
SIM207
Towards Interoperable SSO for Web Services

Stefanie García Laule, PM NW Security, SAP AG
Martin Raepple, GEPG Standards Management and Strategy, SAP AG

Disclaimer

This presentation outlines our general product direction and should not be
relied on in making a purchase decision. This presentation is not subject to
your license agreement or any other agreement with SAP. SAP has no
obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are
subject to change and may be changed by SAP at any time for any reason
without notice. This document is provided without a warranty of any kind,
either express or implied, including but not limited to, the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.

SAP 2008 / SAP TechEd 08 / SIM207 Page 2


Agenda

1. Web Services Security - A short primer
   - Interoperability and Standards
   - WS-Security Basics
2. Standards-based Single Sign-On for Web Services
   - Single Sign-On Technologies & Standards
   - WS-Security SAML Token Profile
3. Web Services Single Sign-On with SAP NetWeaver
   - SAML Token Profile support in current SAP NetWeaver releases
   - Roadmap
4. Interoperability in Practice: Web Services SSO between SAP NetWeaver and Microsoft .NET
   - Web Services Security in the Microsoft .NET Framework
   - Implementation of an interoperable Web Service Consumer in .NET
   - Configuration of an interoperable Web Service Provider in SAP NetWeaver
   - Online Demo



Learning Objective

As a result of this lecture session, you will
- understand the concepts and technologies related to Web Services Security, Single Sign-On and SAML
- know the details of SAP's roadmap for Web Services Single Sign-On
- learn how to implement an SSO scenario in heterogeneous landscapes with Microsoft .NET



Definition of Interoperability

The IEEE defines interoperability as:

"The ability of two or more systems or components to exchange information and to use the information that has been exchanged"*

* Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEE Standard Computer Glossaries. New York, NY: 1990



Interoperability - The Value Of Standards

Interoperability is achieved by standards and supports the seamless exchange and use of business information.

[Figure: two levels of interoperability between the Business Applications and the Service Infrastructures of two parties]
- Semantic Interoperability: applications understand and correctly use the information being exchanged
- Technical Interoperability: systems are connected and can exchange information


Role of Web Service Standards

[Figure: the Web Service Consumer on Platform A sends a message through its API and Source Infrastructure; the Destination Infrastructure on Platform B delivers it through its API to the Web Service Provider. Only the message in transit lies within the scope of Web Service standards.]

- Web Service (WS) standards define the format of the message in transit to guarantee the interoperable exchange between service consumer and provider on a technical level
- Web Service standards don't specify any infrastructure- or application-specific aspects, such as
  - APIs or programming languages that applications must use to send or deliver messages (these are always platform-specific)
  - Runtime architecture and components
WS-Security - Motivation

- The SOAP protocol on its own does not provide any security mechanisms for
  - Message Integrity & Confidentiality
  - Authentication
  - Non-Repudiation of origin or receipt
- But: SOAP can be extended to provide additional features

[Figure: SOAP message format - a SOAP Envelope containing a SOAP Header and a SOAP Body that carries the Data]

- Up to the year 2002, best practice was to secure Web Services using Secure Sockets Layer (SSL)
- But SSL provides transport-level, not application-level security:
  - SOAP messages are secured point-to-point, not end-to-end
  - Messages are stored unencrypted in files or databases at intermediaries
  - Not independent of the underlying transport protocol
- WS-Security was submitted to a standards body (OASIS) in Sept 2002 and approved as an OASIS Standard in April 2004
WS-Security - Overview

- The OASIS WS-Security standard extends a SOAP message by one or more WS-Security headers (wsse:Security), which contain the security information for each recipient
- This new SOAP header contains all relevant security metadata to secure a SOAP message, such as
  - Security Tokens to carry security information (e.g. user authentication data, X.509 certificates)
  - A Timestamp to protect against replay attacks
  - Signatures to protect against message tampering*
  - Encrypted Keys and Data to protect confidential information
- Single Sign-On is provided by using e.g. SAML Security Tokens

[Figure: SOAP Envelope whose SOAP Header carries the WS-Security header (Security Token, Timestamp, Signature, Encrypted Key) and whose SOAP Body carries the encrypted Data]

* The act of altering something secretly or improperly
What We Have Learned so Far

- WS-Security is a rich framework to secure SOAP on the message layer
- WS-Security provides a general-purpose mechanism for associating security tokens with message content
- No specific type of security token is required. The specification is designed to be extensible, so as to support multiple security token formats




Definition of Single Sign-On (SSO)

Wikipedia defines Single Sign-On as:

"Single Sign-On (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems."*

* http://en.wikipedia.org/wiki/Single_sign-on


Basic Architectural Pattern for Single Sign-On (SSO)

- Issuing Authority: A system entity that issues security-related information about individual users. Usually this includes at least identity information about the user (e.g. a user name or e-mail address)
- Relying Party: A system entity that decides to take an action based on the security information provided by the Issuing Authority. The Relying Party must have a trust relationship with the Issuing Authority
- User: A natural person who makes use of a system and its resources

[Figure: User, Issuing Authority and Relying Party; the Issuing Authority and the Relying Party share a trust relationship; steps 1-4 as listed below]
1. User authenticates at the Issuing Authority and requests the security data that is required to access a protected resource at the Relying Party
2. Issuing Authority responds with the security information about the user
3. User authenticates with the issued data at the Relying Party to access a protected resource
4. Relying Party authenticates the user based on the security information issued by the Issuing Authority and sends the response
Important Characteristics of Single Sign-On Technologies and Standards

- Cross-Domain: Is it possible to use the SSO technology only within a security domain (i.e. the corporate Intranet) or can it be used across different domains (e.g. in a B2B scenario)?
- Cross-Platform: Which platforms are supported by the SSO technology? Is it a widely adopted standard in the industry or a vendor-specific technology?
- User Agent: Which type of user agent (e.g. Web Browser, Web Service Consumer, Mobile Clients) is supported by the SSO technology?

[Figure: SSO across Domain A and Domain B; SSO between a Non-SAP Platform and SAP NetWeaver]


Single Sign-On Technologies and Standards Supported by SAP

  Standard / Technology                             Cross-Domain  Cross-Platform  User Agent
  SAP Logon Ticket                                  No            Yes             Web Browser, Web Service Consumer
  OASIS Security Assertion Markup Language (SAML)   Yes           Yes             Web Browser
  OASIS WS-Security SAML Token Profile              Yes           Yes             Web Service Consumer
  SPNego / Windows Integrated Authentication        No            No              Web Browser, Web Service Consumer
  X.509/PKI                                         Yes           Yes             Web Browser, Web Service Consumer

! For Web Services, SAML and its associated token profile for WS-Security is the most widely adopted standard in the industry


Benefits of the Security Assertions Markup Language (SAML)

- Interoperable security solution to allow systems integration with great ease and minimal resources
- SAML is a protocol for encoding security-related information (assertions) into XML and exchanging this information in a request/response fashion
- Provides standards-based mechanisms to exchange security information using SOAP, HTTP(S)
- SAML is an OASIS standard


SAML Based Scenarios

[Figure: the Service Consumer authenticates at the SAML Identity Provider and accesses a resource at the SAML Service Provider]
1. Web Service based SSO: SAML Token Profile (Web Service Security standard)
2. Web Browser based SSO: SAML Browser/Artifact Profile (SAML standard)


Security Assertion Markup Language (SAML) - Building Blocks

- Assertions: statements about a subject. This could be an authentication, attribute information, or authorization permissions
- Protocols: SAML defines request/response protocols for obtaining assertions
- Protocol Bindings: define how SAML protocols map to transport and messaging protocols, e.g. SAML SOAP Binding
- Profiles: define how assertions, protocols, and bindings are combined for particular use cases

[Figure: SAML layers - Profiles on top of Bindings on top of Assertions and Protocol, with the SAML Assertion at the core]
SAML Assertion

A SAML Assertion can consist of
- Authentication Statement: piece of data that represents an act of authentication performed on a subject (user) by the SAML Issuing Authority
- Other Statements: Attribute Statement, Authorization Decision Statement

[Figure: a SAML Assertion containing an Authentication Statement and other statements]


Relationship Between WS-Security SAML Token Profile and the SAML Standard

[Figure: WS-Security SOAP Message Security defines token profiles (Username Token Profile, SAML Token Profile, ...); the SAML Token Profile references the SAML standard, i.e. its Assertions and Protocol, Bindings, Profiles and Confirmation Methods, with the SAML Assertions at the core]
SAML Token Profile - A short primer

- The SAML Token Profile defines the use of SAML Assertions as Security Tokens in the WS-Security header
- The SAML Token is used by the service provider to authenticate the user based on the identity information in the SAML Assertion in incoming requests from service consumers

[Figure: SOAP Envelope; the SOAP Header carries the WS-Security header with the SAML Token (a SAML Assertion with an Authentication Statement); the SOAP Body carries the Data]


Role of the Token Issuer (aka Security Token Service, STS) in Web Services SSO

- The Token Issuer or Security Token Service (STS) is a distinguished Web service that issues, exchanges and validates security tokens
- The STS has broad applicability in that it can be used to issue security tokens in a wide range of formats (e.g. certificates, SAML assertions)
- Basic operations supported by an STS:
  - Issue a new token
  - Renew a token
  - Validate a token
  - Cancel a token

[Figure: 1. the Web Service Consumer sends a Request Security Token with its Authentication Data to the Token Issuer (STS); 2. the STS authenticates the user and generates the requested token; 3. the STS returns the Security Token in the Security Token Response]
Web Services SSO with SAML - General Message Exchange

1. Web Service (WS) Consumer authenticates at the Token Issuer (Security Token Service, STS) and requests a SAML Token
2. Token Issuer authenticates the user and issues a SAML Token to the WS Consumer
3. WS Consumer uses the SAML Token for authentication at the WS Provider
4. WS Provider must trust the assertion in the SAML Token to authenticate the WS Consumer and sends back the response

[Figure: Token Issuer (STS), Web Service Consumer and Web Service Provider with steps 1-4; the request of step 3 is a SOAP Envelope whose SOAP Header carries the WS-Security header with the SAML Token and whose SOAP Body carries the Data]

The SAML Token Profile addresses two major questions:
- How can the SAML Token be bound to the SOAP message so that the service provider can be sure that they belong together?
- How can the service provider be sure that the sender of the message is really the subject in the assertion?
Confirmation of the Subject Identity - SAML Confirmation Methods Overview

[Figure: Token Issuer (STS), Web Service Consumer and Web Service Provider. Sender-Vouches: basis of trust is the WS Consumer's certificate. Holder-of-Key: basis of trust is the Token Issuer's certificate]

Sender-Vouches (SV) Subject Confirmation Method
- The WS Consumer cryptographically binds the assertion to the body of the SOAP message by signing both with its private key
- The WS Provider compares the identity information from the message signature with the subject information in the assertion

Holder-of-Key (HoK) Subject Confirmation Method
- The assertion holds a key that is used by the WS Consumer to cryptographically bind (sign) the assertion and the body of the SOAP message
- The WS Provider uses the same key to verify the signature. The subject in the assertion is the party that can demonstrate that it is the holder of the key.
Confirmation of the Subject Identity - Sender-Vouches Subject Confirmation

1. User authenticates at the Token Issuer (STS) and requests a SAML Token with the WS-Trust protocol
2. Token Issuer authenticates the user and issues a SAML Token in the response to the WS Consumer with the WS-Trust protocol
3. WS Consumer uses its private key to create a signature over the SAML Token and the message body
4. To confirm the WS Consumer identity, the WS Provider verifies the signature and compares the identity information in the SAML Token with the identity information of the WS Consumer's public key certificate

Prerequisites:
- Pre-established trust relationship between WS Provider and WS Consumer
- WS Consumer must possess a signature key pair

[Figure: steps 1-4 between Token Issuer (STS), Web Service Consumer (holding its private key and public key certificate) and Web Service Provider (holding the WS Consumer's public key certificate); the request carries the SAML Token (SV) in the WS-Security header of the SOAP Envelope and the Data in the SOAP Body]
Confirmation of the Subject Identity - Holder-of-Key (HoK) Subject Confirmation (1/2)

1. User authenticates at the Token Issuer (STS) and requests a SAML Token with the WS-Trust protocol. Optionally, the user provides key material to the Issuer for the short-lived key
2. The Token Issuer generates the short-lived symmetric key and encrypts it with the WS Provider's public key. The key is added to the SAML Assertion, which is then signed by the Token Issuer with its signature key
3. The Token Issuer issues the SAML Assertion as a SAML Token in the WS-Trust response message to the WS Consumer, along with its key material used to generate the symmetric short-lived key

[Figure: the SAML Token (HoK) is a SAML Assertion carrying the encrypted short-lived key (derived from client + server key material) and the Token Issuer's signature; the Token Issuer (STS) holds its own public key certificate and the WS Provider's public key certificate; steps 1 and 3 run between the Web Service Consumer and the Token Issuer, step 2 inside the Token Issuer]
Confirmation of the Subject Identity - Holder-of-Key (HoK) Subject Confirmation (2/2)

4. The WS Consumer also generates the short-lived symmetric key based on both parties' key material
5. The WS Consumer signs the SAML Token and the message body with the previously generated short-lived symmetric key and sends a request to the WS Provider
6. The WS Provider verifies the Token Issuer's signature in the SAML Token and decrypts the short-lived symmetric key contained in the SAML Token using its private key.
7. The WS Provider verifies the WS Consumer's (i.e. the key holder's) signature by using the decrypted short-lived symmetric key. The Token Issuer confirmed that the holder of the key is the subject in the assertion.

Prerequisites:
- Pre-established trust relationship between WS Provider and Token Issuer

[Figure: steps 4-7 between the Web Service Consumer (holding the short-lived key), the Web Service Provider (holding the Token Issuer's public key certificate and the decrypted short-lived key) and the Token Issuer (STS); trust relationship between WS Provider and Token Issuer; the request carries the SAML Token (HoK)]
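
The seven Holder-of-Key steps on these two slides, as an added Python model that is not part of the deck and not SAP's or Microsoft's code. The asymmetric operations are replaced by labelled stand-ins: the Token Issuer's XML signature and the encryption of the short-lived key under the WS Provider's public key become HMAC-based operations under keys the provider shares with the STS, and XML canonicalisation becomes a fixed JSON serialisation. The derivation of the short-lived key from both parties' key material is assumed to be WS-Trust's P_SHA1 computed key (the slides do not name the algorithm), and the symmetric signature is HMAC-SHA1 as in the Basic128 suite the deck configures later. The subject name is the deck's example identity; the message body and all key material are constructed.

```python
import hashlib
import hmac
import json
import os

HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"  # SAML 1.x HoK confirmation method
KEY_SIZE = 16  # 128-bit short-lived key (Basic128 suite)


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA1 PRF. Assumption: WS-Trust CK/PSHA1 computed key, i.e. the
    requestor's entropy is the secret and the issuer's entropy the seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def canonical(obj) -> bytes:
    """Stand-in for XML canonicalisation: a fixed JSON serialisation."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def wrap_key(kek: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for the EncryptedKey under the WS Provider's public key: XOR with
    an HMAC-derived keystream under a key shared by STS and provider in this model.
    XOR is its own inverse, so the same call unwraps."""
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()[: len(key)]
    return bytes(a ^ b for a, b in zip(key, stream))


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha1).hexdigest()  # HMAC-SHA1 symmetric signature


class TokenIssuer:
    """Steps 1-3: derive the short-lived key, wrap it for the provider, sign the assertion."""

    def __init__(self, signing_key: bytes, provider_kek: bytes):
        self.signing_key, self.provider_kek = signing_key, provider_kek

    def issue(self, subject: str, consumer_entropy: bytes):
        issuer_entropy, nonce = os.urandom(16), os.urandom(16)
        key = p_sha1(consumer_entropy, issuer_entropy, KEY_SIZE)
        assertion = {"Subject": subject, "ConfirmationMethod": HOLDER_OF_KEY,
                     "EncryptedKey": {"Nonce": nonce.hex(),
                                      "CipherValue": wrap_key(self.provider_kek, key, nonce).hex()}}
        # Stand-in for the issuer's XML signature: HMAC under a key the provider trusts.
        issuer_sig = hmac.new(self.signing_key, canonical(assertion), hashlib.sha256).hexdigest()
        return {"Assertion": assertion, "IssuerSignature": issuer_sig}, issuer_entropy


def consumer_request(token: dict, consumer_entropy: bytes, issuer_entropy: bytes, body: bytes) -> dict:
    """Steps 4-5: derive the same key from both entropies, sign token + body."""
    key = p_sha1(consumer_entropy, issuer_entropy, KEY_SIZE)
    return {"Token": token, "Body": body.decode(), "Signature": sign(key, canonical(token) + body)}


class Provider:
    """Steps 6-7: verify the issuer signature, unwrap the key, verify the holder-of-key proof."""

    def __init__(self, kek: bytes, issuer_signing_key: bytes):
        self.kek, self.issuer_signing_key = kek, issuer_signing_key

    def authenticate(self, msg: dict) -> str:
        token, assertion = msg["Token"], msg["Token"]["Assertion"]
        expected = hmac.new(self.issuer_signing_key, canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["IssuerSignature"]):
            raise ValueError("assertion not signed by a trusted token issuer")
        if assertion["ConfirmationMethod"] != HOLDER_OF_KEY:
            raise ValueError("unexpected subject confirmation method")
        ek = assertion["EncryptedKey"]
        key = wrap_key(self.kek, bytes.fromhex(ek["CipherValue"]), bytes.fromhex(ek["Nonce"]))
        if not hmac.compare_digest(sign(key, canonical(token) + msg["Body"].encode()), msg["Signature"]):
            raise ValueError("sender could not prove possession of the key")
        return assertion["Subject"]


def run_scenario(subject: str = "TechEd08\\stefanie"):
    """Returns (authenticated subject, whether a tampered replay of the token was accepted)."""
    issuer_key, kek = os.urandom(32), os.urandom(32)
    sts, provider = TokenIssuer(issuer_key, kek), Provider(kek, issuer_key)
    consumer_entropy = os.urandom(16)
    token, issuer_entropy = sts.issue(subject, consumer_entropy)
    msg = consumer_request(token, consumer_entropy, issuer_entropy, b"<getSalesOrder id='4711'/>")  # constructed body
    who = provider.authenticate(msg)
    tampered = dict(msg, Body="<getSalesOrder id='4712'/>")  # replayed token, altered body
    try:
        provider.authenticate(tampered)
        accepted = True
    except ValueError:
        accepted = False
    return who, accepted


if __name__ == "__main__":
    print(run_scenario())
```

The provider never sees the consumer's entropy: it only learns the short-lived key by unwrapping what the issuer put in the assertion, so a valid signature proves the sender holds the key the trusted issuer bound to the subject, and a replay with a different body fails the check.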
Syntax and Semantics of the Security Information: Example of a SAML Token

    <wsse:Security>
      <saml:Assertion
          Issuer="TechEdAuthority.com" ...
          IssueInstant="2008-09-09T19:54:00.000Z">
        <saml:AuthenticationStatement
            AuthenticationMethod="...password"
            AuthenticationInstant="2008-09-09T19:53:00.000Z">
          <saml:Subject>
            <saml:NameIdentifier
                Format="...WindowsDomainQualifiedName">
              TechEd08\stefanie
            </saml:NameIdentifier>
          </saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              ...SenderVouches
            </saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </wsse:Security>

The WS-Security header contains the following authentication information: the user with the identifier TechEd08\stefanie has been successfully authenticated at 7:35 pm on Sept. 9th, 2008 using her password. The issuer TechEdAuthority confirms that the subject of the assertion is the party that signed the message.
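
As an added example that is not part of the slides, the following Python parser reads a wsse:Security header like the one above and extracts the facts the slide lists (issuer, instants, authentication method, subject, name format, confirmation method), then applies the relying-party checks the deck names earlier: a trusted issuer, the wsu:Timestamp window that protects against replay, and a recognised subject confirmation method. The sample header is constructed from the slide: the elided attribute values are filled in with the standard SAML 1.1 and WS-Security identifiers, the Timestamp element and the AssertionID are assumptions, and the five-minute clock skew is a chosen parameter. Signature verification is out of scope here; this is the metadata stage that precedes it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

# Constructed from the slide; Timestamp and AssertionID are assumed, elided URIs filled in.
SAMPLE_HEADER = """<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <wsu:Timestamp>
    <wsu:Created>2008-09-09T19:54:00Z</wsu:Created>
    <wsu:Expires>2008-09-09T19:59:00Z</wsu:Expires>
  </wsu:Timestamp>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="ASSERTION-ID-PLACEHOLDER"
      Issuer="TechEdAuthority.com" IssueInstant="2008-09-09T19:54:00.000Z">
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2008-09-09T19:53:00.000Z">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">TechEd08\\stefanie</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</wsse:Security>"""


def utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


def _instant(value: str) -> datetime:
    """Parse a SAML/WSU UTC instant with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported instant format: " + value)


def parse_security_header(xml_text: str) -> dict:
    """Extract the authentication information from a wsse:Security header carrying one SAML 1.1 assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return {
        "issuer": assertion.get("Issuer"),
        "issue_instant": _instant(assertion.get("IssueInstant")),
        "authentication_method": stmt.get("AuthenticationMethod"),
        "authentication_instant": _instant(stmt.get("AuthenticationInstant")),
        "subject": name_id.text.strip(),
        "name_format": name_id.get("Format"),
        # searched as a descendant so a SubjectConfirmation placed outside Subject is found too
        "confirmation_methods": [m.text.strip() for m in stmt.iterfind(".//saml:ConfirmationMethod", NS)],
        "created": _instant(root.find("wsu:Timestamp/wsu:Created", NS).text),
        "expires": _instant(root.find("wsu:Timestamp/wsu:Expires", NS).text),
    }


def check_token(info: dict, now: datetime, trusted_issuers: set, max_skew=timedelta(minutes=5)) -> list:
    """Relying-party checks on the metadata: trusted issuer, timestamp window, known confirmation method."""
    problems = []
    if info["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer " + info["issuer"])
    if now > info["expires"] + max_skew:
        problems.append("timestamp expired")
    if info["created"] > now + max_skew:
        problems.append("timestamp created in the future")
    if not {SENDER_VOUCHES, HOLDER_OF_KEY}.intersection(info["confirmation_methods"]):
        problems.append("no supported subject confirmation method")
    return problems


def describe(info: dict) -> str:
    """Render the assertion the way the slide paraphrases it."""
    method = info["authentication_method"].rsplit(":", 1)[-1]
    confirmation = ", ".join(m.rsplit(":", 1)[-1] for m in info["confirmation_methods"])
    return (f"User {info['subject']} authenticated at {info['authentication_instant']:%H:%M UTC} on "
            f"{info['authentication_instant']:%b %d, %Y} by {info['issuer']} using {method}; "
            f"subject confirmation: {confirmation}")


if __name__ == "__main__":
    parsed = parse_security_header(SAMPLE_HEADER)
    print(describe(parsed))
    print(check_token(parsed, utc(2008, 9, 9, 19, 55), {"TechEdAuthority.com"}))
```

The checks return a list of problems rather than raising on the first one, so a provider-side log can record every reason a token was refused.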
How are the Common SSO Issues Addressed by WS-Security and the SAML Token Profile?

Syntax and semantics of the security information
- How is the security information serialized on the wire?
- What is the syntax and semantics of this serialized security information about an end user (identity)? Name, User ID, Roles, Groups, ...
-> SAML Assertions

Confirmation of the user's identity
- How can the Relying Party be sure that the request or message sent by the user is associated with the identity data in the issued security information?
-> SAML Confirmation Methods

Protocol to transfer the security information between the parties
- How does a user request the security information from the Issuing Authority?
- How does a user transfer this security information to the Relying Party?
-> SAML Token Profile
What We Have Learned so Far

- SAML is a proven and widely adopted standard in the industry for interoperable, cross-domain SSO
- The SAML Token Profile specifies how SAML is used to support SSO for Web Services
- The SAML Token Profile defines two subject confirmation methods: Sender-Vouches and Holder-of-Key
- Both confirmation methods differ mainly in trust relationship setup and key management




SAML Token Profile Support in SAP NetWeaver - Support in Current Releases 7.0 and 7.1 (1/3)

SAML 1.1 Sender-Vouches (WS-Consumer, WS-Provider)

[Figure: a Web Service Consumer on a Non-SAP Platform sends a SAML Token (SV) to a Web Service Provider on SAP NetWeaver; a Web Service Consumer on SAP NetWeaver with a local Token Issuer sends a SAML Token (SV) to a Web Service Provider on a Non-SAP Platform]

- Support for signed and unsigned Sender-Vouches SAML assertions
- Only for authentication purposes, i.e. no attribute-based authorization
- For WS-Consumer, only a local token issuer is supported (i.e. no external STS)

Supported in
- SAP NetWeaver 7.0 >= SP14 (ABAP)
- SAP NetWeaver 7.1 (Java, ABAP)
SAML Token Profile Support in SAP NetWeaver - Support in Current Releases 7.0 and 7.1 (2/3)

SAML 1.1 Holder-of-Key (HoK) (WS-Provider)

[Figure: a Web Service Consumer on a Non-SAP Platform sends a SAML Token (HoK) to a Web Service Provider on SAP NetWeaver]

- Only support for symmetric keys in SAML 1.1 Holder-of-Key tokens (i.e. no support for asymmetric keys)
- Optional user mapping from external (non-SAP platform) username to SAP username in ABAP table USREXTID

Planned for SAP EHP1*, SP2 for SAP NetWeaver 7.1:
- SAP NetWeaver 7.01 SP2 (ABAP) (Oct 2008)
- SAP NetWeaver 7.11 SP1 (Java, ABAP) (Dec 2008)

Live-Demo in this Session!

* Enhancement Package


SAML Token Profile Support in SAP NetWeaver - Support in Current Releases 7.0 and 7.1 (3/3)

SAML 1.1 Holder-of-Key (HoK) (WS-Consumer)

[Figure: token acquisition / issuance from a Token Issuer (STS) that has a trust relationship with the Web Service Provider; the Web Service Consumer on SAP NetWeaver sends the SAML Token (HoK) to the Web Service Provider; platforms shown are SAP NetWeaver and a Non-SAP Platform]

SAP NetWeaver Web Service Consumers can request a SAML Holder-of-Key Token from an external Token Issuer (STS)

Planned for SAP EHP2* for SAP NetWeaver 7.1
- SAP NetWeaver 7.02 (ABAP) (Q3 2009)
- SAP NetWeaver 7.12 (Java, ABAP) (Q3 2009)

* Enhancement Package




WS-Security Support in Microsoft .NET

- .NET 2.0 supports core Web Service standards, such as WSDL 1.1 and SOAP 1.1/1.2
- Web Services Enhancements (WSE) for Microsoft .NET 2.0 is a supported add-on to Microsoft Visual Studio .NET and the Microsoft .NET 2.0 Framework providing support for WS-Security and other advanced Web Service protocols
- With .NET 3.0, these advanced Web Service protocols became an integral part of the .NET Framework, which is now called the Windows Communication Foundation (WCF, formerly known as Indigo)

[Figure: .NET stack - .NET Application and .NET Dev. Tools on top of .NET 3.0 (WCF (Indigo), WPF (Avalon), WCS (Infocard), WWF (Workflow)), on top of the .NET 2.0 CLR and .NET 2.0 Base Class Libraries (ASP.NET 2.0, ADO.NET 2.0, WinForms 2.0), on Windows (XP, Server 2003/R2, Vista, Longhorn)]


.NET WCF Core Concepts

- The WCF programming model unifies the existing communication technologies for distributed computing in .NET 2.0 (e.g. Web Services/WSE, .NET Remoting, Distributed Transactions, Message Queues) into a single service-oriented programming model
- A Service in WCF is composed of three parts
  - a Service Class (e.g. written in C#) that implements the Service
  - a Service Host Environment to host the Service (e.g. IIS, Self-Hosting)
  - one or more Endpoints to which Clients can connect
- An Endpoint defines the Contract (What?), the Address (Where?) and the Binding (How?) of a Service

[Figure: a Web Service Consumer connects to one of the Endpoints (Contract, Address, Binding) of a WCF Service Class running in a Host Environment]


.NET WCF Bindings

- Bindings define the Transport (e.g. HTTP), Encoding (e.g. Text Message) and Protocol (e.g. Web Services) required to communicate with the Service
- WCF is shipped with predefined, system-provided bindings. These bindings can be configured declaratively
- Developers can also create their own custom bindings with the WCF API that provide full control over the messaging stack when one of the system-provided bindings does not meet the requirements of a consumer or provider

[Figure: a WCF binding is constructed from three elements - Transport (TCP, HTTP, MSMQ, ...), Encoder (Text, Binary, ...) and Protocol(s) (Security, Reliability, .NET, ...); the example binding stacks HTTP, Text and Security]


Web Services Security Support in .NET WCF System-Provided Bindings

Support* for Web Services core and WS-Security standards in WCF system-provided bindings:

  Binding                  SOAP  WSDL  WS-Security  Security Token Profiles
  basicHttpBinding         1.1   1.1   1.0          Username, X.509
  wsHttpBinding            1.2   1.1   1.1          Username, X.509
  wsFederationHttpBinding  1.2   1.1   1.1          Username, X.509, SAML 1.1

(In the original figure an arrow labelled Interoperability points towards basicHttpBinding and an arrow labelled Functionality towards wsFederationHttpBinding.)

Support for Web Services core and WS-Security standards in SAP NetWeaver:

  SAP NetWeaver   SOAP  WSDL  WS-Security  Security Token Profiles
  7.0 SP14, 7.1   1.1   1.1   1.0          Username, X.509, SAML 1.0

* http://msdn2.microsoft.com/en-us/library/ms730294.aspx
SAML Token Profile Support in .NET WCF

- The system-provided wsFederationHttpBinding in WCF uses the SAML Token Profile for Web Services SSO scenarios. This binding has the following constraints:
  - SAML 1.1 Assertions with Holder-of-Key subject confirmation method
  - Web Services Security 1.1 and SOAP 1.2
- WCF has no system-provided binding that matches the supported standards in SAP NetWeaver (SAML Token Profile 1.0, WS-Security 1.0, SOAP 1.1)
- With the WCF APIs, developers can create SAML 1.1 Assertions with the Sender-Vouches confirmation method (System.IdentityModel.Tokens.SamlConstants.SenderVouches)
- However, WCF does not support the STR-Transform algorithm which is required to sign SAML Tokens with the Sender-Vouches confirmation method

! To implement an interoperability scenario between SAP NetWeaver and .NET, a WCF custom binding is required to support the use of SAML Token Profile 1.0, WS-Security 1.0 and SOAP 1.1 on the WS Consumer side. In addition, Holder-of-Key support in SAP NetWeaver is a prerequisite.


Interoperability Scenario between SAP NetWeaver and Microsoft .NET WCF

1. The user logs on to the Windows domain with his Windows credentials
2. The WS Consumer authenticates at the Token Issuer with Windows Integrated Authentication and requests a SAML HoK Token that contains the domain identity
3. The Token Issuer issues the SAML Token
4. The WS Consumer sends the request using the Custom Binding (WS-Security 1.0, SOAP 1.1, SAML Token Profile 1.0)
5. The WS Provider maps the Windows user identity to the ABAP user identity
6. WS Provider sends the response

[Figure: initial authentication at the Domain Controller (step 1); SSO with Windows Integrated Authentication to the Token Issuer (STS) on Microsoft .NET 3.0/WCF, which returns the SAML Token (HoK) (steps 2-3); SSO with the SAML Token Profile from the Web Service Consumer on Microsoft .NET 3.0/WCF to the Web Service Provider on SAP NetWeaver (steps 4-6); trust relationship between Token Issuer and Web Service Provider]
Configuration Steps for the Interoperability Scenario with SAML Token Profile (HoK)

Web Service Consumer (Microsoft .NET 3.0/WCF):
- Implement the Custom Binding for .NET/WCF (.NET/WCF code)

Web Service Provider (SAP NetWeaver):
- Configure an endpoint of the Web Service Provider to support symmetric key encryption/signature using SAML-based message authentication (WS endpoint configuration: transaction SOAMANAGER)
- Maintain the mapping of the external user id (e.g. Windows Domain Name) to the internal SAP user id (user mapping: transaction SE38, report RSUSREXTID)


Implementation of the Custom Binding in the .NET/WCF Web Service Consumer (1/2)

Web Service Consumer - Custom Binding (C#):

    using System.ServiceModel.Channels;   // SymmetricSecurityBindingElement, SecurityHeaderLayout, MessageSecurityVersion, MessageProtectionOrder
    using System.ServiceModel.Security;   // SecurityAlgorithmSuite
    ...
    // Use a symmetric key to protect the message ...
    SymmetricSecurityBindingElement secBinding = new SymmetricSecurityBindingElement();
    // ... based on this algorithm suite
    secBinding.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
    secBinding.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
    secBinding.IncludeTimestamp = true;
    secBinding.SetKeyDerivation(false);
    // set WSS 1.0 and SOAP 1.1 (using WS-Security 1.0)
    secBinding.MessageSecurityVersion =
        MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    // don't encrypt the signature in the WS-Security header
    secBinding.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    ...


Implementation of the Custom Binding in the .NET/WCF Web Service Consumer (2/2)

Web Service Consumer - Custom Binding (C#):

    using System;                                // Uri
    using System.IdentityModel.Tokens;           // SecurityKeyType
    using System.ServiceModel;                   // EndpointAddress, WSHttpBinding
    using System.ServiceModel.Security.Tokens;   // IssuedSecurityTokenParameters, SecurityTokenReferenceStyle, SecurityTokenInclusionMode
    ...
    // Get an issued token to protect the message ...
    IssuedSecurityTokenParameters itp = new IssuedSecurityTokenParameters();
    itp.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
    itp.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
    // ... using the SAML Token Profile 1.0 with a SAML 1.1 assertion ...
    itp.TokenType = "urn:oasis:names:tc:SAML:1.1:assertion";
    // ... that holds the symmetric key to protect the message ...
    itp.KeyType = SecurityKeyType.SymmetricKey;
    itp.KeySize = 128;
    itp.RequireDerivedKeys = false;
    // ... from the Token Issuer (STS) with this URL
    itp.IssuerAddress = new EndpointAddress(new Uri("http://localhost:8000/samlsts"));
    // set sts binding
    itp.IssuerBinding = new WSHttpBinding("stsBinding");
    secBinding.ProtectionTokenParameters = itp;
Configuring SAML Holder-of-Key Token for the ABAP Web Service Provider (1/3)

WS Endpoint Configuration
1. Invoke transaction SOAMANAGER
2. Switch to the tab Application and Scenario Configuration and select Single Service Administration


Configuring SAML Holder-of-Key Token for the ABAP Web Service Provider (2/3)

WS Endpoint Configuration

3. Search for the service, select it in the search results list and click on Apply Selection.
4. Click on Create Service to create a new service, or select an existing entry and click on Edit.


Configuring SAML Holder-of-Key Token for the ABAP Web Service Provider (3/3)

WS Endpoint Configuration

5. For SAML Holder-of-Key Authentication, select Symmetric Message Signature/Encryption under Transport Guarantee > Communication Security, and Single Sign-On using SAML under Authentication Settings > Authentication Method > Message Authentication.
6. Click on Save.


Configuring the SAML User Mapping in the AS ABAP (1/4)

User Mapping

1. Start the ABAP Editor with transaction SE38.
2. Enter RSUSREXTID and click on Execute (F8).


Configuring the SAML User Mapping in the AS ABAP (2/4)

User Mapping

3. Enter the SAP user name and select SA for the External ID type. Optionally, enter the prefix (e.g. Token Issuer/STS name + "::" + Windows Domain Name) and/or suffix that is present in the external name. In addition, enter the DN of the Token Issuer's (STS) certificate.
4. Save the new mapping with Execute (F8) and review the changes made in the mapping table.


Configuring the SAML User Mapping in the AS ABAP (3/4)

User Mapping

5. Display the current SAML user mappings with the Data Browser (SE16).
6. Enter VUSREXTID for the Table Name and press F7.
7. Select SA for the External ID type and press Enter.


Configuring the SAML User Mapping in the AS ABAP (4/4)

User Mapping

8. Display the external SAML Mapping.


SAML Token Issued by the .NET WCF Token Issuer and Used for Authentication at SAP

   <saml:Assertion AssertionID="saml-bac86b5d" Issuer="urn:wcf.SAMLSTS ...>
     <saml:AttributeStatement>
       <saml:Subject>
         <!-- User Identity Information from Windows Integrated Authentication -->
         <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">SAP_ALL\D044724</saml:NameIdentifier>
         <saml:SubjectConfirmation>
           <!-- Subject Confirmation Method (HoK) -->
           <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
             <!-- Encrypted symmetric key -->
             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
               ...
               <KeyInfo>
                 <o:SecurityTokenReference>
                   <o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier">EZJTP...</o:KeyIdentifier>
                 </o:SecurityTokenReference>
               </KeyInfo>
               <e:CipherData>
                 <e:CipherValue>Oe6n+sudejob5AEH...</e:CipherValue>
               </e:CipherData>
             </e:EncryptedKey>
           </KeyInfo>
         </saml:SubjectConfirmation>
       </saml:Subject>
     </saml:AttributeStatement>
     <!-- Token Issuer signature -->
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
       <SignedInfo>
         ...
         <Reference URI="#saml-bac86b5d">
       </SignedInfo>
       <SignatureValue>lZ1GzQ3yO887oiwY...</SignatureValue>
       <KeyInfo>
         <o:SecurityTokenReference>
           <o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier">kfXogbsH...</o:KeyIdentifier>
         </o:SecurityTokenReference>
       </KeyInfo>
     </Signature>
   </saml:Assertion>
DEMO
Building Your Business with SDN Subscriptions

SDN Subscriptions offers developers and consultants like you an annual license to the complete SAP NetWeaver platform software, related services, and educational content, to keep you at the top of your profession.

SDN Software Subscriptions (currently available in U.S. and Germany):
- A one-year, low-cost development, test, and commercialization license to the complete SAP NetWeaver software platform
- Automatic notification for patches and updates
- Continuous learning presentations and demos to build expertise in each of the SAP NetWeaver platform components
- A personal SAP namespace

SAP NetWeaver Content Subscription (available globally):
- Starter Kit
- An online library of continuous learning content to help build skills

To learn more or to get your own SDN Subscription, visit us at the Community Clubhouse or at www.sdn.sap.com/irj/sdn/subscriptions
Further Information

SAP Public Web:
- SAP Developer Network (SDN): www.sdn.sap.com/irj/sdn/security
- Business Process Expert (BPX) Community: www.bpx.sap.com
- Related SAP Education and Certification Opportunities: http://www.sap.com/education/

Related Workshops/Lectures at SAP TechEd 2008:
- SIM203, Securing SOA Scenarios with SAML, Lecture
- SIM205, Security for SOA in Enterprises, Lecture
- SIM264, SOA Security Scenarios Using Web Service Security in SAP NetWeaver CE 7.1, Hands-On


Further Information

SAP PRESS
The Developer's Guide to SAP NetWeaver Security *
~ 600 pages + CD-ROM, ISBN 978-1-59229-180-9,
http://www.sappress.com/product.cfm?account=&product=H2919

- Authentication and Authorization: J2EE Security, UME, JAAS Framework
- Single Sign-On: Logon Tickets, SAML, Portal, Web Dynpro
- Identity Management: Administration, SPML
- Enterprise SOA and Web Services Security: AS ABAP/Java, Interoperability (e.g. Microsoft .NET)
- Many hands-on tutorials & code samples

* German Edition: Programmierhandbuch SAP NetWeaver Sicherheit, http://www.sap-press.de/1444
Thank you!

Feedback

Please complete your session evaluation.
Be courteous: deposit your trash, and do not take the handouts for the following session.

Thank You!