Front End to the Intranet / Backend: the Client; an External Firewall; the DMZ with the Security Proxy (Web Server, Reverse Proxy, etc.); an Internal Firewall; DMZ-2 with the Portal Servers (incl. Content Management) and Retrieval & Classification (TREX); a further Firewall; and the Intranet / Backend with the Application Servers and the Persistence Layer (Database Servers, Corporate Directory Server).]
Enterprise Portal 6.0 – A Portal For More Security
- Authentication using various methods: user ID/password, digital certificates, third-party authentication
- Single Sign-On (SSO): secure, digitally signed SAP logon tickets; account aggregation via user ID/password mapping
- Authorization: ACL-based authorization for portal content
- Secure communication between client, portal, and enterprise application servers (SSL, SNC)
- User Management: support for LDAP directory servers, databases or SAP systems as user persistence store; user self-registration (incl. approval process); delegated administration
Q&A
Questions?
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.
Copyright 2003 SAP AG. All Rights Reserved