sci263- identity virtualization
TRANSCRIPT
8/8/2019 SCI263- Identity Virtualization
http://slidepdf.com/reader/full/sci263-identity-virtualization 1/21
SCI263
Identity Virtualization with SAP NetWeaver Virtual Directory Server
John Erik Setsaas, SAP Labs Norway
Kåre Indroy, SAP Labs Norway
Kristian Lehment, SAP AG
Serge Muts, SAP Labs LLC
October 2010
© 2010 SAP AG. All rights reserved. / Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
1. Introduction
1.1. Heterogeneous Environment
1.2. Client-Side Expectations
1.3. Server-Side Expectations
2. SAP NetWeaver Virtual Directory Server
2.1. Overview and Architecture
2.2. SAP Centric Use Cases
2.3. Complex Operations and Use Cases
3. Exercises
Heterogeneous Environment
Identity information is spread over a large number of repositories
A large number of applications need access to identity information
There are a few "de facto" standard protocols for accessing the information ...
... but not all of them are supported by all data repositories
[Diagram: client apps in front of repositories that support LDAP and repositories that do NOT support LDAP; shown: SunOne, eDirectory, Active Directory, Oracle, SAP NW IdM, MySQL]
Heterogeneous Environment
Multiple Access Points
Complexity of configuration
For LDAP data sources
IP, port
Username, password
Starting point (in DN form)
For non-LDAP-enabled data sources
Connection string
Tables/views
URLs
Ports
Other data-source-specific detailed information
Error-prone configuration process
Applications are often designed to support only ONE back-end
[Diagram: sample connection details per back-end: a JDBC connection string jdbc:solid://10.8.108.163:1315/opi/test with driver solid.jdbc.SolidDriver; an LDAP source at 191.216.2.128:391 bound as cn=suser,O=exchange with starting point ou=exchange,O=mx; an LDAP source at dir.sap.com:389 bound as cn=manager with starting point dc=sap,dc=com; passwords masked]
Heterogeneous Environment
Schema Differences
The same piece of information can be stored under different attributes
Clients do not know which attribute to ask for
Most often, clients are not even CAPABLE of asking the question in several ways
Differences between databases are even bigger
There is no attempt to follow any standard at all
[Diagram: the data source stores the mail address as rfc822mailbox; Client A asks "Get mail address? (MAIL)" and gets NO; Client B asks "Get mail address? (rfc822mailbox)" and gets YES]
Heterogeneous Environment
Information Formatting
Data sources may have their own way of formatting the stored identity information
This requires post-processing on the client side
Not always possible
Client applications may not be capable of doing the necessary transformations
Clients may not even accept the result
[Diagram: both repositories contain the user's name (cn attribute) but formatted differently, cn=Alexis Rogers and cn=Rogers, Alexis; Client A: "OK. Use it!"; Client B: "Not OK! Post-process the search result"]
Client-Side Expectations
Fan-out operation
Carry out the same operation (typically search) on multiple data sources
Seamless operation across
Different data source types
Different protocols
Different schemas
Different name spaces
Simplification
Authentication options
Performance
Server-Side Expectations
General
Control of operational properties based on the identity of the requesting client
Number of elements returned
Returned attribute list
Contents of attributes
Time limit for the operation
Access control
Complicated
Time-consuming (setting up, applying)
Sometimes not sufficient
[Diagram: clients A, B and C send the same request; A receives the information for client A, B receives the information for client B, and C is not allowed to perform the operation]
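The per-client controls listed above, as an added example (not code from the presentation or from SAP NetWeaver VDS). A policy keyed by the identity the client authenticated with (its bind DN, assumed here) is applied in front of the back-ends: it decides whether the operation is allowed at all, caps the number of entries, restricts the attribute list, filters attribute values and bounds the time spent. The client DNs, policies and result entries are constructed; unknown clients fail closed.

```python
"""Per-client operational controls in front of the back-ends.

Added example, not SAP NetWeaver VDS code. Policies, client DNs and the
result set are constructed; the policy is looked up by the client's bind DN."""
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ClientPolicy:
    allowed_ops: frozenset        # operations the client may perform
    size_limit: int               # maximum number of entries returned
    attributes: frozenset         # attributes the client may see at all
    value_filters: dict = field(default_factory=dict)  # attr -> predicate(value)
    time_limit_s: float = 5.0

class OperationDenied(Exception):
    pass

class TimeLimitExceeded(Exception):
    pass

DENY_ALL = ClientPolicy(frozenset(), 0, frozenset())

# Constructed policies for the three clients on the slide (assumed DNs).
POLICIES = {
    "cn=client-a,ou=apps,dc=example,dc=com": ClientPolicy(
        frozenset({"search"}), 100, frozenset({"cn", "mail", "telephoneNumber"})),
    "cn=client-b,ou=apps,dc=example,dc=com": ClientPolicy(
        frozenset({"search", "modify"}), 2, frozenset({"cn", "mail"}),
        # client B only ever sees company mailboxes, never private addresses
        value_filters={"mail": lambda v: v.lower().endswith("@example.com")}),
    "cn=client-c,ou=apps,dc=example,dc=com": DENY_ALL,
}

def policy_for(client_dn):
    """Unknown or anonymous binds fall back to deny-all (fail closed)."""
    return POLICIES.get((client_dn or "").lower(), DENY_ALL)

def apply_policy(client_dn, op, raw_results, deadline_s=None):
    """Return (entries, truncated). raw_results may be a lazy iterator over
    back-end entries; it is consumed only as far as the size limit allows."""
    pol = policy_for(client_dn)
    if op not in pol.allowed_ops:
        raise OperationDenied(f"{client_dn!r} may not perform {op}")
    limit = pol.time_limit_s if deadline_s is None else min(deadline_s, pol.time_limit_s)
    started = time.monotonic()
    out, truncated = [], False
    for entry in raw_results:
        if time.monotonic() - started > limit:
            raise TimeLimitExceeded(f"{op} exceeded {limit}s for {client_dn!r}")
        if len(out) >= pol.size_limit:
            truncated = True          # the caller maps this to LDAP sizeLimitExceeded
            break
        trimmed = {"dn": entry["dn"]}
        for attr, values in entry.items():
            if attr == "dn" or attr not in pol.attributes:
                continue              # attribute is not part of this client's view
            keep = pol.value_filters.get(attr, lambda _v: True)
            kept = [v for v in values if keep(v)]
            if kept:
                trimmed[attr] = kept
        out.append(trimmed)
    return out, truncated

# Constructed back-end result set (no real people or credentials).
RAW_RESULTS = [
    {"dn": "uid=arogers,ou=people,dc=example,dc=com", "cn": ["Alexis Rogers"],
     "mail": ["arogers@example.com", "alexis@mail.invalid"],
     "telephoneNumber": ["+1 555 0100"], "userPassword": ["{SSHA}constructed"]},
    {"dn": "uid=rsoligard,ou=people,dc=example,dc=com", "cn": ["Randi Soligard"],
     "mail": ["randi.soligard@example.com"], "userPassword": ["{SSHA}constructed"]},
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "cn": ["J. Doe"],
     "mail": ["jdoe@example.com"]},
]

def slow_results(delay_s, entries=RAW_RESULTS):
    """Simulates a back-end that needs delay_s per entry (exercises the time limit)."""
    for e in entries:
        time.sleep(delay_s)
        yield e
```

The access decision is made before any back-end is contacted, and the size limit stops consumption of the back-end result rather than trimming a fully fetched list, so a client with a small limit cannot be used to pull a large result set through the virtual layer.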
Identity Management Architecture
[Diagram: SAP NetWeaver Identity Management 7.1. The Identity Center (Workflow and Monitoring UI on AS Java, Management Console, Dispatcher / Runtime Engine, Event Agent Service, Identity Center Database) detects changes in and reads/writes to the connected systems through the Virtual Directory Server, SAP GRC, web services and SAP HCM interfaces; target systems shown: e-mail system, Active Directory, SAP Portal, SAP ERP, others ...]
Identity Virtualization
Virtual Directory Server (VDS) provides
A single consistent view and entry point for multiple distributed identity data sources
Identity information as a service for applications through standard protocols (LDAP, SPML)
An abstraction layer for the underlying data stores
The consumer only sees one standard interface
VDS transforms incoming LDAP requests and connects directly to the existing data repositories
Data stays within its original data source
Efficient caching
Properties
Real-time access to data
No need to consolidate data sources
No extra data store
Quick LDAP deployment
Easier and cheaper maintenance
Attribute manipulation
Name space modifications
Complex operations on-the-fly
[Diagram: applications reach the Virtual Directory Server over SPML or LDAP; the VDS in turn reaches a database over JDBC and directory servers over LDAP]
Architecture
[Diagram: a Java GUI provides configuration management and version control. Multiple inbound protocols (LDAP, DB API, SPML, DSML, ...) enter the Virtual Directory Kernel, which contains the extensible transformation framework and an in-memory cache. Below it, the Connector Framework offers protocol connectors, web services connectors and application connectors (SAP, Salesforce, ...)]
Identity Services
VDS provides web services access to identity information stored in an identity store
VDS accepts SPML (Service Provisioning Markup Language) requests
VDS acts as an abstraction layer between identity services clients and the identity information
Connector Development Kit
Purpose and Components
Purpose
To provide a development toolkit and guidelines for customers and third-party vendors to create an SAP NetWeaver Identity Management connector for non-SAP applications
Components
Identity Center
Main functionality used here: identity provisioning
Virtual Directory Server
Single access point for data updates in multiple repositories
Connector Development Kit: Two Integration Steps
Identity Center integration
The connector tasks integrate into the existing (common) provisioning framework in the Identity Center
One set of tasks has to be customized to work together with the target application, utilizing VDS
Virtual Directory Server integration
The generic VDS core functionality has to be extended
Source code has to be developed which VDS will use to connect to the target application
[Diagram: the Identity Management connector consists of two parts created by the customer or third-party vendor: the connector tasks in the Identity Center provisioning framework, and the VDS connector, i.e. the application integration code in the Virtual Directory Server. The VDS connector calls an application Java library, which typically exists within the third-party application, to reach the target application]
Connectivity Architecture
Provisioning Framework
Independent of repositories and back-ends
Hooks into the partner's set of IC connector tasks
IC tasks (set from partner)
Hooked into the provisioning framework
Virtual Directory Server (VDS)
Connectors from partners
Multiple connectors in a virtual tree
Back-ends (third-party applications)
Third-Party Connector Certification
SAP ICC Integration Scenario "NW-IDM-CON"
General information about third-party certifications with SAP products is available here:
http://www.sdn.sap.com/irj/sdn/interface-certifications
You may contact the SAP Integration and Certification Center (ICC) directly using this mail address: [email protected]
NOW AVAILABLE: the integration scenario offered by the SAP Integration and Certification Center (ICC). The scenario is called NW-IDM-CON and is now listed in the Integration Scenario/Interface reference table of the ICC on the SDN.
SAP partners, potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an Identity Management connector for their application and to integrate the application into the Identity Management landscape. This connector can then be certified by the SAP ICC.
And there is an additional "ONE TIME OFFER" from SAP: every company that signs a certification agreement in the category "NW-IDM-CON" before December 31st, 2010 will receive a 20 percent discount on the certification fee. So please go to the ICC website and find out who to contact!
Extending VDS
Custom-made extension classes
Java code
May be created and compiled from the GUI
Automatically detected and reloaded by the running server
VDS supplies templates
Most often only tailoring of the existing code is needed
Each class must implement a predefined interface
One interface for each type of extension
SAP Template - Example for HCM LDAP Extract for IDM
Adding information from several connected HCM systems
The new template HCM LDAP EXTRACT for IDM.xml allows adding information from different HCM systems
For example, while transferring the data from an HCM system, an ID for this system can be added, so that the Identity Center knows which system the information came from
Extendable
[Diagram: several HCM systems deliver LDAP extracts to the Virtual Directory Server, which feeds the combined data to the Identity Center (IC) identity store]
Integration of SAP BusinessObjects Access Control
VDS handles all connections to/from SAP BusinessObjects Access Control through the web service API exposed by SAP BusinessObjects Access Control
Configuration of the VDS is necessary so that the Identity Center gets access to SAP BusinessObjects Access Control
VDS 7.1 contains templates for SAP BusinessObjects Access Control releases 5.2 and 5.3:
GRC AE 52 Integration.xml
GRC AE 53 Integration SP2.xml
1.Introduction1.1. Heterogeneous Environment
1.2. Client-Side Expectations
1.3. Server Side Expectations
2.SAP NetWeaver Virtual Directory Server
2.1. Overview and Architecture
2.2. SAP Centric Use Cases
2.3. Complex Operations and Use Cases3.Exercises
Agenda
"Complex" Operations
Traditional ("simple") virtual directory operations
Carried out toward a single back-end
Efficient
Example: VDS acts as a 'proxy' for a single LDAP data source
VDS implements several complex operations
Uses "simple" operations as building blocks for constructing more advanced operations
The final result is constructed from the simple operation results
Construction rules depend on the operation
Example: a legacy identity data source is missing e-mail addresses; VDS can 'join' the search results with those from an LDAP directory containing the e-mail addresses, based on a matching attribute
A complex operation can also be used as a building block for other complex operations
Recursive
Complex Operations
Multi-Search (union)
One incoming search request is submitted to several repositories
The search result is returned as one data set
The client application sees this as one search against one repository
It cannot determine where the entries are coming from
Complex Operations
Join
Join the attributes from a master data source with attributes from multiple additional data sources
The attribute source may be any back-end accessible through the Virtual Directory Server
Recursive cascade join
Attribute values resolved on one level can be used as keys for resolving attributes on another level
Smart attribute value processing
Optimized number of searches
Complex Operations
Dynamic Adds
Fetch attributes from multiple additional data sources before the entry is provisioned
The attribute source may be any back-end accessible through the Virtual Directory Server
Unlimited cascade fetching
Attribute values resolved on one level can be used as keys for resolving attributes on another level
Smart attribute value processing
Optimized number of searches
[Diagram: ADD request]
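Multi-search (union), cascaded join and dynamic add, as one added example serving the three slides above (not code from the presentation or from SAP NetWeaver VDS). The back-ends, their entries and the join rules are constructed: an HR source without mail addresses is enriched from a mail directory keyed by employee number, and a department lookup yields a manager id that in turn keys a second lookup in the mail directory (the cascade). A per-result cache means each distinct key is searched once, which is what "optimized number of searches" amounts to here.

```python
"""Multi-search (union), cascaded join and dynamic add built from single
back-end searches. Added example, not SAP NetWeaver VDS code; the back-ends,
entries and rules are constructed. Attribute values are lists, as in LDAP."""
from dataclasses import dataclass

class Backend:
    """Minimal back-end: equality search on one attribute. It counts searches
    so the effect of caching on the number of back-end calls is visible."""
    def __init__(self, name, entries):
        self.name, self.entries, self.searches = name, list(entries), 0

    def search(self, attr, value):
        self.searches += 1
        return [dict(e) for e in self.entries if value in e.get(attr, [])]

def union_search(backends, attr, value):
    """One incoming search fanned out to several back-ends; one merged result
    set, de-duplicated by DN, with no hint of which back-end an entry came from."""
    seen, merged = set(), []
    for b in backends:
        for e in b.search(attr, value):
            if e["dn"] not in seen:
                seen.add(e["dn"])
                merged.append(e)
    return merged

@dataclass(frozen=True)
class JoinRule:
    key_attr: str      # attribute of the entry being enriched (may come from an earlier rule)
    backend: Backend   # where the key is looked up
    match_attr: str    # attribute in that back-end that must equal the key
    fetch: dict        # {attribute in the hit: attribute name in the result}

def join(entry, rules, cache=None):
    """Apply the rules in order. A rule whose key_attr was filled by an earlier
    rule forms a cascade (key -> value -> key ...). Each distinct lookup hits
    the back-end once per cache, so identical keys across entries are not
    searched again."""
    cache = {} if cache is None else cache
    out = dict(entry)
    for rule in rules:
        for key in list(out.get(rule.key_attr, [])):
            ck = (rule.backend.name, rule.match_attr, key)
            if ck not in cache:
                cache[ck] = rule.backend.search(rule.match_attr, key)
            for hit in cache[ck]:
                for src, dst in rule.fetch.items():
                    if src in hit:
                        have = out.get(dst, [])
                        out[dst] = have + [v for v in hit[src] if v not in have]
    return out

def joined_search(master, attr, value, rules):
    """Search the master source, then enrich every hit; one cache per result set."""
    cache = {}
    return [join(e, rules, cache) for e in master.search(attr, value)]

def dynamic_add(target, entry, rules):
    """Enrich an incoming ADD from the other back-ends before it is written,
    so the provisioned entry is complete from the start. A miss is not an
    error: the attribute is simply absent."""
    full = join(entry, rules)
    target.entries.append(full)
    return full

# Constructed back-ends: HR without mail, a mail directory keyed by employee
# number, and a department directory that names the manager by number.
HR = Backend("hr", [
    {"dn": "employeeNumber=1001,ou=hr,dc=example,dc=com", "cn": ["Alexis Rogers"],
     "employeeNumber": ["1001"], "departmentNumber": ["D42"]},
    {"dn": "employeeNumber=1002,ou=hr,dc=example,dc=com", "cn": ["Randi Soligard"],
     "employeeNumber": ["1002"], "departmentNumber": ["D42"]},
])
MAILDIR = Backend("maildir", [
    {"dn": "uid=1000,ou=mail,dc=example,dc=com", "employeeNumber": ["1000"], "mail": ["dept.manager@example.com"]},
    {"dn": "uid=1001,ou=mail,dc=example,dc=com", "employeeNumber": ["1001"], "mail": ["arogers@example.com"]},
    {"dn": "uid=1002,ou=mail,dc=example,dc=com", "employeeNumber": ["1002"], "mail": ["randi.soligard@example.com"]},
])
DEPTS = Backend("depts", [
    {"dn": "departmentNumber=D42,ou=depts,dc=example,dc=com", "departmentNumber": ["D42"],
     "ou": ["Identity Engineering"], "managerId": ["1000"]},
])

# Rule order matters for the cascade: rule 2 produces managerId, rule 3 consumes it.
RULES = [
    JoinRule("employeeNumber", MAILDIR, "employeeNumber", {"mail": "mail"}),
    JoinRule("departmentNumber", DEPTS, "departmentNumber", {"ou": "ou", "managerId": "managerId"}),
    JoinRule("managerId", MAILDIR, "employeeNumber", {"mail": "managerMail"}),
]
```

Searching HR for departmentNumber D42 and enriching both hits costs one HR search, three mail-directory searches (1001, 1002 and the shared manager 1000 once) and one department search; the same rules applied to an ADD for a new employee fill in ou and managerMail even when the mail directory has no entry for that person yet.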
Complex Operations
Load Balancing
Two configuration options for accessing back-end data sources
Round-robin
Weighted ratio
May be configured per operation
Separate algorithms for search and update operations
[Diagram: an Update request and a Search request each select one of the configured data sources where the operation will be carried out; weights shown: 50%, 20%, 30%]
Use Case: LDAP Enabling
The Virtual Directory gives LDAP access to one or more data stores
LDAP
Database
Proprietary data sources
The user will see all information as one LDAP tree
Use Case: LDAP Enabling
LDAP enabling of an SQL database
Database fields: Name, Dept.
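LDAP-enabling an SQL table, as an added example (not code from the presentation or from SAP NetWeaver VDS). It translates an LDAP search filter into parameterized SQL over a constructed in-memory SQLite table with the Name and Dept. fields from the slide plus an e-mail column, and turns rows into LDAP entries with RFC 4514-escaped DNs. The column map, base DN and rows are assumptions. The point a practitioner cares about at this boundary: filter values are only ever bound as parameters and attribute names are resolved through a fixed map (an unknown attribute matches nothing, as in LDAP), so a client cannot inject SQL or pick columns through a filter; wildcards become LIKE with its metacharacters escaped.

```python
"""LDAP-enabling an SQL table: LDAP search filters become parameterized SQL,
rows become LDAP entries. Added example, not SAP NetWeaver VDS code; the
table, its rows, the column map and the base DN are constructed here."""
import re
import sqlite3

COLUMNS = {"uid": "id", "cn": "name", "departmentnumber": "dept", "mail": "email"}
BASE_DN = "ou=people,dc=example,dc=com"   # assumed suffix of the virtual tree

def _decode(piece):
    """Undo RFC 4515 \\XX escapes in a filter value (e.g. \\2a is a literal '*')."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def _like(piece):
    """Escape LIKE metacharacters; the statement declares ESCAPE '\\'."""
    return piece.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def _simple(expr):
    attr, _, value = expr.partition("=")
    col = COLUMNS.get(attr.strip().lower())
    if col is None:
        return "0", []                        # undefined attribute: FALSE, never a column name
    if value == "*":
        return f"{col} IS NOT NULL", []       # presence filter
    pieces = value.split("*")                 # unescaped '*' are wildcards
    if len(pieces) == 1:                      # cn/mail use caseIgnoreMatch in LDAP
        return f"{col} = ? COLLATE NOCASE", [_decode(value)]
    return f"{col} LIKE ? ESCAPE '\\'", ["%".join(_like(_decode(p)) for p in pieces)]

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, parts, params = s[i], i + 1, [], []
        while i < len(s) and s[i] == "(":
            sub, p, i = _parse(s, i)
            parts.append(sub)
            params += p
        if i >= len(s) or s[i] != ")" or not parts or (op == "!" and len(parts) != 1):
            raise ValueError("malformed filter")
        if op == "!":
            return f"(NOT ({parts[0]}))", params, i + 1
        return "(" + (" AND " if op == "&" else " OR ").join(parts) + ")", params, i + 1
    j = s.index(")", i)                       # ')' inside a value must be escaped as \29
    sql, params = _simple(s[i:j])
    return sql, params, j + 1

def filter_to_sql(ldap_filter):
    """Return (where_clause, parameters) for a filter such as (&(cn=A*)(mail=*))."""
    s = ldap_filter.strip()
    sql, params, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return sql, params

def escape_rdn_value(v):
    """RFC 4514 escaping for an attribute value placed in a DN."""
    out = []
    for k, ch in enumerate(v):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (ch == "#" and k == 0) or (ch == " " and k in (0, len(v) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def row_to_entry(row):
    uid, name, dept, email = row
    entry = {"dn": f"cn={escape_rdn_value(name)},{BASE_DN}", "objectClass": ["inetOrgPerson"],
             "uid": [str(uid)], "cn": [name], "departmentNumber": [dept]}
    if email is not None:
        entry["mail"] = [email]
    return entry

def open_sample_db():
    """In-memory table with constructed rows (Name and Dept. as on the slide)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, email TEXT)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        (1001, "Rogers, Alexis", "D42", "arogers@example.com"),
        (1002, "Soligard, Randi", "D42", "randi.soligard@example.com"),
        (1003, "O'Brien, Pat", "D7", None),
        (1004, "svc_backup", "OPS", "backup@example.com"),
    ])
    return db

def ldap_search(db, ldap_filter):
    where, params = filter_to_sql(ldap_filter)
    rows = db.execute(f"SELECT id, name, dept, email FROM employees WHERE {where}", params)
    return [row_to_entry(r) for r in rows]
```

SQLite's LIKE is case-insensitive for ASCII and equality is made so with COLLATE NOCASE, which lines up with LDAP's caseIgnoreMatch for cn and mail; on another database the collations have to be chosen deliberately so that the virtual tree does not answer the same filter differently from a real directory.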
Use Case: Attribute Mapping
Different clients may expect different attributes for the same purpose
rfc822mailbox
Prefixing of the attribute value
"smtp:[email protected]"
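The two mapping problems from the Schema Differences and Information Formatting slides, together with the prefixing shown here, as one added example (not code from the presentation or from SAP NetWeaver VDS). Two constructed back-ends store the mail address under different attribute names and the cn in different orders; the mapping layer translates both the attribute name and the value format of the client's query before it reaches a back-end, translates the results back into one canonical schema, and applies a per-client presentation such as the smtp: prefix last. The back-end names, entries, addresses and client identifiers are assumptions.

```python
"""Attribute mapping at the virtual directory layer.

Added example, not SAP NetWeaver VDS code. Two constructed back-ends hold the
same facts under different attribute names (rfc822mailbox vs. a column EMAIL)
and formats (cn as "Surname, Given" vs. "Given Surname"); the mapping layer
exposes one canonical schema to every client."""
from dataclasses import dataclass
from typing import Callable

def identity(value: str) -> str:
    return value

def surname_first_to_natural(value: str) -> str:
    """'Rogers, Alexis' -> 'Alexis Rogers' (unchanged when there is no comma)."""
    surname, comma, given = value.partition(",")
    return f"{given.strip()} {surname.strip()}" if comma else value

def natural_to_surname_first(value: str) -> str:
    """'Alexis Rogers' -> 'Rogers, Alexis' (single-token names unchanged)."""
    parts = value.split()
    return f"{parts[-1]}, {' '.join(parts[:-1])}" if len(parts) > 1 else value

@dataclass(frozen=True)
class Rule:
    backend_attr: str                           # attribute name in the back-end
    inbound: Callable[[str], str] = identity    # back-end value -> canonical value
    outbound: Callable[[str], str] = identity   # canonical value -> back-end value

class MappedBackend:
    """One back-end plus the rules that map it onto the canonical schema."""
    def __init__(self, name: str, entries: list, rules: dict):
        self.name, self.entries, self.rules = name, entries, rules

    def search(self, attr: str, value: str) -> list:
        """Equality search expressed in canonical terms; the attribute name and
        value format are translated before matching, so the client never
        needs to know what the back-end calls the attribute."""
        rule = self.rules.get(attr)
        if rule is None:                        # back-end has no such attribute
            return []
        wanted = rule.outbound(value)
        return [self.to_canonical(e) for e in self.entries
                if wanted in e.get(rule.backend_attr, [])]

    def to_canonical(self, entry: dict) -> dict:
        out = {"dn": entry["dn"]}
        for canonical, rule in self.rules.items():
            if rule.backend_attr in entry:
                out[canonical] = [rule.inbound(v) for v in entry[rule.backend_attr]]
        return out

# Constructed sample data (not from the slides or any real directory).
SUNONE = MappedBackend("sunone", [
    {"dn": "uid=arogers,ou=people,dc=example,dc=com",
     "cn": ["Rogers, Alexis"], "rfc822mailbox": ["arogers@example.com"]},
], {"cn": Rule("cn", surname_first_to_natural, natural_to_surname_first),
    "mail": Rule("rfc822mailbox")})

HRDB = MappedBackend("hrdb", [
    {"dn": "id=1007,ou=hr,dc=example,dc=com",
     "FULL_NAME": ["Randi Soligard"], "EMAIL": ["randi.soligard@example.com"]},
], {"cn": Rule("FULL_NAME"), "mail": Rule("EMAIL")})

# Per-client presentation: client A wants the address as rfc822mailbox with an
# "smtp:" prefix (as on the slide); client B takes the canonical form.
CLIENT_VIEWS = {
    "client-A": {"mail": ("rfc822mailbox", lambda v: f"smtp:{v}")},
    "client-B": {},
}

def present(entry: dict, client: str) -> dict:
    view = CLIENT_VIEWS[client]
    shown = {}
    for attr, values in entry.items():
        name, fn = view.get(attr, (attr, identity))
        shown[name] = [fn(v) for v in values] if isinstance(values, list) else values
    return shown

def virtual_search(attr: str, value: str, client: str) -> list:
    """One canonical query fanned out to every mapped back-end."""
    results = []
    for backend in (SUNONE, HRDB):
        results.extend(present(e, client) for e in backend.search(attr, value))
    return results
```

Both translations run on the query path as well as on the result path: a client asking for cn=Alexis Rogers is matched against "Rogers, Alexis" in the back-end that stores names surname-first, and the answer comes back in the form the client asked in.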
Use Case: Cross-Repository Join
[Diagram: an entry with Name: Randi Soligard and E-mail in one repository is joined on the E-mail attribute with an entry in a second repository]
Use Case: Referenced Lookup
The Virtual Directory checks the lookup database for the correct server, based on the e-mail address
[Lookup table: e-mail domain -> bind user, password, port; e.g. sap.com -> SapUser, *****, 389; su, *****, 636; domainuser, ********, 389]
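Back-end selection for the Load Balancing slide and for this referenced lookup, as one added example (not code from the presentation or from SAP NetWeaver VDS): round-robin for searches, a weighted ratio for updates (each configured per operation type), and a lookup that routes by the domain part of an e-mail address. The servers, weights, domains and bind DNs are constructed; the lookup table holds a reference to a credential in a vault rather than the password itself, which is an assumption about the deployment, not something the slide shows.

```python
"""Selecting the back-end for an operation. Added example, not SAP NetWeaver
VDS code; servers, weights, domains and bind DNs are constructed."""
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    host: str
    port: int
    bind_dn: str
    secret_ref: str   # key of the bind password in a vault/keystore (assumed), never the password

class RoundRobin:
    def __init__(self, servers):
        self._cycle = itertools.cycle(list(servers))

    def pick(self):
        return next(self._cycle)

class SmoothWeighted:
    """Smooth weighted round-robin: over sum(weights) consecutive picks each
    server is chosen exactly weight times, interleaved rather than in runs."""
    def __init__(self, weighted):            # iterable of (server, weight)
        self._servers = [(s, w) for s, w in weighted if w > 0]
        self._current = [0] * len(self._servers)
        self._total = sum(w for _, w in self._servers)

    def pick(self):
        for k, (_, w) in enumerate(self._servers):
            self._current[k] += w
        best = max(range(len(self._servers)), key=lambda k: self._current[k])
        self._current[best] -= self._total
        return self._servers[best][0]

class ReferencedLookup:
    """Route by e-mail domain. An unknown domain is an error, never a default
    server: a typo must not bind to the wrong directory with the wrong account."""
    def __init__(self, by_domain):           # mapping domain -> Server
        self._by_domain = {d.lower(): s for d, s in by_domain.items()}

    def pick(self, email):
        local, at, domain = email.rpartition("@")
        if not at or not local or not domain:
            raise ValueError(f"not an e-mail address: {email!r}")
        try:
            return self._by_domain[domain.lower()]
        except KeyError:
            raise LookupError(f"no directory configured for {domain}") from None

class Router:
    """Per-operation selection: referenced lookup when a key is given,
    otherwise the search policy or the update policy."""
    UPDATE_OPS = {"add", "modify", "delete", "modrdn"}

    def __init__(self, search_policy, update_policy, lookup):
        self.search_policy, self.update_policy, self.lookup = search_policy, update_policy, lookup

    def select(self, op, email=None):
        if email is not None:
            return self.lookup.pick(email)
        if op == "search":
            return self.search_policy.pick()
        if op in self.UPDATE_OPS:
            return self.update_policy.pick()
        raise ValueError(f"unknown operation {op!r}")

# Constructed landscape: three replicas with the 50/20/30 update ratio from the
# slide, and two domain-specific directories for the referenced lookup.
REPLICAS = [Server("ldap1.example.com", 389, "cn=vds,dc=example,dc=com", "vault:ldap1"),
            Server("ldap2.example.com", 389, "cn=vds,dc=example,dc=com", "vault:ldap2"),
            Server("ldap3.example.com", 389, "cn=vds,dc=example,dc=com", "vault:ldap3")]
ROUTER = Router(
    RoundRobin(REPLICAS),
    SmoothWeighted(zip(REPLICAS, (5, 2, 3))),
    ReferencedLookup({
        "example.com": Server("dir.example.com", 389, "cn=SapUser,dc=example,dc=com", "vault:dir-com"),
        "example.net": Server("dir.example.net", 636, "cn=su,dc=example,dc=net", "vault:dir-net"),
    }))

def distribution(op, n, router=ROUTER):
    """How many of n consecutive `op` requests land on each host."""
    counts = {}
    for _ in range(n):
        host = router.select(op).host
        counts[host] = counts.get(host, 0) + 1
    return counts
```

Both selectors keep state, so there is one router per virtual directory configuration; the weighted selector reproduces the configured ratio exactly over every ten updates instead of only on average, which makes capacity planning for a weaker replica predictable.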
Use Case: Company Merger
Two companies merge
Different databases and metadirectories
Using the Virtual Directory to get access to the information
Exercises
1. Creating a new configuration
2. User Groups and Rules
3. Build a virtual tree
4. Configure VDS Logging
5. Add an LDAP data source
6. Add Database Connection
7. Add ObjectClass
8. Attribute Manipulation
9. Create a Multi Search Group
10. Optional: Create a Custom Connector
[Diagram: exercise landscape: the Virtual Directory Server connected to a SQL Server database (JDBC), a SunOne LDAP directory (LDAP) and an MS Excel application, with a standalone log viewer and the Identity Center]
Further Information
SAP Public Web:
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com
Further technical information from the SAP Technology RIG
Webinars: http://www.sdn.sap.com/irj/scn/ipnw-khnc
How to Guides: http://www.sdn.sap.com/irj/scn/howtoguides.
Podcasts: http://www.sdn.sap.com/irj/scn/sap-how-it-works-elearning.
You can also follow SAP Technology RIG on Facebook and Twitter
http://www.facebook.com/pages/SAP-RIG/119256894764191?ref=ts
http://twitter.com/saprig
Further Information
SAP Public Web:
SAP Developer Network (SDN):
http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
Related SAP Education and Certification Opportunities
http://www.sap.com/education/ - Course ID: TZNWIM
Related Workshops/Lectures at SAP TechEd 2010
SCI101, SAP NetWeaver Identity Management 7.2: Highlights of the Next Release, Lecture
SCI261, SAP NetWeaver Identity Management 7.1 – Workflow Configuration, Hands-On
SCI262, Compliant Identity Management with SAP NetWeaver IDM and SAP BusinessObjects Access Control, Hands-On
SCI263, Identity Virtualization with SAP NetWeaver IDM Virtual Directory Server, Hands-On
SCI265, Managing Federated Identities for Service-Based Single Sign-On, Hands-On
Contact
Feedback
Please complete your session evaluation.
Be courteous: deposit your trash, and do not take the handouts for the following session.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct special indirect or consequential damages that may result from the use of these
© 2010 SAP AG. All Rights Reserved