Sim 208

SIM208
SSO for SAP NetWeaver Leveraging

X.509 Certificate Auto Enrollment
in Microsoft Active Directory
André Fischer, Strategic Alliance Microsoft, SAP AG

Carsten Boennen, Strategic Alliance Microsoft, SAP AG
Disclaimer
This presentation outlines our general product direction and should not be
relied on in making a purchase decision. This presentation is not subject to
your license agreement or any other agreement with SAP. SAP has no
obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are
subject to change and may be changed by SAP at any time for any reason
without notice. This document is provided without a warranty of any kind,
either express or implied, including but not limited to, the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 2

Agenda
1. Why using a PKI for SSO?

2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

What the User Wants …
Authentication to SRM ERP

local desktop
Workflow CRM
Access
Internet ESS
Authenticate Groupware ...

only once
What is the Reality?
Workflow SRM
ERP
jdo
e1
e
CRM
o
23
jd
jdo
e1 e
23 j do
Group- jane.doe@company,com ESS

doejan
ware
Jane Doe
“I have too many passwords!”

! “I forgot my username”

How Does a PKI Address these Issues?
Microsoft Active Directory

X.509-enabled SAP Systems
with an
Enterprise CA
ESS
SRM
1
Workflow
3
2
ERP
Jane Doe
ESS
1 Jane Doe logs on at her desktop to Microsoft Active Directory
2 After verifying Jane‘s identity, the Microsoft CA issues an X.509 certificate to Jane
3 Jane can use her X.509 certificate as a login for Single Sign-On at any SAP System
supporting X.509 certificates
What the Administrator Wants …
Central user management

Single point of administration
Assign user rights in various applications with one keystroke
Lock or delete users centrally
Central user repository
Avoid redundant user information

Learning Objective
As a result of this lecture session, you will

Understand the benefits of using a PKI infrastructure to achieve SSO for an SAP
System landscape
Learn how to leverage Microsoft Active Directory to roll out X.509 certificates
automatically
Know about the key figures from SAP’s implementation

Central User Management using
SAP NetWeaver Identity Management 7.0
IDM should be triggered Business process relies on
by identity business appropriate user and role
processes and data assignments in systems
e.g. Order2Cash
Identity virtualization and
e.g. on-boarding identity as service through
Data standard interfaces Approval
HR Workflows
HR
Integration
SAP NetWeaver Central Identity store
Definition and rule- Identity
based assignment of Management
meta roles Distribution of users
and role assignments
for SAP and non-SAP
Identity Mgmt.
systems
monitoring & Audit
Microsoft
Legacy
App.
Exchange
SAP FI SAP HR SAP ERP SAP SAP Web Server
ABAP ABAP ABAP Java Portal App.
Java Operating
SAP XI Databases Systems
ABAP UME UME
Java
Microsoft Active Directory
Definition of Single Sign-On (SSO)
Wikipedia defines Single Sign-On as:
Single sign-on (SSO) is a method of access control

that enables a user to authenticate once and
gain access to the resources of multiple
software systems*.
* http://en.wikipedia.org/wiki/Single_sign-on

Basic Architectural Pattern for Single Sign-On
(SSO)
Issuing Authority: A system entity that Issuing

issues security-related information Authority
Trust
about individual users. Usually this Relationship
includes at least identity information
about the user (e.g. a user name or 1
E-Mail address)
2
Relying Party: A system entity that
decides to take an action based on
the security information provided by 3 Relying
User
the Issuing Authority. The Relying 4 Party
Party must have a trust relationship
with the Issuing Authority 1. User authenticates at Issuing Authority and request the
security data that is required to access a protected
User: A natural person who makes resource at the Relying Party
use of a system and its resources
2. Issuing Authority responds with the security information
about the user
3. User authenticates with the issued data at the Relying
Party to access a protected resource
4. Relying Party authenticates the user based on the
security information issued by the Issuing Authority and
sends response
Important Characteristics of Single Sign-On
Technologies and Standards
Domain A
Cross-Domain
Is it possible to use the SSO technology only SSO
within a security domain (i.e. the corporate

Intranet) or can it be used across different Domain B
SS
domains (e.g. in a B2B scenario)? O
Cross-Platform
Which platforms are supported by the SSO
Platform SSO Platform
technology? Is it a widely adopted standard in
the industry or a vendor-specific technology? A B
User Agent
Which type of user agent (e.g. Web Browser,
SSO
Web Service Consumer, Mobile Clients, NW BC,
SAPGUI) is supported by the SSO technology?

NetWeaver Application Server – User Agents
Web Browser, Web Service

NW Business Client Consumer
HTTP(S) SOAP/XML
Internet Communication Manager
Application Server
SAP J2EE
SAP GUI
ABAP DIAG
Engine RFC
External Systems
RFC
Operating System
DB Server
Database System

Single Sign-On Technologies Supported by
SAP as a Service Provider
SAP Logon
SAP stack User Agent X.509 Kerberos SAML 1.1
Tickets
SAP NW SAPGUI/
Yes (1) Yes (2) Yes No
AS ABAP RFC
Web Browser /
Yes No Yes Yes (4,9)
SAP NW BC
.NET Web Service Yes No (3) Yes Yes (5,8)
SAP NW Web Browser /

Yes Yes Yes Yes (4,6)
AS JAVA SAP NW BC
.NET Web Service Yes No (3) Yes Yes (5,7)
(1) 3rd party SNC product needed (5) WS-Security SAML Token Profile (HoK)
(2) SAP NW AS ABAP has to run on Windows (6) as of NW 04 JAVA
(3) Only a workaround available described in a (7) as of NW 7.11 SP1 JAVA
SDN whitepaper (8) as of NW 7.01 SP1 and NW 7.11 SP1 ABAP
(4) SAML Browser/Artifact Profile (9) as of NW 7.1 ABAP
Agenda

3.3. SAPGUI

Active Directory Certificate Services
Part of Windows Server 2003 and Windows Server 2008
Easy deployment of certificates throughout the enterprise

using MS-Active Directory
No per-certificate fees or per-user PKI licenses
Allows centralized user security management
Cross-Platform SSO for example with SAP components

Certificate Server Architecture
CertSrv receives requests

via DCOM
CertSrv Operates in two
modes: Enterprise and
Standalone
In Enterprise mode AD is
used for Certificate
Templates publishing
certificates and CRLs and
clients use the templates to
create specific requests
CertSrv uses CryptoAPI for
cryptographic operations

Active Directory Certificate Services –
Certificate Auto Enrollment
Automatic enrollment of certificates to users and computers that are members of

an Active Directory
Activated and managed by a domain-based Group Policy
Available since Windows Server 2003 ….
…. So why has it not been used so far ?

Problems with Auto Enrollment of X.509
Certificates in the Past
Boundary conditions / Requirements:

X.509 certificates should be available for a user on any machine in a domain
Alternatives available so far:

Smart Cards
Roaming Profiles
Drawbacks of using Smart Cards or Roaming Profiles

High deployment costs
High costs of maintenance
Æ Solution: Credential Roaming

Certificate Enrollment and Credential Roaming
on Multiple Computers
Active Directory replication

Active Directory
User Object
Active Directory
User Object
credential credential
roaming roaming
certificate enrollment User‘s

Credential
User‘s Store „My“
Credential
Store „My“

Credential Roaming Releases
Front-end Comments
operating system
Windows Server
2003 SP1 +
Software Update
Windows XP SP2 +
Software Update
VISTA Credential Roaming allows also secure storage of

stored user names and password
Windows Server Credential Roaming allows also secure storage of

2008 stored user names and password
Source: Microsoft TechNet

Active Directory – Requirements
Domain Controller Windows Server Windows Server

2003 SP1 or later 2008
Schema Update is required if Yes Not required

the current schema version is
lower than 34
Administrative Template Yes Not Required

(ADM) import into Group
Policy is required
Active Directory Security Yes Not required

Descriptor property settings
must be applied manually
Source: Microsoft TechNet

Client Certificate Storage in Microsoft Active
Directory 2003 SP1
Common Current user Other users

Name or domain
administrator
ms- Read/Write Not visible and

PKIDPAPI no access
MasterKeys

PKIAccount no access
Credentials

PKIRoaming no access
TimeStamp

Where can Client Credential Roaming be
Used?
Intranet Scenario
All users have to be domain members
All Client PC’s have to be domain members
SAP acts as service provider
Other scenarios might require different technologies such as SAML

Federation
Impersonation

Benefits of Using Client Credential Roaming
Central secure storage of X.509 certificates in Microsoft Active Directory

High availability because data is stored on each domain controller
High performance because data is retrieved from a local domain controller rather than
from a central server
Only small amount of data (digital certificates and private keys) has to be roamed

Agenda

3.3. SAPGUI

Walkthrough
Walkthrough – Administrator‘s View
Create User in Active Directory

Walkthrough – Administrator‘s View
Checking Auto Enrollment Process

Walkthrough – User's View
Logon to Workstation

Logon Process

Certificates Stored in Users Certificate Store

Certificate Services Client-Credential Roaming
X.509 certificates are stored in the users „Personal“ store on each computer the
user logs on
Here: 172.16.14.136 and 172.16.14.139

Agenda

2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming -
Overview
3.3. SAPGUI

Configuration Steps in Microsoft Active
Directory 2008 - Overview
Add Role Active Directory Certificate Services to a server

Enterprise Root CA
Configure Certificate Template
Configure CA to issue the Auto enrolled User certificate
Establish Group Policy for auto enrollment of domain users

Add Active Directory Certificate Services
Server Role in Windows Server 2008

Microsoft Active Directory: Establishing Auto
Enrollment for User Certificates
Certificate Templates
Define the format and content of a
certificate
Define how incoming certificate
requests are handled
Define the certificates issued by
enterprise CAs
Arestored in the Configuration
Naming container of Active Directory
How to configure
Tool: MMC Snap-In Certificate
Templates
Duplicate User template
Check: Publish in Active Directory

Configure an Enterprise CA to Issue the Auto
Enrolled User Certificate
Tool: MMC Snap-In Certification Authority

Select Certificate Template to Issue

Establishing Policy for Auto Enrollment of
Domain Users and Credential Roaming
Group Policy
Settings

Restrict Private Key Export
PKCS#12-Export of private key

can be restricted
Settings valid for Certificate
Template used

Agenda

3.3. SAPGUI

SSO Scenario Web Browser / NW BC:
X.509 Client Certificates Based Authentication
Authentication occurs using SSL

with mutual authentication
Portal
BSP pages
User possesses a public /
private key pair and
public-key certificate issued by a
Certificate Authority (CA)
Web ITS
SL
S
L Dynpro
SS
Access
ABAP
SSL
Web Other...
Dynpro
X.509 Client Certificate JAVA
Authentication and SSL With X.509
Certificates
Mutualauthentication between Alice and the server

The SSL – Process:
Client sends „Hello“-message to server

Server sends his certificate and asks for client cert.
sends his certificate , encrypted secret key

and list of supported crypto algorithms
Sends back confirmation
Alice
Private Session established Private
Public …using symmetric encryption Public
Secret Secret

Configuring SAP NW AS ABAP 7.0 to Accept
Client Certificate Authentication – Overview
Configure SSL support
Set profile parameter
icm/HTTPS/verify_client
Import the issuing CA’s root

certificate
Maintain user mapping in table

USREXTID
Transaction EXTID_DN
CERTMAP service
/sap/bc/bsp/sap/certmap
More details on:
http://help.sap.com

Configuring the J2EE Engine to Accept Client
Certificate Authentication – Overview
Key Storage Service

Import Certificate Authority’s (CA) root certificate as a certificate entry in the
TrustedCAs view
SSL Provider Service

Request or require client certificates for authentication
Import CA root certificate in Trusted Certification Authorities list
Security Provider Service

Adjust login module stacks to accept client certificates using ClientCertLoginModule
and CertPersisterLoginModule (optional)
Result: Client Certificates can be used to authenticate users

J2EE Engine:
Options for Client Certificate Authentication
Using Stored Certificate Mappings

As of minimum versions:
SAP NetWeaver 6.40 SP16
SAP NetWeaver 7.0 SP7
Using Rules Based on Client Certificates Subject Names
Using Rules Based on Client Certificate V3 Extensions
Using Rules to Filter Client Certificates

Agenda

3.3. SAPGUI

SSO Scenario: Web Services
Benefits of WS-Security
End-to-End security
WS Consumer
via EAI WS Provider
WS-Security
SSL with mutual
authentication
WS Consumer
direct call
X.509 cannot be federated EAI Server
since the private key would
have to be accessible on the SSL Termination
EAI Server
-> SAML or SAP Logon Tickets are a solution

Authentication and SSO for Enterprise
Services
Authentication can occur with mechanisms that are available with:
Ö the transport (HTTP protocol)
Ö the message (SOAP)
Message level mechanisms build on transport level
Ö authentication levels not mutually exclusive
Setup at service provider – inherit at service consumer
Ö WS Security Policy WSDL Extensions
Supported Mechanisms:
Username Token Profiles
Service Consumer
Service
Service Provider
Message Level
X.509 Certificate Token Profiles
Application
Application
SAML Token Profiles*
User ID and Password

Service
X.509 Client Certificates (no rules!)
Transport Level
Logon Tickets
*supported with SAP NetWeaver Java 7.1

SSO and User Identity Propagation for
Services
User Identity propagation with standard platform solutions recommended to:
Secure Authentication of end users accessing enterprise services
Authorize user access to service resources based on user‘s own role and
permission assignments
Audit user access to remote service provider resources
Propagate user WSS SAML Token Profiles 1

Identity SSO tickets
Authenticate WSS X.509 Certificate Token Profile 1

consumer
X.509 client certificate
system
Authenticate WSS Username Token Profile 1

Service User User ID and Password
1supported for WS Protocols only, SAML token profiles (sender vouches subject) supported with NW AS
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 50 Java 7.1 and NW AS ABAP 7.0 SP 14 and higher
Agenda

3.3. SAPGUI

SSO Scenario: SAPGUI
Using SNC and an External Security Product
SAPGUI SAP NW AS ABAP
SNC SNC
SSO and
GSS-API V2 encryption
GSS-API V2
SNC_LIB SNC_LIB
3rd party SNC Library 3rd party SNC Library
Certificate
Key Store
Microsoft certificate
container
Example of X.509 Certificates with SNC
Solutions: SECUDE signon&secure Client
SECUDE signon&secure Client allows to use different security tokens:

Software key files (PSE or PKCS#12/PFX)
Smartcards (PKCS#11)
Microsoft certificate containers (CSP)
Microsoft certificate containers are

Security tokens accessible via the Microsoft Crypto API
Containers may be imported software keys (PFX), provided by Microsoft built-in Cryptographic
Service Providers (CSPs)
Or smartcards with own vendor CSPs (Siemens, A.E.T., SECUDE, …)

SECUDE signon&secure Client:
Automatic Certificate Selection
Get a
ll
user
SNC_LIB PSE
PSE certifi
SNC_LIB c
Service
Service s from ate
MY
store
he
ll t r
Ca filte
Filter
Filter patterns
patterns from
from
SNC_LIB
SNC_LIB Group Policy:
Group Policy:
Exact
Exact match
match

SECUDE signon&secure Client:
Interactive Certificate Selection
t a l l us er
Ge
e r ti fi cates
c Y
f r om M
SNC_LIB PSE
PSE store
SNC_LIB e
Service
Service ll th
a
C ter
fil
Filter
Filter patterns
patterns from
from
Group Policy:
Group Policy:
More
More than
than one
one
SNC_LIB
SNC_LIB

Agenda

3.3. SAPGUI

Certificate Services @ SAP
Current Project:
Migration of SAP’s internal PKI infrastructure to
Microsoft Certificate Services
Key Figures:
Planned Rollout Q4/2008
Migration of an existing RootCA
More than 30.000 user’s

Further Information
Î SAP Public Web:

SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
Î Microsoft Public Web:
Microsoft TechNet: technet.microsoft.com
Î Related SAP Education and Certification Opportunities
http://www.sap.com/education/
Î Related Workshops/Lectures at SAP TechEd 2007

SIM265, Configuring J2EE and SAP NetWeaver Portal UME
Authentication , Hands-on (2 hours)
SIM206, Single Sign-On in Heterogeneous System Landscapes and
SAML, Lecture (1 hour)
SIM207, Towards Interoperable SSO for Web Services, Lecture (2
hours)
Building Your Business with
SDN Subscriptions
SDN Subscriptions offers developers and consultants like you,

an annual license to the complete SAP NetWeaver platform
software, related services, and educational content, to keep
you at the top of your profession.
SDN Software Subscriptions: (currently available in U.S. and Germany)

A one year low cost, development, test, and commercialization
license to the complete SAP NetWeaver software platform
Automatic notification for patches and updates
Continuous learning presentations and demos to build
expertise in each of the SAP NetWeaver platform components
A personal SAP namespace
SAP NetWeaver Content Subscription: (available globally)

Starter Kit
An online library of continuous learning content to help build skills.
To learn more or to get your own SDN Subscription, visit us at the

Community Clubhouse or at www.sdn.sap.com/irj/sdn/subscriptions
SDN Subscriptions Program
The SDN Subscriptions Program introduces the SAP NetWeaver,

Development Subscription for individual developers. Available for purchase
in Germany and the United States.
Subscription gives you one year access to …
SAP NetWeaver platform software, patches, and updates
Development license for SAP NetWeaver to evaluate, develop and test
Standard software maintenance
Online sessions from SAP TechEd
Access to SAP Enterprise Services Workplace for testing
Premium presence in forums
Purchase the SAP NetWeaver, Development Subscription today at

the SAP Community Clubhouse, or online at
https://www.sdn.sap.com/irj/sdn/devsub
Visit us at the Community Clubhouse, show us you are a subscriber,
and get a gift!
Thank you!

Feedback
Please complete your session evaluation.
Be courteous — deposit your trash,
and do not take the handouts for the following session.
Thank You !

Sim 208

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Sim 208

Caricato da

Copyright:

Formati disponibili

SIM208

SSO for SAP NetWeaver Leveraging

André Fischer, Strategic Alliance Microsoft, SAP AG

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 2

1. Why using a PKI for SSO?

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 3

Authentication to SRM ERP

Authenticate Groupware ...

Group- jane.doe@company,com ESS

“I have too many passwords!”

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 5

Microsoft Active Directory

1 Jane Doe logs on at her desktop to Microsoft Active Directory

 Central user management

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 7

As a result of this lecture session, you will

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 8

Wikipedia defines Single Sign-On as:

Single sign-on (SSO) is a method of access control

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 10

 Issuing Authority: A system entity that Issuing

within a security domain (i.e. the corporate

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 12

Web Browser, Web Service

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 13

.NET Web Service Yes No (3) Yes Yes (5,8)

SAP NW Web Browser /

.NET Web Service Yes No (3) Yes Yes (5,7)

1. Why using a PKI for SSO?

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 15

 Part of Windows Server 2003 and Windows Server 2008

 Easy deployment of certificates throughout the enterprise

 No per-certificate fees or per-user PKI licenses

 Allows centralized user security management

 Cross-Platform SSO for example with SAP components

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 16

 CertSrv receives requests

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 17

 Automatic enrollment of certificates to users and computers that are members of

 Activated and managed by a domain-based Group Policy

 Available since Windows Server 2003 ….

…. So why has it not been used so far ?

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 18

Boundary conditions / Requirements:

Alternatives available so far:

Drawbacks of using Smart Cards or Roaming Profiles

 High costs of maintenance

Æ Solution: Credential Roaming

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 19

Active Directory replication

certificate enrollment User‘s

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 20

VISTA Credential Roaming allows also secure storage of

Windows Server Credential Roaming allows also secure storage of

Source: Microsoft TechNet

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 21

Domain Controller Windows Server Windows Server

Schema Update is required if  Yes  Not required

Administrative Template  Yes  Not Required

Active Directory Security  Yes  Not required

Source: Microsoft TechNet

Common Current user Other users

ms- Read/Write Not visible and

Central user management

Issuing Authority: A system entity that Issuing

Part of Windows Server 2003 and Windows Server 2008

Easy deployment of certificates throughout the enterprise

No per-certificate fees or per-user PKI licenses

Allows centralized user security management

Cross-Platform SSO for example with SAP components

CertSrv receives requests

Automatic enrollment of certificates to users and computers that are members of

Activated and managed by a domain-based Group Policy

Available since Windows Server 2003 ….

High costs of maintenance

Schema Update is required if Yes Not required

Administrative Template Yes Not Required

Active Directory Security Yes Not required

SAP acts as service provider

Other scenarios might require different technologies such as SAML

Central secure storage of X.509 certificates in Microsoft Active Directory

Here: 172.16.14.136 and 172.16.14.139

Add Role Active Directory Certificate Services to a server

Configure Certificate Template

Configure CA to issue the Auto enrolled User certificate

Establish Group Policy for auto enrollment of domain users

Tool: MMC Snap-In Certification Authority

PKCS#12-Export of private key

Authentication occurs using SSL

Mutualauthentication between Alice and the server

Configure SSL support

Set profile parameter

Import the issuing CA’s root

Maintain user mapping in table

Using Stored Certificate Mappings

Using Rules Based on Client Certificate V3 Extensions

Using Rules to Filter Client Certificates

Audit user access to remote service provider resources