>net services in portal sdn documents

SAML for Web ServicesInteroperability with .NET

SAP NetWeaver Product Management Security

June 2008

© SAP 2008

Agenda

1. Web Services Security – A short primerInteroperability and StandardsWS-Security Basics

2. Standards-based Single Sign-On for Web ServicesSingle Sign-On Technologies & StandardsWS-Security SAML Token Profile

3. Web Services Single Sign-On with SAP NetWeaverSAML Token Profile support in current SAP NetWeaver releasesRoadmap

4. Interoperability in Practice: Web Services SSO between SAP NetWeaverand Microsoft .NET

Web Services Security in the Microsoft .NET FrameworkImplementation of an interoperable Web Service Consumer in .NETConfiguration of an interoperable Web Service Provider in SAP NetWeaver

© SAP 2008

Definition of Interoperability

The IEEE defines interoperability as:

The ability of two or more systems or components toexchange information and to use the informationthat has been exchanged*

* Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEEStandard Computer Glossaries. New York, NY: 1990

© SAP 2008

Interoperability – The Value Of Standards

Interoperability is achieved by standards, supports the seamless exchangeand use of business information

ServiceInfrastructureServiceInfrastructure

ServiceInfrastructureServiceInfrastructure

BusinessApplicationBusinessApplication

BusinessApplicationBusinessApplication

Semantic InteroperabilityApplications understand and correctlyuse the information being exchanged

Semantic InteroperabilityApplications understand and correctlyuse the information being exchanged

Technical InteroperabilitySystems are connected and canexchange information

Technical InteroperabilitySystems are connected and canexchange information

© SAP 2008

Platform BPlatform A

Role of Web Service Standards

Web Service (WS) standards define the format of the message in transit toguarantee the interoperable exchange between service consumer and provider ona technical levelWeb Service Standards don’t specify any infrastructure- or application-specificaspects, such as

APIs or programming languages that applications must use to send or delivermessages – these are always platform-specificRuntime architecture and components

Web ServiceConsumer

Web ServiceConsumer

SourceInfrastructure

SourceInfrastructure

DestinationInfrastructureDestination

Infrastructure

Send Deliver

Web ServiceProvider

Web ServiceProvider

Message

Scope of Web ServiceStandards

API API

© SAP 2008

The SOAP protocol on its own does not provideany security mechanisms for

Message Integrity & ConfidentialityAuthenticationNon Repudiation of origin or receiptBut: SOAP can be extended to provideadditional features

Up to the year 2002, best practice was to secureWeb Services using Secure Sockets Layer (SSL)

But SSL provides transport – not application-level securitySOAP Messages secure point-to-point, not end-to-endMessages stored unencrypted in files or databases at intermediariesnot independent of underlying transport protocol

WS-Security submitted to standards body (OASIS) in Sept 2002 andapproved as an OASIS Standard in April 2004

WS-Security – Motivation

SOAP EnvelopeSOAP Envelope

SOAP Header

SOAP Body

Data

SOAP message format

© SAP 2008

WS-Security Overview

The OASIS WS-Security Standard extends a SOAP message by one or moreWS-Security Headers (wsse:Security) which contains security informationfor each recipient

This new SOAP Header contains all relevant security metadata to secure aSOAP message, such as

Security Tokens to carry security information (e.g. user authenticationdata, X.509 certificates)A Timestamp to protectagainst Replay AttacksSignatures to protectagainst message tampering*Encrypted Keys and Datato protect confidential information

Single Sign-On is provided by usinge.g. SAML Security Tokens


SOAP Header

SOAP Body

Data

Security Token

Timestamp

Signature

Encrypted Key+ Data

WS-SecurityHeader

* The act of altering something secretly or improperly

© SAP 2008

Summary

WS-Security is a rich framework to secure SOAP on the messagelayer

WS-Security provides a general-purpose mechanism for associatingsecurity tokens with message content

No specific type of security token is required. The specification isdesigned to be extensible, so as to support multiple security tokenformats

© SAP 2008

Agenda






© SAP 2008

Definition of Single Sign-On (SSO)

Wikipedia defines Single Sign-On as:

Single Sign-On (SSO) is a method of access controlthat enables a user to authenticate once andgain access to the resources of multiplesoftware systems*.

* http://en.wikipedia.org/wiki/Single_sign-on

http://en.wikipedia.org/wiki/Single_sign-on

© SAP 2008

Basic Architectural Pattern for Single Sign-On(SSO)

1

2

3

4

TrustRelationship

Issuing Authority: A systementity that issues security-relatedinformation about individualusers. Usually this includes atleast identity information aboutthe user (e.g. a user name or E-Mail address)

Relying Party: A system entitythat decides to take an actionbased on the security informationprovided by the Issuing Authority.The Relying Party must have atrust relationship with the IssuingAuthority

User: A natural person whomakes use of a system and itsresources

1. User authenticates at Issuing Authority and request thesecurity data that is required to access a protectedresource at the Relying Party

2. Issuing Authority responds with the security informationabout the user

3. User authenticates with the issued data at the RelyingParty to access a protected resource

4. Relying Party authenticates the user based on thesecurity information issued by the Issuing Authority andsends response

IssuingAuthorityIssuing

Authority

UserUser RelyingParty

RelyingParty

© SAP 2008

Important Characteristics of Single Sign-OnTechnologies and Standards

Cross-DomainIs it possible to use the SSO technology onlywithin a security domain (i.e. the corporateIntranet) or can it be used across differentdomains (e.g. in a B2B scenario)?

Cross-PlatformWhich platforms are supported by the SSOtechnology? Is it a widely adopted standard inthe industry or a vendor-specific technology?

User AgentWhich type of user agent (e.g. Web Browser,Web Service Consumer, Mobile Clients) issupported by the SSO technology?

Domain A

Domain BSSO

SSO

SSO

SSO

Non-SAPPlatform

Non-SAPPlatform

SAPNetWeaver

SAPNetWeaver

© SAP 2008

Single Sign-On Technologies and StandardsSupported by SAP

For Web Services, SAML and its associated token profile for WS-Securityis the most widely adopted standard in the industry!

Standard / Technology Cross-Domain

CrossPlatform

UserAgent

SAP Logon Ticket No Yes • Web Browser• Web Service Consumer

OASIS Security AssertionMarkup Language (SAML) Yes Yes • Web Browser

OASIS WS-Security SAMLToken Profile Yes Yes • Web Service Consumer

SPNego / WindowsIntegrated Authentication No No • Web Browser

• Web Service Consumer

X.509/PKI Yes Yes • Web Browser• Web Service Consumer

© SAP 2008

Benefits of the Security Assertions MarkupLanguage (SAML)

Interoperable securitysolution to allow systemsintegration with great ease andminimal resourcesSAML is a protocol for encodingsecurity related information(assertions) into XML andexchanging this information in arequest/response fashionProvides standard basedmechanisms to exchangesecurity information using SOAP,HTTP(s)SAML is an OASIS standard

© SAP 2008

SAML Based Scenarios

1. Authentication

2. A

cces

s to

Res

ourc

e

Web Service based SSOSAML Token ProfileWeb Service Security Standard

Web Browser based SSOSAML Browser/Artifact ProfileSAML Standard

SAMLIdentity Provider

SAMLIdentity Provider

SAMLService Provider

SAMLService Provider

ServiceConsumer

ServiceConsumer

© SAP 2008

Security Assertion Markup Language (SAML)

Building BlocksAssertions: statements about a subject.This could be an authentication, attributeinformation, or authorization permissions

Protocols: SAML definesrequest/response protocols for obtainingassertions

Protocol Bindings: defines how SAMLprotocols map to transport and messagingprotocols, e.g. SAML SOAP Binding

Profiles: define how assertions, protocols,and bindings are combined for particularuse cases

Profiles

Bindings

Assertions and Protocol

SAML AssertionSAML Assertion

© SAP 2008

SAML Assertion

A SAML Assertion can consist of

Authentication Statement:Piece of data that represents an actof authentication performed on asubject (user) by the SAML IssuingAuthority

Other Statements:Attribute Statement, AuthorizationDecision Statement


AuthenticationStatement

Other StatementsOther Statements

© SAP 2008

Profiles

Bindings

Assertions and Protocol

Relationship Between WS Security SAMLToken Profile and the SAML Standard

SAML AssertionsSAML Assertions

SAML Token Profile

references

SAML ConfirmationMethodsSOAP Message Security

Username Token Profile

...

SAML

WS-Security

© SAP 2008

SAML Token ProfileA short primer

The SAML Token Profiledefines the use of SAMLAssertions as SecurityTokens in the WS-SecurityHeader

The SAML Token is used bythe service provider toauthenticate the user basedon the identity information inthe SAML Assertion inincoming requests from serviceconsumers


SOAP Header

SOAP Body

Data

WS-Security

SAML Token

SAML Assertion

AuthenticationStatement

© SAP 2008

The Token Issuer or Security Token Service (STS) is adistinguished Web service that issues, exchanges and validatessecurity tokensThe STS has broad applicability in that it can be used to issuesecurity tokens in a wide range of formats (e.g. Certificates,SAML assertions)Basic operations supported by an STS:

Issue a new tokenRenew tokenValidate a tokenCancel a token

Role of the Token Issuer (aka Security TokenService, STS) in Web Services SSO

Token Issuer(STS)

Token Issuer(STS)

31

Web ServiceConsumer

Security TokenRequest

Security TokenResponse

SecurityToken

AuthenticationData

Authenticate userGeneraterequested Token

2

© SAP 2008

Token Issuer(STS)

Token Issuer(STS)

Web Services SSO with SAML– General Message Exchange

1. Web Service (WS) Consumerauthenticates at the Token Issuer(Security Token Service, STS) andrequests a SAML Token

2. Token Issuer authenticates the User andissues a SAML Token to the WSConsumer

3. WS Consumer uses the SAML Token forauthentication at the WSProvider

4. WS Provider must trust the assertion inthe SAML Token to authenticate the WSConsumer and sends back the response

1

2

3

4SOAP EnvelopeSOAP Envelope

SOAP Header

SOAP Body

Data

WS-Security

SAML Token

Web ServiceConsumer

Web ServiceConsumer

Web ServiceProvider

Web ServiceProvider

The SAML Token profile addresses two major questions:How can the SAML Token be bound to the SOAP message so that the serviceprovider can be sure that they belong together?How can the service provider be sure that the sender of the message is really thesubject in the assertion?

© SAP 2008

Sender-Vouches (SV) Subject Confirmation MethodThe WS Consumer cryptographically binds the assertion to the body of theSOAP message by signing both with its private keyThe WS Provider compares the identity information from the message signaturewith the subject information in the assertion

Holder-of-Key (HoK) Subject Confirmation MethodThe assertion holds a key that is used by the WS Consumer tocryptographically bind (sign) the assertion and the body of the SOAP messageThe WS Provider uses the same key to verify the signature. The subject in theassertion is the party that can demonstrate that it is the holder of the key.

Token Issuer(STS)

Token Issuer(STS)

Web ServiceProvider

Web ServiceProvider

Sender-Vouches: Basis of trust is the WS Consumer‘s certificate

Holder-of-Key:Basis of trust is the

Token Issuer‘scertificate

Confirmation of the Subject IdentitySAML Confirmation Methods Overview

Web ServiceConsumer

Web ServiceConsumer

© SAP 2008

Web ServiceProvider

Web ServiceProvider

1. User authenticates at the Token Issuer (STS)and requests a SAML Token with the WS-Trustprotocol

2. Token Issuer authenticates the User and issues aSAML Token in the response to the WS Consumerwith the WS-Trust protocol

3. WS Consumer uses its private key to create asignature over the SAML Token and the messagebody

4. To confirm the WS Consumeridentity, WS Provider verifiesthe signature and comparesthe identity information inthe SAML Token withthe identity informationof the WSConsumer’sPublic Keycertificate

Web ServiceConsumer

Web ServiceConsumer

Confirmation of the Subject IdentitySender-Vouches Subject Confirmation

WS ConsumerPrivate key

WS ConsumerPublic keyCertificate

TrustRelationship

SAML Token (SV)

21

3 4

Prerequisites:Pre-established trustrelationship betweenWS Provider and WSConsumerWS-Consumer mustpossess a signaturekey pair


SOAP Header

SOAP Body

Data

WS-SecuritySAML Token

Token Issuer(STS)

Token Issuer(STS)

© SAP 2008

Web ServiceProvider

Web ServiceProvider

SAML Token

Confirmation of the Subject IdentityHolder-of-Key (HoK) Subject Confirmation (1/2)

1. User authenticates at the TokenIssuer (STS) and requests a SAMLToken with the WS-Trust protocol.Optionally, the user provides keymaterial to the Issuer for the short-lived key

2. The Token Issuer generates theshort-lived symmetric key, encrypts itwith the WS Provider‘s public key.The key is added to the SAMLAssertion which is then signed bythe Token Issuer with its signaturekey

3. The Token Issuer issues the SAMLAssertion as a SAML Token in theWS-Trust response message to theWS Consumer, along with its keymaterial used to generate thesymmetric short-lived key


EncryptedShort-lived Key(Client + ServerKey Material)

Signature(Token Issuer, STS)

1

WS ConsumerPublic Key Certificate

2

3

SAML Token(HoK)

Token IssuerPublic keyCertificate

Short-lived Key

Token Issuer(STS)

Token Issuer(STS)

Web ServiceConsumer

Web ServiceConsumer

© SAP 2008

Web ServiceConsumer

Web ServiceConsumer

Token Issuer(STS)

Token Issuer(STS)

Confirmation of the Subject IdentityHolder-of-Key (HoK) Subject Confirmation (2/2)

4. The WS Consumer also generates the short-livedsymmetric key based on both parties key material

5. The WS Consumer signs the SAML Token and themessage body with the previously generated short-livedsymmetric key and sends a request to the WS Provider

5

4

Token IssuerPublic keyCertificate

TrustRelationship

SAML Token(HoK)

6

7

Prerequisites:Pre-established trustrelationship betweenWS Provider andToken Issuer

7. The WS Provider verifiesthe WS Consumer‘s (i.e. thekey holder‘s) signature byusing the decrypted short-lived symmetrickey. The Token Issuerconfirmed that the holderof the key is the subject inthe assertion.

6. The WS Provider verifies the Token Issuers signature in the SAML Token anddecrypts the short-lived symmetric key contained in the SAML Token using itsprivate key.

Short-lived KeyShort-lived Key

Web ServiceProvider

Web ServiceProvider

© SAP 2008

The WS-Security header containsthe following authenticationinformation:The user with the identifier

TechEd08\stefaniehas been successfullyauthenticated at

7:35 pm on Sept. 9th, 2008using her

password.The issuer

TechEdAuthorityconfirms

that the subject of the assertion isthe party that signedthe message

Syntax and Semantics of the SecurityInformation: Example of a SAML Token

TechEdAuthority.com


<wsse:Security><saml:AssertionIssuer=" " ...IssueInstant="2008–09–09T19:54:00.000Z">

<saml:AuthenticationStatementAuthenticationMethod="...password"

AuthenticationInstant="2008–09–09T19:53:00.000Z"><saml:Subject><saml:NameIdentifier

Format="...WindowsDomainQualifiedName">TechEd08\stefanie

</saml:NameIdentifier></saml:Subject>

<saml:SubjectConfirmation><saml:ConfirmationMethod>...SenderVouches

</saml:ConfirmationMethod>

</saml:SubjectConfirmation></saml:AuthenticationStatement>

</saml:Assertion>

</wsse:Security>

© SAP 2008

How are the Common SSO Issues Addressedby WS-Security and the SAML Token Profile?

Syntax and Semantics of the security informationHow is the security information serialized on the wire?What is the syntax and semantics of this serialized securityinformation about an end user (identity)?

Confirmation of the user’s identityHow can the Relying Party be sure that the request or messagesent by the user is associated with the identity data in the issuedsecurity information?

Protocol to transfer the security information betweenthe parties

How does a user request the security information from theIssuing Authority?How does a user transfer this security information to the RelyingParty?

Name, User IDRolesGroups...

User RelyingParty ?

UserRelyingParty

SAML AssertionsSAML Assertions

SAML ConfirmationMethods

SAML Token Profile

© SAP 2008

Summary

SAML is a proven and widely adopted standard in the industry forinteroperable, cross-domain SSO

The SAML Token Profile specifies how SAML is used to support SSOfor Web Services

SAML Token Profile defines two subject confirmation methods:Sender-Vouches and Holder-of-Key

Both confirmation methods differ mainly in trust relationship setupand key management

© SAP 2008

Agenda






© SAP 2008

SAML Token Profile Support in SAP NetWeaverSupport in Current Releases 7.0 and 7.1 (1/3)

Support for signed and unsigned Sender-Vouches SAML assertionsOnly for authentication purposes, i.e. no attribute-based authorizationFor WS-Consumer, only a local token issuer is supported (i.e. no external STS)

SAML 1.1 Sender Vouches (WS-Consumer, WS-Provider)SAML Token (SV) Web Service

ProviderWeb Service

ProviderWeb ServiceConsumer

Web ServiceConsumer

Non-SAP PlatformNon-SAP Platform SAP NetWeaverSAP NetWeaver

SAML Token (SV) Web ServiceProvider

Web ServiceProvider

Web ServiceConsumer

Web ServiceConsumer

SAPNetWeaver

SAPNetWeaver

Non-SAP PlatformNon-SAP PlatformTokenIssuer(local)

TokenIssuer(local)

Supported inSAP NetWeaver 7.0 >= SP14 (ABAP)SAP NetWeaver 7.1 (Java, ABAP)

© SAP 2008


Only support for symmetric keys in SAML 1.1 Holder of Key Tokens (i.e.no support for asymmetric keys)

Optional user mapping from external (non-SAP platform) username to SAPusername in ABAP table USREXTID

SAML 1.1 Holder of Key (HOK) (WS-Provider)

SAML Token (HoK) Web ServiceProvider

Web ServiceProvider

Web ServiceConsumer

Web ServiceConsumer

Non-SAP PlatformNon-SAP Platform SAP NetWeaverSAP NetWeaver

Planned for SAP EHP1*, SP2 for SAP NetWeaver 7.1:SAP NetWeaver 7.01 SP2 (ABAP) (Oct 2008)SAP NetWeaver 7.11 SP1 (Java, ABAP) (Dec 2008)

Live-Demoin this

Session!* Enhancement Package

© SAP 2008


SAP NetWeaver Web Service Consumers can request a SAML Holder-of-Key Token from an external Token Issuer (STS)

SAML 1.1 Holder of Key (HOK) (WS-Consumer)

SAML Token (HoK) Web ServiceProvider

Web ServiceProvider

Web ServiceConsumer

Web ServiceConsumer

Planned for SAP EHP2* for SAP NetWeaver 7.1SAP NetWeaver 7.02 (ABAP) (Q3 2009)SAP NetWeaver 7.12 (Java, ABAP) (Q3 2009)

SAP NetWeaverSAP NetWeaver Non-SAPPlatform

Non-SAPPlatform

SAPNetWeaver

SAPNetWeaver

Token Issuer(STS)

Token Issuer(STS) Trust

RelationshipToken Acquisition

/ Issuance

* Enhancement Package

© SAP 2008

Agenda




4. Interoperability in Practice: Web Services SSO between SAPNetWeaver and Microsoft .NET


© SAP 2008

WS-Security Support in Microsoft .NET

.NET 2.0 supports core Web Service standards, such as WSDL 1.1and SOAP 1.1/1.2Web Services Enhancements (WSE) for Microsoft .NET 2.0 is asupported add-on to Microsoft Visual Studio .NET and the Microsoft .NET 2.0Framework providing support for WS-Security and other advanced Web ServiceprotocolsWith .NET 3.0, these advanced Web Service protocols became an integral partof the .NET Framework, which is now called the Windows CommunicationFoundation (WCF, formerly known as ’Indigo’)

.NET 3.0.NET 3.0

.NET Application.NET Application .NET Dev.-Tools.NET Dev.-Tools

Windows(XP, Server 2003/R2, Vista, Longhorn)

Windows(XP, Server 2003/R2, Vista, Longhorn)

WCF(Indigo)

WPF(Avalon)

WCS(Infocard)

WWF(Workflow)

.NET 2.0 CLR, .NET 2.0 Base Class LibrariesASP.NET 2.0, ADO.NET 2.0, WinForms 2.0

© SAP 2008

Host EnvironmentHost Environment

.NET WCF Core Concepts

The WCF programming model unifies the existing communicationtechnologies for distributed computing in .NET 2.0 (e.g. Web Services/WSE,.NET Remoting, Distributed Transactions, Message Queues) into a singleService-oriented programming modelA Service in WCF is composed of three parts

a Service Class (e.g. written in C#) that implements the Servicea Service Host Environment to host the Service (e.g. IIS, Self-Hosting)one or more Endpoints to which Clients can connect

An Endpoint defines the Contract (What ?), the Address (Where ?)and the Binding (How ?) of a Service

Web ServiceConsumer

Web ServiceConsumer

WCF Service

ServiceClass

Endpoint

Endpoint

Endpoint

Contract Address Binding

© SAP 2008

.NET WCF Bindings

Bindings define the Transport (e.g. HTTP), Encoding (e.g. TextMessage) and Protocol (e.g. Web Services) required to communicatewith the Service

WCF is shipped with predefined, System-Provided Bindings. TheseBinding can be configured declaratively

Developers can also create their own Custom Bindings with theWCF API that provide full control over the messaging stack when oneof the system-provided bindings does not meet the requirements of aconsumer or providerconstructed from threeelements

Transport

Encoder

Protocol(s)

HTTP Text Security ...WCF Binding

TransportTCPHTTPMSMQ...

EncodersTextBinary...

ProtocolSecurityReliability.NET...

© SAP 2008

Web Services Security Support in.NET WCF System-Provided Bindings

Support* for Web Services Core- and WS-Security Standards in WCF System-Provided Bindings:

Support for Web Services Core- and WS-Security Standards in SAP NetWeaver

basicHTTPBinding

wsHttpBinding

wsFederationHttpBinding

SOAP

1.1

1.2

1.2

WSDL

1.1

1.1

1.1

Interoperability

Func

tion

alit

y

SecurityToken

Profiles

UsernameX.509

UsernameX.509

UsernameX.509SAML 1.1

WS-Security

1.0

1.1

1.1

SAP NetWeaver• 7.0 SP14• 7.1

SOAP

1.1

WSDL

1.1

SecurityToken

Profiles

UsernameX.509SAML 1.0

WS-Security

1.0

* http://msdn2.microsoft.com/en-us/library/ms730294.aspx

http://msdn2.microsoft.com/en-us/library/ms730294.aspx

© SAP 2008

SAML Token Profile Support in .NET WCF

The system-provided wsFederationHttpBinding in WCF uses the SAMLToken Profile for Web Services SSO scenarios. This binding has the followingconstraints:

SAML 1.1 Assertions with Holder-of-Key subject confirmation method

Web Services Security 1.1 and SOAP 1.2

WCF has no system-provided binding that matches the supported standards in SAPNetWeaver (SAML Token Profile 1.0, WS-Security 1.0, SOAP 1.1)

With the WCF APIs, developers can create SAML 1.1 Assertions with Sender-Vouches Confirmation Method

However, WCF does not support the STR-Transform algorithm which is requiredto sign SAML Tokens with Sender-Vouches confirmation method

System.IdentityModel.Tokens.SamlConstants.SenderVouches

To implement an interoperability scenario between SAP NetWeaver and.NET, a WCF custom binding is required to support the use of SAMLToken Profile 1.0, WS-Security 1.0 and SOAP 1.1 on the WS Consumerside. In addition, Holder-of-Key support in SAP NetWeaver is a prerequisite.

!

© SAP 2008

Microsoft .NET3.0/WCF


Interoperability Scenario between SAPNetWeaver and Microsoft .NET WCF

TrustRelationship

3

4

2

16

5

SAML Token (HoK)

SSO withWindowsIntegrated

Authentication

SAML Token (HoK)

SSO(SAML Token

Profile)

InitialAuthentication

at DomainController

1. The user logs on to the Windowsdomain with his Windows Credentials

2. The WS Consumer authenticates atthe Token Issuer with WindowsIntegrated Authentication andrequests a SAML HoK Token thatcontains the domain identity

3. The Token Issuer issues the SAMLToken

4. The WS Consumer sends the requestusing the Custom Binding (WS-Sec1.0, SOAP 1.1, SAML Token Profile1.0)

5. The WS Provider maps theWindows User identity to the ABAPUser identity

6. WS Provider sends response

Token Issuer(STS)

Token Issuer(STS)

Web ServiceConsumer

Web ServiceConsumer



Web ServiceProvider

Web ServiceProvider

SAP NetWeaverSAP NetWeaver

© SAP 2008

Web Service ProviderWeb Service Provider

Configuration Steps for the InteroperabilityScenario with SAML Token Profile (HoK)

Implement the Custom Binding for.NET/WCFConfigure an endpoint of the WebService Provider to support symmetrickey encryption/signature usingSAML-bases messageauthenticationMaintain mapping of external user id(e.g. Windows Domain Name) tointernal SAP user id

SE38 - RSUSREXTID

SOAMANAGER

Web ServiceConsumer

Web ServiceConsumer

SAP NetWeaverSAP NetWeaver

WS EndpointConfiguration



User Mapping

Custom Binding

.NET/WCF Code

© SAP 2008

Implementation of the Custom Binding in the.NET/WCF Web Service Consumer (1/2)

SymmetricSecurityBindingElement secBinding = newSymmetricSecurityBindingElement();

secBinding.DefaultAlgorithmSuite =SecurityAlgorithmSuite.Basic128Rsa15;

secBinding.SecurityHeaderLayout = SecurityHeaderLayout.Strict;

secBinding.IncludeTimestamp = true;

secBinding.SetKeyDerivation(false);

// set WSS 1.0 and SOAP 1.1

secBinding.MessageSecurityVersion =MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

// don't encrypt signature

secBinding.MessageProtectionOrder =MessageProtectionOrder.SignBeforeEncrypt;

...

… using WS-Security1.0 …

… based on thisalgorithm suite …

… without encryptingthe signature in the WS-Security header.

Use a symmetric key toprotect the message ...

Web ServiceConsumer

Web ServiceConsumer

Custom Binding

© SAP 2008

Implementation of the Custom Binding in the.NET/WCF Web Service Consumer (1/2)

...

IssuedSecurityTokenParameters itp = newIssuedSecurityTokenParameters();

itp.ReferenceStyle =SecurityTokenReferenceStyle.Internal;

itp.InclusionMode =SecurityTokenInclusionMode.AlwaysToRecipient;

itp.TokenType = "urn:oasis:names:tc:SAML:1.1:assertion";

itp.KeyType = SecurityKeyType.SymmetricKey;

itp.KeySize = 128;

itp.RequireDerivedKeys = false;

itp.IssuerAddress = new EndpointAddress(newUri("http://localhost:8000/samlsts"));

// set sts binding

itp.IssuerBinding = new WSHttpBinding("stsBinding");

secBinding.ProtectionTokenParameters = itp;

Get an issued token toprotect the message …

… using the SAMLToken Profile 1.0 with aSAML 1.1 assertion …

… that holds thesymmetric key toprotect the message …

… from the TokenIssuer (STS) with thisURL.

Web ServiceConsumer

Web ServiceConsumer

Custom Binding

© SAP 2008

Configuring SAML Holder-of-Key Token for theABAP Web Service Provider (1/3)

Invoke TransactionSOAMANAGER

2 Switch to the tabApplication andScenarioConfiguration andselect Single ServiceAdministration

1WS Endpoint

Configuration

© SAP 2008


Search for the service,select it in the searchresults list and click onApply Selection

3

Click on CreateService to create anew service or selectan existing entry andclick on Edit

4


© SAP 2008


For SAML Holder-of-KeyAuthentication, selectSymmetric Message

Signature/Encryption inTransport GuaranteeCommunication Security

Single Sign-On usingSAML in AuthenticationSettingsAuthentication Method

MessageAuthentication

5

Click on Save6


© SAP 2008

Configuring the SAML User Mapping in the ASABAP (1/4)

Start the ABAP Editor withtransaction SE38

1

Enter RSUSREXTID andclick on Execute (F8)

2

User Mapping

© SAP 2008


Enter the SAP user nameand select SA for theExternal ID type.Optionally, enter the prefix(e.g. Token Issuer/STSname + "::" + WindowsDomain Name) and/or suffixthat is present in the externalname. In addition, enter theDN of the Token Issuer‘s(STS) certificate

Save the new mapping withExecute (F8) and review thechanges made in themapping table.

3

4

User Mapping

© SAP 2008


Display the current SAMLuser mappings with the DataBrowser (SE16)

Enter VUSREXTID for theTable Name and press F7

Select SA for the ExternalID type and press Enter

5

6

7

User Mapping

© SAP 2008

<saml:Assertion AssertionID="saml-bac86b5d" Issuer="urn:wcf.SAMLSTS“ ...><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:

nameid-format:WindowsDomainQualifiedName">SAP_ALL\D044724</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">...<KeyInfo><o:SecurityTokenReference><o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier">EZJTP...</o:KeyIdentifier>

</o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>Oe6n+sudejob5AEH...</e:CipherValue>

</e:CipherData></e:EncryptedKey>

</KeyInfo></saml:SubjectConfirmation>

</saml:Subject></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>...<Reference URI="#saml-bac86b5d">

</SignedInfo><SignatureValue>lZ1GzQ3yO887oiwY...</SignatureValue><KeyInfo><o:SecurityTokenReference><o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier">kfXogbsH...</o:KeyIdentifier>

</o:SecurityTokenReference></KeyInfo>

</Signature></saml:Assertion>

SAML Token Issued by the .NET WCF TokenIssuer and Used for Authentication at SAP

Encrypted symmetric key

User Identity Information fromWindows Integrated Authentication

Subject ConfirmationMethod (HoK)

Token Issuersignature

© SAP 2008

Copyright 2008 SAP AGAll Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changedwithout prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed arethe trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior writtenpermission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies,developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note thatthis document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant theaccuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express orimplied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitationshall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in thesematerials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durchSAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden.

Einige von der SAP AG und deren Vertriebspartnern vertriebene Softwareprodukte können Softwarekomponenten umfassen, die Eigentum anderer Softwarehersteller sind.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge und andere in diesem Dokument erwähnte SAP-Produkte und Services sowie diedazugehörigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und in mehreren anderen Ländern weltweit. Alle anderen in diesem Dokument erwähnten Namen vonProdukten und Services sowie die damit verbundenen Firmenlogos sind Marken der jeweiligen Unternehmen. Die Angaben im Text sind unverbindlich und dienen lediglich zuInformationszwecken. Produkte können länderspezifische Unterschiede aufweisen.

Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Formauch immer, nur mit ausdrücklicher schriftlicher Genehmigung durch SAP AG gestattet. Bei dieser Publikation handelt es sich um eine vorläufige Version, die nicht Ihrem gültigen Lizenzvertragoder anderen Vereinbarungen mit SAP unterliegt. Diese Publikation enthält nur vorgesehene Strategien, Entwicklungen und Funktionen des SAP®-Produkts. SAP entsteht aus dieserPublikation keine Verpflichtung zu einer bestimmten Geschäfts- oder Produktstrategie und/oder bestimmten Entwicklungen. Diese Publikation kann von SAP jederzeit ohne vorherigeAnkündigung geändert werden.

SAP übernimmt keine Haftung für Fehler oder Auslassungen in dieser Publikation. Des Weiteren übernimmt SAP keine Garantie für die Exaktheit oder Vollständigkeit der Informationen, Texte,Grafiken, Links und sonstigen in dieser Publikation enthaltenen Elementen. Diese Publikation wird ohne jegliche Gewähr, weder ausdrücklich noch stillschweigend, bereitgestellt. Dies gilt u. a.,aber nicht ausschließlich, hinsichtlich der Gewährleistung der Marktgängigkeit und der Eignung für einen bestimmten Zweck sowie für die Gewährleistung der Nichtverletzung geltenden Rechts.SAP haftet nicht für entstandene Schäden. Dies gilt u. a. und uneingeschränkt für konkrete, besondere und mittelbare Schäden oder Folgeschäden, die aus der Nutzung dieser Materialienentstehen können. Diese Einschränkung gilt nicht bei Vorsatz oder grober Fahrlässigkeit.

Die gesetzliche Haftung bei Personenschäden oder Produkthaftung bleibt unberührt. Die Informationen, auf die Sie möglicherweise über die in diesem Material enthaltenen Hotlinks zugreifen,unterliegen nicht dem Einfluss von SAP, und SAP unterstützt nicht die Nutzung von Internetseiten Dritter durch Sie und gibt keinerlei Gewährleistungen oder Zusagen über InternetseitenDritter ab.

Alle Rechte vorbehalten.

>net services in portal sdn documents

Documents

widely adopted

web services

web servicessingle

netweb services

web services

external id

web services

windows integrated