Portal Security SSO

Portal Security:

SAP Enterprise Portal offers users a single point of access to all the applications, information, and services they need to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user's portal. Because the borders between company intranets and the Internet are blurring, comprehensive security is vital to protect the company's business.

  •  Portal user administration and authentication
  •  Authorizations
     Authorizations define which objects users can access and which actions they can perform.
     The portal has an authorization concept that is implemented using permissions, security zones, and the AuthRequirement property.
     In the portal, roles are only indirectly linked to authorization. Portal roles group together the portal content required by users with a certain role in the company. In addition, the role structure defines the navigation structure that a user sees in the portal. Users and groups assigned to a role inherit the permissions of the role. By default, this is the end-user permission.
  •  Network and communication security
  •  Data storage security
  •  Operating system security

SSO Mechanism:


Scenario 1: Single Sign-On using SAP logon tickets without user mapping
Users must have the same user IDs in all SAP systems that are accessed via SSO with SAP
logon tickets. If the SAP user IDs are the same as the portal user IDs, user mapping is not
required. You need to perform the following steps:
1. Configure Portal Server for SSO with SAP Logon Tickets
2. Configure SAP Systems to Accept and Verify SAP Logon Tickets

Scenario 2: Single Sign-On using SAP logon tickets with user mapping
If users have different user IDs in the SAP Systems than in the portal, you must define an
SAP reference system and map each user's user ID to their user ID in the reference system.
You must perform the following steps:
1. Define an SAP Reference System for User Data
2. Configure Portal Server for SSO with SAP Logon Tickets
3. Configure SAP Systems to Accept and Verify SAP Logon Tickets
4. Each user must map his or her portal user ID to his or her user ID in the SAP reference system.

Scenario 3: Single Sign-On using user ID and password with user mapping
There are two cases where you would use this method of Single Sign-On:
1. The SAP System has release 3.1I.
2. Users have a different user ID in the SAP System in question than in the reference SAP System used for logon tickets.

You must perform the following step:
1. Configuring SSO with User ID and Password to SAP
Defining an SAP Reference System for User Data
Use

When you use SAP logon tickets for Single Sign-On to SAP Systems, users must have the
same user IDs in all SAP Systems that are configured to use SAP logon tickets. If the SAP
user IDs are different to the portal user IDs, you must define an SAP reference system. Users
then map their portal user ID to the user ID in the SAP reference system.
The mapped user ID is included in the SAP logon ticket and enables Single Sign-On using
logon tickets to all SAP Systems in which the user has the same user ID.
Prerequisites
Users have the same ID in all SAP component systems that are configured to use logon
tickets for Single Sign-On. Passwords do not have to be identical.
Procedure
Define a system object for the reference system
1. If the system you wish to use as SAP reference system has not yet been defined as a
system in the portal, define it: Portal > System Administration > System Landscape > System Landscape Editor > Creating a System Landscape Object.
2. Ensure that a system alias has been defined for the system. If it does not have a
system alias, it will not appear in the user mapping tool.
3. If required, also set the user mapping properties.
4. Save your changes.
Define the reference system in the user management configuration tool
5. In the user management configuration tool, choose Security Settings.
6. In R/3 Reference System, enter the system alias of the above system.
7. Restart the Java application server.
Result
When users start the user mapping function, one of the component systems that they can
select is the SAP reference system. They can map their portal user ID to their user ID in this
reference system. The user mapping function connects to the SAP reference system using
the user ID and password to verify that the password entered by the user is correct.
The next time the user logs on to the portal, the portal generates an SAP logon ticket for the
user that contains both his or her portal user ID and mapped user ID.
Single Sign-On with SAP Logon Tickets
Purpose
SAP logon tickets represent the user credentials. The Portal Server issues a logon ticket to a
user after successful initial authentication. The logon ticket itself is stored as a cookie on the
client and is sent with each request of that client. It can then be used by external applications
such as SAP systems to authenticate the portal user to those external applications without
any further user logons being required.
SAP logon tickets contain information about the authenticated user. They do not contain any
passwords. Specifically, logon tickets contain the following items:
1. Portal user ID and one mapped user ID for external applications
2. Authentication scheme
3. Validity period
4. Information identifying the issuing system
5. Digital signature
Technically, SSO with SAP logon tickets works as follows:
1. The first time the Portal Server is started, it generates a cryptographic key pair. The
private part of this key is used for ticket generation (for the digital signature).
2. Once the user has been successfully authenticated in the portal, the Portal Server
issues a logon ticket to the user. This logon ticket is stored as a non-persistent cookie
in the browser on the client.
3. Each time the user tries to access an external system from the portal, the Portal Server
sends the logon ticket with the request to the external system.
4. The external system checks that the logon ticket is valid by verifying the digital
signature of the Portal Server. It uses the public key contained in the digital certificate
of the Portal Server to verify this.
5. If the logon ticket is valid, the external system extracts the user ID for that system from
the logon ticket.
6. The user is logged on to the external system without having to enter his or her user ID
and password.

The Portal Server issues a SAP logon ticket for the Internet domain or a sub-domain of the
Portal Server only.

Process Flow

To allow Single Sign-On using SAP logon tickets between the portal and its component
systems you must perform the following steps:
1. Configure the Portal Server to allow Single Sign-On with SAP logon tickets. This step is
optional, as by default the portal is configured for SAP logon tickets.
2. Configure the component systems to accept and verify SAP logon tickets.

Configuring Portal Server for SSO with SAP Logon Tickets

Use

In the default mode, the Portal Server creates and digitally signs SAP logon tickets for users,
so you do not need to make any settings. However, there are some settings that you
need to make in particular cases. These are described below.

Procedure

Configure the lifetime of the SAP logon ticket
You set the lifetime of the SAP logon ticket in the user management configuration tool.

Map portal user IDs to user IDs in other systems
If users' portal user IDs are different from their user IDs in the component systems, the
administrator or user must map the portal user ID to the user ID in the other systems. If you
have several SAP component systems in your portal landscape, and the SAP users have not
been synchronized with the portal users, you define a reference system for user data and
map the portal users to the users in this system.

SAP Systems only: Set logon method to SAP logon tickets in portal system landscape
For each SAP System that you wish to access with SAP logon tickets, do the following:
1. Open the system for property editing as described under System Administration > System Landscape > System Landscape Editor > Editing System Properties.

2. Set the value of the property Logon Method to SAPLOGONTICKET.

3. Save your changes.

Configuring Component Systems for SSO with SAP Logon Tickets
When a user calls an external application, his or her logon ticket is passed on to the
appropriate application or information system where it is checked to see if it is valid. In order
to work with SAP logon tickets, the external application has to perform three tasks as follows:
1. The external system has to make sure that a trusted Portal Server has issued the ticket.
2. The digital signature in the ticket of the Portal Server needs to be verified. The first two
steps require the digital certificate of the issuing Portal Server.
3. If the ticket is valid, the appropriate user ID contained in it has to be extracted.
This verification procedure is standard in SAP systems. For information on how to configure
SAP Systems, see Configuring SAP Systems to Accept and Verify SAP Logon Tickets.
Configuring SAP Systems to Accept and Verify SAP Logon Tickets
Use
The Portal Server digitally signs SAP logon tickets as it issues them to the portal users. SAP
Systems need to accept the tickets and verify the Portal Server's digital signature. The
following information is important for the SAP System to be able to accept and verify SAP
logon tickets:
1. The SAP System should only accept SAP logon tickets issued by its designated
Portal Server. Therefore, the identity of the Portal Server needs to be entered in the
SAP System's SSO access control list (ACL).
2. The SAP System needs to be able to verify the Portal Server's digital signature. The
Portal Server has a self-signed certificate, therefore the SAP System needs access to
the Portal Server's public-key information, which needs to be entered in the SAP
System's certificate list.
Prerequisites
1. The SAP System has Release 4.0B or higher. SAP logon tickets are not supported in
releases lower than 4.0B.
2. For SAP Systems with Release less than 6.20, the Enterprise Portal Plug-In that
corresponds to the Enterprise Portal release must be installed in the SAP System. SAP
Systems based on SAP Web Application 6.20 or higher do not require the Plug-In.
3. The required kernel patches have been applied to R/3 Systems prior to Release 4.6C.
For more information, see the section on implementing new kernels for the SAP
Application Server in SAP Note 177895. Note that after applying the kernel patches,
you may need to patch the operating system of the R/3 System so that the new kernel
works.
4. Users must have the same user IDs in all SAP Systems that are accessed via Single
Sign-On with SAP logon tickets. If the SAP user IDs are different to the portal user IDs,
you must define an SAP reference system. See Defining an SAP Reference System for
User Data.
5. You have configured the Portal Server for Single Sign-On with logon tickets. See
Configuring Portal Server for SSO with SAP Logon Tickets.
Procedure

In SAP systems with Release 4.6C or higher you can use transaction
STRUSTSSO2 to complete the first two steps of the following procedure. This is
described in Using Transaction STRUSTSSO2 in SAP Systems >= 4.6C.
Add Portal Server to ACL of component system
The Portal Server is identified by system ID, client, and the name in the certificate. You must
enter these details in the access control list of the component system as follows.
1. In the component system, maintain table TWPSSO2ACL with transaction SM30.
2. Create a new entry for the Portal Server by choosing New entries.
3. Enter the portal's system ID and client. By default, the portal's system ID is the common
name (CN) of the Distinguished Name entered during installation of the portal. The
default client is 000.
If necessary, you can change these default values by changing the properties
login.ticket_issuer and login.ticket_client respectively in user
management properties.
4. Enter the following values for Subject name, Issuer name, and Serial number:

   Subject name:  Distinguished name (DN) of the owner of the portal server certificate.
                  This is the DN that was entered during installation of the portal.
                  For example: CN=EP6, OU=Portal Installation, OU=Enterprise Portal,
                  O=SAP Trust Community, C=DE
   Issuer name:   Distinguished name of the issuer of the portal server certificate.
                  If the portal is using a self-signed certificate, this is the same
                  as the Subject name.
   Serial number: 00

   You can look up the subject name, issuer name, and serial number of the portal
   server certificate in the Keystore Administration tool.
5. Save your entries.
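The following Go program is an added example, not SAP's code, that models two parts of this page together: the logon ticket flow (key pair at first start, ticket issued after authentication, component system checks issuer against its ACL, verifies the signature, checks validity and only then extracts the user ID for that system) and the TWPSSO2ACL row from step 4 above. The JSON ticket body, its field names, the use of Ed25519 in place of the portal's certificate-based signature, and the hypothetical user IDs are all assumptions for illustration; the real MYSAPSSO2 cookie encoding is not reproduced here. The sample DN is the one quoted in the table above.

```go
package main

// Added illustration (not SAP's code) of the SAP logon ticket flow on this page.
// The JSON body is a constructed stand-in, NOT the real MYSAPSSO2 cookie encoding,
// and Ed25519 stands in for the Portal Server's certificate-based signature.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// TicketBody holds the items the page lists for a ticket. It carries no password.
type TicketBody struct {
	PortalUser   string `json:"portal_user"`
	MappedUser   string `json:"mapped_user,omitempty"` // only when user mapping is used
	AuthScheme   string `json:"auth_scheme"`
	NotBefore    int64  `json:"nbf"` // validity period, Unix seconds
	NotAfter     int64  `json:"naf"`
	IssuerSID    string `json:"issuer_sid"`    // login.ticket_issuer, e.g. "EP6"
	IssuerClient string `json:"issuer_client"` // login.ticket_client, e.g. "000"
}

// Ticket is what the cookie carries: the raw body bytes and the signature over them.
type Ticket struct {
	Body      []byte `json:"body"`
	Signature []byte `json:"sig"`
}

// ACLEntry mirrors one TWPSSO2ACL row plus the public key the component system
// keeps in its certificate list for that Portal Server.
type ACLEntry struct {
	SystemID, Client, SubjectName, IssuerName, Serial string
	PublicKey                                        ed25519.PublicKey
}

// Portal is the issuing server: key pair from first start (step 1) and ticket lifetime.
type Portal struct {
	SystemID, Client string
	Lifetime         time.Duration
	priv             ed25519.PrivateKey
}

func NewPortal(sid, client string, lifetime time.Duration) (*Portal, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Portal{SystemID: sid, Client: client, Lifetime: lifetime, priv: priv}, nil
}

// ACLEntry is the row an administrator enters for this portal (procedure step 4):
// self-signed certificate, so issuer name equals subject name and serial is "00".
func (p *Portal) ACLEntry(subjectDN string) ACLEntry {
	return ACLEntry{SystemID: p.SystemID, Client: p.Client, SubjectName: subjectDN,
		IssuerName: subjectDN, Serial: "00", PublicKey: p.priv.Public().(ed25519.PublicKey)}
}

// IssueTicket is step 2: after initial authentication, sign a ticket for the user.
func (p *Portal) IssueTicket(portalUser, mappedUser string, now time.Time) (Ticket, error) {
	body, err := json.Marshal(TicketBody{
		PortalUser: portalUser, MappedUser: mappedUser, AuthScheme: "default",
		NotBefore: now.Unix(), NotAfter: now.Add(p.Lifetime).Unix(), IssuerSID: p.SystemID, IssuerClient: p.Client,
	})
	if err != nil {
		return Ticket{}, err
	}
	return Ticket{Body: body, Signature: ed25519.Sign(p.priv, body)}, nil
}

// VerifyTicket is the component system's side (steps 4 and 5): issuer must be in the
// SSO ACL, signature must verify with that entry's key, ticket must be within its
// validity period; only then is the user ID for this system extracted.
func VerifyTicket(t Ticket, acl []ACLEntry, now time.Time) (string, error) {
	var body TicketBody
	if err := json.Unmarshal(t.Body, &body); err != nil {
		return "", fmt.Errorf("malformed ticket: %w", err)
	}
	var key ed25519.PublicKey
	for _, e := range acl {
		if e.SystemID == body.IssuerSID && e.Client == body.IssuerClient {
			key = e.PublicKey
		}
	}
	if key == nil {
		return "", fmt.Errorf("issuer %s/%s is not in the SSO ACL", body.IssuerSID, body.IssuerClient)
	}
	if !ed25519.Verify(key, t.Body, t.Signature) {
		return "", fmt.Errorf("Portal Server signature does not verify")
	}
	if now.Unix() < body.NotBefore || now.Unix() > body.NotAfter {
		return "", fmt.Errorf("ticket is outside its validity period")
	}
	if body.MappedUser != "" {
		return body.MappedUser, nil // scenario 2: user mapping in use
	}
	return body.PortalUser, nil // scenario 1: same user ID in portal and SAP System
}
```

The checks run in the order the page gives them: a ticket whose issuer (system ID and client) is not in the ACL is rejected before its signature is even examined, a ticket signed by a different key pair fails at the signature step even when the issuer fields match, and an expired ticket fails the validity check. Each rejection returns an error rather than a user ID, which is the event a component system should log; only a ticket that passes all three yields the mapped ID (scenario 2) or the portal ID (scenario 1).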

