EXPLORING SAML 2.0
SCI160 Exercises / Solutions
Angel Dichev / SAP Labs, LLC
Peter McNulty / SAP Labs, LLC
Dimitar Mihaylov / SAP Labs Bulgaria
Dong Pan / SAP Australia
Joseph Zeinoun / SAP Mentor
Stephan Zlatarev / SAP Labs Bulgaria
Boilit’s supplier for technical measurement equipment is Measurit. Measurit has set up a supplier portal on the Internet to provide easy access to look up products and their technical data, as well as shipment, availability and pricing information. They have jointly configured a customized product catalogue which contains all measurement devices that are regularly used in our production processes, as well as information on new upcoming technology. The new Measurit supplier portal provides simplified access for users to search for the required products and to place and complete orders under the terms and prices that have been negotiated with our supplier.
For accessing the new Measurit supplier portal we have set up Federated Single Sign-On, so you can simply use your existing Boilit account.
Please be sure to use the fully qualified domain names (not localhost) in the URLs when completing the exercises, as they are used in the metadata generation. URLs with localhost will not work.
Boilit Configuration (IDP)
1 Create Boilit Users, Groups and Custom Attribute
1.1 Create Groups Engineers and Purchasers
Launch the SAP NetWeaver Application Server Java
http://<host>:<port>/
Important - Use the fully qualified domain name
Choose User Management
Login as user demo and password welcome.
Select Group from the Search Criteria dropdown list
Click Create Group to create a new group
Input Engineers for the Unique Name.
Click Save.
Repeat the steps above to create a group with the Unique Name Purchasers
Add Custom Attribute Cost Center to the User Profile
Choose Configuration
Choose the User Admin UI tab.
Click Modify Configuration.
Enter costcenter for the Administrator-Managed Custom Attributes field
Click Save All Changes
Logoff and Login as user demo and password welcome
1.2 Create user Angie Neer
1. Select User from the Search Criteria dropdown list
2. Click Create User to create a new user
In the Details view, on the General Information tab, enter the following data:
Logon ID angie
Password ********
Last Name Neer
First Name Angie
E-Mail Address [email protected]
Add Angie to group Engineers
Choose the Assigned Groups tab.
Under Available Groups, search for Engineers
Select from the available Engineers group and Click the Add pushbutton
Assign Angie’s Cost Center
Choose the Customized Information tab
Enter 1234567890 for the costcenter field
Click Save
1.3 Create User Per Chaser
Repeat the instructions to create user per
Logon ID per
Password ********
Last Name Chaser
First Name Per
E-Mail Address [email protected]
Groups Purchasers
costcenter 9786543210
Add Per to group Purchasers
Choose the Assigned Groups tab.
Under Available Groups, search for Engineers
Select from the available Purchasers group and Click the Add pushbutton
Assign Per’s Cost Center
Choose the Customized Information tab
Enter 9786543210 for the costcenter field
Click Save
1.4 Create User Bo
Repeat the instructions to create user bo
Note: You do not need to assign Bo to any groups or assign a Cost Center
Logon ID bo
Password ********
Last Name Loit
First Name Bo
E-Mail Address [email protected]
2 Initial SAML 2.0 setup
Choose SAP NetWeaver Administrator from the Start Page
Choose Configuration tab
Choose Authentication and Single Sign-On
Alternative Navigation: Start SAP NetWeaver Administrator with the quick link /nwa/auth
Choose the SAML 2.0 tab
Click “Enable SAML 2.0 Support”. This will launch a wizard which will help you to configure the local provider
Enter boilit for the provider name.
Choose Identity Provider as operational mode from the dropdown list
Click on Next
Configure the settings for signature and encryption.
Click Browse pushbutton adjacent to the Signing Keypair field
Click Create.
The New Entry dialog appears.
In the Entry Name field, specify boilit for the certificate
Click Next.
In Step 2 specify the following properties for the certificate:
countryName – specify the country two-letter code. (Example - DE, IN, or US)
commonName – specify boilit as the common name
Click the Finish pushbutton
Click the OK pushbutton.
Uncheck Sign Metadata
Click on Next
Click the Finish pushbutton
3 Export metadata
The metadata XML file includes the following:
Address and name of the identity provider
List of endpoint configurations the identity provider supports
Public-key certificates for decryption and checking of the identity provider’s digital signature
Click the Download Metadata pushbutton
Click the Download Metadata link
Click the Save pushbutton
Save the file as ##Boilit.xml, where ## represents your group number
Click the Save pushbutton
Please verify that a file was transferred!
Click the Close pushbutton (not pictured)
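The three items the metadata file carries (provider name, endpoints, certificates) can be inspected before the file is exchanged with the partner group. The following Python code is an added example, not part of the original exercise or of SAP's tooling: it reads a constructed Measurit metadata document (host name, endpoint path and certificate bytes are invented placeholders) and flags localhost or non-HTTPS endpoints and unsigned metadata whose signing-certificate fingerprint has not been confirmed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"


def build_sample(entity_id, acs_url):
    """Return constructed SP metadata; host names and endpoint paths are invented."""
    cert_b64 = base64.b64encode(FAKE_CERT_DER).decode()
    return f"""<md:EntityDescriptor xmlns:md="{MD}"
    xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{acs_url}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Extract provider name, role, endpoints and certificate fingerprints."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    roles = [name for name, tag in (("IdP", "IDPSSODescriptor"), ("SP", "SPSSODescriptor"))
             if root.find(f"md:{tag}", NS) is not None]
    # Every element with a Location attribute is an endpoint (SSO, SLO, ACS, artifact).
    endpoints = [(el.tag.split("}")[-1], el.get("Binding", "").rsplit(":", 1)[-1],
                  el.get("Location")) for el in root.iter() if el.get("Location")]
    fingerprints = {}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.setdefault(kd.get("use", "any"), []).append(
                hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "roles": roles, "endpoints": endpoints,
            "fingerprints": fingerprints,
            "signed": root.find("ds:Signature", NS) is not None}


def review(summary, expected_entity_id, expected_role, known_fingerprints=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if summary["entity_id"] != expected_entity_id:
        findings.append(f"entityID is {summary['entity_id']!r}, expected {expected_entity_id!r}")
    if expected_role not in summary["roles"]:
        findings.append(f"no {expected_role} descriptor in metadata")
    for kind, _binding, location in summary["endpoints"]:
        url = urlparse(location)
        host = url.hostname or ""
        if host in ("localhost", "127.0.0.1", "::1") or "." not in host:
            findings.append(f"{kind}: host {host!r} is not a fully qualified domain name")
        if url.scheme != "https":
            findings.append(f"{kind}: endpoint is not HTTPS")
    fps = summary["fingerprints"]
    signing = fps.get("signing", []) + fps.get("any", [])
    if not signing:
        findings.append("no signing certificate published")
    elif not summary["signed"] and not set(signing) & set(known_fingerprints):
        # With "Sign Metadata" unchecked, the file itself proves nothing about origin.
        findings.append("unsigned metadata: confirm signing certificate fingerprint out of band")
    return findings


if __name__ == "__main__":
    meta = summarize_metadata(build_sample("measurit", "http://localhost:50000/saml2/sp/acs"))
    for finding in review(meta, "measurit", "SP"):
        print("FINDING:", finding)
```
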
4 Protect Boilit portal application
4.1 Set SAML2LoginModule, flag: SUFFICIENT, to perform user authentication using SAML assertions
Choose the Authentication tab
Choose type Web from the dropdown list to filter your selection
Enter boilit as the Policy Configuration Name and hit Enter to search
Choose the table row entry sap.com/saml2_demo_apps*boilitportal
Click Edit
Select the 1st entry, which is empty, from the Used Template drop down list
Click Remove
Click Add
Select SAML2LoginModule from the Login Module drop down list. Verify the flag is set to SUFFICIENT
Click Save
4.2 Configure Boilit portal application custom logon screen
Configure custom logon screen
Select Properties from the Authentication tab
Click Modify
Set the Alias of the application for customizing the login pages to /boilit_logon_ui_resources
Click the Save pushbutton and confirm your changes
Choose Logoff located in the upper right hand corner of portal page
You now have a customized logon page for the Boilit portal. Login as user demo with password welcome
5 Import Measurit metadata
Please work with your corresponding Service Provider group to get the required metadata file before continuing the exercise
Start SAP NetWeaver Administrator with the quick link /nwa/auth, or search for auth and click the Go pushbutton
Choose the SAML 2.0 tab
Select Trusted Providers
Click the Add Pushbutton with the option Uploading Metadata File
Step 1 - Select the ##measurit.xml as the Metadata File where ## is your corresponding group number. Provide the path to the metadata XML file of the service provider - Measurit
Click the Next Pushbutton
You should see a message that the “Metadata has been successfully verified”.
Click Next
Step 5 - Enter the required data for digital signatures and encryption
Accept Defaults
Click the Next Pushbutton
Step 6 - Configure the Assertion Consumer Endpoints
Accept Defaults
Click the Next Pushbutton
Step 7 - Configure Single Log-Out Endpoints
Accept Defaults
Click the Next Pushbutton
Configure Artifact Endpoints to use HTTP Artifact and SOAP bindings as required
Accept Defaults
Click the Finish Pushbutton
6 Identity federation
Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier.
6.1 Configure Web Browser SSO with transient NameID format mapping profile attributes: first name and last name
Click Edit
Click Add from the Identity Federation tab
Select “Format Name” as Transient
Note: For Transient Name ID Formats the name ID is a temporary opaque string generated by the identity provider for a service provider for the lifetime of a security session
Click OK
Next, we’ll create a mapping between the SAML 2 attributes and UME attributes to send with the SAML assertion to the service provider.
Choose Profile Attributes tab
Click Add
Enter fname for the SAML2 Attribute
Choose First Name as the User Attribute from the drop down list
Click OK
Create a 2nd SAML2 attribute
Enter lname for the SAML2 Attribute
Choose Last Name as the User Attribute from the drop down list
Click OK
Click Save
Click Enable
Result: Measurit is now Active
You can proceed to work with your corresponding service provider to Test Case 1
6.2 Provision user roles for Automatic account creation
Measurit, the service provider, is configured to support automatic account creation. It will use SAML 2 attributes and values sent by the identity provider to create user accounts. To support this option, you must negotiate with the administrator of Measurit to determine what data the service provider requires and how to name the SAML 2 attributes carrying the data. We will allow members of Engineers and Purchasers to automatically be able to create accounts on the Measurit portal.
Choose SAP NetWeaver Administrator from the Start Page
Choose Configuration tab
Choose Authentication and Single Sign-On
Alternative Navigation: Start SAP NetWeaver Administrator with the quick link /nwa/auth.
Choose SAML 2.0 -> Trusted Providers
Click Edit
Choose Identity Federation tab
Choose the Authorization Attributes tab
Click Add
Enter “memberof” for the SAML 2 Attribute
Click Modify (located in the table row of the Modify Column on the far right-hand side).
Search for and Select Engineers and Click Add
Repeat the process to add Purchasers
Click OK
Result
As a result of this configuration, if a user belongs to group Engineers or Purchasers, the memberof attribute in the SAML2 assertion will contain the corresponding group that the user belongs to. If the user is a member of both groups, the memberof SAML2 attribute will contain both groups. If a user does not belong to either of the two groups, the memberof attribute in the SAML2 assertion will be empty.
6.3 Configuring Identity Federation with Persistent Pseudonyms
Use this procedure to enable identity federation when no previous linking between the accounts exists. Once authenticated by the identity provider, the service provider can enable users to link their account interactively themselves or the service provider can create a federated account automatically with SAML 2 attributes supplied by the identity provider. If the accounts are already linked, logon occurs with the persistent name ID.
Choose Identity Federation tab
Click Add
Select “Format Name” as Persistent
Note: The name ID is a permanent opaque string generated by the identity provider for a service provider or an affiliation of service providers
Click OK
Enter opaqueid_measurit for the User Attribute
Choose Profile Attributes tab
Click Add
After successful identity federation, the user attribute opaqueid_measurit will store the user’s opaque ID for this specific SAML 2 Service Provider, i.e. measurit. Likewise, on the corresponding SAML 2 Service Provider (measurit), another user attribute will be storing the same opaque ID for this user, thus linking the user account on the Identity Provider and the Service Provider. This user attribute does not need to be manually created in UME.
Enter fname for the Profile Attribute
Choose First Name as the User Attribute from the drop down list
Click OK
Create a 2nd Profile attribute
Enter lname for the SAML2 Attribute
Choose Last Name as the User Attribute from the drop down list
Click OK
Create a 3rd Profile attribute
Enter email for the SAML2 Attribute
Choose E-Mail as the User Attribute from the drop down list
Click OK
Result – You should have 3 profile attributes created (see picture)
Choose the Authorization Attributes tab
Click Add
Enter “memberof” for the SAML 2 Attribute
Click Modify (located in the table row of the Modify Column on the far right-hand side).
Search for and Select Engineers and Click Add
Repeat the process to add Purchasers
Click OK
SAML 2 Attribute    Type     Value
memberof            Group    Engineers, Purchasers
Click Save
Click Enable
Result: Measurit is now Active
To map user attributes other than the attributes that are part of user profile by default to SAML attributes in a SAML 2.0 authentication response, you must add them to the system. In this exercise we will create a new custom attribute – Cost Center – which will be used as part of the persistent federation.
Choose Local Provider
Click Edit
Choose User Attributes tab
Click Add
Enter Cost Center for the User Attribute Alias
Enter costcenter as the User Attribute Name
Click OK
Click Save
Choose Trusted Providers
Click Edit
Choose Profile Attributes tab
Click Add
Enter ccenter for the SAML2 Attribute
Choose Cost Center as the User Attribute from the drop down list
Click OK
Result - You should have 4 Profile attributes for the Persistent federation
Click Save
Congratulations – Boilit Configuration is Completed!
You can proceed to work with your corresponding service provider to finish the remaining Test Cases
Measurit Configuration (SP)
1 Create Measurit custom attribute, user, group, and roles
1.1 Add Custom Attribute CostCenter to the User Profile
Launch the SAP NetWeaver Application Server Java
http://<host>:<port>/
Important - Use the fully qualified domain name
Choose User Management
Login as user demo and password welcome.
Choose Configuration
Choose the User Admin UI tab.
Click Modify Configuration.
Enter costcenter for the Administrator-Managed Custom Attributes field
Click Save All Changes
1.2 Create group (Boilit Users)
Select Group from the Search Criteria dropdown list
Click Create Group to create a new group
Input Boilit Users for the Unique Name.
Click Save
1.3 Create user boilit0789
Choose Create User to create a new user
In the Details view, on the General Information tab, enter the following data:
Logon ID boilit0789
Password ********
Last Name boilit0789
Logoff
Login as user boilit0789
You will be prompted to change the password
Logoff and Login as user demo and password welcome
1.4 Create UME Roles and map to UME actions
Select Role from the Search Criteria dropdown list
Click Create Role to create a new role
Input PermanentAccountRequester for the Unique Name and optionally for the description field
Choose the Assigned Actions tab
Enter Request* as the available action to Get and Click Go
Select the table row with the Service/Application saml2_demo_apps and the action RequestPermanentAccount
Click Go
Click Save
Result - the Role is created
Repeat the steps above to create 2 additional roles with the following actions
Role             Assigned Action
OrderCreator     CreateOrder
OrderApprover    ApproveOrder
Result – You should have 3 roles created
2 Initial SAML 2.0 setup
Provider name – “measurit”
Provider type – “Service Provider”
Generate signing/encryption keypair
Unselect “Sign metadata”
Selection mode: Automatic
Define default application path: “/measuritportal/index.jsp”
Start SAP NetWeaver Administrator with the quick link /nwa/auth
Alternative Navigation: Choose SAP NetWeaver Administrator from the Start Page
Choose Configuration tab
Choose Authentication and Single Sign-On (pictured)
Choose the SAML 2.0 tab
If you have never configured your system for SAML 2.0, the system displays the following message: System not configured to support SAML 2.0.
Click Enable SAML 2.0 Support
Enter measurit for the provider name.
Choose Service Provider as operational mode for the provider from the dropdown list
Click Next
Configure the settings for signature and encryption.
Click Browse pushbutton adjacent to the Signing Keypair field
Click Create. The New Entry dialog appears
In the Entry Name field, specify measurit for the certificate
Click Next.
In Step 2 specify the following properties for the certificate:
countryName – specify the country two-letter code. (Example - DE, IN, or US)
commonName – specify measurit as the common name
Click the Finish pushbutton
Click OK in the lower right hand side of the screen (not pictured).
Uncheck Sign Metadata
Click Next
Select Automatic for the Identity Provider Discovery Selection Mode from the drop down list
Click Finish
Select the Service Provider Setting tab
Click Edit
Define default application path as /measuritportal/index.jsp
Click Save
3 Export metadata
The metadata XML file includes the following:
Address and name of the identity provider
List of endpoint configurations the identity provider supports
Public-key certificates for decryption and checking of the identity provider’s digital signature
Click the Download Metadata pushbutton
Click the Download Metadata link
Save the file as ##Measurit.xml, where ## represents your group number
Click the Save pushbutton
4 Protect Measurit portal application
4.1 Configure custom logon screen
Configure custom logon screen
Select Properties from the Authentication tab
Click Modify
Set the Alias of the application for customizing the login pages to /measurit_logon_ui_resources
Click the Save pushbutton and confirm your changes
4.2 Add SAML2LoginModule
Choose the Authentication tab
Choose Components
Choose type Web from the dropdown list to filter your selection
Enter measurit as the Policy Configuration Name and hit the Enter key to search
Choose the entry sap.com/saml2_demo_apps*measuritportal by selecting the row
Click Edit
Select the 1st entry, which is empty, from the Used Template drop down list
Change the flag for the BasicPasswordLoginModule from SUFFICIENT to REQUISITE
Click Add
Select SAML2LoginModule from the Login Module drop down list. Verify the flag is set to SUFFICIENT
Click Move Up to move the SAML2LoginModule before the BasicPasswordLoginModule
Click Save
The Login Modules order should be (see picture):
1. SAML2LoginModule SUFFICIENT
2. BasicPasswordLoginModule REQUISITE
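Why the order and the flags of this stack matter, shown with the standard JAAS control-flag semantics. This Python model is an added example, not SAP code: evaluate_stack and the outcome dictionaries are hypothetical names, and it assumes the server evaluates the login module stack top-down as JAAS specifies.

```python
# Stack configured in the step above for the Measurit portal application.
SP_STACK = [
    ("SAML2LoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
]

# Same modules, but with the "Move Up" step forgotten.
MISORDERED_STACK = [
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("SAML2LoginModule", "SUFFICIENT"),
]


def evaluate_stack(stack, outcomes):
    """Apply JAAS flag rules to a login module stack.

    stack    -- list of (module_name, flag) in configured order
    outcomes -- dict module_name -> True if that module would authenticate
                the request (missing entries count as failure)
    Returns (authenticated, modules_that_ran).
    """
    ran = []
    mandatory_seen = False      # any REQUIRED / REQUISITE module evaluated
    mandatory_failed = False    # a REQUIRED / REQUISITE module has failed
    any_success = False
    for module, flag in stack:
        ok = bool(outcomes.get(module, False))
        ran.append(module)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == "REQUISITE":
                    return False, ran       # REQUISITE failure stops the stack
        elif flag == "SUFFICIENT":
            if ok and not mandatory_failed:
                return True, ran            # SUFFICIENT success ends evaluation
        elif flag != "OPTIONAL":
            raise ValueError(f"unknown flag {flag!r}")
    if mandatory_failed:
        return False, ran
    # Without REQUIRED/REQUISITE modules, at least one module must have succeeded.
    return (True if mandatory_seen else any_success), ran


if __name__ == "__main__":
    cases = [
        ("valid SAML assertion", SP_STACK, {"SAML2LoginModule": True}),
        ("no assertion, valid password", SP_STACK, {"BasicPasswordLoginModule": True}),
        ("neither", SP_STACK, {}),
        ("valid assertion, misordered stack", MISORDERED_STACK, {"SAML2LoginModule": True}),
    ]
    for label, stack, outcomes in cases:
        print(label, "->", evaluate_stack(stack, outcomes))
```

With the configured order a valid assertion ends evaluation before the password module runs; with the order reversed, a federated user without a local password is rejected before the SAML module is consulted.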
5 Import Boilit metadata
Please work with your corresponding Identity Provider group to get the required metadata file before continuing the exercise
Choose the SAML 2.0 tab
Select Trusted Providers
Click Add with the option Uploading Metadata File
Step 1 - Select the ##boilit.xml as the Metadata File where ## is your corresponding group number. Provide the path to the metadata XML file of the service provider - boilit
Click Next
You should see a message that the “Metadata has been successfully verified”.
Click Next
Step 5 - Enter the required data for digital signatures and encryption
Accept Defaults
Click Next
Step 6 - Configure the Assertion Consumer Endpoints
Accept Defaults
Click Next
Step 7 - Configure Single Log-Out Endpoints
Accept Defaults
Click Next
Configure Artifact Endpoints to use HTTP Artifact and SOAP bindings as required
Accept Defaults
Click Next
Authentication Requirements
Accept Defaults
Click Finish
6 Identity federation
Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier.
6.1 Configure Web Browser SSO with transient NameID format mapping profile attributes: first name and last name
Click Edit
Click Add from the Identity federation tab
Select “Format Name” as Transient
Note: For Transient Name ID Formats the name ID is a temporary opaque string generated by the identity provider for a service provider for the lifetime of a security session
Click OK
Next, we’ll create a mapping between the SAML 2 attributes and UME attributes received in the SAML assertion from the identity provider.
Choose Profile Attributes tab
Click Add
Enter fname for the SAML2 Attribute
Choose First Name as the User Attribute from the drop down list
Check Is Mandatory
Click OK
Create a 2nd SAML2 attribute
Enter lname for the SAML2 Attribute
Choose Last Name as the User Attribute from the drop down list
Check Is Mandatory
Click OK
Result (pictured)
Click Save
Click Enable
Boilit is now Active
You can proceed to work with your corresponding identity provider to Test Case 1
6.2 Provision user roles for Automatic account creation
Measurit will use SAML 2 attributes and values sent by the identity provider to create user accounts. To support this option, you must negotiate with the administrator of Boilit to determine what data the identity provider will send and how SAML 2 attributes carrying the data are named. We will allow Boilit users that are members of Engineers and Purchasers to automatically be able to create accounts on the Measurit portal.
Choose SAML 2.0 -> Trusted Providers
Click Edit
Choose Identity Federation tab
Choose the Calculated Roles tab
Click Add
Click Modify (located in the table row of the Modify Column on the far right-hand side).
Click Add
Enter “memberof” for the SAML 2 Attribute
Enter Engineers for the value field
Note: values are case sensitive
Choose OK
Choose Browse (located in the table row of the Browse Column on the far right-hand side).
Search for and Select PermanentAccountRequester from the Available Roles
Click Add
Repeat the same steps for Purchasers assigning role PermanentAccountRequester
SAML 2 Attribute    Value         Role
memberof            Purchasers    PermanentAccountRequester
Result
Choose Save (not pictured)
6.3 Configuring Identity Federation with Persistent Pseudonyms
Use this procedure to enable identity federation when no previous linking between the accounts exists. Once authenticated by the identity provider, the service provider can enable users to link their account interactively themselves or the service provider can create a federated account automatically with SAML 2 attributes supplied by the identity provider. If the accounts are already linked, logon occurs with the persistent name ID.
Choose Edit
Choose Identity Federation tab
Choose Add
Select “Format Name” as Persistent
Note: The name ID is a permanent opaque string generated by the identity provider for a service provider or an affiliation of service providers
Click OK
Enter opaqueid_boilit for the User Attribute
Check all 4 check boxes
Choose Add from the Profile Attributes tab
After successful identity federation, the user attribute opaqueid_boilit will store the user’s opaque ID for this specific SAML 2 Identity Provider, i.e. boilit. Likewise, on the corresponding SAML 2 Identity Provider (boilit), another user attribute will be storing the same opaque ID for this user, thus linking the user account on the Identity Provider and the Service Provider. This user attribute does not need to be manually created in UME.
Enter fname for the Profile Attribute
Choose First Name as the User Attribute from the drop down list
Check Is Mandatory
Click OK
Create a 2nd Profile attribute
Enter lname for the SAML2 Attribute
Choose Last Name as the User Attribute from the drop down list
Check Is Mandatory
Click OK
Create a 3rd Profile attribute
Enter email for the SAML2 Attribute
Choose E-Mail as the User Attribute from the drop down list
Check Is Mandatory
Click OK
Result – You should have 3 profile attributes created (see picture)
Choose Save
To map user attributes other than the attributes that are part of user profile by default to SAML attributes in a SAML 2.0 authentication response, you must add them to the system. In this exercise we will create a new custom attribute – Cost Center – which will be used as part of the persistent federation.
Choose Local Provider tab
Choose Edit
Choose User Attributes tab
Choose Add
Enter Cost Center for the User Attribute Alias
Enter costcenter as the User Attribute Name
Click OK
Click Save
Choose Trusted Providers
Click Edit
Choose Profile Attributes tab
Click Add
Enter ccenter for the SAML2 Attribute
Choose Cost Center as the User Attribute from the drop down list
Not mandatory
Click OK
Click Save
Result
The calculated role allows you to dynamically allocate roles to an identity. In this case, a persistent identity is being created on the MeasurIt server with roles dynamically created based on the group at Boilit for the same identity.
Choose Calculated Roles
Click Add
Click Modify
Click Add
Add the condition (pictured)
Click OK
SAML 2 Attribute    Value
memberof            Engineers
Now we need to enter which role needs to be given if the condition is met that the employee is a member of group “Engineers”
Under the column “Selected Roles”, click the button “Browse”. In the window that opens, type OrderC* and then select the role “OrderCreator”. Click “Ok”.
Repeat the process to add a Calculated Role for Purchasers
SAML 2 Attribute    Value
memberof            Purchaser
Assign role OrderApprover
Result
We now have to specify which group will have identities federated from the BoilIt portal to the MeasurIt portal. We want all BoilIt employees to be able to access the MeasurIt portal, but only engineers and purchasers should be able to log in and place orders/approve orders.
Choose Default Groups tab
Choose Modify
In “Search for available groups”, type BoilIt* and hit “Go”. Select “BoilIt Users”, click on “Add” and then click “Ok”.
Result (pictured)
Choose Save
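The mandatory profile attributes, calculated roles and default group configured in sections 6.2 and 6.3 can be read as one decision over the attributes in an incoming assertion. The following Python model is an added example, not SAP's implementation: the rule table is transcribed from the exercise, the attribute statements and e-mail addresses are constructed, and it assumes exact, case-sensitive value matching and that a federated account (with its default group) is only created when the PermanentAccountRequester role is present.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Rules transcribed from the exercise (Measurit side).
MANDATORY = ("fname", "lname", "email")      # ccenter is configured as not mandatory
CALCULATED_ROLES = [
    ("memberof", "Engineers", "PermanentAccountRequester"),
    ("memberof", "Purchasers", "PermanentAccountRequester"),
    ("memberof", "Engineers", "OrderCreator"),
    ("memberof", "Purchasers", "OrderApprover"),
]
DEFAULT_GROUPS = ["Boilit Users"]


def build_statement(values):
    """Build a constructed, unsigned AttributeStatement for illustration."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for name, vals in values.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        for value in vals:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def evaluate(attrs):
    """Apply the mandatory-attribute check and the calculated-role rules."""
    missing = [n for n in MANDATORY if not any(v.strip() for v in attrs.get(n, []))]
    roles = []
    for name, value, role in CALCULATED_ROLES:
        # Exact comparison: "engineers" or "Purchaser" does not match.
        if value in attrs.get(name, []) and role not in roles:
            roles.append(role)
    may_federate = not missing and "PermanentAccountRequester" in roles
    return {
        "missing": missing,
        "roles": roles,
        "may_federate": may_federate,
        "groups": list(DEFAULT_GROUPS) if may_federate else [],
    }


def decide(values):
    """Round-trip a constructed attribute set through XML and evaluate it."""
    return evaluate(parse_attributes(build_statement(values)))


if __name__ == "__main__":
    users = {
        "angie": {"fname": ["Angie"], "lname": ["Neer"], "email": ["angie@boilit.example"],
                  "memberof": ["Engineers"], "ccenter": ["1234567890"]},
        "per": {"fname": ["Per"], "lname": ["Chaser"], "email": ["per@boilit.example"],
                "memberof": ["Purchasers"], "ccenter": ["9786543210"]},
        "bo": {"fname": ["Bo"], "lname": ["Loit"], "email": ["bo@boilit.example"],
               "memberof": []},
    }
    for logon_id, values in users.items():
        print(logon_id, decide(values))
```

Because the comparison is exact, a rule value that differs from the group name by a single character, or only in case, grants no role.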
Congratulations – Measurit Configuration is Completed!
You can proceed to work with your corresponding identity provider to finish the remaining Test Cases
Testing
Test Case 1
The Transient identifier provides anonymity in that the service provider, MeasurIt, does not persist data about the visiting Boilit users.
Logon to the Boilit portal https://<Fully qualified hostname>:50001/boilitportal/index.jsp as user Bo. You may be prompted to change your password if this is the first logon attempt.
After successful login, the Boilit Portal home page is displayed. You can see the technical information on the right hand side indicating the principal, identity provider, assigned group and roles.
Now click the link to Measurit Portal
The Measurit Portal home page is displayed and the principal is not BO. It is a transient Id generated by the Identity Provider – Boilit. All Boilit users with a first and last name can access (are trusted by) the MeasurIt portal to see the catalog.
For Transient Name ID Formats, the name ID is a temporary opaque string generated by the identity provider for a service provider for the lifetime of a security session. You can see this is captured in the Measurit Authentication log files.
Optional - To access Measurit log files
Open SAP NetWeaver Administrator (http://<hostname>:<port>/nwa).
SAP NetWeaver Administrator -> Problem management -> Logs and Traces -> Log Viewer.
You can alternatively use the quick link: http://<host>:<port>/nwa/logs.
Use the predefined views in Log Viewer to access the Authentication Logs
You can cut-n-paste the Transient ID from the Technical Info section of the Measurit Portal into the User filter field to see the log information
Test Case 2
Logon to the Boilit portal https://<Fully qualified hostname>:50001/boilitportal/index.jsp as user Angie
You can see from the Technical Info that Angie is assigned to group Engineers
Click on Measurit Portal
User attributes and access rights are generated based on rules applied to attributes sent in SAML messages. Angie can request a permanent account because she is a member of Engineers.
Click Logon
Select Register Now and Federate Accounts
Angie is a member of the default group – Boilit Users and she has the role OrderCreator
Add a few items to your shopping cart and place an order
Sample Result
Close the MeasurIt Portal page and return to the Boilit homepage (It should still be open) and click Logout
Verify that Angie’s account was provisioned in the Measurit Portal by using the Advanced Search
Verify that Angie’s costcenter was federated by clicking on the Customized Information tab
Test Case 3
Now Login as Per
Click on Measurit Portal
Request to link Per’s account with boilit0789
Approve or reject any pending orders
Logoff Per
Logon to the Measurit Portal and verify the boilit0789 is linked to Per
If time permits, promote Bo to the Engineers group in the Boilit Portal. What is the expected behavior of the identity federation with Measurit Portal? Test your assumptions
Thank you for your participation and enjoy TechEd 2010!
Supplement
You can also make your metadata publicly accessible by selecting Enabled from the Public Access. Don’t forget to Save. Now your corresponding group can access your metadata from a URL.
https://<host>:<port>/java/saml2/metadata
Your corresponding group can specify the Metadata URL instead of uploading a file.
© 2010 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.