SCI263: Identity Virtualization with SAP NetWeaver Virtual Directory Server

John Erik Setsaas, SAP Labs Norway
Kåre Indroy, SAP Labs Norway
Kristian Lehment, SAP AG
Serge Muts, SAP Labs LLC

October 2010

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.



© 2010 SAP AG. All rights reserved.


Agenda

1. Introduction
  1.1. Heterogeneous Environment
  1.2. Client-Side Expectations
  1.3. Server-Side Expectations
2. SAP NetWeaver Virtual Directory Server
  2.1. Overview and Architecture
  2.2. SAP Centric Use Cases
  2.3. Complex Operations and Use Cases
3. Exercises


Heterogeneous Environment

Identity information is spread over a large number of repositories
A large number of applications need access to identity information
There are a few "de facto" standard protocols for accessing the information ...
... but not all of them are supported by all data repositories

Diagram: client apps accessing repositories that support LDAP and repositories that do NOT support LDAP (SunOne, eDirectory, Active Directory, Oracle, SAP NW IdM, mySQL).


Heterogeneous Environment: Multiple Access Points

Complexity of configuration
  For LDAP data sources: IP, port, username, password, starting point (in DN form)
  For non-LDAP-enabled sources: connection string, tables/views, URLs, ports, other data-source-specific detailed information
Error-prone configuration process
Applications often designed to support only ONE back-end

Diagram (example connection details): jdbc:solid://10.8.108.163:1315/opi/testsolid.jdbc.SolidDriver; OSC 191.216.2.128:391 with cn=suser,O=exchange, ********, ou=exchange,O=mx; dir.sap.com:389 with cn=manager, ********, dc=sap,dc=com


Heterogeneous Environment: Schema Differences

The same piece of information can be stored under different attributes
  Clients do not know which attribute to ask for
  Most often: clients are not even CAPABLE of asking various questions
Differences between databases are even bigger
  There is no attempt to follow any standards at all

Diagram: the data source contains the mail attribute, stored as rfc822mailbox. Client A asks "Get mail address? (mail)" and gets NO; Client B asks "Get mail address? (rfc822mailbox)" and gets YES.


Heterogeneous Environment: Information Formatting

Data sources may have their own way of formatting stored identity information
This requires post-processing on the client side
  Not always possible
  Client applications may not be capable of doing the necessary transformations
  Clients may not even accept the result

Diagram: both repositories contain the user's name (cn attribute) but formatted differently, cn=Alexis Rogers and cn=Rogers, Alexis. Client A: "OK, use it!"; Client B: "Not OK! Post-process search result".


Client-Side Expectations

Fan-out operation
  Carry out the same operation (typically search) on multiple data sources
Seamless operation
  Different data source types, different protocols, different schemas, different name spaces
Simplification
Authentication options
Performance


Server-Side Expectations

General
  Control of operational properties based on user identity: number of elements returned, returned attribute list, contents of attributes, time limit for the operation
Access control
  Complicated
  Time-consuming: setting up, applying
  Sometimes not sufficient

Diagram: clients A, B and C send the same operation; A receives the information for client A, B receives the information for client B, and C is not allowed to perform the operation.


Identity Management Architecture

Diagram: SAP NetWeaver Identity Management 7.1. The Identity Center comprises the Workflow and Monitoring UI (AS Java), the Management Console, the Dispatcher/Runtime Engine, the Event Agent Service and the Identity Center Database (arrows labelled "detect changes" and "read/write"). The Virtual Directory Server sits between the Identity Center and SAP GRC, web services and SAP HCM. Further connected systems: e-mail system, Active Directory, SAP Portal, SAP ERP, others.


Identity Virtualization

Virtual Directory Server (VDS) provides
  Single consistent view and entry point for multiple distributed identity data sources
  Identity information as a service for applications through standard protocols (LDAP, SPML)
  Abstraction layer for the underlying data stores
    Consumer only sees one standard interface
  Transformation of incoming LDAP requests, connecting directly to the existing data repositories
    Data stays within the original data source
    Efficient caching

Properties
  Real-time access to data
  No need to consolidate data sources
  No extra data store
  Quick LDAP deployment
  Easier and cheaper maintenance
  Attribute manipulation
  Name space modifications
  Complex operations on-the-fly

Diagram: an application and a directory server reach the Virtual Directory Server over SPML and LDAP; the Virtual Directory Server reaches a directory server over LDAP and a database over JDBC.


Architecture

Diagram: multiple inbound protocols (LDAP, DB API, SPML, DSML, ...) enter the Virtual Directory Kernel through an extensible transformation framework; configuration management and version control through a Java GUI; an in-memory cache; and a connector framework with protocol connectors, web services connectors and application connectors (SAP, Salesforce, ...).


Identity Services

VDS provides web services access to identity information stored in an identity store

VDS accepts SPML (Service Provisioning Markup Language) requests

VDS acts as an abstraction layer between identity services clients and the identity information


Connector Development Kit: Purpose and Components

Purpose
  To provide a development toolkit and guidelines for customers and third-party vendors to create an SAP NetWeaver Identity Management connector for non-SAP applications.
Components
  Identity Center: main functionality used here is identity provisioning
  Virtual Directory Server: single access point for data updates in multiple repositories


Connector Development Kit: Two Integration Steps

Identity Center integration
  The connector tasks integrate into the existing (common) provisioning framework in the Identity Center
  One set of tasks has to be customized to work together with the target application, utilizing VDS
Virtual Directory Server integration
  The generic VDS core functionality has to be extended
  Source code has to be developed which will be used by VDS to connect to the target application

Diagram: the Identity Management connector consists of two parts, the connector tasks in the Identity Center provisioning framework and the VDS connector (application integration code in the Virtual Directory Server); both are to be created by the customer or third-party vendor. The application Java library, which typically exists within the third-party application, links the VDS connector to the target application.


Connectivity Architecture

Provisioning Framework
  Independent of repositories and back-ends
  Hooks into the partner's set of IC connector tasks
IC Tasks (set from partner)
  Hooked into the provisioning framework
Virtual Directory Server (VDS)
  Connectors from partners: multiple connectors in a virtual tree
Back-Ends (third-party applications)


3rd Party Connector Certification: SAP ICC Integration Scenario "NW-IDM-CON"

General information about third-party certifications with SAP products is available here:
http://www.sdn.sap.com/irj/sdn/interface-certifications

You may contact the SAP Integration and Certification Center (ICC) directly using this mail address: [email protected]

NOW AVAILABLE: the integration scenario offered by the SAP Integration and Certification Center (ICC). The scenario is called NW-IDM-CON and it is now listed on the Integration Scenario/Interface reference table of the ICC on the SDN.

Partners of SAP as well as potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an Identity Management connector for their application, and to integrate the application in the Identity Management landscape. This connector can then be certified by the SAP ICC.

And there is an additional "ONE TIME OFFER" from SAP: every company that signs a certification agreement in the category "NW-IDM-CON" before December 31st, 2010 will receive a 20 percent discount on the certification fee. So please: go to the ICC website and find out who to contact!


Extending VDS

Custom-made extension classes
  Java code
  May be created and compiled from the GUI
  Automatically detected and reloaded by the running server
VDS supplies templates
  Most often only tailoring of existing code is needed
Each class must implement a predefined interface
  One for each type of extension


SAP Template: Example for HCM LDAP Extract for IDM

Adding information from several connected HCM systems
  The new template HCM LDAP EXTRACT for IDM.xml allows adding information from different HCM systems
  For example, while transferring the data from an HCM system, an ID of that system can be added, so that the Identity Center knows which system the information came from
  Extendable

Diagram: several HCM systems connected over LDAP to the Virtual Directory Server, which feeds the Identity Store in the Identity Center (IC).


Integration of SAP Business Objects Access Control

VDS handles all connections to/from SAP Business Objects Access Control through the web service API exposed by SAP Business Objects Access Control
Configuration of the VDS is necessary so that the Identity Center gets access to SAP Business Objects Access Control
VDS 7.1 contains templates for SAP Business Objects Access Control releases 5.2 and 5.3: GRC AE 52 Integration.xml and GRC AE 53 Integration SP2.xml


"Complex" Operations

Traditional ("simple") virtual directory operations
  Carried out toward a single back-end
  Efficient
  Example: VDS acts as a 'proxy' for a single LDAP data source
VDS implements several complex operations
  Uses "simple" operations as building blocks for constructing more advanced operations
  Final result constructed from the simple operation results
  Construction rules depend on the operation
  Example: a legacy identity data source is missing e-mail addresses; the VDS can 'join' its search results with those of an LDAP directory containing the e-mail addresses, based on a matching attribute
Complex operations can also be used as building blocks for other complex operations
  Recursive


Complex Operations: Multi-Search (union)

One incoming search request is submitted to several repositories
The search result is returned as one data set
The client application sees this as one search and one repository
  It cannot determine where entries are coming from


Complex Operations: Join

Join the attributes from a master data source with attributes from multiple additional data sources
  Attribute source may be any back-end accessible through the Virtual Directory Server
Recursive cascade join
  Attribute values resolved on one level can be used as keys for resolving attributes on another level
Smart attribute value processing
  Optimized number of searches


Complex Operations: Dynamic Adds

Fetch attributes from multiple additional data sources before the entry is provisioned (on the ADD request)
  Attribute source may be any back-end accessible through the Virtual Directory Server
Unlimited cascade fetching
  Attribute values resolved on one level can be used as keys for resolving attributes on another level
Smart attribute value processing
  Optimized number of searches


Complex Operations: Load Balancing

Two configuration options for accessing back-end data sources
  Round-robin
  Weighted ratio
May be configured per operation
  Separate algorithms for search and update operations

Diagram: an UPDATE request and a SEARCH request arrive at the VDS, which selects one of the configured data sources where the operation will be carried out (weights shown: 50%, 20%, 30%).
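As an added example (not SAP VDS code; the slides show no implementation), the following Python models the two selection policies on this slide, weighted ratio and round-robin, and keeps one policy per operation type so that searches and updates are balanced by different algorithms, as the slide describes. The data source names ds1 to ds3 are constructed, the 50/20/30 split is taken from the percentages on the slide, and the smooth weighted round-robin algorithm used for the weighted ratio is my choice, not something the slide specifies.

```python
"""Per-operation back-end selection for a virtual directory: weighted ratio for
searches, round-robin for updates. Added example; not SAP VDS code."""
from itertools import cycle


class WeightedRatio:
    """Smooth weighted round-robin (my choice of algorithm, not the slide's):
    each pick adds every source's weight to its credit, takes the source with
    the most credit and charges it the total. Over sum(weights) picks each
    source is chosen exactly `weight` times, and the picks are interleaved
    rather than grouped, so a 50/20/30 split holds even for short bursts."""

    def __init__(self, weights):
        if not weights or any(w < 0 for w in weights.values()) or sum(weights.values()) == 0:
            raise ValueError("weights must be non-empty, non-negative and not all zero")
        self.weights = dict(weights)          # e.g. {"ds1": 50, "ds2": 20, "ds3": 30}
        self.total = sum(self.weights.values())
        self.credit = {name: 0 for name in self.weights}

    def pick(self):
        for name, weight in self.weights.items():
            self.credit[name] += weight
        chosen = max(self.credit, key=self.credit.get)   # ties go to the first configured
        self.credit[chosen] -= self.total
        return chosen


class RoundRobin:
    """Plain rotation: every source gets every n-th request."""

    def __init__(self, sources):
        self._sources = cycle(list(sources))

    def pick(self):
        return next(self._sources)


class LoadBalancer:
    """One selection policy per operation type (separate algorithms for
    search and update, as on the slide)."""

    def __init__(self, policies):
        self.policies = policies

    def route(self, operation):
        """Return the name of the data source that should carry out `operation`."""
        if operation not in self.policies:
            raise ValueError(f"no load-balancing policy configured for {operation!r}")
        return self.policies[operation].pick()


def make_balancer():
    """Constructed configuration mirroring the slide: searches split 50/20/30
    across three sources, updates rotated evenly."""
    return LoadBalancer({
        "search": WeightedRatio({"ds1": 50, "ds2": 20, "ds3": 30}),
        "update": RoundRobin(["ds1", "ds2", "ds3"]),
    })


def distribution(balancer, operation, n):
    """Route n requests of one operation type and count where they went."""
    counts = {}
    for _ in range(n):
        source = balancer.route(operation)
        counts[source] = counts.get(source, 0) + 1
    return counts


if __name__ == "__main__":
    lb = make_balancer()
    print("10 searches:", distribution(lb, "search", 10))   # {'ds1': 5, 'ds3': 3, 'ds2': 2}
    print("4 updates:", [lb.route("update") for _ in range(4)])
```

The per-operation table is the point to notice: a search can be spread across replicas by weight while an update still goes wherever the update policy sends it, and an operation with no configured policy is refused rather than silently sent to the first source.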


Use Case: LDAP Enabling

The Virtual Directory gives LDAP access to one or more data stores
  LDAP
  Database
  Proprietary data sources
The user will see all information as one LDAP tree


Use Case: LDAP Enabling

LDAP enabling of an SQL database
  Database fields: Name, Dept., e-mail


Use Case: Attribute Mapping

Different clients may expect different attributes for the same purpose
  mail
  rfc822mailbox
Prefixing of the attribute
  "smtp:[email protected]"
  [email protected]
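The schema-difference and information-formatting problems from the introduction (mail versus rfc822mailbox, "Alexis Rogers" versus "Rogers, Alexis") and the attribute-mapping use case above are all the same mechanism: a per-client view that renames attributes and transforms values in both directions, on the way in (filters) and on the way out (entries). The Python below is an added example, not SAP VDS code or its extension API; the back-end entries, the client names and the CLIENT_VIEWS table are constructed for illustration.

```python
"""Per-client attribute mapping and value formatting, in the style of a virtual
directory's transformation layer. Added example; not SAP VDS code."""
import re

# Constructed back-end entries. The source stores the mail address under
# rfc822mailbox and the name as "Last, First" (the two mismatches from the
# schema-differences and information-formatting slides).
BACKEND_ENTRIES = [
    {"dn": "uid=arogers,ou=people,dc=example,dc=com",
     "cn": ["Rogers, Alexis"], "rfc822mailbox": ["alexis.rogers@example.com"]},
    {"dn": "uid=rsoligard,ou=people,dc=example,dc=com",
     "cn": ["Soligard, Randi"], "rfc822mailbox": ["randi.soligard@example.com"]},
]


def backend_search(attr, value):
    """The back-end understands only its own attribute names and value formats."""
    return [e for e in BACKEND_ENTRIES if value in e.get(attr, [])]


# Value transformations come in pairs so that incoming filters can be rewritten
# into the back-end's format and outgoing values into the client's.
def last_first_to_display(v):      # "Rogers, Alexis" -> "Alexis Rogers"
    last, sep, first = v.partition(",")
    return f"{first.strip()} {last.strip()}" if sep else v


def display_to_last_first(v):      # "Alexis Rogers" -> "Rogers, Alexis"
    first, sep, last = v.rpartition(" ")
    return f"{last}, {first}" if sep else v


def add_smtp_prefix(v):
    return "smtp:" + v


def strip_smtp_prefix(v):
    return v[len("smtp:"):] if v.lower().startswith("smtp:") else v


def unchanged(v):
    return v


# Per-client view (constructed): client attribute -> (back-end attribute,
# back-end-to-client transform, client-to-back-end transform). Anything not
# listed is invisible to that client, so the view doubles as the
# "returned attribute list" control from the server-side expectations slide.
CLIENT_VIEWS = {
    # Client A asks for "mail" and wants names in display order.
    "client_a": {"cn": ("cn", last_first_to_display, display_to_last_first),
                 "mail": ("rfc822mailbox", unchanged, unchanged)},
    # Client B wants the address prefixed with "smtp:" and the name as stored.
    "client_b": {"cn": ("cn", unchanged, unchanged),
                 "mail": ("rfc822mailbox", add_smtp_prefix, strip_smtp_prefix)},
}

EQUALITY_FILTER = re.compile(r"\((\w+)=(.+)\)")


def translate_filter(view, client_filter):
    """Rewrite an equality filter from the client's vocabulary into the back-end's."""
    m = EQUALITY_FILTER.fullmatch(client_filter)
    if not m:
        raise ValueError("only (attr=value) filters are handled in this example")
    attr, value = m.groups()
    if attr not in view:
        raise ValueError(f"attribute {attr!r} is not exposed to this client")
    backend_attr, _, to_backend = view[attr]
    return backend_attr, to_backend(value)


def translate_entry(view, entry, requested):
    """Render a back-end entry with the client's attribute names and formats."""
    out = {"dn": entry["dn"]}
    for client_attr in requested:
        if client_attr not in view:
            raise ValueError(f"attribute {client_attr!r} is not exposed to this client")
        backend_attr, to_client, _ = view[client_attr]
        if backend_attr in entry:
            out[client_attr] = [to_client(v) for v in entry[backend_attr]]
    return out


def virtual_search(client, client_filter, requested):
    """What the virtual directory does for one client search: translate the
    request, run it against the back-end, translate the results back."""
    view = CLIENT_VIEWS[client]
    backend_attr, backend_value = translate_filter(view, client_filter)
    return [translate_entry(view, e, requested)
            for e in backend_search(backend_attr, backend_value)]
```

Client B can search with "(mail=smtp:alexis.rogers@example.com)" and Client A with "(cn=Alexis Rogers)" against the same stored entry, and neither ever sees the back-end's own attribute names: a filter on rfc822mailbox is rejected for both, which is how the view keeps the back-end schema from leaking through the virtual layer.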


Use Case: Cross-Repository Join

Diagram: one repository holds Name: Randi Soligard and E-mail: [email protected]; a second repository holds E-mail: [email protected].
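The "Complex" Operations example (a legacy source without e-mail addresses joined with an LDAP directory on a matching attribute), the Multi-Search (union) and Join slides, the LDAP enabling of an SQL database, and the cross-repository join above all fit in one small model, added here as an example that is not SAP VDS code. The two back-ends are constructed: an in-memory LDAP-like directory and an in-memory SQLite table standing in for the legacy HR database, exposed row by row as LDAP entries; employeeNumber is the matching attribute I chose for the join.

```python
"""A toy virtual directory over two back-ends: an LDAP-like directory and a
legacy SQL table exposed as LDAP entries. Shows multi-search (union) and a
cross-repository join. Added example; not SAP VDS code."""
import sqlite3

# Back-end 1: directory entries (constructed). This is the source that knows
# the e-mail addresses.
LDAP_ENTRIES = [
    {"dn": "uid=rsoligard,ou=people,dc=directory,dc=example",
     "employeeNumber": "1001", "mail": "randi.soligard@example.com"},
    {"dn": "uid=arogers,ou=people,dc=directory,dc=example",
     "employeeNumber": "1002", "mail": "alexis.rogers@example.com"},
]


def ldap_search(attr, value):
    """Equality search over the directory; the value "*" returns every entry."""
    return [dict(e) for e in LDAP_ENTRIES if value == "*" or e.get(attr) == value]


# Back-end 2: a legacy HR table with no e-mail column, LDAP-enabled row by row.
# Only the columns in this whitelist are reachable through the virtual tree.
COLUMN_FOR_ATTR = {"employeeNumber": "empno", "cn": "name", "ou": "dept"}


def make_legacy_db():
    """Constructed sample table standing in for the legacy identity source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (empno TEXT PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        ("1001", "Randi Soligard", "Sales"),
        ("1002", "Alexis Rogers", "IT"),
        ("1003", "Kari Nordmann", "IT"),
    ])
    return conn


def db_search(conn, attr, value):
    """Translate an LDAP equality filter into SQL. The attribute name is resolved
    through the whitelist and the value travels as a bound parameter, so a
    client-supplied filter can never change the shape of the statement."""
    if attr not in COLUMN_FOR_ATTR:
        raise ValueError(f"attribute {attr!r} is not exposed by this back-end")
    sql, params = "SELECT empno, name, dept FROM employees", ()
    if value != "*":
        sql += f" WHERE {COLUMN_FOR_ATTR[attr]} = ?"
        params = (value,)
    sql += " ORDER BY empno"
    return [{"dn": f"employeeNumber={empno},ou=hr,dc=legacy,dc=example",
             "employeeNumber": empno, "cn": name, "ou": dept}
            for empno, name, dept in conn.execute(sql, params)]


def multi_search(backends, attr, value):
    """Multi-search (union): fan one request out to every back-end and hand the
    results back as a single data set. Only the DN still tells the client which
    repository an entry came from."""
    results = []
    for search in backends:
        results.extend(search(attr, value))
    return results


def join_search(master_search, attr, value, key_attr, secondary_search, join_attrs):
    """Join: run the search against the master source, then use each entry's
    key_attr to look up the secondary source and merge join_attrs into the
    entry. Entries without a match are returned unchanged, not dropped."""
    joined = []
    for entry in master_search(attr, value):
        merged = dict(entry)
        key = entry.get(key_attr)
        if key is not None:
            for extra in secondary_search(key_attr, key):
                merged.update({a: extra[a] for a in join_attrs if a in extra})
        joined.append(merged)
    return joined


def demo():
    """The slides' scenario: the legacy source lacks e-mail, the directory has
    it, and employeeNumber is the matching attribute."""
    conn = make_legacy_db()

    def legacy(attr, value):
        return db_search(conn, attr, value)

    union = multi_search([ldap_search, legacy], "employeeNumber", "1002")
    joined = join_search(legacy, "ou", "IT", "employeeNumber", ldap_search, ["mail"])
    return union, joined
```

Because join_search returns entries in the same shape the back-end searches do, a wrapper around one join can serve as the master_search of another, which is the recursive cascade join the slides describe: a value resolved on one level becomes the key on the next. This toy issues one secondary search per master entry; a real implementation batches or caches those lookups, which is the kind of work the slides summarize as "optimized number of searches".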


Use Case: Referenced Lookup

The Virtual Directory checks the lookup database for the correct server, based on the e-mail address

Diagram: requests for [email protected] and [email protected] are resolved against a lookup table whose rows pair a domain with server credentials and port, e.g. sap.com: SapUser, *****, 389; su, *****, 636; domainuser, ********, 389.


Use Case: Company Merger

Two companies merge
  Different databases and metadirectories
  Using the Virtual Directory to get access to the information


Exercises

1. Creating a new configuration
2. User Groups and Rules
3. Build a virtual tree
4. Configure VDS Logging
5. Add an LDAP data source
6. Add Database Connection
7. Add ObjectClass
8. Attribute Manipulation
9. Create a Multi Search Group
10. Optional: Create a Custom Connector

Diagram (exercise landscape): the Virtual Directory Server, reached over LDAP by the Identity Center and the Standalone Log Viewer, connected to a SunOne LDAP server (LDAP), a SQL Server database (JDBC) and an MS Excel application.


Further Information

SAP Public Web:
  SAP Developer Network (SDN): www.sdn.sap.com
  Business Process Expert (BPX) Community: www.bpx.sap.com
  SAP BusinessObjects Community (BOC): boc.sap.com

Further technical information from the SAP Technology RIG:
  Webinars: http://www.sdn.sap.com/irj/scn/ipnw-khnc
  How-to Guides: http://www.sdn.sap.com/irj/scn/howtoguides
  Podcasts: http://www.sdn.sap.com/irj/scn/sap-how-it-works-elearning

You can also follow SAP Technology RIG on Facebook and Twitter:
  http://www.facebook.com/pages/SAP-RIG/119256894764191?ref=ts
  http://twitter.com/saprig


Further Information

SAP Public Web:
  SAP Developer Network (SDN): http://www.sdn.sap.com/irj/sdn/nw-identitymanagement

Related SAP Education and Certification Opportunities:
  http://www.sap.com/education/ - Course ID: TZNWIM

Related Workshops/Lectures at SAP TechEd 2010:
  SCI101, SAP NetWeaver Identity Management 7.2: Highlights of the Next Release, Lecture
  SCI261, SAP NetWeaver Identity Management 7.1 – Workflow Configuration, Hands-On
  SCI262, Compliant Identity Management with SAP NetWeaver IDM and SAP BusinessObjects Access Control, Hands-On
  SCI263, Identity Virtualization with SAP NetWeaver IDM Virtual Directory Server, Hands-On
  SCI265, Managing Federated Identities for Service-Based Single Sign-On, Hands-On


Contact / Feedback

Please complete your session evaluation.

Be courteous: deposit your trash, and do not take the handouts for the following session.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect or consequential damages that may result from the use of these

© 2010 SAP AG. All Rights Reserved