Server at SAP
SAP
About SAP
Focus on business applications
20k+ developers in R&D
Helping customers with digitization
IoT, Industrie 4.0
cloud offerings, e.g.:
2011: SuccessFactors (HCM)
2012: Ariba (business network)
2012: SAP HANA Cloud Platform (PaaS)
2013: Hybris (E-Commerce)
2014: Concur (travel)
2015: SAP S/4 HANA (business suite)
SAP's journey
1972 SAP R/1
packaged software to process data when needed
Agenda
UAA: Authentication
Name             Authentication                         Authorization                          Management   Remarks
Internal         Password                               grouping of users (hierarchical)       SCIM         1, 2
LDAP             Password (LDAP)                                                                            2, 3, 5
SAML2            Delegated to SAML2 Identity Provider   (depends on SAML2 IdP)                              4, 5
OpenID Connect   Delegated to OpenID Connect Provider   (depends on OpenID Connect Provider)
Remarks:
1.
2.
3.
4.
5.
Addressing:
https://login.<domain>: default identity zone
https://<zone>.login.<domain>: custom identity zone (one subdomain per zone)
Application Integration
Pass information about authenticated
subject and authorization to a business
application
Supported protocols:
OAuth2 using JWT
SAML2
Authorization Server
Authenticates the user
Grants the access token for the resource server
May support multiple grant types
Resource Server
Stores the data of the resource owner
[Diagram: Resource Owner, Application Server (UAA) acting as Authorization Server, and a Node.js/Java application acting as Resource Server; the application evaluates the authorization code it receives]
SAML2 features
Cross-domain SSO as well as Single Logout
(SLO)
Powerful user mapping
Mainly for UI / HTTP-based scenarios
Additional IdP system required
Application as SAML SP
Simplify Integration
Boundary Conditions
Developers have no admin access
to UAA
Usage of OAuth2 for microservices
Simple application integration
Declarative approach for security
artifacts
Service Broker
Applications define their artifacts:
Scopes for functional authorization
Attributes for instance based
authorizations
[Diagram: EVENTS APP sample application with its scopes and attributes]
Scopes (functional authorizations) can be checked:
declaratively at the application router
declaratively in the Java container
programmatically in the Java and Node.js containers
Application Router
Enforce authentication
CSRF protection
Reverse proxy
[Diagram: the Application Router obtains the authorization code and then the access token from UAA on behalf of the Resource Owner]
Resource Server
[Diagram: Node.js/Java resource servers receive access tokens issued by the OAuth Authorization Server (UAA), either on behalf of a Resource Owner or for a technical user using client credentials]
Contributions
Completed:
Attribute API
Vulnerable library versions
Planned:
OAuth2 SAML Bearer flow
Performance improvements
Enforced password change
Summary
UAA can also be used for
authentication and authorization of
business applications
Authentication, authorization: All
included in UAA
Service broker needed to simplify
integration
Thank You