>net services in portal sdn documents
TRANSCRIPT
SAML for Web ServicesInteroperability with .NET
SAP NetWeaver Product Management Security
June 2008
© SAP 2008 Page 2
Agenda
1. Web Services Security – A short primerInteroperability and StandardsWS-Security Basics
2. Standards-based Single Sign-On for Web ServicesSingle Sign-On Technologies & StandardsWS-Security SAML Token Profile
3. Web Services Single Sign-On with SAP NetWeaverSAML Token Profile support in current SAP NetWeaver releasesRoadmap
4. Interoperability in Practice: Web Services SSO between SAP NetWeaverand Microsoft .NET
Web Services Security in the Microsoft .NET FrameworkImplementation of an interoperable Web Service Consumer in .NETConfiguration of an interoperable Web Service Provider in SAP NetWeaver
© SAP 2008 Page 3
Definition of Interoperability
The IEEE defines interoperability as:
The ability of two or more systems or components toexchange information and to use the informationthat has been exchanged*
* Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEEStandard Computer Glossaries. New York, NY: 1990
© SAP 2008 Page 4
Interoperability – The Value Of Standards
Interoperability is achieved by standards, supports the seamless exchangeand use of business information
ServiceInfrastructureServiceInfrastructure
ServiceInfrastructureServiceInfrastructure
BusinessApplicationBusinessApplication
BusinessApplicationBusinessApplication
Semantic InteroperabilityApplications understand and correctlyuse the information being exchanged
Semantic InteroperabilityApplications understand and correctlyuse the information being exchanged
Technical InteroperabilitySystems are connected and canexchange information
Technical InteroperabilitySystems are connected and canexchange information
© SAP 2008 Page 5
Platform BPlatform A
Role of Web Service Standards
Web Service (WS) standards define the format of the message in transit toguarantee the interoperable exchange between service consumer and provider ona technical levelWeb Service Standards don’t specify any infrastructure- or application-specificaspects, such as
APIs or programming languages that applications must use to send or delivermessages – these are always platform-specificRuntime architecture and components
Web ServiceConsumer
Web ServiceConsumer
SourceInfrastructure
SourceInfrastructure
DestinationInfrastructureDestination
Infrastructure
Send Deliver
Web ServiceProvider
Web ServiceProvider
Message
Scope of Web ServiceStandards
API API
© SAP 2008 Page 6
The SOAP protocol on its own does not provideany security mechanisms for
Message Integrity & ConfidentialityAuthenticationNon Repudiation of origin or receiptBut: SOAP can be extended to provideadditional features
Up to the year 2002, best practice was to secureWeb Services using Secure Sockets Layer (SSL)
But SSL provides transport – not application-level securitySOAP Messages secure point-to-point, not end-to-endMessages stored unencrypted in files or databases at intermediariesnot independent of underlying transport protocol
WS-Security submitted to standards body (OASIS) in Sept 2002 andapproved as an OASIS Standard in April 2004
WS-Security – Motivation
SOAP EnvelopeSOAP Envelope
SOAP Header
SOAP Body
Data
SOAP message format
© SAP 2008 Page 7
WS-Security Overview
The OASIS WS-Security Standard extends a SOAP message by one or moreWS-Security Headers (wsse:Security) which contains security informationfor each recipient
This new SOAP Header contains all relevant security metadata to secure aSOAP message, such as
Security Tokens to carry security information (e.g. user authenticationdata, X.509 certificates)A Timestamp to protectagainst Replay AttacksSignatures to protectagainst message tampering*Encrypted Keys and Datato protect confidential information
Single Sign-On is provided by usinge.g. SAML Security Tokens
SOAP EnvelopeSOAP Envelope
SOAP Header
SOAP Body
Data
Security Token
Timestamp
Signature
Encrypted Key+ Data
WS-SecurityHeader
* The act of altering something secretly or improperly
© SAP 2008 Page 8
Summary
WS-Security is a rich framework to secure SOAP on the messagelayer
WS-Security provides a general-purpose mechanism for associatingsecurity tokens with message content
No specific type of security token is required. The specification isdesigned to be extensible, so as to support multiple security tokenformats
© SAP 2008 Page 9
Agenda
1. Web Services Security – A short primerInteroperability and StandardsWS-Security Basics
2. Standards-based Single Sign-On for Web ServicesSingle Sign-On Technologies & StandardsWS-Security SAML Token Profile
3. Web Services Single Sign-On with SAP NetWeaverSAML Token Profile support in current SAP NetWeaver releasesRoadmap
4. Interoperability in Practice: Web Services SSO between SAP NetWeaverand Microsoft .NET
Web Services Security in the Microsoft .NET FrameworkImplementation of an interoperable Web Service Consumer in .NETConfiguration of an interoperable Web Service Provider in SAP NetWeaver
© SAP 2008 Page 10
Definition of Single Sign-On (SSO)
Wikipedia defines Single Sign-On as:
Single Sign-On (SSO) is a method of access controlthat enables a user to authenticate once andgain access to the resources of multiplesoftware systems*.
* http://en.wikipedia.org/wiki/Single_sign-on
© SAP 2008 Page 11
Basic Architectural Pattern for Single Sign-On(SSO)
1
2
3
4
TrustRelationship
Issuing Authority: A systementity that issues security-relatedinformation about individualusers. Usually this includes atleast identity information aboutthe user (e.g. a user name or E-Mail address)
Relying Party: A system entitythat decides to take an actionbased on the security informationprovided by the Issuing Authority.The Relying Party must have atrust relationship with the IssuingAuthority
User: A natural person whomakes use of a system and itsresources
1. User authenticates at Issuing Authority and request thesecurity data that is required to access a protectedresource at the Relying Party
2. Issuing Authority responds with the security informationabout the user
3. User authenticates with the issued data at the RelyingParty to access a protected resource
4. Relying Party authenticates the user based on thesecurity information issued by the Issuing Authority andsends response
IssuingAuthorityIssuing
Authority
UserUser RelyingParty
RelyingParty
© SAP 2008 Page 12
Important Characteristics of Single Sign-OnTechnologies and Standards
Cross-DomainIs it possible to use the SSO technology onlywithin a security domain (i.e. the corporateIntranet) or can it be used across differentdomains (e.g. in a B2B scenario)?
Cross-PlatformWhich platforms are supported by the SSOtechnology? Is it a widely adopted standard inthe industry or a vendor-specific technology?
User AgentWhich type of user agent (e.g. Web Browser,Web Service Consumer, Mobile Clients) issupported by the SSO technology?
Domain A
Domain BSSO
SSO
SSO
SSO
Non-SAPPlatform
Non-SAPPlatform
SAPNetWeaver
SAPNetWeaver
© SAP 2008 Page 13
Single Sign-On Technologies and StandardsSupported by SAP
For Web Services, SAML and its associated token profile for WS-Securityis the most widely adopted standard in the industry!
Standard / Technology Cross-Domain
CrossPlatform
UserAgent
SAP Logon Ticket No Yes • Web Browser• Web Service Consumer
OASIS Security AssertionMarkup Language (SAML) Yes Yes • Web Browser
OASIS WS-Security SAMLToken Profile Yes Yes • Web Service Consumer
SPNego / WindowsIntegrated Authentication No No • Web Browser
• Web Service Consumer
X.509/PKI Yes Yes • Web Browser• Web Service Consumer
© SAP 2008 Page 14
Benefits of the Security Assertions MarkupLanguage (SAML)
Interoperable securitysolution to allow systemsintegration with great ease andminimal resourcesSAML is a protocol for encodingsecurity related information(assertions) into XML andexchanging this information in arequest/response fashionProvides standard basedmechanisms to exchangesecurity information using SOAP,HTTP(s)SAML is an OASIS standard
© SAP 2008 Page 15
SAML Based Scenarios
1. Authentication
2. A
cces
s to
Res
ourc
e
Web Service based SSOSAML Token ProfileWeb Service Security Standard
Web Browser based SSOSAML Browser/Artifact ProfileSAML Standard
SAMLIdentity Provider
SAMLIdentity Provider
SAMLService Provider
SAMLService Provider
ServiceConsumer
ServiceConsumer
© SAP 2008 Page 16
Security Assertion Markup Language (SAML)
Building BlocksAssertions: statements about a subject.This could be an authentication, attributeinformation, or authorization permissions
Protocols: SAML definesrequest/response protocols for obtainingassertions
Protocol Bindings: defines how SAMLprotocols map to transport and messagingprotocols, e.g. SAML SOAP Binding
Profiles: define how assertions, protocols,and bindings are combined for particularuse cases
Profiles
Bindings
Assertions and Protocol
SAML AssertionSAML Assertion
© SAP 2008 Page 17
SAML Assertion
A SAML Assertion can consist of
Authentication Statement:Piece of data that represents an actof authentication performed on asubject (user) by the SAML IssuingAuthority
Other Statements:Attribute Statement, AuthorizationDecision Statement
SAML AssertionSAML Assertion
AuthenticationStatement
Other StatementsOther Statements
© SAP 2008 Page 18
Profiles
Bindings
Assertions and Protocol
Relationship Between WS Security SAMLToken Profile and the SAML Standard
SAML AssertionsSAML Assertions
SAML Token Profile
references
SAML ConfirmationMethodsSOAP Message Security
Username Token Profile
...
SAML
WS-Security
© SAP 2008 Page 19
SAML Token ProfileA short primer
The SAML Token Profiledefines the use of SAMLAssertions as SecurityTokens in the WS-SecurityHeader
The SAML Token is used bythe service provider toauthenticate the user basedon the identity information inthe SAML Assertion inincoming requests from serviceconsumers
SOAP EnvelopeSOAP Envelope
SOAP Header
SOAP Body
Data
WS-Security
SAML Token
SAML Assertion
AuthenticationStatement
© SAP 2008 Page 20
The Token Issuer or Security Token Service (STS) is adistinguished Web service that issues, exchanges and validatessecurity tokensThe STS has broad applicability in that it can be used to issuesecurity tokens in a wide range of formats (e.g. Certificates,SAML assertions)Basic operations supported by an STS:
Issue a new tokenRenew tokenValidate a tokenCancel a token
Role of the Token Issuer (aka Security TokenService, STS) in Web Services SSO
Token Issuer(STS)
Token Issuer(STS)
31
Web ServiceConsumer
Security TokenRequest
Security TokenResponse
SecurityToken
AuthenticationData
Authenticate userGeneraterequested Token
2
© SAP 2008 Page 21
Token Issuer(STS)
Token Issuer(STS)
Web Services SSO with SAML– General Message Exchange
1. Web Service (WS) Consumerauthenticates at the Token Issuer(Security Token Service, STS) andrequests a SAML Token
2. Token Issuer authenticates the User andissues a SAML Token to the WSConsumer
3. WS Consumer uses the SAML Token forauthentication at the WSProvider
4. WS Provider must trust the assertion inthe SAML Token to authenticate the WSConsumer and sends back the response
1
2
3
4SOAP EnvelopeSOAP Envelope
SOAP Header
SOAP Body
Data
WS-Security
SAML Token
Web ServiceConsumer
Web ServiceConsumer
Web ServiceProvider
Web ServiceProvider
The SAML Token profile addresses two major questions:How can the SAML Token be bound to the SOAP message so that the serviceprovider can be sure that they belong together?How can the service provider be sure that the sender of the message is really thesubject in the assertion?
© SAP 2008 Page 22
Sender-Vouches (SV) Subject Confirmation MethodThe WS Consumer cryptographically binds the assertion to the body of theSOAP message by signing both with its private keyThe WS Provider compares the identity information from the message signaturewith the subject information in the assertion
Holder-of-Key (HoK) Subject Confirmation MethodThe assertion holds a key that is used by the WS Consumer tocryptographically bind (sign) the assertion and the body of the SOAP messageThe WS Provider uses the same key to verify the signature. The subject in theassertion is the party that can demonstrate that it is the holder of the key.
Token Issuer(STS)
Token Issuer(STS)
Web ServiceProvider
Web ServiceProvider
Sender-Vouches: Basis of trust is the WS Consumer‘s certificate
Holder-of-Key:Basis of trust is the
Token Issuer‘scertificate
Confirmation of the Subject IdentitySAML Confirmation Methods Overview
Web ServiceConsumer
Web ServiceConsumer
© SAP 2008 Page 23
Web ServiceProvider
Web ServiceProvider
1. User authenticates at the Token Issuer (STS)and requests a SAML Token with the WS-Trustprotocol
2. Token Issuer authenticates the User and issues aSAML Token in the response to the WS Consumerwith the WS-Trust protocol
3. WS Consumer uses its private key to create asignature over the SAML Token and the messagebody
4. To confirm the WS Consumeridentity, WS Provider verifiesthe signature and comparesthe identity information inthe SAML Token withthe identity informationof the WSConsumer’sPublic Keycertificate
Web ServiceConsumer
Web ServiceConsumer
Confirmation of the Subject IdentitySender-Vouches Subject Confirmation
WS ConsumerPrivate key
WS ConsumerPublic keyCertificate
TrustRelationship
SAML Token (SV)
21
3 4
Prerequisites:Pre-established trustrelationship betweenWS Provider and WSConsumerWS-Consumer mustpossess a signaturekey pair
SOAP EnvelopeSOAP Envelope
SOAP Header
SOAP Body
Data
WS-SecuritySAML Token
Token Issuer(STS)
Token Issuer(STS)
© SAP 2008 Page 24
Web ServiceProvider
Web ServiceProvider
SAML Token
Confirmation of the Subject IdentityHolder-of-Key (HoK) Subject Confirmation (1/2)
1. User authenticates at the TokenIssuer (STS) and requests a SAMLToken with the WS-Trust protocol.Optionally, the user provides keymaterial to the Issuer for the short-lived key
2. The Token Issuer generates theshort-lived symmetric key, encrypts itwith the WS Provider‘s public key.The key is added to the SAMLAssertion which is then signed bythe Token Issuer with its signaturekey
3. The Token Issuer issues the SAMLAssertion as a SAML Token in theWS-Trust response message to theWS Consumer, along with its keymaterial used to generate thesymmetric short-lived key
SAML AssertionSAML Assertion
EncryptedShort-lived Key(Client + ServerKey Material)
Signature(Token Issuer, STS)
1
WS ConsumerPublic Key Certificate
2
3
SAML Token(HoK)
Token IssuerPublic keyCertificate
Short-lived Key
Token Issuer(STS)
Token Issuer(STS)
Web ServiceConsumer
Web ServiceConsumer
© SAP 2008 Page 25
Web ServiceConsumer
Web ServiceConsumer
Token Issuer(STS)
Token Issuer(STS)
Confirmation of the Subject IdentityHolder-of-Key (HoK) Subject Confirmation (2/2)
4. The WS Consumer also generates the short-livedsymmetric key based on both parties key material
5. The WS Consumer signs the SAML Token and themessage body with the previously generated short-livedsymmetric key and sends a request to the WS Provider
5
4
Token IssuerPublic keyCertificate
TrustRelationship
SAML Token(HoK)
6
7
Prerequisites:Pre-established trustrelationship betweenWS Provider andToken Issuer
7. The WS Provider verifiesthe WS Consumer‘s (i.e. thekey holder‘s) signature byusing the decrypted short-lived symmetrickey. The Token Issuerconfirmed that the holderof the key is the subject inthe assertion.
6. The WS Provider verifies the Token Issuers signature in the SAML Token anddecrypts the short-lived symmetric key contained in the SAML Token using itsprivate key.
Short-lived KeyShort-lived Key
Web ServiceProvider
Web ServiceProvider
© SAP 2008 Page 26
The WS-Security header containsthe following authenticationinformation:The user with the identifier
TechEd08\stefaniehas been successfullyauthenticated at
7:35 pm on Sept. 9th, 2008using her
password.The issuer
TechEdAuthorityconfirms
that the subject of the assertion isthe party that signedthe message
Syntax and Semantics of the SecurityInformation: Example of a SAML Token
TechEdAuthority.com
SAML AssertionSAML Assertion
<wsse:Security><saml:AssertionIssuer=" " ...IssueInstant="2008–09–09T19:54:00.000Z">
<saml:AuthenticationStatementAuthenticationMethod="...password"
AuthenticationInstant="2008–09–09T19:53:00.000Z"><saml:Subject><saml:NameIdentifier
Format="...WindowsDomainQualifiedName">TechEd08\stefanie
</saml:NameIdentifier></saml:Subject>
<saml:SubjectConfirmation><saml:ConfirmationMethod>...SenderVouches
</saml:ConfirmationMethod>
</saml:SubjectConfirmation></saml:AuthenticationStatement>
</saml:Assertion>
</wsse:Security>
© SAP 2008 Page 27
How are the Common SSO Issues Addressedby WS-Security and the SAML Token Profile?
Syntax and Semantics of the security informationHow is the security information serialized on the wire?What is the syntax and semantics of this serialized securityinformation about an end user (identity)?
Confirmation of the user’s identityHow can the Relying Party be sure that the request or messagesent by the user is associated with the identity data in the issuedsecurity information?
Protocol to transfer the security information betweenthe parties
How does a user request the security information from theIssuing Authority?How does a user transfer this security information to the RelyingParty?
Name, User IDRolesGroups...
User RelyingParty ?
UserRelyingParty
SAML AssertionsSAML Assertions
SAML ConfirmationMethods
SAML Token Profile
© SAP 2008 Page 28
Summary
SAML is a proven and widely adopted standard in the industry forinteroperable, cross-domain SSO
The SAML Token Profile specifies how SAML is used to support SSOfor Web Services
SAML Token Profile defines two subject confirmation methods:Sender-Vouches and Holder-of-Key
Both confirmation methods differ mainly in trust relationship setupand key management
© SAP 2008 Page 29
Agenda
1. Web Services Security – A short primerInteroperability and StandardsWS-Security Basics
2. Standards-based Single Sign-On for Web ServicesSingle Sign-On Technologies & StandardsWS-Security SAML Token Profile
3. Web Services Single Sign-On with SAP NetWeaverSAML Token Profile support in current SAP NetWeaver releasesRoadmap
4. Interoperability in Practice: Web Services SSO between SAP NetWeaverand Microsoft .NET
Web Services Security in the Microsoft .NET FrameworkImplementation of an interoperable Web Service Consumer in .NETConfiguration of an interoperable Web Service Provider in SAP NetWeaver
© SAP 2008 Page 30
SAML Token Profile Support in SAP NetWeaverSupport in Current Releases 7.0 and 7.1 (1/3)
Support for signed and unsigned Sender-Vouches SAML assertionsOnly for authentication purposes, i.e. no attribute-based authorizationFor WS-Consumer, only a local token issuer is supported (i.e. no external STS)
SAML 1.1 Sender Vouches (WS-Consumer, WS-Provider)SAML Token (SV) Web Service
ProviderWeb Service
ProviderWeb ServiceConsumer
Web ServiceConsumer
Non-SAP PlatformNon-SAP Platform SAP NetWeaverSAP NetWeaver
SAML Token (SV) Web ServiceProvider
Web ServiceProvider
Web ServiceConsumer
Web ServiceConsumer
SAPNetWeaver
SAPNetWeaver
Non-SAP PlatformNon-SAP PlatformTokenIssuer(local)
TokenIssuer(local)
Supported inSAP NetWeaver 7.0 >= SP14 (ABAP)SAP NetWeaver 7.1 (Java, ABAP)
© SAP 2008 Page 31
SAML Token Profile Support in SAP NetWeaverSupport in Current Releases 7.0 and 7.1 (2/3)
Only support for symmetric keys in SAML 1.1 Holder of Key Tokens (i.e.no support for asymmetric keys)
Optional user mapping from external (non-SAP platform) username to SAPusername in ABAP table USREXTID
SAML 1.1 Holder of Key (HOK) (WS-Provider)
SAML Token (HoK) Web ServiceProvider
Web ServiceProvider
Web ServiceConsumer
Web ServiceConsumer
Non-SAP PlatformNon-SAP Platform SAP NetWeaverSAP NetWeaver
Planned for SAP EHP1*, SP2 for SAP NetWeaver 7.1:SAP NetWeaver 7.01 SP2 (ABAP) (Oct 2008)SAP NetWeaver 7.11 SP1 (Java, ABAP) (Dec 2008)
Live-Demoin this
Session!* Enhancement Package
© SAP 2008 Page 32
SAML Token Profile Support in SAP NetWeaverSupport in Current Releases 7.0 and 7.1 (3/3)
SAP NetWeaver Web Service Consumers can request a SAML Holder-of-Key Token from an external Token Issuer (STS)
SAML 1.1 Holder of Key (HOK) (WS-Consumer)
SAML Token (HoK) Web ServiceProvider
Web ServiceProvider
Web ServiceConsumer
Web ServiceConsumer
Planned for SAP EHP2* for SAP NetWeaver 7.1SAP NetWeaver 7.02 (ABAP) (Q3 2009)SAP NetWeaver 7.12 (Java, ABAP) (Q3 2009)
SAP NetWeaverSAP NetWeaver Non-SAPPlatform
Non-SAPPlatform
SAPNetWeaver
SAPNetWeaver
Token Issuer(STS)
Token Issuer(STS) Trust
RelationshipToken Acquisition
/ Issuance
* Enhancement Package
© SAP 2008 Page 33
Agenda
1. Web Services Security – A short primerInteroperability and StandardsWS-Security Basics
2. Standards-based Single Sign-On for Web ServicesSingle Sign-On Technologies & StandardsWS-Security SAML Token Profile
3. Web Services Single Sign-On with SAP NetWeaverSAML Token Profile support in current SAP NetWeaver releasesRoadmap
4. Interoperability in Practice: Web Services SSO between SAPNetWeaver and Microsoft .NET
Web Services Security in the Microsoft .NET FrameworkImplementation of an interoperable Web Service Consumer in .NETConfiguration of an interoperable Web Service Provider in SAP NetWeaver
© SAP 2008 Page 34
WS-Security Support in Microsoft .NET
.NET 2.0 supports core Web Service standards, such as WSDL 1.1and SOAP 1.1/1.2Web Services Enhancements (WSE) for Microsoft .NET 2.0 is asupported add-on to Microsoft Visual Studio .NET and the Microsoft .NET 2.0Framework providing support for WS-Security and other advanced Web ServiceprotocolsWith .NET 3.0, these advanced Web Service protocols became an integral partof the .NET Framework, which is now called the Windows CommunicationFoundation (WCF, formerly known as ’Indigo’)
.NET 3.0.NET 3.0
.NET Application.NET Application .NET Dev.-Tools.NET Dev.-Tools
Windows(XP, Server 2003/R2, Vista, Longhorn)
Windows(XP, Server 2003/R2, Vista, Longhorn)
WCF(Indigo)
WPF(Avalon)
WCS(Infocard)
WWF(Workflow)
.NET 2.0 CLR, .NET 2.0 Base Class LibrariesASP.NET 2.0, ADO.NET 2.0, WinForms 2.0
© SAP 2008 Page 35
Host EnvironmentHost Environment
.NET WCF Core Concepts
The WCF programming model unifies the existing communicationtechnologies for distributed computing in .NET 2.0 (e.g. Web Services/WSE,.NET Remoting, Distributed Transactions, Message Queues) into a singleService-oriented programming modelA Service in WCF is composed of three parts
a Service Class (e.g. written in C#) that implements the Servicea Service Host Environment to host the Service (e.g. IIS, Self-Hosting)one or more Endpoints to which Clients can connect
An Endpoint defines the Contract (What ?), the Address (Where ?)and the Binding (How ?) of a Service
Web ServiceConsumer
Web ServiceConsumer
WCF Service
ServiceClass
Endpoint
Endpoint
Endpoint
Contract Address Binding
© SAP 2008 Page 36
.NET WCF Bindings
Bindings define the Transport (e.g. HTTP), Encoding (e.g. TextMessage) and Protocol (e.g. Web Services) required to communicatewith the Service
WCF is shipped with predefined, System-Provided Bindings. TheseBinding can be configured declaratively
Developers can also create their own Custom Bindings with theWCF API that provide full control over the messaging stack when oneof the system-provided bindings does not meet the requirements of aconsumer or providerconstructed from threeelements
Transport
Encoder
Protocol(s)
HTTP Text Security ...WCF Binding
TransportTCPHTTPMSMQ...
EncodersTextBinary...
ProtocolSecurityReliability.NET...
© SAP 2008 Page 37
Web Services Security Support in.NET WCF System-Provided Bindings
Support* for Web Services Core- and WS-Security Standards in WCF System-Provided Bindings:
Support for Web Services Core- and WS-Security Standards in SAP NetWeaver
basicHTTPBinding
wsHttpBinding
wsFederationHttpBinding
SOAP
1.1
1.2
1.2
WSDL
1.1
1.1
1.1
Interoperability
Func
tion
alit
y
SecurityToken
Profiles
UsernameX.509
UsernameX.509
UsernameX.509SAML 1.1
WS-Security
1.0
1.1
1.1
SAP NetWeaver• 7.0 SP14• 7.1
SOAP
1.1
WSDL
1.1
SecurityToken
Profiles
UsernameX.509SAML 1.0
WS-Security
1.0
* http://msdn2.microsoft.com/en-us/library/ms730294.aspx
© SAP 2008 Page 38
SAML Token Profile Support in .NET WCF
The system-provided wsFederationHttpBinding in WCF uses the SAMLToken Profile for Web Services SSO scenarios. This binding has the followingconstraints:
SAML 1.1 Assertions with Holder-of-Key subject confirmation method
Web Services Security 1.1 and SOAP 1.2
WCF has no system-provided binding that matches the supported standards in SAPNetWeaver (SAML Token Profile 1.0, WS-Security 1.0, SOAP 1.1)
With the WCF APIs, developers can create SAML 1.1 Assertions with Sender-Vouches Confirmation Method
However, WCF does not support the STR-Transform algorithm which is requiredto sign SAML Tokens with Sender-Vouches confirmation method
System.IdentityModel.Tokens.SamlConstants.SenderVouches
To implement an interoperability scenario between SAP NetWeaver and.NET, a WCF custom binding is required to support the use of SAMLToken Profile 1.0, WS-Security 1.0 and SOAP 1.1 on the WS Consumerside. In addition, Holder-of-Key support in SAP NetWeaver is a prerequisite.
!
© SAP 2008 Page 39
Microsoft .NET3.0/WCF
Microsoft .NET3.0/WCF
Interoperability Scenario between SAPNetWeaver and Microsoft .NET WCF
TrustRelationship
3
4
2
16
5
SAML Token (HoK)
SSO withWindowsIntegrated
Authentication
SAML Token (HoK)
SSO(SAML Token
Profile)
InitialAuthentication
at DomainController
1. The user logs on to the Windowsdomain with his Windows Credentials
2. The WS Consumer authenticates atthe Token Issuer with WindowsIntegrated Authentication andrequests a SAML HoK Token thatcontains the domain identity
3. The Token Issuer issues the SAMLToken
4. The WS Consumer sends the requestusing the Custom Binding (WS-Sec1.0, SOAP 1.1, SAML Token Profile1.0)
5. The WS Provider maps theWindows User identity to the ABAPUser identity
6. WS Provider sends response
Token Issuer(STS)
Token Issuer(STS)
Web ServiceConsumer
Web ServiceConsumer
Microsoft .NET3.0/WCF
Microsoft .NET3.0/WCF
Web ServiceProvider
Web ServiceProvider
SAP NetWeaverSAP NetWeaver
© SAP 2008 Page 40
Web Service ProviderWeb Service Provider
Configuration Steps for the InteroperabilityScenario with SAML Token Profile (HoK)
Implement the Custom Binding for.NET/WCFConfigure an endpoint of the WebService Provider to support symmetrickey encryption/signature usingSAML-bases messageauthenticationMaintain mapping of external user id(e.g. Windows Domain Name) tointernal SAP user id
SE38 - RSUSREXTID
SOAMANAGER
Web ServiceConsumer
Web ServiceConsumer
SAP NetWeaverSAP NetWeaver
WS EndpointConfiguration
Microsoft .NET3.0/WCF
Microsoft .NET3.0/WCF
User Mapping
Custom Binding
.NET/WCF Code
© SAP 2008 Page 41
Implementation of the Custom Binding in the.NET/WCF Web Service Consumer (1/2)
SymmetricSecurityBindingElement secBinding = newSymmetricSecurityBindingElement();
secBinding.DefaultAlgorithmSuite =SecurityAlgorithmSuite.Basic128Rsa15;
secBinding.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
secBinding.IncludeTimestamp = true;
secBinding.SetKeyDerivation(false);
// set WSS 1.0 and SOAP 1.1
secBinding.MessageSecurityVersion =MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
// don't encrypt signature
secBinding.MessageProtectionOrder =MessageProtectionOrder.SignBeforeEncrypt;
...
… using WS-Security1.0 …
… based on thisalgorithm suite …
… without encryptingthe signature in the WS-Security header.
Use a symmetric key toprotect the message ...
Web ServiceConsumer
Web ServiceConsumer
Custom Binding
© SAP 2008 Page 42
Implementation of the Custom Binding in the.NET/WCF Web Service Consumer (1/2)
...
IssuedSecurityTokenParameters itp = newIssuedSecurityTokenParameters();
itp.ReferenceStyle =SecurityTokenReferenceStyle.Internal;
itp.InclusionMode =SecurityTokenInclusionMode.AlwaysToRecipient;
itp.TokenType = "urn:oasis:names:tc:SAML:1.1:assertion";
itp.KeyType = SecurityKeyType.SymmetricKey;
itp.KeySize = 128;
itp.RequireDerivedKeys = false;
itp.IssuerAddress = new EndpointAddress(newUri("http://localhost:8000/samlsts"));
// set sts binding
itp.IssuerBinding = new WSHttpBinding("stsBinding");
secBinding.ProtectionTokenParameters = itp;
Get an issued token toprotect the message …
… using the SAMLToken Profile 1.0 with aSAML 1.1 assertion …
… that holds thesymmetric key toprotect the message …
… from the TokenIssuer (STS) with thisURL.
Web ServiceConsumer
Web ServiceConsumer
Custom Binding
© SAP 2008 Page 43
Configuring SAML Holder-of-Key Token for theABAP Web Service Provider (1/3)
Invoke TransactionSOAMANAGER
2 Switch to the tabApplication andScenarioConfiguration andselect Single ServiceAdministration
1WS Endpoint
Configuration
© SAP 2008 Page 44
Configuring SAML Holder-of-Key Token for theABAP Web Service Provider (2/3)
Search for the service,select it in the searchresults list and click onApply Selection
3
Click on CreateService to create anew service or selectan existing entry andclick on Edit
4
WS EndpointConfiguration
© SAP 2008 Page 45
Configuring SAML Holder-of-Key Token for theABAP Web Service Provider (3/3)
For SAML Holder-of-KeyAuthentication, selectSymmetric Message
Signature/Encryption inTransport GuaranteeCommunication Security
Single Sign-On usingSAML in AuthenticationSettingsAuthentication Method
MessageAuthentication
5
Click on Save6
WS EndpointConfiguration
© SAP 2008 Page 46
Configuring the SAML User Mapping in the ASABAP (1/4)
Start the ABAP Editor withtransaction SE38
1
Enter RSUSREXTID andclick on Execute (F8)
2
User Mapping
© SAP 2008 Page 47
Configuring the SAML User Mapping in the ASABAP (2/4)
Enter the SAP user nameand select SA for theExternal ID type.Optionally, enter the prefix(e.g. Token Issuer/STSname + "::" + WindowsDomain Name) and/or suffixthat is present in the externalname. In addition, enter theDN of the Token Issuer‘s(STS) certificate
Save the new mapping withExecute (F8) and review thechanges made in themapping table.
3
4
User Mapping
© SAP 2008 Page 48
Configuring the SAML User Mapping in the ASABAP (3/4)
Display the current SAMLuser mappings with the DataBrowser (SE16)
Enter VUSREXTID for theTable Name and press F7
Select SA for the ExternalID type and press Enter
5
6
7
User Mapping
© SAP 2008 Page 49
Configuring the SAML User Mapping in the ASABAP (4/4)
Display the externalSAML Mapping
8User Mapping
© SAP 2008 Page 50
<saml:Assertion AssertionID="saml-bac86b5d" Issuer="urn:wcf.SAMLSTS“ ...><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:
nameid-format:WindowsDomainQualifiedName">SAP_ALL\D044724</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">...<KeyInfo><o:SecurityTokenReference><o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier">EZJTP...</o:KeyIdentifier>
</o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>Oe6n+sudejob5AEH...</e:CipherValue>
</e:CipherData></e:EncryptedKey>
</KeyInfo></saml:SubjectConfirmation>
</saml:Subject></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>...<Reference URI="#saml-bac86b5d">
</SignedInfo><SignatureValue>lZ1GzQ3yO887oiwY...</SignatureValue><KeyInfo><o:SecurityTokenReference><o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier">kfXogbsH...</o:KeyIdentifier>
</o:SecurityTokenReference></KeyInfo>
</Signature></saml:Assertion>
SAML Token Issued by the .NET WCF TokenIssuer and Used for Authentication at SAP
Encrypted symmetric key
User Identity Information fromWindows Integrated Authentication
Subject ConfirmationMethod (HoK)
Token Issuersignature
© SAP 2008 Page 51
Copyright 2008 SAP AGAll Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changedwithout prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed arethe trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior writtenpermission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies,developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note thatthis document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant theaccuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express orimplied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitationshall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in thesematerials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durchSAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden.
Einige von der SAP AG und deren Vertriebspartnern vertriebene Softwareprodukte können Softwarekomponenten umfassen, die Eigentum anderer Softwarehersteller sind.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge und andere in diesem Dokument erwähnte SAP-Produkte und Services sowie diedazugehörigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und in mehreren anderen Ländern weltweit. Alle anderen in diesem Dokument erwähnten Namen vonProdukten und Services sowie die damit verbundenen Firmenlogos sind Marken der jeweiligen Unternehmen. Die Angaben im Text sind unverbindlich und dienen lediglich zuInformationszwecken. Produkte können länderspezifische Unterschiede aufweisen.
Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Formauch immer, nur mit ausdrücklicher schriftlicher Genehmigung durch SAP AG gestattet. Bei dieser Publikation handelt es sich um eine vorläufige Version, die nicht Ihrem gültigen Lizenzvertragoder anderen Vereinbarungen mit SAP unterliegt. Diese Publikation enthält nur vorgesehene Strategien, Entwicklungen und Funktionen des SAP®-Produkts. SAP entsteht aus dieserPublikation keine Verpflichtung zu einer bestimmten Geschäfts- oder Produktstrategie und/oder bestimmten Entwicklungen. Diese Publikation kann von SAP jederzeit ohne vorherigeAnkündigung geändert werden.
SAP übernimmt keine Haftung für Fehler oder Auslassungen in dieser Publikation. Des Weiteren übernimmt SAP keine Garantie für die Exaktheit oder Vollständigkeit der Informationen, Texte,Grafiken, Links und sonstigen in dieser Publikation enthaltenen Elementen. Diese Publikation wird ohne jegliche Gewähr, weder ausdrücklich noch stillschweigend, bereitgestellt. Dies gilt u. a.,aber nicht ausschließlich, hinsichtlich der Gewährleistung der Marktgängigkeit und der Eignung für einen bestimmten Zweck sowie für die Gewährleistung der Nichtverletzung geltenden Rechts.SAP haftet nicht für entstandene Schäden. Dies gilt u. a. und uneingeschränkt für konkrete, besondere und mittelbare Schäden oder Folgeschäden, die aus der Nutzung dieser Materialienentstehen können. Diese Einschränkung gilt nicht bei Vorsatz oder grober Fahrlässigkeit.
Die gesetzliche Haftung bei Personenschäden oder Produkthaftung bleibt unberührt. Die Informationen, auf die Sie möglicherweise über die in diesem Material enthaltenen Hotlinks zugreifen,unterliegen nicht dem Einfluss von SAP, und SAP unterstützt nicht die Nutzung von Internetseiten Dritter durch Sie und gibt keinerlei Gewährleistungen oder Zusagen über InternetseitenDritter ab.
Alle Rechte vorbehalten.