SAP Enterprise Portal 6.0: User Management & Security




Version: March 13, 2003
               Disclaimer

               This document contains an overview of the planned User Management & Security
               features of the SAP Enterprise Portal 6.0 (some of the features are planned to be
               available for the Unrestricted Shipment Phase only). It is subject to change. Please
               make sure that you are always using the newest version of this presentation.

               SAP AG assumes no responsibility for errors or omissions in these materials.

               These materials are provided “as is” without a warranty of any kind, either
               express or implied, including but not limited to, the implied warranties of
               merchantability, fitness for a particular purpose, or non-infringement.

               SAP AG shall not be liable for damages of any kind including without limitation
               direct, special, indirect, or consequential damages that may result from the use
               of these materials.

               SAP AG does not warrant the accuracy or completeness of the information, text,
               graphics, links or other items contained within these materials. SAP AG has no
               control over the information that you may access through the use of hot links
               contained in these materials and does not endorse your use of third party web
               pages nor provide any warranty whatsoever relating to third party web pages.




 SAP AG 2002, SAP Enterprise Portal 6.0: User Management & Security / 2
               Topics


                            Overview

                            New Features EP 6.0

                            Authentication

                            Single Sign-On (SSO)

                            Authorization

                            User Management

                            Secure Communication

                            Secure Network Architecture

               Enterprise Portal 6.0 – Security Features

               [Figure: the Portal Server in the center, with the security features around it:
               Authentication of the user towards the Portal Server, Single Sign-On from the
               Portal Server to a Third-Party System, Authorization, Secure Communication, and
               User Management on top of the User Persistence Store.]
               Architecture Overview

               [Figure: clients (Web Browser, PDA, etc.) reach the Web Server, which fronts the
               SAP Enterprise Portal 6.0 running on the SAP J2EE Engine (Java Application Server).
               Inside the Portal Server, the Portal Runtime (PRT) hosts the Portal Services, among
               them the User Management Service with Authentication, SSO, and the User, Group and
               Role components on top of a Persistence Manager. The Persistence Manager connects to
               the user persistence stores: Database, SAP System or LDAP Directory. The Backend
               Systems sit behind the portal.]
               New Features EP 6.0 – Authentication

               Multiple authentication methods in parallel
               Multiple user sources in parallel
               Anonymous users
                    Logon without authentication

               Authorization depending on authentication method
                    iView requires certain logon methods (for example digital
                     certificates)

               Interface for pluggable third-party authentication
                    Java Authentication and Authorization Service (JAAS) standard

               Partner certification program
                    Web access management products
                    Other external authentication services (for example hardware
                     tokens)



               New Features EP 6.0 – Single Sign-On (SSO)

               SAP logon ticket expiration recovery
                    Recovery of previous state of the portal if SAP logon ticket expires
                     and user has to logon again

               Ticket Verification Library for UNIX platforms

               Web Server Filter for additional Web server platforms

               Portal Server Certificate
                    Self-signed certificate
                    Issued by SAP Trust Center Service




               New Features EP 6.0 – Authorization

               Authorization for Portal Content
                    All content under administrative control of the portal
                    Based on Access Control Lists (ACLs)

               Code Authorization
                    Java Security Manager




               New Features EP 6.0 – User Management

               Web-based user administration

               End user self-registration
                    User can create account in the portal
                    Workflow for approval of registration request by administrator

               Password management & policies
                    Configurable expiration dates
                    Initial passwords and change at first login
                    Limit of failed logon attempts

               Flexible user persistence layer
                    LDAP directory, database or SAP system as user store

               Delegated administration




               Authentication – Initial Logon Procedure

               Verification of the user’s identity

               Initial logon procedure to authenticate user

               Various authentication methods
                    User ID / password
                    X.509 digital certificates
                    Third-party authentication
                                   Windows authentication
                                   SAP authentication
                                   Others through JAAS interface

               Anonymous users
                    Logon without authentication




               Authentication Schemes

               Define the authentication process
                    Credentials to be supplied
                    User interaction required (e.g. logon screens)
                    Priority of the authentication scheme (how strong it is)

               Attached to the user’s session

               Allow different authentication mechanisms to be enforced for different
               content (iViews)

               Re-authentication is required if the iView requires a “stronger”
               authentication scheme than the one attached to the user’s session




               Authentication: User ID / Password

               Logons are provided as
                    Form-based logon (iView)
                    HTTP Basic authentication (the server challenges with HTTP status 401; the
                     browser then sends user ID and password, Base64-encoded, with every request,
                     so this variant must only be used over SSL)

               Portal Server verifies the provided user ID / password against the
               user persistence store

               SAP logon ticket is issued (later used for Single Sign-On)

               [Figure: the browser sends user ID / password over SSL to the Portal Server; the
               Portal Server verifies them against the User Persistence Store (over SSL), performs
               the user ID mapping via the Portal Database and returns an SAP Logon Ticket to the
               browser.]


               Authentication: Digital Certificates

               Authentication of user through SSL protocol
                    User presents his digital certificate to Web server during SSL
                     handshake
                    Web server performs SSL client authentication

               Portal Server checks if user presented the correct certificate
                    Prerequisite: Client certificate has to be mapped to a portal user

               SAP logon ticket is issued (later used for Single Sign-On)

               [Figure: the browser presents its X.509 certificate to the Web server during the SSL
               handshake; the Portal Server compares it with the certificate stored for the user in
               the User Persistence Store (over SSL), maps it to the portal user ID via the Portal
               Database and issues an SAP Logon Ticket.]


               Getting a Digital Certificate

               Digital certificates must be X.509v3 compliant

               Various options possible:
                    Using SAP Trust Center Service
                                   For SAP users only
                                   Free of charge
                                   Portal Server acts as Registration Authority (RA)
                    Setting up internal PKI system
                                   Buy software from CA product vendor
                    Using external PKI system
                                   Contract with Trust Center Service




               SAP Trust Center Service: Enrollment Process

               [Figure: Web Browser, Portal Server and SAP Trust Center Service; the numbered
               steps in the figure are:]
                    1. The user logs on to the Portal Server using SAP user ID and password and
                       initiates the SAP Passport request
                    2. The user specifies the naming convention and triggers key generation
                    3. The Web browser generates the key pair and sends the SAP Passport request
                       to the Portal Server (the request carries only the public key; the private
                       key stays in the browser)
                    4. The Portal Server, acting as Registration Authority, sends the approved
                       certificate request to the SAP Trust Center Service
                    5. The SAP Trust Center Service verifies the naming conventions and issues
                       the certificate
                    6. The user logs on using the SAP Passport
               Third-Party Authentication

               Authentication using an external authentication service

                Windows authentication

                SAP Web AS or R/3 system authentication

               Other authentication methods through pluggable JAAS Login
               Modules

               Integration of external Web Access Management (WAM) products
               possible




               Windows Authentication



           Authentication is delegated to the Windows operating system*

           Process with HTTP Basic Authentication:
                  User has to enter his or her Windows user ID and password
                   (HTTP Basic Authentication, so SSL is required to protect them in transit)
                  Windows Domain Controller authenticates the portal user
                  Used when the Enterprise Portal is accessible from the Extranet

           Process with Windows Integrated Authentication (NTLM):
                  The previous logon to the Windows operating system is reused
                  User is not required to reenter his or her Windows credentials
                  Used when the Enterprise Portal is a pure Intranet portal and only MS IE
                   is used

           * Requires Microsoft IIS 5.0 as Web server



               SAP Web AS or R/3 System Authentication



               SAP users can be synchronized with users in an LDAP
               directory, but passwords are not synchronized*; the portal therefore
               authenticates directly against the SAP Web Application Server or
               R/3 System

               Process:
                    Portal user enters his or her SAP user ID and password
                    The credentials are verified directly by the SAP Web Application
                     Server or another SAP R/3 System
                    If authentication is successful, the Portal Server logs the user on
                     to the portal

               * Only needed for SAP Web Application Server 6.10 and SAP Basis 4.5B or 4.6x




               Pluggable Authentication

               Plug-in interface for authentication modules

               Interface defined by Java Authentication and Authorization
               Service (JAAS) standard

               Each authentication scheme can define one or more JAAS
               LoginModules

               http://java.sun.com/products/jaas




               Integration of Web Access Management Products

               External Web Access Management (WAM) product authenticates
               the portal user

               Technical integration using a JAAS LoginModule:
                    Reading an HTTP header variable set by the WAM product
                    Custom implementation (e.g. to verify a cookie issued by the WAM product)

               Portal Server logs the user on to the portal (the user must exist in the
               portal user persistence store)

               Seamless integration, only configuration required

               Caveat: a header-based LoginModule trusts the header completely. The Web server
               or WAM agent in front of the portal must strip any copy of that header supplied by
               the client, and the Portal Server must be reachable only through that front end;
               otherwise any client can log on as any user simply by sending the header itself.




                              Partner certification program for WAM vendors
                                 or integration on a project-specific basis


               SSO – SAP Logon Tickets



               SAP logon tickets represent the user’s credentials

               Portal Server issues an SAP logon ticket to a user after
               successful initial authentication

               SAP logon ticket is stored as a non-persistent session cookie in the
               client browser (discarded when the browser is closed)

               SAP logon ticket is used to authenticate the user to applications
                    User gets access to multiple applications and services
                    After the initial logon no further user logons are required

               Cross-domain support




               SAP Logon Tickets – SSO Process

               [Figure: after the Initial Logon the browser holds the SAP Logon Ticket and
               presents it to an SAP System, to an External System in the Intranet, and to any
               other Web page in the Internet that has been set up to accept it.]
               SAP Logon Ticket – Contents


                  SAP logon tickets contain:
                       User ID(s)
                       Authentication scheme
                       Validity period
                       Issuing system
                       Digital signature
                  SAP logon tickets do NOT contain any passwords!

                  Strong Security:
                       Digitally signed by the Portal Server
                       Authenticity and integrity protection through the digital signature
                       (a signature does not encrypt the ticket: its contents are readable by
                        anyone who obtains it, which is why it must be kept confidential in transit)




               SAP Logon Tickets & Security



          SAP logon ticket serves as authentication token and
          therefore needs to be protected from unauthorized usage

                 Validity period

                 Authenticity and integrity protection using the
                 digital signature

                 Confidentiality protection through the SSL protocol
                 while in transport (the cookie must only ever be sent
                 over SSL connections)

                 Set the cookie as “HttpOnly” so that client-side script cannot
                 read it; this limits what a cross-site scripting (XSS) attack
                 can steal (supported by Microsoft IE 6.0 SP1)




               Verifying the SAP Logon Ticket: SAP Systems

               [Figure: the SAP component system holds the Portal Server’s public-key
               certificate and receives the SAP Logon Ticket from the browser.]

                     Step 1:
                                 Verification of the digital signature provided with the SAP logon ticket,
                                 using the Portal Server’s public-key certificate.

                     Step 2:
                                 Logon using the user ID which is stored in the SAP logon ticket.
                                 No additional authentication using password or certificate is necessary.
               Verifying the SAP Logon Ticket: Non-SAP Systems



                 The non-SAP component must:

                       Make sure the SAP logon ticket has been issued by a trusted
                        Portal Server
                                      Accept the certificate of the Portal Server


                       Verify the Portal Server’s digital signature in the SAP logon
                        ticket
                                      Ticket Verification Library that can be linked to non-SAP systems
                                       or Web Server Filter are provided


                       Extract the user ID from the SAP logon ticket
                                      Ticket Verification Library or Web Server Filter are provided that
                                       extract the user ID from the SAP logon ticket
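The verification steps above (and Step 1 / Step 2 for SAP systems on the previous slide), as an added Python example that is not part of the original presentation and not SAP’s code. It models a signed logon ticket with a toy RSA key pair built from two fixed primes (a 60-bit modulus, constructed here only to keep the example dependency-free and far too small for real use); the field names, the scheme names and the issuer name are assumptions, not the real SAP logon ticket format. The relying system holds only the issuer’s public key, checks issuer, signature and validity period, then extracts the user ID; it also shows the re-authentication check for an iView that demands a stronger authentication scheme than the ticket carries.

```python
"""Toy model of issuing and verifying a signed logon ticket (added example).

Constructed for illustration: ticket layout, scheme names and key sizes are
assumptions, NOT the real SAP logon ticket format.
"""
import hashlib
import json
import time

# Toy RSA key pair of the issuing Portal Server (constructed; 60-bit modulus,
# insecure, only to keep the example self-contained).
_P, _Q = 1000000007, 998244353
PORTAL_N = _P * _Q                                    # public modulus
PORTAL_E = 65537                                      # public exponent
_PORTAL_D = pow(PORTAL_E, -1, (_P - 1) * (_Q - 1))    # private exponent, signer only

# Public keys the verifying system trusts, keyed by issuing system name.
# A non-SAP system obtains this from the Portal Server's public-key certificate.
TRUSTED_ISSUERS = {"EP6_PORTAL": (PORTAL_N, PORTAL_E)}

# Assumed authentication schemes, ordered by strength (priority).
SCHEME_PRIORITY = {"anonymous": 0, "uidpwd": 10, "x509": 20}


class TicketError(ValueError):
    """Raised when a ticket must not be accepted."""


def _canonical(fields: dict) -> bytes:
    # Deterministic encoding so that signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _digest(payload: bytes) -> int:
    # SHA-256, reduced mod N because the toy modulus is smaller than 256 bits.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % PORTAL_N


def issue_ticket(user_id, scheme, issuer="EP6_PORTAL", validity_s=8 * 3600, now=None):
    """Portal Server side: sign the ticket fields after a successful logon."""
    now = int(time.time()) if now is None else now
    fields = {"user": user_id, "scheme": scheme, "issuer": issuer,
              "iat": now, "exp": now + validity_s}   # note: no password inside
    signature = pow(_digest(_canonical(fields)), _PORTAL_D, PORTAL_N)
    return {"fields": fields, "sig": signature}


def verify_ticket(ticket, now=None):
    """Relying system side: return (user_id, scheme) or raise TicketError."""
    now = int(time.time()) if now is None else now
    fields = ticket["fields"]
    key = TRUSTED_ISSUERS.get(fields.get("issuer"))
    if key is None:
        raise TicketError("issuer not trusted")
    n, e = key
    # Step 1: verify the digital signature with the issuer's public key only.
    if pow(ticket["sig"], e, n) != _digest(_canonical(fields)):
        raise TicketError("signature invalid")
    # Validity period: reject expired (or not yet valid) tickets.
    if not fields["iat"] <= now < fields["exp"]:
        raise TicketError("ticket expired")
    # Step 2: log the user on with the user ID carried in the ticket.
    return fields["user"], fields["scheme"]


def needs_reauthentication(ticket_scheme, required_scheme):
    """True if the iView requires a stronger scheme than the session holds."""
    return SCHEME_PRIORITY[ticket_scheme] < SCHEME_PRIORITY[required_scheme]


def demo(now=1_000_000):
    """Exercise the model with constructed inputs; returns the outcomes."""
    ticket = issue_ticket("d040011", "uidpwd", now=now)
    results = {"valid": verify_ticket(ticket, now=now + 60)}
    cases = (
        ("tampered", {"fields": dict(ticket["fields"], user="i052340"),
                      "sig": ticket["sig"]}, now + 60),
        ("expired", ticket, now + 8 * 3600),
        ("untrusted", {"fields": dict(ticket["fields"], issuer="ROGUE"),
                       "sig": ticket["sig"]}, now + 60),
    )
    for name, candidate, when in cases:
        try:
            verify_ticket(candidate, now=when)
            results[name] = "accepted"
        except TicketError as err:
            results[name] = str(err)
    results["reauth_for_x509_iview"] = needs_reauthentication("uidpwd", "x509")
    return results


if __name__ == "__main__":
    print(demo())
```

The relying side never needs the private exponent, which is exactly why a non-SAP system only has to import the Portal Server’s certificate; swapping a user ID, replaying the ticket after its validity period or presenting a ticket from an unknown issuer all fail before any logon happens.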




               SSO to non-SAP Components Using SAP Logon
               Tickets

        Two alternatives:

        Web Server Filter
               1. The browser presents the SAP logon ticket to the Web server; the filter
                  verifies its signature with the Portal Server’s public-key certificate
               2. The filter passes the application user ID to the non-SAP component
                  system in an HTTP header field

        Application Programming Interface (API)
               1. The browser presents the SAP logon ticket to the non-SAP component system
               2. The component calls the Ticket Verification Library, which checks the
                  signature with the Portal Server’s public-key certificate
               3. The library returns the application user ID to the component
               SSO – Account Aggregation

               Used if the external system does not support SAP logon tickets

               Portal components connect to the external system with the user’s
               own credentials for that system (user ID and password)

               User mapping and credential information are stored in the Portal
               Database

               Administrator maps users using the administration iView
                    Typically to map groups and roles

               User maps own credentials using the portal personalization function

               Sample mapping table (illustrative values from the original slide):

                    Portal User           SAP User    Siebel User ID / Password
                    Michael_Schumacher    d040011     903845233 / {yu323ab}
                    Anna_Kournikova       i052340     230982029 / {34u0nap}
                    Tiger_Woods           i043536     324098211 / {wq9itxm1}
                    Cathy Freeman         i048347     202377724 / {12onxc85}

               Note that, unlike SAP logon tickets, this alternative does store passwords in
               the Portal Database, which therefore becomes a high-value target and must be
               protected accordingly.
               Authorization Concept for Portal Content

               Objects in the Portal Content Directory (PCD) are controlled by
               Access Control Lists (ACLs)

               ACL defines permissions for principals (user, group or role)
                    For example, ACL specifies the roles that can access the iView

               ACL Service
                    Enforces permissions for portal objects at runtime

               Permissions Editor
                    GUI for administering ACLs for portal objects




               Access Control Lists (ACLs)

               Portal object creator is automatically the ACL owner
               Only the ACL owner can
                      Add or remove owners for the object’s ACL
                      Grant permissions to a principal

               Inheritance of permissions
                      If no ACL exists for a PCD object, the permissions are inherited
                       from the parent’s ACL

               Administrator permissions (Design Time)
                           None
                           Read
                           Write
                           Full Control (ACL owner)

               End-User permissions (Run Time)
                      On/Off



               Code Authorization

               Protection mechanism for portal code and sensitive areas in the file
               system

               Uses the Java access control mechanisms

               Java Security Manager
                    Controls which application code is allowed to access portal code
                     and protected resources

               Permissions are granted per code source in a policy file




 SAP AG 2002, SAP Enterprise Portal 6.0: User Management & Security / 36
               Topics


                           Overview

                           New Features EP 6.0

                           Authentication

                           Single Sign-On (SSO)

                           Authorization

                           User Management

                           Secure Communication

                           Secure Network Architecture

               Architecture Overview – User Management Engine

               (Layered figure, top to bottom)

               Applications accessing user management
                      SAP Enterprise Portal

               User Management core layer
                      User API, User Account API, Group API, Role API
                      Persistence Manager
                      Replication Manager

               Persistence adapters
                      Used by the Persistence Manager to read and write each repository

               User persistence store
                      Database, LDAP Directory, SAP System
                      External System (target of the Replication Manager)
               Persistence Manager

               Central place for reading and writing user-specific data
                    Users
                    Groups
                    Role assignments

               Uses Persistence Adapters to read/write data

               Supports database, LDAP directory and SAP system as
               repository

               (Figure: User Management core layer -> Persistence Manager ->
               Persistence Adapters -> User Persistence Store: Database,
               LDAP Directory, SAP System)
               Persistence Manager

               User Partitioning
                    Specific user sets can be distributed across different repositories
                    Example: self-registered, external users are kept in the portal
                     database; internal users are kept in the LDAP directories

               Attribute Partitioning
                    Specific user attributes can be distributed across different
                     repositories
                    Example: role assignments (portal-specific data) are kept in the
                     portal database; general, application-independent user data is
                     kept in the LDAP directory
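The two kinds of partitioning as routing logic, added here as an example (this is not SAP's Persistence Manager and not from the deck): which repository holds a user's general data is decided per user set, and portal-specific attributes always go to the portal database. The two in-memory dicts standing in for the database and the LDAP directory, the "ext." prefix marking self-registered users, and the attribute names are assumptions.

```python
"""Added example (not SAP's Persistence Manager): routing reads and writes
across two repositories by user set and by attribute, as the slide describes.
Two dicts stand in for the portal database and the LDAP directory
(constructed; no real repository is touched). The routing rules below are
assumptions chosen to match the slide's two examples."""
from __future__ import annotations

class MemoryAdapter:
    """Stand-in persistence adapter: one dict of attributes per user id."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.store: dict[str, dict] = {}

    def read(self, uid: str) -> dict:
        return dict(self.store.get(uid, {}))

    def write(self, uid: str, attrs: dict) -> None:
        self.store.setdefault(uid, {}).update(attrs)

class PersistenceManager:
    # Attribute partitioning: portal-specific attributes always live in the
    # portal database, so the directory schema stays untouched.
    PORTAL_ATTRS = frozenset({"roles", "user_mapping"})

    def __init__(self, db: MemoryAdapter, ldap: MemoryAdapter) -> None:
        self.db, self.ldap = db, ldap

    def home(self, uid: str) -> MemoryAdapter:
        """User partitioning: self-registered external users live in the
        database, internal users in the LDAP directory. Using an 'ext.'
        prefix as the distinguishing mark is an assumption for this example."""
        return self.db if uid.startswith("ext.") else self.ldap

    def write(self, uid: str, attrs: dict) -> dict[str, list[str]]:
        """Split one logical write into per-repository writes and return
        which attributes went to which repository (an audit trail)."""
        portal = {k: v for k, v in attrs.items() if k in self.PORTAL_ATTRS}
        general = {k: v for k, v in attrs.items() if k not in self.PORTAL_ATTRS}
        routed: dict[str, list[str]] = {}
        if general:
            home = self.home(uid)
            home.write(uid, general)
            routed.setdefault(home.name, []).extend(sorted(general))
        if portal:
            self.db.write(uid, portal)
            routed.setdefault(self.db.name, []).extend(sorted(portal))
        return routed

    def read(self, uid: str) -> dict:
        """Merge general data from the home repository with portal-specific
        data from the database. Only portal attributes are taken from the
        database, so it can never shadow a directory attribute."""
        merged = self.home(uid).read(uid)
        merged.update({k: v for k, v in self.db.read(uid).items()
                       if k in self.PORTAL_ATTRS})
        return merged

def demo() -> dict:
    db, ldap = MemoryAdapter("portal_db"), MemoryAdapter("ldap")
    pm = PersistenceManager(db, ldap)
    # Internal user: general data already exists in the directory.
    ldap.write("jdoe", {"mail": "jdoe@example.com", "dept": "HR"})
    routed_internal = pm.write("jdoe", {"roles": ["hr_admin"], "dept": "Finance"})
    # Self-registered external user: everything ends up in the database.
    routed_external = pm.write("ext.guest1", {"mail": "g@example.org", "roles": ["guest"]})
    return {
        "routed_internal": routed_internal,
        "routed_external": routed_external,
        "jdoe": pm.read("jdoe"),
        "ldap_has_roles": "roles" in ldap.store["jdoe"],
    }
```

The security-relevant consequence of the attribute split shows in the result: the portal's role assignments never land in the directory, so the portal needs directory write access only if general attributes are to be edited through it, and a compromised portal cannot plant portal roles in the corporate directory through this path.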


               Persistence – Supported Repositories


                                     Portal Database
                                          Oracle 9.2
                                          Microsoft SQL Server 2000

                                     LDAP Directory
                                          Novell eDirectory
                                          Sun ONE Directory Server
                                          Microsoft ADS
                                          Siemens DirX

                                     SAP System
                                          SAP Web Application Server 6.20 or higher


                                      For details please see the Product Availability Matrix at
                                                   http://service.sap.com/pam60


               Portal Database

               User Persistence Store (LDAP directory, portal database or SAP system)
                      Basic user data
                      Basic group data
                      User -> group assignment

               Portal Database (stores portal-specific data)
                      UM instance
                             User/group -> role assignment
                             User mapping (for SSO purposes)
                      PCD instance
                             User roles (metadata)
                             Content -> role assignment
                             User’s personalization data




               Replication Manager

               Replication of user data to external systems

               Provisioning for external systems that cannot use supported user
               repositories

               Notification when users are created or modified

               Data exchange via XML documents

               One-way replication of user data (Portal -> External System)

               (Figure: User Management core layer -> Replication Manager ->
               External System)


               Replication – Supported External Systems

               External System
                    SAP Basis 4.6D,
                     SAP Web Application Server 6.10 or higher

               Example: portal user provisioning to SAP systems
                    Replication Manager -> BW, SRM, CRM




               User Management with SAP Systems: Directory
               Integration

               Central User Administration (CUA) <-> LDAP Directory
                    LDAP synchronization (available since CUA release 6.10)
                    Mapping on directory schema
                    Synchronization procedure

               CUA distributes the user data to its child systems

               User Administration

               Administration GUI completely based on iViews

               User Administration Functions:
                    Create users
                    Copy users
                    Modify users
                    Search for users
                    Assign users and groups to role(s)
                    Set or auto-create password
                    Set date & time for user account activation
                    Lock/unlock users
                    View user account history
                    Approve/deny self-registered users
                    Adapt attributes contained in self-registration
                    E-Mail notifications for specified events



               Password Management

         Administration Functions
              Configure password policies
              Set initial password for user
              Let system auto-create password for user
              Reset password
              Customizable “Forgot Password” process

         Password Policies
              Min/max. length
              Numeric characters allowed/mandatory
              Password different from UID
              Mixed case required
              Special characters required
              Password expiry time period (days)
              Password must be changed at next logon
              Number of failed logon attempts before account is locked
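A checker for these policy settings, added here as an example (not SAP code and not from the deck; the default values, the special-character set, and the "must not contain the user ID" rule, which is stricter than the slide's "different from UID", are assumptions). It reports every violation at once and evaluates the lockout before the password, so a correct password on a locked account is still refused and failed attempts on a locked account stop being counted.

```python
"""Added example (not SAP code): a checker for the password policy settings
listed above, plus the account-side rules (expiry, forced change at next
logon, lockout after N failed logons). Defaults, the special-character set
and the 'contains the user ID' rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")  # assumed character set

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    numeric_allowed: bool = True
    numeric_mandatory: bool = True
    mixed_case_required: bool = True
    special_required: bool = True
    expiry_days: int = 90           # 0 = passwords never expire
    max_failed_logons: int = 5      # 0 = never lock

def check_password(policy: PasswordPolicy, password: str, uid: str) -> list[str]:
    """Return every violation (empty list: the password satisfies the policy).
    Reporting all violations at once spares the user a one-rule-at-a-time
    guessing loop."""
    v: list[str] = []
    if len(password) < policy.min_length:
        v.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        v.append(f"longer than {policy.max_length}")
    has_digit = any(c.isdigit() for c in password)
    if policy.numeric_mandatory and not has_digit:
        v.append("no numeric character")
    if not policy.numeric_allowed and has_digit:
        v.append("numeric characters not allowed")
    if uid.casefold() in password.casefold():  # stricter than 'different from UID'
        v.append("contains the user ID")
    if policy.mixed_case_required and not (
            any(c.islower() for c in password) and any(c.isupper() for c in password)):
        v.append("mixed case required")
    if policy.special_required and not any(c in SPECIALS for c in password):
        v.append("special character required")
    return v

@dataclass
class Account:
    uid: str
    password_set_on: date
    must_change: bool = False     # "password must be changed at next logon"
    failed_logons: int = 0
    locked: bool = False

def password_expired(policy: PasswordPolicy, acct: Account, today: date) -> bool:
    if policy.expiry_days <= 0:
        return False
    return today > acct.password_set_on + timedelta(days=policy.expiry_days)

def record_logon(policy: PasswordPolicy, acct: Account, password_ok: bool,
                 today: date) -> str:
    """Apply lockout and forced-change rules to one logon attempt and return
    the outcome: locked / failed / change_required / ok."""
    if acct.locked:           # checked first: a correct password does not unlock
        return "locked"
    if not password_ok:
        acct.failed_logons += 1
        if policy.max_failed_logons and acct.failed_logons >= policy.max_failed_logons:
            acct.locked = True
            return "locked"
        return "failed"
    acct.failed_logons = 0    # a successful logon resets the counter
    if acct.must_change or password_expired(policy, acct, today):
        return "change_required"
    return "ok"

def demo() -> dict:
    policy = PasswordPolicy()
    today = date(2003, 3, 13)
    acct = Account("jdoe", password_set_on=today - timedelta(days=100))
    outcomes = [record_logon(policy, acct, False, today) for _ in range(5)]
    outcomes.append(record_logon(policy, acct, True, today))  # right password, still locked
    fresh = Account("jdoe", password_set_on=today - timedelta(days=100))
    return {
        "weak": check_password(policy, "jdoe123", "jdoe"),
        "strong": check_password(policy, "Correct-Horse7!", "jdoe"),
        "outcomes": outcomes,
        "expired": record_logon(policy, fresh, True, today),
    }
```

Note that `record_logon` returns "locked" for the sixth attempt even though the password is right: unlocking is an administrator action (the "Lock/unlock users" function on the previous slide), not a side effect of finally guessing correctly.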

               User Self-Service

               User can change his or her profile

               User can set a new password
                    During logon (for initial passwords, when expired)
                    By changing user profile

               User can request new password (sent to user by E-Mail)

               User self-registration
                    User fills out a simple registration form
                    User immediately becomes a guest user
                    User waits for approval by administrator to become a registered user




               Security Logging & Auditing

               Logging of all security relevant information
                    User login (successful/failed)
                    IP address of user logged in
                    User logoff
                    User created/modified
                    User approval/denial
                    User locked/unlocked
                    Role assignment changed
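Detection logic run over these event types, added here as an example (not SAP code; the line format, the event names and the log lines are constructed for the example, and a real portal log needs its own parser in place of `parse_line`): sliding-window brute-force and password-spray detection on failed logons, a successful logon following a spray from the same source, and a role assignment an administrator grants to herself.

```python
"""Added example (not from the SAP deck): detection rules over the kinds of
security events the slide lists. Log format, event names and sample lines
are constructed for this example."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

LINE = re.compile(r"^(\S+ \S+) (\S+)(.*)$")   # "<date> <time> <EVENT> k=v k=v"
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (not real data): a brute-force run against one user
# from 10.0.0.5, a slow spray from 10.0.0.9, and an admin granting herself a role.
SAMPLE_LOG = """\
2003-03-13 09:00:01 LOGIN_FAILED user=jdoe ip=10.0.0.5
2003-03-13 09:00:03 LOGIN_FAILED user=jdoe ip=10.0.0.5
2003-03-13 09:00:04 LOGIN_FAILED user=jdoe ip=10.0.0.5
2003-03-13 09:00:06 LOGIN_FAILED user=jdoe ip=10.0.0.5
2003-03-13 09:00:07 LOGIN_FAILED user=jdoe ip=10.0.0.5
2003-03-13 09:00:09 USER_LOCKED user=jdoe actor=system
2003-03-13 09:10:00 LOGIN_FAILED user=asmith ip=10.0.0.9
2003-03-13 09:11:00 LOGIN_FAILED user=bjones ip=10.0.0.9
2003-03-13 09:12:00 LOGIN_FAILED user=cwu ip=10.0.0.9
2003-03-13 09:13:00 LOGIN_OK user=cwu ip=10.0.0.9
2003-03-13 09:30:00 ROLE_ASSIGNED user=madmin role=super_admin actor=madmin
2003-03-13 09:31:00 LOGOFF user=madmin
"""

def parse_line(line: str) -> Optional[dict]:
    m = LINE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
          "event": m.group(2)}
    ev.update(KV.findall(m.group(3)))
    return ev

def detect(log_text: str, window: timedelta = timedelta(minutes=5),
           max_failed: int = 5, spray_users: int = 3) -> list[tuple[str, str]]:
    """Return (rule, subject) findings in the order they are raised. Failed
    logons are judged over a sliding window per user and per source IP,
    so a slow attacker is not hidden by fixed time buckets."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings: list[tuple[str, str]] = []

    def add(rule: str, subject: str) -> None:
        if (rule, subject) not in findings:
            findings.append((rule, subject))

    fails_by_user: dict[str, list[datetime]] = defaultdict(list)
    fails_by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            ts = e["ts"]
            # Brute force: >= max_failed failures for one user inside the window.
            hist = fails_by_user[e["user"]]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= window]
            if len(hist) >= max_failed:
                add("brute_force", e["user"])
            # Spraying: one source IP failing against many distinct users.
            ip_hist = fails_by_ip[e["ip"]]
            ip_hist.append((ts, e["user"]))
            ip_hist[:] = [x for x in ip_hist if ts - x[0] <= window]
            if len({u for _, u in ip_hist}) >= spray_users:
                add("password_spray", e["ip"])
        elif e["event"] == "LOGIN_OK":
            # A success from an IP already flagged for spraying: it likely worked.
            if ("password_spray", e.get("ip")) in findings:
                add("spray_then_success", f"{e['ip']}->{e['user']}")
        elif e["event"] == "ROLE_ASSIGNED" and e.get("actor") == e.get("user"):
            # Self-granted privilege: the actor changed her own role assignment.
            add("self_role_grant", f"{e['user']}:{e.get('role', '?')}")
    return findings
```

The USER_LOCKED line in the sample is deliberately not needed by any rule: the lock is the portal's own reaction, and the detection fires on the failures themselves, so it still works for accounts whose policy has no lockout threshold.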




               Secure Communication – Features


               Secure, encrypted communication between client, Portal Server,
               persistence layer, and backend systems

               Support of industry-standard security protocols
                    Secure Sockets Layer (SSL)
                    Secure Network Communications (SNC)

               Features
                    Confidentiality
                    Authenticity
                    Integrity




               Secure Communication – Overview

               Protocol used on each link (Web Browser in front of the DMZ, Web
               Server in the DMZ, everything else in the intranet):
                    Web Browser -> Web Server: HTTP over SSL
                    Web Server -> SAP J2EE Engine Dispatcher: HTTP over SSL
                    Dispatcher -> Portal Server: P4
                    Portal Server -> User Persistence Store
                         Database: JDBC over SSL
                         LDAP Directory: LDAP over SSL
                         SAP System: RFC with SNC
                    Portal Server -> Backend Systems
                         Web applications (SAP, non-SAP): HTTP over SSL
                         SAP System: RFC with SNC

               Secure Network Architecture – Overview


                                          The network architecture must support the business
                                          needs without allowing unauthorized access

                                         Highly sensitive systems and components need to be
                                         protected (Portal Server, Persistence Layer, Backend
                                         Applications)

                                         Locate them in a separate area that is sealed off from
                                         network attacks from outside and inside

                                         Application servers, database servers, and directory
                                         servers should only be accessible via a demilitarized
                                         zone (DMZ) that is protected by firewalls



               Secure Network Architecture – Enterprise Portal 6.0

               Zones from the outside in, each separated from the next by a firewall:

               Front End
                      Client
               External Firewall
               DMZ
                      Web Servers (with Plug-In)
               Internal Firewall
               Intranet
                      Portal Servers (incl. Content Management)
                      Persistence Layer
               Firewall
               Backend
                      Application Servers
                      Retrieval & Classification (TREX)
                      Database Servers
                      Corporate Directory Server
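An added example (not from the deck) that checks an inventory of communication paths against this zone model together with the protocol table on the Secure Communication overview slide: a flow must not cross more than one firewall, and any flow that does cross a firewall must use SSL or SNC. The host names, their zone placement, the protocol labels and the sample flows, two of them deliberately wrong, are assumptions.

```python
"""Added example (not from the SAP deck): checks communication paths against
the four-zone model above and the protocol table on the Secure Communication
overview. Hosts, zone placement, protocol labels and the sample flows are
constructed; two of the flows are deliberately wrong."""
from __future__ import annotations
from dataclasses import dataclass

ZONES = ["front_end", "dmz", "intranet", "backend"]  # one firewall between neighbours
# Protocol label -> protected on the wire (SSL or SNC) or not.
PROTECTED = {"https": True, "http": False, "ldaps": True, "ldap": False,
             "jdbc/ssl": True, "jdbc": False, "rfc/snc": True, "rfc": False,
             "p4": False}

@dataclass(frozen=True)
class Flow:
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    protocol: str

    def label(self) -> str:
        return f"{self.src}->{self.dst} ({self.protocol})"

def check_flow(f: Flow) -> list[str]:
    """Return the problems with one flow (empty list: acceptable)."""
    if f.protocol not in PROTECTED:
        raise ValueError(f"unknown protocol {f.protocol!r} in {f.label()}")
    firewalls = abs(ZONES.index(f.dst_zone) - ZONES.index(f.src_zone))
    problems: list[str] = []
    if firewalls > 1:
        # e.g. a client reaching the portal server directly, bypassing the DMZ
        problems.append("crosses more than one firewall (skips a tier)")
    if firewalls >= 1 and not PROTECTED[f.protocol]:
        problems.append(f"{f.protocol} is unprotected across a firewall")
    return problems

def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map every flow that has at least one problem to its problems."""
    report: dict[str, list[str]] = {}
    for f in flows:
        problems = check_flow(f)
        if problems:
            report[f.label()] = problems
    return report

# Constructed inventory modelled on the overview slide, plus two bad flows.
SAMPLE_FLOWS = [
    Flow("browser", "front_end", "web_server", "dmz", "https"),
    Flow("web_server", "dmz", "j2ee_dispatcher", "intranet", "https"),
    Flow("j2ee_dispatcher", "intranet", "portal_server", "intranet", "p4"),
    Flow("portal_server", "intranet", "portal_db", "backend", "jdbc/ssl"),
    Flow("portal_server", "intranet", "sap_system", "backend", "rfc/snc"),
    Flow("portal_server", "intranet", "corporate_directory", "backend", "ldap"),  # bad
    Flow("browser", "front_end", "portal_server", "intranet", "https"),            # bad
]
```

Unencrypted P4 between dispatcher and portal server passes only because both sit in the same zone; moving one of them across a firewall would make the same check flag it, which is the reason to keep the inventory and the zone placement in one place.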




               Enterprise Portal 6.0 – A Portal For More Security

                   Authentication using various methods
                           User ID/password, digital certificates, third-party authentication

                   Single Sign-On (SSO)
                           Secure, digitally signed SAP logon tickets
                           Account aggregation via user ID/password mapping

                   Authorization
                           ACL-based authorization for portal content

                   Secure communication
                           Between client, portal, and enterprise application servers (SSL, SNC)

                   User Management
                           Support for LDAP directory servers, databases or SAP systems as user
                            persistence store
                           User self-registration (incl. approval process)
                           Delegated administration

                                                   Questions?


