SAP AD Integration SSO User Management

SAP Active Directory
Integration – SSO and

Usermanagement
André Fischer (andre.fischer@sap.com)
Project Manager CTSC
Michael Sambeth (michael.sambeth@sap.com)

NetWeaver Practice Unit Enterprise Portal
Agenda
Introduction
User Management
Single Sign On
Conclusion
 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 2

Agenda
Introduction
User Management
Single Sign-on
Conclusion

What the user wants …
ERP CRM ESS Groupware
Intranet Workflow Internet

...
Access
Portal
Logon

What the administrator wants …
Central user management

Single point of administration
Assign user rights in various applications with one keystroke
Lock or Delete users centrally
Central user repository

Avoid redundant user information

What are the prerequisites ?
Integrated Cross-Application User Management

Central storage of user information
Group assignement
Basic user data
Application specific user data
Standard Access protocol
Interoperability, Multi vendor and platform support
Solution: LDAP
LDAP Directories serve as central repository for user master data.
Access to this data is provided using the standardized Lightweight
Directory Access Protocol (LDAP).
Applications from multiple vendors and platforms can work as LDAP clients
-> Interoperatibility
Authentication

What are the prerequisites ?
Single Sign-On (SSO)

User authenticates once against a security system
User is afterwards automatically authenticated to access other systems
Authentication against external applications is transparent for the user
Logon-Procedure for initial authentication must be secure
Solution
SAP Logon Tickets
E.g. with SAP Enterprise Portal, SAP WebAS,...

… and how can it be realized in a Microsoft Environment !
SAP
Enterprise Portal / Web AS can use LDAP Directories as User Repository
(User Persistence Store)
Enterprise Portal provides SSO to SAP and MS backend systems using SAP
Logon Tickets
SAP provides a Directory Interface for User Management via LDAP
mySAP HR can create / update users in LDAP Directories
SAP user data can be synchronized with user data in LDAP Directories
Microsoft Active Directory

Supports LDAP
Active Directory is SAP certified (BC-USR-LDAP)
Windows authentication can be used as external authentication for mySAP
Enterprise Portal (SSO to EP)

The big picture
mySAP
3rd party Microsoft based mySAP Systems
Applications applications HR WebDynpro CUA
Java
Application
UME
SAP (Web AS Java)
ISAPI Filter
User data
SSO SSO SSO SSO SSO SSO
SAP Enterprise Portal

UME (Web AS Java)
Create and Use as user Synchronize Use as user

modify users repository user data repository
Active
Directory
SSO Authentication

Agenda
Interduction
User Management
Single Sign-on
Conclusion

User Management (step 1)
mySAP HR mySAP
Create modify mySAP Systems
Directory users HR WebDynpro CUA
Java
Active Directory Application
UME
Assign groups and (Web AS Java)
password User data
SAP EP & SAP J2EE

Use Directory as UME (Web AS Java)
user repository for
EP and JAVA users modify users repository user data repository
Active
CUA
Directory
Create /
Synchronize SAP
ABAP users using
BC-LDAP-USR
interface
mySAP HR LDAP interface
Goal
Create / modify users in the directory server automatically from employee
data stored in mySAP HR
Reason
mySAP HR is master system for (basic) employee data
First name
Last name
Employee number
Manager
….
Optimize Administration of users
Reduction in operational costs
Correctness of data
Speed of the process
Restriction
Only export of data

User information in Active Directory
Attributes that can be provided by mySAP HR
distinguishedName: CN=Andre Fischer, CN=Users, DC=MSCTSC, DC=SAP,DC=CORP;

sn: Fischer
givenName: Andre
employeeNumber: 0123456
sAMAccountName M0123456
userPrincipalName andre.fischer@mstsc.sap.corp
… …
Attributes that are provided by Active Directory

and Exchange Administration
mail: andre.fischer@sap.com
memberOf: CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
CN=Domain Admins,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
… CN=SAP Users,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;

Data export from mySAP HR using LDAP interface
SAP HR WebAS
>= 6.10
<=4.6C RFC LDAP

Active
Directory
LDAP
>=4.7
Extraction Mapping Create / update users
SAP data field ->

Employee data: User attributes
Personel number LDAP attribute Cn
First Name Sn
Last Name givenName
... ...

Results of export using mySAP HR LDAP interface
=> New users are created as deactived accounts in Active Directory
=> Existing user accounts will be updated

mySAP HR mySAP
Java
UME
password User data
SAP EP & SAP J2EE

user repository for
Active
CUA
Directory
Create /
Synchronize SAP
ABAP users using
BC-LDAP-USR
interface
Active Directory - Useradministration
Activate account
Assign groups
Set / Reset password
Perform additional
administrative tasks …

mySAP HR mySAP
Java
UME
password User data
SAP EP & SAP J2EE

user repository for
Active
CUA
Directory
Create /
Synchronize SAP
ABAP users using
BC-LDAP-USR
interface
Architecture: User Management Engine
Portal
Server
User Persistence Store Store portal-

LDAP or Portal specific data
Portal Database or Database
SAP System
UM Instance PCD Instance
Basic user data User/group role User Roles

assignment (Metadata)
Basic group data
User mapping (for Content role
User group
SSO purposes) assignment
assignment
User’s
personalization data

UME: Active Directory as User Persistence Store
Portal Users are stored in the Directory
Active Directory groups can be assigned to Portal Roles
Portal specific information is stored in portal database

group <-> role assignment
User <-> role assignement
Portal User Id = sAMAccountName (default)
Multiple domains are supported if an attribute is used as portal

user id that is unique in the complete forest (the
sAMAccountName is only unique in a domain)
LDAP access of the portal to the directory should be secured by

SSL

UME result
User can log on

to SAP EP
immediately
User is
assigned to
roles that are
assigned to the
user or the
groups the user
has been
assigned to

mySAP HR mySAP
Java
UME
password User data
SAP EP & SAP J2EE

user repository for
Active
CUA
Directory
Create /
Synchronize SAP
ABAP users using
BC-LDAP-USR
interface
Overview SAP LDAP user synchronisation
4.7 and Mandatory for 4.5 & 4.6
higher optional for 4.7 and higher
LDAP ALE
LDAP
CUA on
WebAS
SAP ABAP user management data can be synchronized with a LDAP

directory with systems based on WebAS 6.10 or higher
SAP Systems with Release 4.5 and higher can be integrated into LDAP
using CUA
LDAP directory interface provides mapping capabilities LDAP attributes
and SAP data fields
SAP User synchronisation and distribution can be performed by
background jobs

LDAP Connector
SAP Application Server Domain Controller:

Active Directory
Work Process LDAP
Connector
Call Function
‘LDAP_XXX‘
Connection with
LDAP Server LDAP
Function
‘LDAP_XXX‘ RFC
Executable LDAP_RFC shipped since Release 4.6A

Loads LDAP Library of operating system at runtime

LDAP Connector as Service on Windows
SAP Application Server Domain Controller: Active Directory
Work Process LDAP

Connector
Call Function
‘LDAP_XXX‘
Connection with
LDAP Server LDAP
Function
‘LDAP_XXX‘ RFC
If operating system of SAP Application Server

does not provide a LDAP Library
LDAP connector runs as Service on Windows
Result of SAP user LDAP synchronisation
User is created / updated

with basic user data
from LDAP directory
First Name
Last Name
eMail
Roles (optional)
…
Users are created

without password
Passwords are not
needed if SSO using
SAP Logon Tickets is
used
No security risk since
users cannot log on
eithout using SSO via
Enterprise portal using
an initial password

Q&A: Usermanagement with Microsoft Active Directory

Agenda
Introduction
User Management
Single Sign-on
Conclusion

What is Single Sign-on (SSO)?
Single Sign-on
User authenticates once against a security
system
User is afterwards automatically authenticated to
other systems
Authentication
Initial check of user credentials (for example
username/password)

Why using Single Sign-on ?
Typical situation
In a complex system landscape an employee has many user IDs with different
passwords
Different procedures for each system to roll-out, reset and change
new/existing passwords
Users find continuous password changing for many systems annoying
Problems
High administration cost and effort
Security risk: Users write passwords down and store them where they can easily
be found
Solution: Single Sign-on

Users only have to remember one password to gain access to every system
Administration costs and effort are drastically reduced

Authentication Methods – Initial Logon Procedure
Enterprise Portal 6.0 supports various authentication methods

User ID / password
LDAP Directory (for example Active Directory)
Portal Database
SAP System
X.509 digital certificates
Third-party authentication
Integrated windows authentication
SAP authentication (SAP Web AS or R/3)
Others through JAAS interface (pluggable JAAS login modules, e.g. RSA)
SAP integrates into existing Active Directory landscapes

Initial logon procedure to authenticate user can be delegated to Active
Directory
No additional costs since no 3rd party software is required
Authentication methods can also be used if portal runs on UNIX
SAP provides necessary interfaces and tools
UME: LDAP Adapter for Active Directory
ISAPI Filter for IIS (IISProxy.dll)

Integrated Windows authentication –
SSO Microsoft Windows Logon to Enterprise Portal
Prerequisites SAP Enterprise Portal

Separate Webserver: IIS with
IISProxy.DLL filter 4.
Browser: Microsoft Internet Explorer ISAPI Filter redirects HTTP request
EP checks HTTP Header variable 5.
REMOTE_USER**
Authentication of users is delegated to SAP
Logon
the operating system SAP ISAPI Filter
Ticket
Previous logon to Windows operating issued
system can be reused IIS
3.
User is not required to reenter his or her Check
Windows authentication credentials credentials
Limitations 2.
Login
Multiple domains are now supported*.
In this case an attribute that is unique in
all domains has to be used as portal 1.
logon id (for example userPrincipalName) Auth.
Can only be used in Intranet scenarios Active
Directory
*Solution is available for EP 6.0 SP2 on project basis

** EP <=EP6.0 SP2 Patch4: NTLM header is used

Authentication Methods – User Id / Password (LDAP)
Active
Directory
Prerequisites
User Persistence Store: Active
2. LDAP bind
Directory Check
credentials
Authentication of users is delegated
to the operating system
User must enter his or her Windows 3.
authentication credentials SAP Logon
Ticket issued
1.
Typical scenarios Login
Extranet scenarios
Intranet scenarios where a second
login using the same username /
password should be use

Overview – SSO from EP to backend systems
SAP EP provides SSO to 3rd party

backend systems using Applications
SAP Logon Tickets
Account Aggregation New
SAP Logon Tickets can be SSO22KerbMap SAP Web

Module Server
used for SSO to: Filter or
SSO SSO SSO Shared
SAP Applications Library
SAP Logon Ticket SAP Logon Ticket
Web based applications
with the SAP Web Server SAP Enterprise Portal
filter
JAVA and C applications
using SAP‘s shared Initial Logon or
library SSO
Microsoft Applications
using SSO2KerbMap
Module *
* Active Directory 2003 required

SSO – Account Aggregation
Features:
Account aggregation can be used if the external system does not
support SAP logon tickets
System is maintained in portal system landscape
Portal components connect to the external system with the user’s
credentials (user ID and password), e.g. with SAP AppIntegrator
Credentials submitted via HTTP GET Query String or HTTP POST body
User mapping and credentials information are securely stored in the
Portal Database
Drawbacks and Limitations:

Redundant administration of credentials
Stored credentials have to be changed if password changes in a
backend syste
Administrative overhead
Security update of MS IE http://user:pwd@server.com
Username and password must not be sent in a URL via the network
Conclusion:
Seamless SSO technique such as SAP Logon Tickets is preferred
SSO – SAP Logon Tickets
Portal Server issues an SAP logon ticket to a user after

successful initial authentication
SAP logon ticket is stored as per session cookie on the client

browser
SAP logon ticket is used to authenticate user to applications

User gets access to multiple applications and services
After initial logon no further user logons required
SAP logon tickets contains user name(s)
SAP Logon Ticket is signed using digital signatures

Verifying the SAP Logon Ticket
Backend
System
Portal
Server’s
public-key
certificate
SAP Logon Ticket
Step 1:
Verification of the digital signature provided with the SAP logon ticket.
=> Application needs access to issuing server’s public-key certificate
Step 2:
Retrieval of the user ID which is stored in the SAP logon ticket.
=> No additional authentication necessary.

SSO to SAP Backend Systems using SAP Logon Tickets
SAP User ID‘s must be equal in all SAP backend system
Portal UserID = SAP UserID in backend systems

Logon Ticket issued by the portal server contains the portal userID
only
Initial portal authentication is sufficient
Portal UserID ≠ SAP UserID in backend systems

The user has to logon once initially to the SAP Reference system
Logon Ticket issued by the portal server contains both, the portal
userID and SAP userID in backend systems
If SAP User ID‘s of a portal user are not equal in all SAP backend
system SSO via account aggregation has to be used

SAP Reference System
Contains the SAP User ID‘s
Used for mapping between SAP Users and Portal Users in EP
SAP Users can be created / modified using LDAP directory

interface
Users have only to logon once to the SAP reference system
SAP CUA system can be used as SAP Reference system

SSO to SAP components using SAP Logon Tickets
Portal SSO
Web SAP
WebDynpro SAP Dynpro
Logon
Ticket
WebAS
BSP-Pages SAP
Logon
Initial Ticket
Logon
SAPGUI for HTML
ITS SAP
SAP
Logon
Ticket Web
Windows
SAP
SAPGUI for Windows Logon SAP
Ticket

Web Server Filter, Shared Library and Java classes
Web Server Filter

available for several Web Servers (IIS, Apache, iPlanet)
verifies SAP Logon Ticket and extracts portal user id
Adds portal user id to http header
Example: Use by ASP applications
Shared Library
Dynamic Link Library for verifying SSO Tickets in third party
Software
Native support of SSO using SAP Logon Tickets for applications
written in C, Visual Basic
SAP provides C samples
Java Classes
Java Classes provided by SAP
Operating System independent
Javadoc on SDN contains JAVA samples

SSO to MS based backend systems innovation
Goal:
Use of Kerberos for authentication on MS backend servers
Windows authentication (Kerberos) is the preferred authentication

method in Microsoft environments
Problem:
Kerberos does not work well across the Internet (firewall config)
Windows integrated authentication can only be used in intranet
scenarios (firewall config, trusted domains)
To perform Kerberos on a client’s behalf the server needs to have
the client’s primary credentials (RFC 1510)
Client’s password OR
Client’s ticket granting ticket (TGT) and the corresponding session key
But, Windows Server must NOT know the client’s password which
would be a severe breach of trust

Solution: SSO22KerbMap Module
Applicable where
Kerberos would not
Work natively, e.g.
Managability / over the Internet
Constraints
Kerberos Constrained Delegation with Protocol Transition
Authentication On behalf
of a end user

Kerberos constrained delegation using protocol transition
Microsoft has enhanced its implementation of the Kerberos

protocol
Constrained delegation: Service may request a (constrained)
Kerberos ticket on behalf of a user for specified services only
Protocol transition: Client may be authenticated using other
methods than Kerberos
IIS Active Directory
ISAPI
FIlter
(SSO22 Kerberos
Clients
Kerb IIS Back-end Server
SAP Logon Tickets
Map Constrained
Module) IIS Back-end Server
Delegation
SAP has developed the SSO22KerbMap Module (ISAPI Filter)

Protocol transition: Filter allows authentication using SAP Logon
Tickets
Constrained delegation: Filter can aquire Kerberos Tickets on behalf
of user that is authenticated by a SAP Logon Ticket

SSO22KerbMap Module - Flowchart
7
Identification + 3+5
ADS 2003
Constrained
delegation
Kerberos
Windows
Client HTTP (S) Backend
IIS 6 Application
(IE)
2
1 SAP Logon
Ticket
4 Impersonation
1. Client with (valid) SAP Logon Ticket

2. Authentication to IIS. ISAPI Filter DLL checks validity of SAP Logon Ticket
3. Identification: ISAPI Filter searches for a user in Active Directory with the user
id contained in SAP Logon Ticket.
4. Impersonation as user (LogonAsUser)
5. Constrained Delegation managed by ADS
6. Kerberos Authentication when connecting to backend service as fully
qualified Windows Domain User
7. Windows backend application/service accepts contrained kerberos ticket
Configuration of delegation in Active Directory
Sample configuration
in ADS for
Outlook Web Accesss

Microsoft Exchange Front-End and Back-End Server
Architecture
Global catalog
server
Firewall
Client – Exchange
Extranet back-end servers
Client - Intranet

Outlook Web Access using SSO22KerbMap Module
Exchange Exchange
Frontend Server Backend Server(s)
passthrough Impersonation
3
authentication Kerberos ticket
Check SAP Logon
Ticket
SSO22KerbMap
SSO22KerbMap
Module
1
Module
2
Active Check if server is trusted

Directory for delegation

Outlook WebAccess for Exchange 2003

Portalized Outlook WebAccess
* German localization
Summary
SAP Logon Tickets

for Authentication
ADS 2003 on IIS web server
Kerberos Constrained Delegation with Protocol Transition
Authentication Microsoft
to backend S4U2-
Kerberos
Extensions

Agenda
Introduction
User Management
Single Sign-on
Conclusion

Conclusion
SAP Enterprise portal supports open standard LDAP

integrates into exisiting LDAP Directories
Existing groups can be used for role assignment
SAP Enterprise portal provides SSO using SAP Logon Tickets to

SAP systems
MS based applications
SAP provides DLL to use integrated windows authentication as

SSO to EP
SAP Enterprise Portal serves as an

end-to-end SSO solution

Q&A: Single sign-on to Microsoft Systems

References
SSO2KerbMap Module Download & Dokumentation:

SAP Software Distribution Center: http://service.sap.com/swdc -> Search
and search for the string „sso22kerbmap“
SAP Note 735639 “SSO2 To Kerberos Mapping Filter: Known issues”
http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVEN
T=DISPL_TXT&_NNUM=735639&_NLANG=E
SAP Application Integrator HowTo:

http://service.sap.com/EP60howtoguides
Customizing MS Outlook Web Access:

http://www.microsoft.com/technet/prodtechnol/exchange/2000/library/CUSTO
WA.mspx
http://www.msexchange.org/articles/Exchange_2003_Outlook_Web_Access_
Themes.html
Microsoft 2003 Kerberos Constrained Delegation:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technolog
ies/security/constdel.mspx
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

Copyright 2004 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other
software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of
Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®,
OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix
and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and
other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented
and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. All other product and service names mentioned are the trademarks of
their respective companies.

SAP AD Integration SSO User Management

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SAP AD Integration SSO User Management

Uploaded by

Copyright:

Available Formats

SAP Active Directory

Integration – SSO and

Michael Sambeth (michael.sambeth@sap.com)

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 2

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 3

ERP CRM ESS Groupware

Intranet Workflow Internet

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 4

Central user management

Central user repository

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 5

Integrated Cross-Application User Management

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 6

Single Sign-On (SSO)

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 7

Microsoft Active Directory

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 8

SAP Enterprise Portal

Create and Use as user Synchronize Use as user

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 9

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 10

SAP EP & SAP J2EE

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 12

Attributes that can be provided by mySAP HR

distinguishedName: CN=Andre Fischer, CN=Users, DC=MSCTSC, DC=SAP,DC=CORP;

Attributes that are provided by Active Directory

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 13

<=4.6C RFC LDAP

Extraction Mapping Create / update users

SAP data field ->

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 14

=> New users are created as deactived accounts in Active Directory

=> Existing user accounts will be updated

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 15

SAP EP & SAP J2EE

Set / Reset password

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 17

SAP EP & SAP J2EE

User Persistence Store Store portal-

Basic user data User/group role User Roles

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 19

Portal Users are stored in the Directory

Active Directory groups can be assigned to Portal Roles

Portal specific information is stored in portal database

Portal User Id = sAMAccountName (default)

Multiple domains are supported if an attribute is used as portal

LDAP access of the portal to the directory should be secured by

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 20

User can log on

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 21

SAP EP & SAP J2EE

SAP ABAP user management data can be synchronized with a LDAP

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 23

SAP Application Server Domain Controller:

Executable LDAP_RFC shipped since Release 4.6A

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 24

SAP Application Server Domain Controller: Active Directory

Work Process LDAP

If operating system of SAP Application Server

User is created / updated

Users are created

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 26

 SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 27