SAP NetWeaver Cloud Security Tutorial Single Sign-On and Identity Federation with SAP NetWeaver Single Sign-On


Page 1: SAP NetWeaver Cloud Security Tutorial - …a248.g.akamai.net/n/248/420835/b02a52b84f434d2c5d90201b16b7bde… · SAP NetWeaver Cloud Security Tutorial. Single Sign-On and Identity


SAP NetWeaver Cloud Security Tutorial

2

TABLE OF CONTENTS

OVERVIEW 3

PREREQUISITES AND REQUIREMENTS 4

GETTING STARTED 4

STEP 1: ESTABLISH TRUST TO SAP NETWEAVER CLOUD IN ITELO’S CORPORATE IDP 6

STEP 2: CREATE TEST USERS AND GROUPS IN THE CORPORATE USER DIRECTORY 9

STEP 3: ESTABLISH TRUST TO ITELO’S CORPORATE IDP IN SAP NETWEAVER CLOUD 13

STEP 4: CONFIGURE IDENTITY FEDERATION IN ITELO’S CORPORATE IDP 15

STEP 5: CONFIGURE IDENTITY FEDERATION IN SAP NETWEAVER CLOUD 19

STEP 6: TEST THE END-TO-END SCENARIO 22

TROUBLESHOOTING TIPS 24
  IdP Debug Logs 24
  SP Debug Logs 24
  User Agent SAML Message Trace 25

REFERENCES 26


This tutorial is part of a series on how to set up Single Sign-On (SSO) and Identity Federation between the SAP NetWeaver Cloud platform and existing identity and access management (IAM) systems. In this document, a complete end-to-end scenario for integrating SAP NetWeaver Cloud with SAP NetWeaver Single Sign-On will be implemented based on the Security Assertion Markup Language (SAML) 2.0 protocol.

OVERVIEW

Based on the enterprise scenario in the SAP NetWeaver Cloud SSO and Identity Federation whitepaper [1], the sample application for leave request management (xLeave) running on the SAP NetWeaver Cloud platform acts as the SAML Service Provider (SP) that requires user authentication to obtain access to protected resources. As specified by the SAML protocol [2], the system responsible for verifying the identity of authorized users is the Identity Provider (IdP). In this tutorial, the IdP is an existing system running on-premise in the corporate network. The IdP is connected to the corporate directory server, which manages the accounts of all users that are allowed to access the SP in the Cloud. In this role, the IdP can verify the username and password the user enters to log in to the SAP NetWeaver Cloud application against the credentials stored in the corporate directory. Upon successful login, the IdP confirms the user’s identity to the trusted SP in the Cloud, and the user is logged on without being asked again for the username and password.

Figure 1 Federation Scenario Overview

Figure 1 illustrates the setup based on the enterprise scenario in [1] of the fictitious company ITelO. In this tutorial, ITelO runs SAP NetWeaver Single Sign-On 1.0 [3]. For Identity Federation with SAML, SAP NetWeaver Single Sign-On offers a SAML 2.0 compliant Identity Provider, which uses the underlying User Management Engine (UME) as the user store. UME can be configured to either use its own persistency or connect to an LDAP Directory as Data Source [4]. In the scenario setup, ITelO employees have an account in UME’s local database, which runs on SAP Sybase Adaptive Server Enterprise, and are assigned to UME roles. Using the SAML 2.0 protocol in the scenario, ITelO employees will be able to (single) sign on to the xLeave leave request application in the SAP NetWeaver Cloud using their corporate credentials. With Kerberos/SPNEGO in place for SSO in the ITelO corporate network, the user is actually only required to enter the domain username and password once in the morning when she logs on to ITelO’s Kerberos Domain. Any subsequent logons, including authentication at ADFS during a SAML-based sign-on to the SAP NetWeaver Cloud, will happen completely transparently from the user’s perspective.

As SAP NetWeaver Cloud has no permanent user storage, SAP NetWeaver Single Sign-On must issue the additional user profile data required by the xLeave application in the Cloud. Along with the user name used to log in at the IdP, attributes such as the employee’s first name, last name and company employee id are also added to the authentication statement (SAML Assertion) in the SAML Response sent back to the SP running on SAP NetWeaver Cloud. This also includes the employee’s internal role assignments in UME, which are required to authorize certain actions of the logged-in user in the Cloud. To avoid complex and error-prone data synchronization and double maintenance of group or role assignments in the on-premise IAM system and the xLeave application, permissions in the Cloud are calculated dynamically using the information obtained from the SAML Assertion that the IdP issues for each authenticated user. The NetWeaver Cloud account administrator can define a set of rules for mapping each authenticated user to roles used by the applications running on SAP NetWeaver Cloud. Such a rule, translated into human-readable form, could be something like this: "If a user authenticated by the trusted corporate IdP idp.itelo.corp has a SAML 2.0 assertion with the attribute role which contains the value Manager, assign this user to the group Managers on SAP NetWeaver Cloud", or "Any user authenticated by the trusted corporate IdP idp.itelo.corp will be assigned to the group iteloEmployees" (assuming that IdP idp.itelo.corp only manages accounts from company ITelO).

As described in [1], the xLeave application defines two web roles in its web.xml file following standard Java EE conventions: Employee and Manager (see Figure 2).

Figure 2 xLeave web role definitions in web.xml

Those roles will be mapped based on a role attribute in the SAML response which contains the current group assignment in UME of the logged-in employee.

PREREQUISITES AND REQUIREMENTS

To deploy the xLeave application on the Cloud, you need a trial [7] or productive account on the SAP NetWeaver Cloud platform. For more information, see [8]. You can download the complete source code from [6], import it as a project in Eclipse, and deploy from there using the SAP NetWeaver Cloud Eclipse tools. For more information about installing and configuring these tools, see [9].

Alternatively, the download also contains a WAR file of the application, which can be deployed with the SAP NetWeaver Cloud Console Client neo and the deploy command, e.g.

  neo deploy -s c:\xleave.war -a <your account name> -h netweaver.ondemand.com -u <your SCN user ID> -b xleave

In addition, an instance of the SAP SAML 2.0 Identity Provider is required, which is part of SAP NetWeaver Single Sign-On 1.0 or higher. To successfully implement the scenario in this tutorial, the underlying SAP NetWeaver AS Java has to be on one of the following release levels:

- 7.2 SP8 or later
- 7.3 SP7 with SAP Note 1704179
- 7.3 SP8 or later versions

The DNS name of the IdP instance is idp.itelo.corp running on port 50001 (HTTPS). The operating system is SUSE Linux Enterprise Server 11 SP1.


GETTING STARTED

Setting up the federation scenario comprises six steps in total, which are explained in more detail in the following sections:

1. Establish trust to SAP NetWeaver Cloud in ITelO’s corporate IdP
2. Create test users and groups in the corporate user directory
3. Establish trust to ITelO’s corporate IdP in SAP NetWeaver Cloud
4. Configure identity federation in ITelO’s corporate IdP
5. Configure identity federation in SAP NetWeaver Cloud
6. Test the end-to-end scenario


STEP 1: ESTABLISH TRUST TO SAP NETWEAVER CLOUD IN ITELO’S CORPORATE IDP

The first step in this tutorial is about adding a new Trusted Provider in SAP NetWeaver Single Sign-On for the xLeave application on SAP NetWeaver Cloud. Before you can create the new Trusted (Service) Provider, the SAP NetWeaver Cloud account administrator must maintain the SP configuration for his account. After completing this step, SAP NetWeaver Single Sign-On will accept SAML Authentication Requests from the SAP NetWeaver Cloud platform.


Before establishing the trust relationship in SAP NetWeaver Single Sign-On to the xLeave application, the Service Provider (SP) of your account in SAP NetWeaver Cloud must be configured. Open the Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account) and log in as an administrator for your SAP NetWeaver Cloud account. Go to Trust > Local Service Provider, click on the Edit button, and make the following changes:

Configuration Type: Custom
Local Provider Name: https://netweaver.ondemand.com/demo

Click on the Generate Key Pair button to create a new Signing Key and Certificate pair for your SP in the Cloud.

Click on Save to store your new settings.

To simplify the creation of the new Trusted Provider in SAP NetWeaver Single Sign-On, export the SP SAML metadata in SAP NetWeaver Cloud by clicking on the Get Metadata link and store the SAML 2.0 metadata file on the local file system.

Open the SAP NetWeaver Administrator (NWA) in a Web Browser with URL https://idp.itelo.corp/nwa. Log in with user Administrator and switch to the tab Configuration.

On the Security page, select the link Authentication and Single Sign-On.

Select the tab SAML 2.0 and click on Trusted Providers to add a new trusted SP for SAP NetWeaver Cloud.

From the menu of the Add button, select Upload Metadata File.

In the first step of the New Trusted Service Provider wizard, click Browse… and select the SAML2 metadata file you have just downloaded from SAP NetWeaver Cloud and stored locally.

Confirm the new Trusted Service Provider name from the metadata import and click on Next.


Again, the SAP NetWeaver Cloud Service Provider signing certificate is already configured as it is also included in the imported SAML 2.0 Metadata file. Keep the preconfigured settings and click on Next.

The SAML 2.0 Assertion Consumer Endpoint, to which ITelO’s Corporate IdP will send the SAML Response, is also included in the SAML 2.0 Metadata. Thus, keep the preconfigured settings and click Next.

Again, keep the preconfigured settings for the Single Log-Out Endpoints, and click Next.

As there are no Artifact Endpoints defined in the SAML 2.0 Metadata file of the SAP NetWeaver Cloud Service Provider, just continue with Next.

To complete the wizard, click on Finish. Trust is now established to ITelO’s Service Provider in the SAP NetWeaver Cloud.


STEP 2: CREATE TEST USERS AND GROUPS IN THE CORPORATE USER DIRECTORY

Now it is time to create the users and groups for the scenario. Two users and two groups will be created in UME:

- John Doe, who is a member of the group Employees
- Jane Smith, who is a member of the group Managers

Click on the Home link and go to Configuration > Security > Identity Management > Overview.

First, a new user profile attribute for the employee id is added to the UME configuration. Click on Configuration and select the User Admin UI tab. In the field Administrator-Managed Custom Attributes, enter “EmployeeID”.

Click on Save All Changes to apply the new attribute.

Select Role from the Search Criteria dropdown box.

Click on the Create Role button.

In the Details section, enter “Employee” in Unique Name and click on Save to add the new role.

Repeat the two previous steps and enter “Manager” as the Unique Name.


Switch back the Search Criteria to User.

Click on Create User.

In the Details section of the new user, enter the following data:

Logon ID: jdoe

Define/Confirm Password: init1234

Last Name: Doe

First Name: John

E-Mail Address: [email protected]

Next, select the Additional Information tab.

Enter “Sales” in the Department field and select the Customized Information tab.

Enter “12345” in the EmployeeID field and select the Assigned Roles tab.

Enter “Employee” in the Search Criteria and click on Go.

In the search result list, select the Employee role and click on the Add button to assign the role to the user.

Click on Save to create the new user.

Click on Create User again to create the second user Jane Smith.

In the Details section of the new user, enter the following data:

Logon ID: jsmith

Define/Confirm Password: init1234

Last Name: Smith

First Name: Jane

E-Mail Address: [email protected]

Next, select the Additional Information tab.

Enter “Sales” in the Department field and select the Customized Information tab.

Enter “98765” in the EmployeeID field and select the Assigned Roles tab.

Enter “Manager” in the Search Criteria and click on Go.

In the search result list, select the Manager role and click on the Add button to assign the role to the user.

Click on Save to create the new user.


STEP 3: ESTABLISH TRUST TO ITELO’S CORPORATE IDP IN SAP NETWEAVER CLOUD

Now the trust relationship must also be established in the opposite direction, i.e. the Cloud must also trust the corporate IdP in order to complete the end-to-end message flow defined by the SAML protocol. As a result of creating a trusted IdP in the SAP NetWeaver Cloud account, the SAML Response sent by ADFS will be accepted by the xLeave application and can be used to log in the user.

Go back to the SAP NetWeaver Cloud Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account), or log in again as an administrator for your SAP NetWeaver Cloud account. Select Trust > Trusted Identity Provider and select the Add Trusted Identity Provider link.

Enter the following data in the General tab for the new trusted IdP:

Name: idp.itelo.corp
Description: ITelO Corp. NetWeaver IDP
Assertion Consumer Service: Assertion Consumer Service
Single Sign-on URL: https://idp.itelo.corp:50001/saml2/idp/sso
Single Sign-on Binding: HTTP-Redirect
Single Logout URL: https://idp.itelo.corp:50001/saml2/idp/slo
Single Logout Binding: HTTP-Redirect
Signature Algorithm: SHA-1
Signing Certificate: <please refer to the next step>
User ID Source: subject

Note: The above URLs for Single Sign-on and Single Logout are based on the assumption that the SAP NetWeaver Single Sign-On server runs on a host with the DNS name idp.itelo.corp and SSL port 50001. If your IP/DNS setup is different, the URLs need to change as well.


In SAP NetWeaver Administrator, go to tab Configuration and click on the link Certificates and Keys. In the list of Key Storage Views, select the one with name SAML2. Scroll down to the section Details of view “SAML2”. Select the entry with name SAML2Signing-cert and click on the Export Entry button. In the dialog box, select Base64 X.509 from the Select export format dropdown box, and click on the Download link to save the certificate.

Click on Save & Close to create a new trusted IdP in your SAP NetWeaver Cloud account.

With this step the basic trust configuration is complete, and the trust relationship is now established on both sides. Next, the federation settings to share and map user profile attributes will be configured.


STEP 4: CONFIGURE IDENTITY FEDERATION IN ITELO’S CORPORATE IDP

Based on the established trust relationship, SAP NetWeaver Single Sign-On must now be configured to issue the employee’s user profile attributes required by xLeave. These include the following data:

- First name
- Last name
- Employee ID
- Organization Unit (i.e. department name)
- Role (i.e. “Employee” or “Manager”)

Go back to the SAP NetWeaver Administrator, and select Configuration > Security > Authentication and Single Sign-On.

To issue the new employee id custom profile attribute, you first have to add it to the list of attributes the IdP can issue in an assertion. On the SAML 2.0 tab, select the Local Provider link and switch to the User Attributes tab. Click on Edit, then on Add.

Enter the following data:

Alias: Employee ID
Name: EmployeeID

Click on OK to add the new user attribute to the list of IdP profile attributes. Click on Save to save the IdP changes.

Click on the Trusted Providers link and select the new Trusted Service Provider with name “https://netweaver.ondemand.com/demo” from the list. Click on Edit.

On the Identity Federation tab, click on the Add button to define the format of the user’s ID in the SAML Response.


In the Name ID Format dialog, select Format Name Unspecified and Source Name Logon ID. Click on OK.

Scroll down to the section Details of Name ID Format “Unspecified” and switch to the tab Profile Attributes. Click on the Add button to expose a new user profile attribute with the SAML Assertion.

Enter fname for the SAML2 Attribute and select First Name from the User Attribute list. Click on OK to add the new User Profile Attribute.

Repeat the two last steps for the following profile attributes (SAML2 Attribute -> User Attribute):

lname -> Last Name
orgid -> Department
empid -> Employee ID

Then switch to the Authorization Attributes tab to add the “role” profile attribute.

Click on the Add button.

In the new row, click with mouse pointer in the SAML2 Attribute input field and enter the name role. For the Type, select Role from the list.


Click on the Modify button to edit the Filter of the new authorization-based attribute.

In the search field, enter “Employee” and click on Go. In the result list, select the Employee role and click on Add to add it to the list of Selected Roles of the filter.

Enter “Manager” in the search field and click on Go. In the result list, select the Manager role and click on Add to add it to the list of Selected Roles of the filter.

Click on OK to close the dialog.

Click on Save to save the changes in the Service Provider’s federation settings.


Click on Enable to activate the new Service Provider for the SAP NetWeaver Cloud account.


STEP 5: CONFIGURE IDENTITY FEDERATION IN SAP NETWEAVER CLOUD

The previous step configured the issuance of the required user profile attributes by the ADFS IdP. Now those attributes have to be mapped to the attributes used by the xLeave application. Special attention will be given to the “role” attribute, which is used to map the logged in user to a role defined by the xLeave application.

More information about federated authorizations and attribute mapping can be found in [1].

Go to the SAP NetWeaver Cloud Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account) and log in as an administrator for your SAP NetWeaver Cloud account. Click on Authorizations in the top-level navigation bar and switch to the Groups tab.

In the field Group, enter “Employees” and click on Show Roles.

Now a new role can be added to the new group Employees by clicking on the Assign button.

In the new dialog box, select Application “xleave” and Role “Employee”. Click on Save to assign it to the group.

Repeat the two steps by entering “Managers” in the Group field and press Show Roles again.


Now select the “Manager” role from “xleave” application and add it to the new group Managers by clicking on Save.

With the new groups “Employees” and “Managers” being mapped to the corresponding web roles in the xLeave application, the federation settings can be configured. In Trust, select the Trusted Identity Provider tab and select the entry “http://idp.itelo.corp/adfs/services/trust” of the ADFS IdP to edit its settings.

Switch to the Groups tab and click on the Add Assertion-Based Group link. Enter “Employees” in the Group field and define one Mapping Rule as follows:

Assertion Attribute: role
Rule Operation: equals
Rule Value: Employee

Every user with a role attribute containing the specified value will now be assigned to the group Employees in the Cloud, which contains the web role Employee from the xLeave application.

Repeat the previous step for the Managers group. Click on the Add Assertion-Based Group and enter “Managers” in the Group field. The mapping rule should be defined as follows:

Assertion Attribute: role

Rule Operation: equals

Rule Value: Manager


Switch to the Attributes tab to define the mappings of the incoming SAML Assertion attributes to the user principal attributes used by the xLeave application. Click on the Add Assertion-Based Attribute link. In the new empty row, enter “fname” for the Assertion Attribute, and map it to the Principal Attribute with name “firstname” (as referred to in the xLeave application code). Repeat the step to add the remaining mappings (Assertion Attribute -> Principal Attribute):

lname -> lastname
orgid -> orgId
empid -> userId

Note: Mappings are CASE-SENSITIVE!

To save your new federation settings, click on the Save & Close button.
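As an added illustration (not the tutorial's own code and not SAP's implementation), the following Python reproduces the federation logic described in the Overview and configured in Step 5: it parses a constructed assertion for Jane Smith, applies the assertion-based group rules and the case-sensitive attribute mappings, and ignores assertions from any issuer other than the trusted IdP idp.itelo.corp. The sample assertion omits the XML signature and Conditions, which a real SP validates before any mapping takes place.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trusted IdP name as registered in the Cloud account in Step 3.
TRUSTED_IDP = "idp.itelo.corp"

# Assertion-based group rules from Step 5: (assertion attribute, operation, value, group).
GROUP_RULES = [
    ("role", "equals", "Employee", "Employees"),
    ("role", "equals", "Manager", "Managers"),
]

# Assertion attribute -> principal attribute mappings from Step 5 (case-sensitive).
ATTRIBUTE_MAPPINGS = {"fname": "firstname", "lname": "lastname", "orgid": "orgId", "empid": "userId"}

# Group -> xLeave web role assignments from Step 5 (Authorizations > Groups).
GROUP_ROLES = {"Employees": ["Employee"], "Managers": ["Manager"]}

# Constructed sample: a minimal assertion as idp.itelo.corp would issue for Jane Smith after
# Step 4. Signature and Conditions are left out; the example covers attribute handling only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-01-01T08:00:00Z">
  <saml:Issuer>idp.itelo.corp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="fname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="orgid"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="empid"><saml:AttributeValue>98765</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer, subject NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return issuer, name_id, attrs


def evaluate_group_rules(attrs, rules=GROUP_RULES):
    """Apply the assertion-based group rules; a user may match several rules."""
    groups = []
    for attribute, operation, value, group in rules:
        if operation != "equals":
            raise ValueError("unsupported rule operation: %s" % operation)
        # "equals" is satisfied when any value of the (possibly multi-valued) attribute matches.
        if value in attrs.get(attribute, []) and group not in groups:
            groups.append(group)
    return groups


def map_attributes(attrs, mappings=ATTRIBUTE_MAPPINGS):
    """Rename assertion attributes to principal attributes; unmapped names are dropped.
    The lookup is an exact, case-sensitive match, as the tutorial's note requires."""
    return {mappings[name]: values[0] for name, values in attrs.items()
            if name in mappings and values}


def federate(xml_text, trusted_idp=TRUSTED_IDP):
    """Derive the Cloud user principal (ID, attributes, groups, web roles) from an assertion."""
    issuer, name_id, attrs = parse_assertion(xml_text)
    if issuer != trusted_idp:
        # The rules are bound to one trusted IdP; any other issuer gets no mapping at all.
        raise ValueError("assertion issuer %r is not the trusted IdP %r" % (issuer, trusted_idp))
    groups = evaluate_group_rules(attrs)
    roles = [role for group in groups for role in GROUP_ROLES.get(group, [])]
    return {"user_id": name_id, "attributes": map_attributes(attrs), "groups": groups, "roles": roles}


if __name__ == "__main__":
    print(federate(SAMPLE_ASSERTION))
```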


STEP 6: TEST THE END-TO-END SCENARIO

Now it’s time to test the complete end-to-end scenario with the two test users John Doe and Jane Smith. John will create a new leave request which will be approved by his manager Jane.


Start a new web browser on a computer with connectivity to the corporate IdP. You can also use the SAP NetWeaver Single Sign-On host itself. In the address bar, enter the URL of the xLeave application in the Cloud following the URL schema https://xleave<account name>.netweaver.ondemand.com/xleave

You will be redirected by the Cloud to the corporate IdP. Sign on to the IdP with John Doe’s domain credentials (User Name “jdoe”, Password “init1234”) on the SAP NetWeaver logon screen. Note that Intranet SSO (e.g. with SPNEGO) has been deactivated on the SAP NetWeaver AS for this test.

Since this is user jdoe’s first login, you have to change the initial password. Enter the old password again (“init1234”) and enter “abcd1234” for the new password.

Click on Change to continue.

Upon successful authentication at the IdP, you are logged in as user jdoe in the Cloud. All attributes from the corporate directory have been passed with the SAML Response to the xLeave application (e.g. OrgUnit “Sales” or the first and last name). As user John Doe has been dynamically assigned to the web role Employee based on the content of his “role” attribute, he can create a new leave request by clicking on the New request button.


Enter some data for the new leave request and click on Send to save it.

Click on the Logout button in the top right corner to log out.

You have now globally logged out from the IdP and SP. Click on the here link to log in again. This time, log in at the IdP with user name “jsmith” and password “init1234”. Again, you have to enter a new password. Use “abcd1234” and click on Change to continue.

Upon successful authentication at the IdP, Jane Smith is single signed-on to the xLeave application and assigned to the Cloud role “Manager”. Since she also belongs to the same OrgUnit as John (“Sales”), Jane can approve or reject John’s leave request. Click on Approve and log out from the xLeave application. Congratulations! With the completion of this step the scenario has been tested successfully.


TROUBLESHOOTING TIPS

In complex security setups like this, a single wrong configuration setting can break the interoperability between the IdP on-premise and the SP in the Cloud. Thus, it is important to know how to identify the root cause of an issue and where to start a detailed error analysis. For a SAML scenario, the potential places to look at are:

- IdP debug logs
- SP debug logs
- SAML message flow trace at the User Agent (Web Browser)

This section proposes different troubleshooting strategies according to those places.

IdP Debug Logs

The Security Troubleshooting Wizard in SAP NetWeaver AS Java is the ideal diagnostic tool for SAML-related troubleshooting. It can be turned on in the SAP NetWeaver Administrator web console following the navigation path Problem Management (or Troubleshooting, depending on your release level) > Logs and Traces.

Figure 3 Security Troubleshooting Wizard

As shown in Figure 3, detailed diagnosis for SAML on the IdP can be configured by selecting the item SAML 2.0 (Debug) from the list of incidents. After that, click on the button Start Diagnostics to collect the debug traces, and execute the logon process. After completing the process, click on Stop Diagnostics. The HTML file containing the trace log can be downloaded as a ZIP archive or viewed in the browser. More information can also be found in SAP Note 1332726 [10] on Troubleshooting SAML 2.0 in AS Java.

SP Debug Logs

Increasing the debug log level for the xLeave application in the Cloud can be done either with the SAP NetWeaver Cloud Command Client (“neo deploy” with the log parameter severity <log_level>), or using the Account Page administration page. The command client will apply the same log level to all loggers, whereas in the Account Page specific loggers can also be configured. Clicking on the Logs link of the xLeave entry in the table of the Applications tab opens the dialog shown in Figure 4.

Figure 4 Debug level configuration for SAML2 in SAP NetWeaver Cloud

Enter “saml2” as a filter string and search for the logger with name com.sap.core.jpaas.security.saml2.sp in the results. This is a good place to start if, for example, everything seems to work fine on the IdP side but the SAML Response is not processed correctly in the Cloud (e.g. the xLeave application throws an HTTP 500 error).

User Agent SAML Message Trace

Having a closer look at the actual messages sent back and forth between the SP and IdP might also help to resolve interoperability issues in certain situations. Since the SAML protocol relies entirely on the user’s web browser to forward all messages between the Cloud and on-premise, a tool like SAML Tracer, available as an add-on for Mozilla Firefox, can capture the complete communication flow and make it available for further analysis.

Figure 5 SAML Tracer Add-on for Firefox in action


Figure 5 shows the tool in action with a sample trace taken during testing of the scenario. The SAML-related HTTP requests are marked with a SAML label in the message trace and can be examined in more detail in the specific viewer (SAML tab).

REFERENCES

1. Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud Whitepaper: http://scn.sap.com/docs/DOC-32675

2. SAML 2.0 Specifications: http://saml.xml.org/saml-specifications

3. SAP NetWeaver Single Sign-On on SCN: http://scn.sap.com/community/netweaver-sso

4. SAP Documentation: Configuring the UME to Use an LDAP Directory as Data Source: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/12/7678123c96814bada2c8632d825443/frameset.htm

5. SAP NetWeaver Cloud Platform Documentation User Authentication: https://help.netweaver.ondemand.com/default.htm?enabling_id.html#concept_93EA4D93901D4E63B7F6F447F14AD5D2_106

6. xLeave Sample Application Download: http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/20d0cbce-3d48-3010-5c9b-8361771c9e6b

7. Get your free developer license for SAP NetWeaver Cloud in 5 minutes: http://scn.sap.com/docs/DOC-28197

8. SAP NetWeaver Cloud Account Types: https://help.netweaver.ondemand.com/default.htm?account_types.html

9. Setting up the Tools and SDK: https://help.netweaver.ondemand.com/default.htm?setting_up_tools.html#concept_9E86CB16F6494799B5CF516B38B7503F_17

10. SAP Note Troubleshooting Wizard: https://service.sap.com/sap/support/notes/1332726


© 2013 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

www.sap.com