This presentation outlines our general product direction and should not be
relied on in making a purchase decision. This presentation is not subject to
your license agreement or any other agreement with SAP. SAP has no
obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are
subject to change and may be changed by SAP at any time for any reason
without notice. This document is provided without a warranty of any kind,
either express or implied, including but not limited to, the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.
* Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEE Standard Computer Glossaries. New York, NY: 1990
[Figure: levels of interoperability between Platform A and Platform B]
Semantic Interoperability: applications understand and correctly use the information being exchanged.
Layers on each platform: Business, Application, Service, Infrastructure.
Technical Interoperability: systems are connected and can exchange information.
The Web Service Consumer (Source, via its API) sends a Message and the Web Service Provider (Destination, via its API) delivers it; each side runs on its own Infrastructure.
Scope of Web Service Standards
Web Service (WS) standards define the format of the message in transit to guarantee the interoperable exchange between service consumer and provider on a technical level.
Web Service standards don't specify any infrastructure- or application-specific aspects, such as:
APIs or programming languages that applications must use to send or deliver messages (these are always platform-specific)
Runtime architecture and components
SAP 2008 / SAP TechEd 08 / SIM207 Page 7
WS-Security Motivation
Authentication
Non Repudiation of origin or receipt
Data
Up to the year 2002, best practice was to secure SOAP message format
But: SOAP can be extended to provide additional features.
This new SOAP Header contains all relevant security metadata to secure a SOAP message, such as:
Security Tokens to carry security information (e.g. user authentication data, X.509 certificates)
A Timestamp to protect against Replay Attacks
Signatures to protect against message tampering*
Encrypted Keys and Data to protect confidential information
[Figure: SOAP Envelope containing a SOAP Header with the WS-Security Header (Security Token, Timestamp, Signature) and a SOAP Body (Encrypted Key + Data).]
* http://en.wikipedia.org/wiki/Single_sign-on
Cross-Platform: Which platforms are supported by the SSO technology? Is it a widely adopted standard in the industry or a vendor-specific technology?
User Agent: Which type of user agent (e.g. Web Browser, Web Service Consumer, Mobile Clients) is supported by the SSO technology?

SSO technology     Non-SAP Platform   SAP NetWeaver   User Agent
SAP Logon Ticket   No                 Yes             Web Browser, Web Service Consumer
X.509/PKI          Yes                Yes             Web Browser, Web Service Consumer

! For Web Services, SAML and its associated token profile for WS-Security is the most widely adopted standard in the industry
[Figure: SAML Identity Provider, SAML Service Provider and Service Consumer; flows labelled Authentication and Access to Resource]
1. SAML Token Profile: Web Service Security standard
2. SAML Browser/Artifact Profile: Web Browser based SSO
SAML Standard
Building Blocks
Assertions: statements about a subject. This could be an authentication, attribute information, or authorization permissions.
Protocols: SAML defines request/response protocols for obtaining assertions.
Protocol Bindings: define how SAML protocols map to transport and messaging protocols, e.g. SAML SOAP Binding.
Authentication Statement: piece of data that represents an act of authentication performed on a subject (user) by the SAML Issuing Authority.
Other Statements: Attribute Statement, Authorization Decision Statement.
[Figure: SAML stack of Profiles, Bindings, Protocol and Assertions; a SAML Assertion contains an Authentication Statement and Other Statements.]
[Figure: SAML Profiles: WS-Security SOAP Message Security references SAML Assertions and SAML Confirmation Methods.]
SAML Token Profile
A short primer
Web Services SSO with SAML
General Message Exchange
[Figure: Web Service Consumer, Web Service Provider and Token Issuer (STS) exchanging Data. Holder-of-Key: the basis of trust is the Token Issuer's certificate.]
Sender-Vouches (SV) Subject Confirmation Method
The WS Consumer cryptographically binds the assertion to the body of the
SOAP message by signing both with its private key
The WS Provider compares the identity information from the message signature
with the subject information in the assertion
Holder-of-Key (HoK) Subject Confirmation Method
The assertion holds a key that is used by the WS Consumer to
cryptographically bind (sign) the assertion and the body of the SOAP message
The WS Provider uses the same key to verify the signature. The subject in the
assertion is the party that can demonstrate that it is the holder of the key.
Confirmation of the Subject Identity
Sender-Vouches Subject Confirmation
Prerequisites: pre-established trust relationship between WS Provider and WS Consumer; the WS Consumer must possess a signature key pair.
1. User authenticates at the Token Issuer (STS) and requests a SAML Token with the WS-Trust protocol
2. Token Issuer authenticates the User and issues a SAML Token in the response to the WS Consumer with the WS-Trust protocol
3. WS Consumer uses its private key to create a signature over the SAML Token and the message body
4. To confirm the WS Consumer identity, WS Provider verifies the signature and compares the identity information in the SAML Token with the identity information of the WS Consumer's certificate
[Figure: Token Issuer (STS) with a trust relationship to the Web Service Provider; the SOAP Envelope carries a SOAP Header (WS-Security: SAML Token (SV)) and a SOAP Body (Data), signed with the WS Consumer's private key; the WS Consumer's public key certificate is known to the provider.]
Confirmation of the Subject Identity
Holder-of-Key (HoK) Subject Confirmation (1/2)
Prerequisites: pre-established trust relationship between WS Provider and Token Issuer.
4. The WS Consumer also generates the short-lived symmetric key based on both parties' key material
5. The WS Consumer signs the SAML Token and the message body with the previously generated short-lived symmetric key and sends a request to the WS Provider
6. The WS Provider verifies the Token Issuer's signature in the SAML Token and decrypts the short-lived symmetric key contained in the SAML Token using its private key.
7. The WS Provider verifies the WS Consumer's (i.e. the key holder's) signature by using the decrypted short-lived symmetric key. The Token Issuer confirmed that the holder of the key is the subject in the assertion.
[Figure: Token Issuer (STS) with its public key certificate and a trust relationship to the Web Service Provider; the SAML Token (HoK) sent from the Web Service Consumer to the Web Service Provider carries the short-lived key (steps 4 to 7).]
Syntax and Semantics of the Security Information: Example of a SAML Token

<wsse:Security>
  <saml:Assertion Issuer="TechEdAuthority.com" ...
                  IssueInstant="2008-09-09T19:54:00.000Z">
    <saml:AuthenticationStatement
        AuthenticationMethod="...password"
        AuthenticationInstant="2008-09-09T19:53:00.000Z">
      <saml:Subject>
        <saml:NameIdentifier Format="...WindowsDomainQualifiedName">
          TechEd08\stefanie
        </saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>...SenderVouches</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</wsse:Security>

The WS-Security header contains the following authentication information: the user with the identifier TechEd08\stefanie has been successfully authenticated at 7:35 pm on Sept. 9th, 2008 using her password. The issuer TechEdAuthority confirms that the subject of the assertion is the party that signed the message.
[Figure label: SAML Assertion]
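The following is an added example, not code from the slides or from SAP, that pulls together the token example above and the provider-side steps of the two confirmation methods (step 4 of Sender-Vouches, steps 6 and 7 of Holder-of-Key). It parses a constructed SAML 1.1 assertion modelled on the slide's token, then performs the checks a WS Provider owes before it accepts the asserted subject: the issuer is a trusted STS, the IssueInstant lies in a short replay window, and, for Sender-Vouches, one signature covers both the assertion and the body and was made by a certificate with a pre-established trust relationship; for Holder-of-Key, the key carried in the token verifies the consumer's signature. Assumptions: an XML-Signature library has already verified the ds:Signature and is summarised by SignatureInfo (the assertion is referenced by its AssertionID, resolved through the STR-Transform the later WCF slide mentions, the body by its wsu:Id); the short-lived symmetric key has already been decrypted with the provider's private key; hok_mac is an HMAC stand-in for the symmetric XML-Signature; all names, DNs, ids and the sample body are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

# Constructed sample assertion, modelled on the token shown in the slides.
SAMPLE_ASSERTION = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_a1"
    Issuer="TechEdAuthority.com" IssueInstant="2008-09-09T19:54:00.000Z">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2008-09-09T19:53:00.000Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">TechEd08\stefanie</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
SAMPLE_BODY = '<soap:Body wsu:Id="Body-1"><getBalance/></soap:Body>'  # constructed, MAC input only
SAMPLE_NOW = datetime(2008, 9, 9, 19, 55, tzinfo=timezone.utc)        # provider clock at receipt
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)                        # same token replayed later

@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    issuer: str
    issue_instant: datetime
    subject: str
    auth_method: str
    confirmation_methods: tuple

@dataclass(frozen=True)
class SignatureInfo:
    """Assumed report of an XML-Signature library after verifying ds:Signature: the parts
    it covered (assertion via AssertionID through the STR-Transform, body via wsu:Id) and
    the subject DN of the signing certificate (certificate-based signatures only)."""
    signed_parts: frozenset
    signer_subject_dn: str = ""

def parse_instant(text):
    # SAML instants are UTC with a trailing Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthenticationStatement", NS)
    subject = stmt.find("saml:Subject", NS)
    methods = subject.findall("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    return Assertion(root.get("AssertionID"), root.get("Issuer"),
                     parse_instant(root.get("IssueInstant")),
                     subject.find("saml:NameIdentifier", NS).text.strip(),
                     stmt.get("AuthenticationMethod"),
                     tuple(m.text.strip() for m in methods))

def check_issuer_and_freshness(a, trusted_issuers, now, max_age=timedelta(minutes=5)):
    """Common to both methods: the STS must be trusted and IssueInstant must fall inside
    a short window, so a captured token cannot be replayed indefinitely."""
    if a.issuer not in trusted_issuers:
        return "untrusted token issuer"
    if not (now - max_age <= a.issue_instant <= now + timedelta(minutes=1)):
        return "assertion outside the freshness window"
    return None

def check_sender_vouches(a, sig, body_id, trusted_issuers, trusted_consumers, now):
    """Step 4 of the Sender-Vouches flow as the provider performs it."""
    if SENDER_VOUCHES not in a.confirmation_methods:
        return False, "not a sender-vouches assertion"
    err = check_issuer_and_freshness(a, trusted_issuers, now)
    if err:
        return False, err
    # One signature must bind token and body; an unsigned token could be swapped.
    if not {a.assertion_id, body_id} <= sig.signed_parts:
        return False, "signature does not cover both SAML token and body"
    # The signing certificate must belong to a consumer with a pre-established trust
    # relationship; only then does the consumer's vouching for the subject count.
    if sig.signer_subject_dn not in trusted_consumers:
        return False, "signing certificate is not a trusted WS consumer"
    return True, a.subject

def hok_mac(short_lived_key, assertion_xml, body_xml):
    """Simplified stand-in for the symmetric XML-Signature over token and body."""
    mac = hmac.new(short_lived_key, digestmod=hashlib.sha256)
    mac.update(assertion_xml.encode("utf-8"))
    mac.update(body_xml.encode("utf-8"))
    return mac.hexdigest()

def check_holder_of_key(a, trusted_issuers, now, short_lived_key,
                        assertion_xml, body_xml, mac_from_message):
    """Step 7 of the Holder-of-Key flow: the key carried in the token (assumed already
    decrypted with the provider's private key, step 6) must verify the signature."""
    if HOLDER_OF_KEY not in a.confirmation_methods:
        return False, "not a holder-of-key assertion"
    err = check_issuer_and_freshness(a, trusted_issuers, now)
    if err:
        return False, err
    if not hmac.compare_digest(hok_mac(short_lived_key, assertion_xml, body_xml), mac_from_message):
        return False, "holder-of-key signature does not verify"
    return True, a.subject

if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    sig = SignatureInfo(frozenset({a.assertion_id, "Body-1"}), "CN=WSConsumer,O=TechEd08")
    print(check_sender_vouches(a, sig, "Body-1", {a.issuer}, {"CN=WSConsumer,O=TechEd08"}, SAMPLE_NOW))
    print(check_sender_vouches(a, sig, "Body-1", {a.issuer}, {"CN=WSConsumer,O=TechEd08"}, SAMPLE_LATER))
```

The order of the checks matters less than their completeness: a token from the right STS with a valid signature is still worthless if the signature covers only the body, because the assertion (and with it the asserted user) could then be exchanged without invalidating the signature; this is the reason both confirmation methods in the slides sign token and body together.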
How are the Common SSO Issues Addressed by WS-Security and the SAML Token Profile?
Syntax and Semantics of the security information
How is the security information serialized on the wire? What is the syntax and semantics of this serialized security information about an end user (identity)?
SAML Assertions carry the end-user identity: Name, User ID, Roles, Groups, ...
Supported in
SAP NetWeaver 7.0 >= SP14 (ABAP)
SAP NetWeaver 7.1 (Java, ABAP)
SAML Token Profile Support in SAP NetWeaver
Support in Current Releases 7.0 and 7.1 (2/3)
[Figure: Non-SAP Platform and SAP NetWeaver; Token Issuer (STS) with a trust relationship; Token Acquisition / Issuance.]
Only support for symmetric keys in SAML 1.1 Holder of Key Tokens (i.e. no support for asymmetric keys)
Planned for SAP EHP1*, SP2 for SAP NetWeaver 7.1 (Live-Demo in this Session!):
SAP NetWeaver 7.01 SP2 (ABAP) (Oct 2008)
SAP NetWeaver 7.11 SP1 (Java, ABAP) (Dec 2008)
Planned for SAP EHP2* for SAP NetWeaver 7.1:
SAP NetWeaver 7.02 (ABAP) (Q3 2009)
SAP NetWeaver 7.12 (Java, ABAP) (Q3 2009)
* Enhancement Package
.NET 2.0 supports core Web Service standards, such as WSDL 1.1 and SOAP 1.1/1.2
Web Services Enhancements (WSE) for Microsoft .NET 2.0 is a supported add-on to Microsoft Visual Studio .NET and the Microsoft .NET 2.0 Framework providing support for WS-Security and other advanced Web Service protocols
With .NET 3.0, these advanced Web Service protocols became an integral part of the .NET Framework, which is now called the Windows Communication Foundation (WCF, formerly known as Indigo)
[Figure: .NET 3.0 stack: .NET Application and .NET Dev. Tools on top of WCF (Indigo), WPF (Avalon), WCS (Infocard) and WWF (Workflow); below them the .NET 2.0 CLR and .NET 2.0 Base Class Libraries (ASP.NET 2.0, ADO.NET 2.0, WinForms 2.0) on Windows (XP, Server 2003/R2, Vista, Longhorn).]
[Figure: WCF channel stack: Transport (TCP, HTTP, MSMQ, ...), Encoders (Text, Binary, ...), Protocol(s) (Security, Reliability, .NET, ...).]
Support* for Web Services Core- and WS-Security Standards in WCF System-Provided Bindings:

Binding                   SOAP   WSDL   WS-Security   Security Token Profiles
wsHttpBinding             1.2    1.1    1.1           Username, X.509
wsFederationHttpBinding   1.2    1.1    1.1           Username, X.509, SAML 1.1
(The slide groups these columns under "Interoperability" and "Functionality".)

Support for Web Services Core- and WS-Security Standards in SAP NetWeaver
(Columns: SOAP, WSDL, WS-Security, Security Token Profiles)
* http://msdn2.microsoft.com/en-us/library/ms730294.aspx
SAML Token Profile Support in .NET WCF
However, WCF does not support the STR-Transform algorithm which is required to sign SAML Tokens with the Sender-Vouches confirmation method.
! To implement an interoperability scenario between SAP NetWeaver and .NET, a WCF custom binding is required to support the use of SAML Token Profile 1.0, WS-Security 1.0 and SOAP 1.1 on the WS Consumer side. In addition, Holder-of-Key support in SAP NetWeaver is a prerequisite.
[Figure: Web Service Consumer on Microsoft .NET 3.0/WCF and Web Service Provider on SAP NetWeaver, with the numbered steps of the message exchange.]
Configuration Steps for the Interoperability Scenario with SAML Token Profile (HoK)
SAML-based message authentication: WS Endpoint Configuration in SAP NetWeaver (transaction SOAMANAGER)
User Mapping: maintain the mapping of the external user id (e.g. Windows Domain Name) to the internal SAP user id
WS Endpoint Configuration
1 Invoke Transaction SOAMANAGER
3 Search for the service, select it in the search results list and click on Apply Selection
4 Click on Create Service to create a new service or select an existing entry and click on Edit
6 Click on Save
User Mapping
1 Start the ABAP Editor with transaction SE38
3 Enter the SAP user name and select SA for the External ID type. Optionally, enter the prefix (e.g. Token Issuer/STS name + "::" + Windows Domain Name) and/or suffix that is present in the external name. In addition, enter the DN of the Token Issuer's (STS) certificate
5 Display the current SAML user mappings with the Data Browser (SE16)
8 Display the external SAML Mapping
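The user-mapping step above stores, per SAP user, an external id of type SA, an optional prefix and suffix that appear in the external name, and the DN of the Token Issuer's certificate. The following added example (not SAP code; the mapping entries, DNs and user names are constructed) shows the lookup such a table implies: the external name from the assertion is matched only against entries bound to the DN of the STS that issued the token, and the prefix and suffix are stripped before the remaining core is compared with the stored external id. Binding the entry to the issuer DN is what prevents a different STS from asserting the same external name and landing on the same SAP user.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SamlUserMapping:
    """One row of the mapping table described in the slides (constructed model)."""
    sap_user: str
    external_id: str      # external id of type "SA"
    issuer_dn: str        # DN of the Token Issuer (STS) certificate
    prefix: str = ""      # e.g. STS name + "::" + Windows Domain Name + "\"
    suffix: str = ""

# Constructed mapping table: two STSs, two users, two prefix conventions.
MAPPINGS = (
    SamlUserMapping("STEFANIE", "stefanie", "CN=TechEdAuthority,O=TechEd08",
                    prefix="TechEd08\\"),
    SamlUserMapping("JDOE", "jdoe", "CN=PartnerSTS,O=Partner",
                    prefix="PartnerSTS::PARTNER\\", suffix="@partner.example"),
)

def map_external_user(external_name, issuer_dn, mappings=MAPPINGS):
    """Return the SAP user for an asserted external name, or None if no entry matches.

    external_name: NameIdentifier text from the SAML assertion.
    issuer_dn:     subject DN of the certificate that signed the assertion.
    Comparison is exact and case-sensitive; normalise before calling if the
    deployment treats domain names case-insensitively."""
    for m in mappings:
        if m.issuer_dn != issuer_dn:
            continue  # entry belongs to another STS; its names must not match here
        if not (external_name.startswith(m.prefix) and external_name.endswith(m.suffix)):
            continue
        core = external_name[len(m.prefix):len(external_name) - len(m.suffix)]
        if core == m.external_id:
            return m.sap_user
    return None

if __name__ == "__main__":
    print(map_external_user("TechEd08\\stefanie", "CN=TechEdAuthority,O=TechEd08"))  # STEFANIE
    print(map_external_user("TechEd08\\stefanie", "CN=Unknown,O=Elsewhere"))          # None
```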
SAP PRESS
The Developer's Guide to SAP NetWeaver Security *
~ 600 pages + CD-ROM, ISBN 978-1-59229-180-9, http://www.sappress.com/product.cfm?account=&product=H2919
Thank You !