A Security Overview
Martin Raepple / Area Product Owner Security for SAP HANA Cloud Platform
Public
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
Introduction to SAP HANA Cloud Platform
Federated Authentication in SAP HANA Cloud Platform Applications
Demo 1: Federated Authentication with a Corporate Identity Provider and SAP Cloud Identity
Demo 2: Analyzing SAML 2.0 Authentication
Demo 3: Protecting Web APIs with OAuth 2.0 for Secure Mobile Access
Introduction to SAP HANA Cloud Platform

Cloud basics
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Virtualization
Managed Hosting

2014 SAP SE or an SAP affiliate company. All rights reserved.
Supported scenarios
BUILD: New Cloud Apps
EXTEND: On-Premise Apps (on-premise solution and its data)
EXTEND: Cloud Apps (cloud solution and its data)
[Diagram: platform services: Mobile, Portal, Analytics, Collaboration, Connectivity, Spatial, Text Mining, DB Services, Transactions, Analytics, Streaming, Infrastructure, Predictive Services]
IT Operations: ISO 27001 certified
Quality Management: ISO 9001 certified (1)
High Availability: BS25999 certified (1)
Energy Efficiency: Green IT certified (1)
International Account Regulations: ISAE 3402 testified (2), SSAE 16 testified
(1) Certification for the Germany-based SAP data center hosting SAP HANA Cloud Platform
Federated Authentication in SAP HANA Cloud Platform Applications
[Diagram: the User authenticates (Single Sign-On) to SAP HANA Cloud Platform (HANA XS) to access protected Web Resources; authentication and identity management are delegated via SAML 2.0 to an Identity Provider (IdP)]
1. The user accesses a protected web resource on the SP (SAP HANA Cloud Platform).
2. The SAP HANA Cloud application sends a SAML Authentication Request via HTTP redirect to the trusted IdP.
3. The IdP authenticates the user (if not done already).
4. Upon successful authentication, the IdP sends an HTML form with the SAML Response message in a hidden field to the web browser, which (auto)submits it using an embedded (Java)Script.

[Diagram: Web Browser (User) exchanges SAML Request (2) and SAML Response (4) between SAP HANA Cloud Platform (HANA XS) and the SAML 2.0-compliant Identity Provider (IdP), which authenticates the user (3)]

SAML 2.0 core specification: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
[Diagram labels: SAP ID Service, Internet, SAP HANA Cloud Platform, Corporate Network]
Demo 1: Federated Authentication with a Corporate Identity Provider (SAP SSO) and SAP Cloud Identity
Demo 2: Analyzing SAML 2.0 Authentication
[Diagram labels: Web Browser, SAML, Web UI, Web APIs, HANA XS]
[Screenshot: CloudBank demo application login form (Username, Password, Log in)]
Demo 3: Protecting Web APIs with OAuth 2.0 for Secure Mobile Access
Authorization Management in SAP HANA Cloud Platform Applications

                               Java EE                        HANA XS                      HTML5
Runtime Authorization Objects  Java EE Roles (web.xml)        Privileges (.xsprivileges)   Permissions (neo-app.json)
                               Custom Roles (Cloud Cockpit)   Roles (.hdbrole)             Custom Roles (Cloud Cockpit)
User-to-Role Assignment        Static                         Static                       Static
                               Dynamic (Federated                                          Dynamic (Federated
                               Authorizations)                                             Authorizations)
[Diagram: Federated Authorization. On the Identity Provider side, a Group is a group of users sharing one or many common attribute(s); the Group is mapped to Role(s) in SAP HANA Cloud Platform]
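Steps 2 and 4 of the SAML flow above describe the AuthnRequest/Response exchange, and the federated authorization diagram maps IdP groups to roles. The following is an added example, not code from the slides or from SAP: it decodes a constructed SAMLResponse form value, runs the checks an SP must make before trusting it (Destination, InResponseTo, status, issuer, validity window, audience), and maps the assertion's group attribute to roles. All URLs, IDs, attribute names and the group-to-role table are assumptions, and XML signature verification is assumed to have happened before these checks.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample (not from the slides): a minimal, unsigned SAML Response as the IdP places
# it, base64-encoded, in the hidden SAMLResponse field of the auto-submitted form (step 4).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
 IssueInstant="2014-06-01T10:00:00Z" InResponseTo="_req42" Destination="https://sp.example.com/saml2/sp/acs">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T09:59:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
def saml_time(s):  # SAML timestamps are UTC, e.g. 2014-06-01T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(b64, trusted_idp, sp_entity_id, acs_url, request_id, now):
    """Return findings (empty = OK). Assumes the caller already verified the XML signature with the IdP's cert."""
    root, findings = ET.fromstring(base64.b64decode(b64)), []
    if root.get("Destination") != acs_url:
        findings.append("Destination is not our Assertion Consumer Service URL")
    if root.get("InResponseTo") != request_id:
        findings.append("InResponseTo does not match the outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return findings + ["no Assertion element"]
    if a.findtext("saml:Issuer", "", NS) != trusted_idp:
        findings.append("Assertion issuer is not the trusted IdP")
    c = a.find("saml:Conditions", NS)
    if c is None or not saml_time(c.get("NotBefore")) <= now < saml_time(c.get("NotOnOrAfter")):
        findings.append("Assertion is outside its validity window")
    if sp_entity_id not in [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        findings.append("Assertion is not addressed to this SP (Audience)")
    return findings
def federated_roles(b64, group_to_roles):
    """Federated authorization: map the IdP's 'groups' attribute values to application roles."""
    a = ET.fromstring(base64.b64decode(b64)).find("saml:Assertion", NS)
    path = "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue"
    return sorted({r for v in a.findall(path, NS) for r in group_to_roles.get(v.text, [])})
```

Every finding is collected rather than returning on the first failure, so a single rejected login shows all the reasons in the log.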
Demo 4: Federated Authorization with an HTML5 Application
[Diagram: cross-site scripting. (1) The Attacker infects a page with a malicious script; (2) the Victim downloads the page with the malicious script and executes it in the context of the Victim's session]

Code shown on the slide (HTML-encoding the firstName value before writing it to the response):

    try {
        encodedFirstname = xssEncoder.encodeHTML(firstName).toString();
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    out.println("<br>Hello, " + encodedFirstname);
[Diagram: cross-site request forgery against a Vulnerable Application (HANA) at www.webapp.com; the Victim's Web Browser holds the session cookie JSESSIONID=abc123]
(1) The attacker's page contains: <img src="http://www.webapp.com/transferMoney?account=hacker&amount=1000">
(2) The Victim's Web Browser requests http://www.webapp.com/transferMoney?account=hacker&amount=1000 within the existing session
XSRF Protection

Runtime    Mechanism
Java EE    XSRF Protection Servlet Filter in the SDK; declarative configuration in web.xml
HANA XS    prevent_xsrf keyword in the .xsaccess file: {"prevent_xsrf": true}
HTML5      XSRF Protection delegated to backend system(s)
[Diagram: Customer landscape (SAP Business Suite, Non-SAP, SAP HANA) behind the SAP Firewall, connected to SAP HANA Cloud Platform]
Summary
Further Information
Public Web
SAP HANA Cloud Platform: http://hcp.sap.com/
SAP HANA Cloud Platform Security Tutorial Series: http://scn.sap.com/docs/DOC-35464
Customer Engagement Initiative: Secure Mobile Cloud Scenarios with SAP HANA Cloud Platform: https://influence.sap.com/ct/s.bix?c={B9589756-22C1-486E-9FCF-E9E5221C29FD}
CJ621
http://sapdcodehandson.sap.com
http://sapdcode.com/online
Feedback
Please complete your session evaluation for SEC100.
Appendix
[Diagram: a Local Test User accesses protected Web resources on the Local HANA Cloud Server; the server holds the Test User Attributes, the Local Test Users / Test User Accounts, and the Role(s) assigned to the Test User in the local Server]
Security Testing in the Cloud with the Local Test Identity Provider
[Diagram: the Browser on the Developer System accesses protected Web resources on SAP HANA Cloud Platform as a Local Test User; the Test User Accounts are served by the SAML 2.0 Test IdP]