SAML in UI based SOAScenarios

SAP NetWeaver Product Management Security

June 2008

© SAP 2008 Page 2

Agenda

1. Typical Authentication and SSO Scenarios in SOA2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML4. Single Sign-On using SAML Token Profile5. Outlook

© SAP 2008 Page 3

ServiceProviderServiceProvider

Service ClientService Client

Secure authentication or SSO of users accessing enterprise resourcesAuthorize user access to enterprise system resources with user‘s own role andpermission assignmentsAudit user access to enterprise system resources

Bob Bob

HTTPSOAPRFCRMI

Bob

User Identity Propagation forService Call

Access Management and the UserAuthentication Lifecycle in SOA

ServiceConsumerPortal

Initial User Authentication orSSO to Portal or Desktop

application

© SAP 2008 Page 4

Single Sign-On

Single Sign-On (SSO)User authenticates once against a security systemUser is then seamlessly authenticated to access other systemsAuthentication against other applications is transparent for the user

Identity Management for SSOSynchronization, provisioning or mapping of user identities for SSOUser identities for SSO must match to avoid unintended “user impersonations”Central user identity management to avoid redundant user information

Mainstream Integrated Authentication and SSO Solutionsin SAP NetWeaver

X.509 Client Certificates and PKIsWindows Integrated Authentication and KerberosSAP Logon Tickets and Trusted SystemsSAML Assertions with Trusted SystemsHeader VariablesCustom – JAAS or GSS-API v2 based integration

© SAP 2008 Page 5

Standardizing End to End SSO Scenarios onSAML

2. SSO with SAML

Browser Artifact

3. Acc

ess t

o Res

ourc

e

with

WSS

SAM

L To

ken

Prof

ile

Initial UserAuthentication

Any Supported Solutione.g. SPNego for Windows

integrated authentication

SSO for Web browserapplications

SAML Browser/ArtifactProfile

SSO for Web ServicesWSS SAML Token Profile

Portal

Web Service ProviderSAP NetWeaver AS ABAP

Web Service ConsumerSAP NetWeaver AS ABAP

1. Integrated User

Authentication

against Portal

Synchronized UserIds for SSO via IdM

or User Mapping

Synchronized UserIds for SSO via IdM

or User Mapping

Synchronize User Identitiesfor SSO with

SAP NetWeaver IdentityManagement or User

Mapping

SAML IdentityProvider

SAP NetWeaver Portal or CE 7.1

1

2

3

© SAP 2008 Page 6

IdM / LDAPDirectory

The Big Picture

Authentication

UME (Web AS Java)SAP NetWeaver Portal

Use as userrepository

HR

Create andmodify users

Use as userrepository

UME(Web AS Java)

J2EE / EE 5Application

WebDynpro IdM

Synchronizeuser data

other SAPSystems

User data

Microsoft basedapplications

IBM/Lotusapplications

SSOSSOSSO SSOSSOSSO

SSO

SAP ISAPI Filter orSSO22KerbMapSAP

DSAPIFilterLTPA

KERB

© SAP 2008 Page 7

Agenda

1. Typical Authentication and SSO Scenarios in SOA2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML4. Single Sign-On using SAML Token Profile5. Outlook

© SAP 2008 Page 8

© SAP 2008 / SAP TechEd 08 / SIM203 / Page 7

IdM / LDAPDirectory

The Big Picture

Authentication

UME (Web AS Java)SAP NetWeaver Portal

Use as userrepository

HR

Create andmodify users

Use as userrepository

UME(Web AS Java)

J2EE / EE 5Application

WebDynpro IdM

Synchronizeuser data

other SAPSystems

User data

Microsoft basedapplications

IBM/Lotusapplications

SSOSSOSSO SSOSSOSSO

SSO

SAP ISAPI Filter orSSO22KerbMapSAP

DSAPIFilterLTPA

KERB

In this Section:Focus on Windows Integrated Authentication

MicrosoftActive

Directoryand Windows

Domain

© SAP 2008 Page 9

Kerberos for User Authentication in SAPNetWeaver – SSO Process

Authenticateonce to Domain SSO Access to Information Content

Available from Portal Server iViews

1. Initiallogon inDomain

4. Kerberos Ticket Request5. Kerberos Ticket Response

2. Call Portal URL

Domain Controller (KDC)

7. Ticket verificationand user ID resolution

8. Username

3. Error 401Req. Kerberos Ticket

BI

CRM

Other…

BusinessApps

Intranet

Collaborate6. Forward Kerberos Ticket

9. Resource

© SAP 2008 Page 10

Integrated User Authentication from Browser to SAP NetWeaver AS Java/ Portalby natively leveraging Microsoft Windows credentials (Kerberos) for authentication“

ActiveDirectory /Windows domaincontroller

SAP NetWeaverAS Java / Portal

4.SAP LogonTicket issued

2. BrowserSends windowscredentials

1.WindowsdomainLogon

3. SPNegochecks via JVMcredentialsagainst DC andUME resolvesuser id

Enabling User Authentication with Kerberos on theSAP NetWeaver Portal: SPNegoLoginModule

PrerequisitesMicrosoft Windows domain

Authentication of users is delegated tothe Windows Domain Controller1. User authenticates against Windows domain on

his or her workstation2. On portal access user’s browser sends Kerberos

Session Ticket to SAP NetWeaver AS Java orPortal

3. UME of AS Java/Portal resolves user id fromUser Principal Name in Windows Domain

4. Further user interactions with Portal and backendsystems in iViews with SSO tickets

Typical deployment scenariosIntranet scenarios

© SAP 2008 Page 11

JAAS SPNego LoginModule: AuthenticationFlow on the Wire

© SAP 2008 Page 12

SPNego Use Cases

SPNego can see application for authentication in many scenariosSAP NetWeaver Portal in intranetSAP NetWeaver Portal in intranet + external access with SSO tickets or SAML to Portal applications:

Web Dynpro applicationsABAP applications, e.g. SAP BW web reports, BSP pages,…Integrated ITS (as of 6.40 onwards)

Duet scenario for service-based access and SSO to SAP NetWeaver applications...and others

Security considerationsIn the JVM 1.4.x versions, Kerberos tokens are only 56-bit encryptedGood passwords for the J2EE user account in AD are important for the security of the solutionThe Kerberos Key Table represents the J2EE engine’s identity; Malicious users who obtain the Key Tablecan setup a phishing site by impersonating the J2EE engine

Generate the Key Table with encryption type DES-CBC-MD5; do not use DES-CBC-CRCKeep the Key Table file in a safe place. Allow only <SID>adm and SAPService<SID> to access theKey TableIn a high security environment, change the service user’s password (and the Key Table) periodically

© SAP 2008 Page 13

SPNego Configuration Wizard – 1

SAP Note#994791Availablescenarios:

DB, ADS,multiple ADSas data sourceSUN JDKIBM JDK

Launch the Wizard using: http://<server>:<port>/spnego

© SAP 2008 Page 14

SPNego Configuration Wizard – 2

© SAP 2008 Page 15

SPNego Configuration Wizard – 3

Includes the test facility for the selected user resolution mode

© SAP 2008 Page 16

SPNego Configuration Wizard – 4

Summary of configuration for confirmation

© SAP 2008 Page 17

Configuration on The Browser Clients

Configuration on the browser clients

Windows integrated authentication must be switched onNetWeaver AS host must be explicitly assigned to local intranetAutomatic logon in intranet zone must be allowed

© SAP 2008 Page 18

Summary

SPNego leverages the Kerberos security standard, which is a built-in capability of aMicrosoft Windows user desktop environment, to securely authenticate users toSAP NetWeaver AS Java applications

Prerequisites:SAP NetWeaver J2EE 6.40 SP15 or higherSAP NetWeaver 7.0 J2EE SP6 or higherSAP NetWeaver 7.1 Composition Environment

SPNego enables integrated Windows authentication to the SAP NetWeaver Portaland AS Java

Subsequent single sign-on (SSO) to SAP business applications in Portal, AS Java or ASABAP, displayed in Portal iViews

AS Java Configuration Wizard under application alias /spnego

Useful SAP Notes:968191 – SPNego: Central Note957666 – Diagtool for Troubleshooting Security Configuration

© SAP 2008 Page 19

Agenda

1. Overview SOA Scenarios2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML

3.1 Overview of SAML3.2 SAML Browser/Artifact Profile3.3 Configuration

4. Single Sign-On using SAML Token Profile5. Outlook

© SAP 2008 Page 20

Benefits of Security Assertions MarkupLanguage (SAML)

Interoperable securitysolution to allow systemsintegration with great ease andminimal resourcesSAML can be used acrossdifferent security domains(e.g. In a B2B scenario)

SAML is a protocol forencoding securityrelated information(assertions) into XML andexchanging this information ina request/response fashionProvides standard basedmechanisms to exchangesecurity information usingSOAP, HTTP(s)SAML is an OASISstandard, which is widelyadopted in the industry andvendor independent

Domain A

Domain BSSO

SSO

© SAP 2008 Page 21

SAML Based Scenarios

1. Authentication

2. A

cces

s to

Res

ourc

e

Web Service based SSOSAML Token ProfileWeb Service Security Standard

Web Browser based SSOSAML Browser/Artifact ProfileSAML Standard

SAMLIdentity Provider

SAMLIdentity Provider

SAMLService Provider

SAMLService Provider

ServiceConsumer

ServiceConsumer

© SAP 2008 Page 22

Security Assertion Markup Language (SAML)Building Blocks

Assertions: statements about a subject.This could be an authentication, attributeinformation, or authorization permissions

Protocols: SAML definesrequest/response protocols for obtainingassertions

Protocol Bindings: defines how SAMLprotocols map to transport and messagingprotocols, e.g. SAML SOAP Binding

Profiles: define how assertions, protocols,and bindings are combined for particularuse cases

Profiles

Bindings

Assertions and Protocol

SAML AssertionSAML Assertion

© SAP 2008 Page 23

SAML Assertion

SAML Issuing Authorities produce “Assertions” inresponse to client requests.

An SAML Assertion can consist of

Authentication Statement: Piece of datathat represents an act of authenticationperformed on a subject (user) by the SAMLIssuing Authority

Other Statements: Attribute Statement,Authorization Decision Statement

SAML AssertionSAML Assertion

AuthenticationStatement

Other StatementsOther Statements

© SAP 2008 Page 24

SAML Request / Response

SAMLIdentity Provider

SAMLIdentity Provider

SAMLIdentity Provider Service ProviderService Provider

SOAP EnvelopeSOAP EnvelopeSOAP Header

SOAP BodySAMLResponseAssertion

SOAP EnvelopeSOAP EnvelopeSOAP Header

SOAP BodySAMLRequest

© SAP 2008 Page 25

SAML Request / Response

<samlp:Request ..RequestID="ID563AD51D8FE16A713C4E38C279492DDEDAB65A5A"xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><samlp:AssertionArtifact>AAH7boOW79mDzbpq7B35WtLF4MP0rzC3J3BM16F+gm0EluFkAAAAAAAA</samlp:AssertionArtifact>

</samlp:Request>

Request Response<samlp:ResponseInResponseTo="ID563AD51D8FE16A713C4E38C279492DDEDAB65A5A" ..ResponseID="ID67AB48DAFA08159A35AE6B4BAB109D8E0AF063E9“..<saml:AssertionAssertionID="ID9BB9590058FBC303414444F2D8D81C52D91D640B" ..Issuer="www.samlssodemo.com" ..

<saml:AuthenticationStatement ..AuthenticationMethod="urn:ietf:rfc:1510">

<saml:Subject><saml:NameIdentifier>SAML_DEST</saml:NameIdentifier>

</saml:Subject></saml:AuthenticationStatement>

</saml:Assertion></samlp:Response>

© SAP 2008 Page 26

Agenda

1. Overview SOA Scenarios2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML

3.1 Overview of SAML3.2 SAML Browser/Artifact Profile3.3 Configuration

4. Single Sign-On using SAML Token Profile5. Outlook

© SAP 2008 Page 27

SAML – Browser/Artifact Profile for Web SSO

Initiallogon

1. Request for a Resource

Source Web Site

3. SAML Assertion Request

4. SAML Response with Assertion

Destination Web Site

SAMLResponder

SAML Identity Provider SAML Service Provider

Create Artifact and AssertionDetermine SAML Artifact Receiver URL

5. Resource

2. Redirect URL + Artifact

RedirectArtifactReceiver

Authenticate User( User Mapping )

ICF/SAML LoginModule

Resource

Determine IdP basedon SourceID providedwith the ArtifactAnalyze Assertion

SAMLService

SAMLService

SAP NW Portal

ServiceConsumer

SAML Service

© SAP 2008 Page 28

SAP Landscape

Source Web Site Destination Web SiteSAML Identity ProviderSAML Identity Provider SAML Service ProviderSAML Service Provider

SAML Service

SAP NW ABAPICF

Resource

SAP NetWeaver Portal

SAML Login Module

SAP NW Java

SAP NW Java

Artifact ReceiverSAP NW Java

SAMLResponder

SAMLService

Service ConsumerService Consumer

© SAP 2008 Page 29

Agenda

1. Overview SOA Scenarios2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML

3.1 Overview of SAML3.2 SAML Browser/Artifact Profile3.3 Configuration

4. Single Sign-On using SAML Token Profile5. Outlook

© SAP 2008 Page 30

DestinationNW AS ABAPor NW AS Java

request

Source

response

Configuring NW AS ABAPor NW AS Java asDestination Site

Create a role with the action “SAMLResponder” and assign it to thetechnical user that is used by theDestination Site to get the assertion

get assertion

Maintain configuration data for thedestination sites (SAML outboundpartner definition)

Create a system object for the NW ASABAP and system alias

Maintain Portal Content (e.g. iView)

Configuration of SAML With NW Portal asSource Site

Prerequisites:You have configured SSL

© SAP 2008 Page 31

Maintain Configuration Data for the DestinationSites (SAML Outbound Partner Definition)

NWA: Configuration Management – Infrastructure – Trusted Systems-SAML Browser/Artifact Profile – Outbound Partners

© SAP 2008 Page 32

Create a System Object for the NW AS ABAPand System Alias

Portal: System Administration – System ConfigurationNew Property: SAML PartnernameNew Logon Method value: SAML Browser/Artifact

© SAP 2008 Page 33

DestinationNW AS ABAP

request

Source

response

Establishing a Connection between ASABAP and AS Java (RFC)

Configuring the Portalas a SAML Source Site

Configuring AS Java as a SAML DestinationSite (Partner Inbound)

Activating SAML for Resources in the ASABAP (SAML Login Module)

Mapping SAML Principals to AS ABAP UserID’s (VUSREXTID)

get assertion NW ASJava RFC

HTTPS

HTTPS

12

3 4

5

Configuration of SAML With NW AS ABAP asDestination Site

Prerequisites:You have configured SSL

© SAP 2008 Page 34

Configuring AS Java as a SAML DestinationSite (Partner Inbound)

NWA: Configuration Management – Infrastructure – Trusted Systems-SAML Browser/Artifact Profile – Inbound Partners

© SAP 2008 Page 35

Activating SAML for Resources in the ASABAP (SAML Login Module)

Transaction SICF: Logon Procedure: Alternative Logon Procedure

Logon Procedure: SAML Authentication

Maintain RFCDestination on ASABAP

© SAP 2008 Page 36

Mapping SAML Principals to AS ABAP UserID’s (VUSREXTID)

Transaction SM30: VUSREXTIDNew External ID type: SA for SAML NameIdentifier

© SAP 2008 Page 37

DestinationNW AS Java

request

Source

response

Configuring AS Java as a SAML DestinationSite (Partner Inbound)

Configuring the Portalas a SAML Source Site

Adjust login module stack

get assertion

Prerequisites:You have configured SSL

Configuration of SAML With NW AS Java asDestination Site

© SAP 2008 Page 38

Support of SAML Browser/Artifact Profile

Functionality NW04 NW 7.00 NW>=7.10

SAML Browser/Artifact Profile – SAP NetWeaverPortal

- - X

Support for the “SAML Browser/Artifact Profile” as Destination Site

Functionality NW04 NW 7.00 NW>=7.10

SAML Browser/Artifact Profile – Java X X X

SAML Browser/Artifact Profile - ABAP - - X

Support for the “SAML Browser/Artifact Profile” as Source Site

© SAP 2008 Page 39

Agenda

1. Overview SOA Scenarios2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML4. Single Sign-On using SAML Token Profile

4.1 Overview4.2 Configuration

5. Outlook

© SAP 2008 Page 40

SAML Based Scenarios

1. Authentication

2. A

cces

s to

Res

ourc

e

Web Service based SSOSAML Token ProfileWeb Service Security Standard

Web Browser based SSOSAML Browser/Artifact ProfileSAML Standard

SAMLIdentity Provider

SAMLIdentity Provider

SAMLService Provider

SAMLService Provider

ServiceConsumer

ServiceConsumer

© SAP 2008 Page 41

WS-Security Overview

The OASIS WS-Security Standard extends a SOAP message by one or moreWS-Security Headers (wsse:Security) which contains security informationfor each recipient

This new SOAP Header contains all relevant security metadata to secure aSOAP message, such as

Security Tokens to carry security information (e.g. user authenticationdata, X.509 certificates)A Timestamp to protectagainst Replay AttacksSignatures to protectagainst message tampering*Encrypted Keys and Datato protect confidentialinformation

Single Sign-On is provided by usinge.g. SAML Security Tokens

SOAP EnvelopeSOAP Envelope

SOAP Header

SOAP Body

Data

Security Token

Timestamp

Signature

Encrypted Key+ Data

WS-SecurityHeader

* The act of altering something secretly or improperly

© SAP 2008 Page 42

Profiles

Bindings

Assertions and Protocol

Relationship between WS Security SAMLToken Profile and the SAML Standard

SAML AssertionsAuthentication, Attribute

and Authorization Information

SAML AssertionsAuthentication, Attribute

and Authorization Information

SAML Token Profile

references

SAML ConfirmationMethodsSOAP Message Security

Username Token Profile

...

SAML

WS-Security

© SAP 2008 Page 43

SAML Token ProfileA Short Primer

The SAML Token Profile defines theuse of SAML Assertions as SecurityTokens in the WS-Security Header

The SAML Token is used by the serviceprovider to authenticate the userbased on the identity information in theSAML Assertion in incoming requests fromservice consumers

SOAP EnvelopeSOAP Envelope

SOAP Header

SOAP Body

Data

WS-Security

SAML Token

SAML Assertion

AuthenticationStatement

© SAP 2008 Page 44

Token Issuer(STS)

Token Issuer(STS)

Web Services SSO with SAMLGeneral Message Exchange

1. Web Service (WS) Consumerauthenticates at the Token Issuer(Security Token Service, STS) andrequests a SAML Token

2. Token Issuer authenticates the User andissues a SAML Token to the WSConsumer

3. WS Consumer uses the SAML Tokenfor authentication at the WS Provider

4. WS Provider must trust the assertion inthe SAML Token to authenticate the WSConsumer and sends back the response

1

2

3

4SOAP EnvelopeSOAP Envelope

SOAP Header

SOAP Body

Data

WS-Security

SAML Token

Web ServiceConsumer

Web ServiceConsumer

Web ServiceProvider

Web ServiceProvider

The SAML Token profile addresses two major questions:How can the SAML assertions be bound to the SOAP message so that theservice provider can be sure that they belong together?How can the service provider be sure that the sender of the message is really thesubject in the assertion?

© SAP 2008 Page 45

Sender-Vouches (SV) Subject Confirmation MethodThe WS Consumer cryptographically binds the assertion to the body of theSOAP message by signing both with its private keyThe WS Provider compares the identity information from the message signaturewith the subject information in the assertion

Holder-of-Key (HoK) Subject Confirmation MethodThe assertion holds a key that is used by the WS Consumer to cryptographicallybind (sign) the assertion and the body of the SOAP messageThe WS Provider uses the same key to verify the signature. The subject in theassertion is the party that can demonstrate that it is the holder of the key

Token Issuer(STS)

Token Issuer(STS)

Web ServiceProvider

Web ServiceProvider

Sender-Vouches: Basis of trust is the WS Consumer‘s certificate

Holder-of-Key:Basis of trust is the

Token Issuer‘scertificate

Confirmation of the Subject IdentitySAML Confirmation Methods Overview

Web ServiceConsumer

Web ServiceConsumer

© SAP 2008 Page 46

Benefits of WS-Security

WS ProviderWS ProviderWS ConsumerWS Consumer

Reverse ProxyReverse Proxy

End-to-End security

WS-Security

SSLOnly Point-to-Point security

DMZ

The Reverse Proxyterminates the SSLconnection betweenWS Consumer and WSProvider

© SAP 2008 Page 47

SAML Token Profile: WS-Security Header

<wsse:Security><saml:Assertion AssertionID="SAML_ID" Issuer="www.example.org" ...>

<saml:Conditions NotBefore="..." NotOnOrAfter="..."/><saml:AuthenticationStatement AuthenticationMethod="urn:...:password"

AuthenticationInstant="2005-03-19T...Z"<saml:Subject>

<saml:NameIdentifier>MUELLERTHOM2</saml:NameIdentifier><saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches

</saml:ConfirmationMethod><ds:KeyInfo> ... </ds:KeyInfo>

</saml:SubjectConfirmation></saml:Subject>

</saml:AuthenticationStatement><ds:Signature>

<ds:SignedInfo>...<ds:Reference URI="SAML_ID"> ... </ds:Reference>...

</ds:SignedInfo></ds:Signature>

</saml:Assertion></wsse:Security>

Example of SAML Token Profile Usage

© SAP 2008 Page 48

Agenda

1. Overview SOA Scenarios2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML4. Single Sign-On using SAML Token Profile

4.1 Overview4.2 Configuration

5. Outlook

© SAP 2008 Page 49

Configuring SSO With SAML Token Profiles

Configuring SAML Trust Connectionbetween ABAP systems

In the consumer system, start theTrust ManagerIn the system PSE, find the certificateof the consumer system that issuesSAML assertionsExport this system’s certificateIn the provider system import theconsumer system’s certificate

WS ProviderWS Provider

WS ConsumerWS Consumer

system

export

import

STRUST

© SAP 2008 Page 50

Configuring SSO With SAML Token Profiles

Enabling SSO with SAML TokenProfile

Configure a WS service endpoint forproviding a Web ServiceConfigure a WS port for consuming aWeb Service

Maintain User Mapping

WS port

WS service endpoint

User Mapping

SOAMANAGER

SE38 - RSUSREXTIDWS ProviderWS Provider

WS ConsumerWS Consumer

© SAP 2008 Page 51

Configure a WS Service Endpoint for Providinga Web Service

Transaction: SOAMANAGER – Application and Scenario Communication –Single Service Administration: Service Configuration

© SAP 2008 Page 52

Configure a WS Port for Consuming a WebService

Transaction: SOAMANAGER – Application and Scenario Communication –Single Service Administration: Consumer Proxy Configuration

© SAP 2008 Page 53

Maintain User Mapping

Transaction SE38 : RSUSREXTID

© SAP 2008 Page 54

Support of WS Security with theSAP NetWeaver Platform

Functionality NW04 NW 7.00 NW>=7.10

XML Signature/ XML Encryption – Java - x xXML Signature/ XML Encryption – ABAP - x X

Support for the “SAML-Token Profile” for Web Services

Functionality NW04 NW 7.00 NW>=7.10

WSS SAML Token Profile - Java - - X

WSS SAML Token Profile - ABAP - X X

Support for the “XML Signature/ XML Encryption” for Web Services

© SAP 2008 Page 55

Agenda

1. Overview SOA Scenarios2. Windows Integration Authentication using Kerberos with

SAP NetWeaver3. Authentication with SAML4. Single Sign-On using SAML Token Profile5. Outlook

© SAP 2008 Page 56

SSO in the SAP NetWeaver Roadmap

2007/2008 2010 and beyond2009

Meta-rolesdefinition andassignment

Enhanced supportfor WS-* standards

Central IdentityManagement forheterogeneouslandscapes

Centralized policy-based securityadministration

Identity federationsupport (SAMLv2)

Standards-basedsingle sign-oninfrastructure (SAML)

Standards-basedprincipalpropagation

Harmonization ofsecurityadministration

Role managementsimplification andTCO reduction

Business processintegrated identitymanagement

Business rolemanagement

Harmonizedauthorizationconcepts

Extended SOAscenario support

Model drivensecuritymanagement

Role &Authorization

Mgmt.

IdentityManagement

EnterpriseSOA and

Standards

SecurityManagement

Add. WS-* standards(WS-Sec.Conversation,WS-Trust)

Trust Configurationusing X.509 SystemCertificates

Secure Single Sign Onand Single Log Out forTrusted Systems inHeterogeneousLandscapes

User Mapping, AccountLinking and IdentityFederation fromAuthenticationProtocols

© SAP 2008 Page 57

Copyright 2008 SAP AGAll Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changedwithout prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed arethe trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior writtenpermission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies,developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note thatthis document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant theaccuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express orimplied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitationshall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in thesematerials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durchSAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden.

Einige von der SAP AG und deren Vertriebspartnern vertriebene Softwareprodukte können Softwarekomponenten umfassen, die Eigentum anderer Softwarehersteller sind.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge und andere in diesem Dokument erwähnte SAP-Produkte und Services sowie diedazugehörigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und in mehreren anderen Ländern weltweit. Alle anderen in diesem Dokument erwähnten Namen vonProdukten und Services sowie die damit verbundenen Firmenlogos sind Marken der jeweiligen Unternehmen. Die Angaben im Text sind unverbindlich und dienen lediglich zuInformationszwecken. Produkte können länderspezifische Unterschiede aufweisen.

Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Formauch immer, nur mit ausdrücklicher schriftlicher Genehmigung durch SAP AG gestattet. Bei dieser Publikation handelt es sich um eine vorläufige Version, die nicht Ihrem gültigen Lizenzvertragoder anderen Vereinbarungen mit SAP unterliegt. Diese Publikation enthält nur vorgesehene Strategien, Entwicklungen und Funktionen des SAP®-Produkts. SAP entsteht aus dieserPublikation keine Verpflichtung zu einer bestimmten Geschäfts- oder Produktstrategie und/oder bestimmten Entwicklungen. Diese Publikation kann von SAP jederzeit ohne vorherigeAnkündigung geändert werden.

SAP übernimmt keine Haftung für Fehler oder Auslassungen in dieser Publikation. Des Weiteren übernimmt SAP keine Garantie für die Exaktheit oder Vollständigkeit der Informationen, Texte,Grafiken, Links und sonstigen in dieser Publikation enthaltenen Elementen. Diese Publikation wird ohne jegliche Gewähr, weder ausdrücklich noch stillschweigend, bereitgestellt. Dies gilt u. a.,aber nicht ausschließlich, hinsichtlich der Gewährleistung der Marktgängigkeit und der Eignung für einen bestimmten Zweck sowie für die Gewährleistung der Nichtverletzung geltenden Rechts.SAP haftet nicht für entstandene Schäden. Dies gilt u. a. und uneingeschränkt für konkrete, besondere und mittelbare Schäden oder Folgeschäden, die aus der Nutzung dieser Materialienentstehen können. Diese Einschränkung gilt nicht bei Vorsatz oder grober Fahrlässigkeit.

Die gesetzliche Haftung bei Personenschäden oder Produkthaftung bleibt unberührt. Die Informationen, auf die Sie möglicherweise über die in diesem Material enthaltenen Hotlinks zugreifen,unterliegen nicht dem Einfluss von SAP, und SAP unterstützt nicht die Nutzung von Internetseiten Dritter durch Sie und gibt keinerlei Gewährleistungen oder Zusagen über InternetseitenDritter ab.

Alle Rechte vorbehalten.