SAP customers are starting to run their core business solutions — ERP systems and analytics applications, for example — in increasingly collaborative environments, sending proprietary information and critical data through networks and applications that are either hosted or running in the cloud. In this newly open and networked environment, customers are rightfully looking for guidance on how to secure it all.
At SAP, we’ve spoken with our customers about their key security concerns, assessed our current security offerings, and pinpointed what improvements are needed to help customers keep their networks and enterprise information secure.
Our overarching goal is to enable integrated security management throughout a company’s processes and solutions. To achieve this, we plan to enhance our security offerings in support of networked solutions and applications, and to augment the security capabilities available in SAP NetWeaver Identity Management (SAP NetWeaver ID Management).[1]
Support for SAML 2.0 and Identity Federation
I have seen a vast adoption of service-oriented architecture (SOA) — and companies will likely continue to adopt networked applications with the goal of taking data and applications out of silos and exposing them as services across a heterogeneous landscape of both SAP and non-SAP systems. The name of the game here is connectivity, which is enabled through standards-based enterprise services or Web services. Of course, with this connectivity, securing a network of applications can be a real challenge. That’s why helping companies improve the security of networked environments is one of SAP’s top security initiatives this year.
In the past, SAP has worked to ensure the authenticity, integrity, and confidentiality of the Web services that enable networked applications by using XML signatures or XML encryption. Companies could delegate this authentication to external mechanisms through the Java Authentication and Authorization Service (JAAS). SAP also implemented Web-based authentication mechanisms, like Security Assertion Markup Language (SAML) 1.0/1.1. SAML is a standard protocol for authentication and single sign-on (SSO).[2] With a SAML assertion, you can authenticate users. Of course, these SSO mechanisms stop at the company’s boundaries; they cannot span into other companies’ systems for B2B or B2C scenarios.
SAML 2.0, on the other hand, goes beyond SAML 1.0/1.1’s capabilities and enables identity federation. With identity federation, you leverage cross-domain SSO. This means you can enable users within your partners’ domain to securely access data or systems in your own company’s domain — without making your company responsible for maintaining and administrating the other companies’ users. SAML 2.0 assertions enable you to federate your own users’ identities and set up trust relationships with your business partners’ users for authentication and SSO. In addition, using SAML 2.0 sets your company up with a recognized international security standard. Many non-SAP systems already have — or are being prepared to accept and offer — identity provider (IdP) and service provider (SP) capabilities that make SAML 2.0 possible. To continue to provide utmost security for networked applications, SAP has been investing heavily in technology that will enable SAML 2.0.
New IdP and STS Capabilities in SAP NetWeaver ID Management
To take advantage of SAML 2.0, you’ll need to set up an IdP — which will issue the SAML assertions for Web-based authentication and SSO — and a security token service (STS), which will enforce access decisions via SAML assertions in composite business processes. SAP plans to release an IdP in enhancement package 1 for SAP NetWeaver ID Management 7.1, which SAP plans to make available in the spring of 2010 (see Figure 1). It makes sense to bundle this technology within SAP NetWeaver ID Management for two main reasons:
- SAP NetWeaver ID Management already enables customers to provision users and roles throughout a heterogeneous landscape. The new functionality expands on these access management capabilities.
- From an integration perspective, it is logical to bundle the SAML 2.0 technology for authentication and SSO with the source of the identity information.
Figure 1: SAP NetWeaver ID Management 7.1 will support SAML 2.0 by providing an IdP and a security token service for service providers
New SP Capabilities in SAP Business Suite
In addition to the IdP functionality that issues SAML 2.0 assertions, SAP will also provide an SP capability that enables systems to receive the assertions and accept SAML 2.0 as an authentication and SSO mechanism. SAP plans to implement SP functionality in its newest SAP Business Suite release — planned for release in 2010 — as well as in Java 7.2, which SAP plans to release in the newest versions of SAP NetWeaver Composition Environment and SAP NetWeaver Business Process Management (SAP NetWeaver BPM).
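The SP side described above (and the cross-domain trust relationships from the identity federation section) comes down to the receiving system checking an incoming SAML 2.0 assertion against its own policy before it accepts the user. The following is an added illustration, not SAP’s SP implementation: a minimal set of SP-side acceptance checks (trusted issuer, signature present, validity window, audience restriction) run over a constructed sample assertion; the IdP and SP entity IDs and the sample user are made up for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion from a hypothetical partner IdP (not a real SAP artifact).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0"
    IssueInstant="2010-03-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml2</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2010-03-01T12:00:00Z" NotOnOrAfter="2010-03-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.mycompany.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_utc(ts):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2010-03-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuers, sp_entity_id, now_ts):
    """Return the list of policy violations; an empty list means the SP may accept it."""
    a = ET.fromstring(xml_text)
    now = parse_utc(now_ts)
    problems = []
    # 1. Only IdPs we have a federation trust relationship with may assert identities.
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")
    # 2. The assertion must be signed. This only checks presence; cryptographic verification
    #    against the IdP's certificate belongs to an XML-Signature library such as xmlsec.
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions element"]
    # 3. Validity window: reject assertions that are expired or not yet valid.
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_utc(nb):
        problems.append("not yet valid")
    if noa and now >= parse_utc(noa):
        problems.append("expired")
    # 4. Audience restriction: an assertion issued for another SP must not be accepted here.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience mismatch")
    return problems
```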
Additional Security Functionality in SAP NetWeaver ID Management
The enhanced Web-based and Web-service-based (SOA-based) authentication and SSO features planned for SAP NetWeaver ID Management will give customers increased flexibility and efficiency. But that’s not all SAP has planned.
SAP is also working to improve the integration of SAP NetWeaver ID Management with SAP BusinessObjects Access Control and SAP Business Suite. This integration will enable companies to set up a business-driven identity model and provide a sustainable way to prevent segregation-of-duties issues.
For example, if an employee’s job functions or tasks are expanded, companies must be able to communicate relevant access changes to any systems that the employee will now need to use in that expanded role. The improved business-driven identity model will make it easier to set up the necessary processes required to expand a user’s role and system access. In addition, the tools that SAP Business Suite and SAP BusinessObjects Access Control provide to support these change processes are accessible to the IT security administrator, as well as the casual end user.
Additional features SAP has planned to help reduce TCO and increase the usability of SAP NetWeaver ID Management include:
- Expanded auditing and logging capabilities to help customers see who has access to information and processes in their company; to provide the reporting and auditing dashboards that will enable this, SAP plans to enhance the integration between SAP NetWeaver Business Warehouse (SAP NetWeaver BW) and SAP NetWeaver ID Management
- Enhanced functionality within SAP NetWeaver ID Management’s Identity Center and Virtual Directory Server to support new identity services based on standards or to provision users for new technologies, such as cloud-based applications[3]
- Enhancements to the user interface to include predefined content and capabilities that will allow customers to develop custom-built UIs
- Reduced administrative work required to manage SAP NetWeaver ID Management
- Extension of the role management concept to include context-based roles (thereby reducing the amount of required back-end roles) and to allow for more granular role-based access, based on the specific areas a user is responsible for — cost centers or personnel areas, for example
All in all, SAP plans to make SAP NetWeaver ID Management more business-content aware, meaning that the solution will more readily react to modified business processes or organizational changes. It also means customers will be even closer to achieving integrated security management.
To reach this goal, SAP’s long-term plan is to improve SAP NetWeaver ID Management’s integration with SAP NetWeaver BPM, provisioning users and roles for composite business processes throughout a heterogeneous landscape. This way, companies can leverage a central repository of enterprise or Web services. The repository will hold security metadata, such as security policies for authentication and authorization and Web services security settings.
By combining this unified repository with role-specific tools to support various SAP NetWeaver ID Management users, business process experts will be able to expand the design of business processes to include identity management models and to securely configure composite business processes (see Figure 2).
Figure 2: A common process layer shared between SAP NetWeaver BPM and SAP NetWeaver ID Management will help customers make sure that security is an embedded part of their company’s business processes
SAP is working to align the shipping dates of both SAP BusinessObjects Access Control and SAP NetWeaver ID Management to ensure that both products have synchronized development cycles, leading to improved integration. Currently, the projected shipping date is Q4 2010.
Summary: Enhanced SAP Security Offerings Meet the Needs of Networked Applications
The adoption of collaborative networks, cloud computing, and networked applications is on the rise. And SAP is ready to support its customers as they work to secure their data in this new IT environment. SAP plans to invest in SAML 2.0 to improve Web-based and SOA-based authentication, SSO, and identity federation. These capabilities — along with other enhancements — will be shipped with SAP NetWeaver ID Management, which will also have a tighter integration with SAP BusinessObjects Access Control and SAP Business Suite. The long-term vision? To enable integrated security management by making SAP NetWeaver ID Management more business-content aware and by providing a common repository to hold security metadata.
For more information, visit www.sdn.sap.com/irj/scn/sapteched.
Gerlinde Zibulski (firstname.lastname@example.org) has been with SAP for more than 11 years. She brings to the table her experience in consulting, product management, executive assistance, and product strategy. Since 2001, Gerlinde has specialized in the security features and functions of SAP and is now the Head of the Solution Management Team for Security and Identity Management within the SAP Technology Group. Gerlinde holds a master’s degree in economics from the Private University Witten/Herdecke.
[1] For more information on SAP NetWeaver ID Management, see “Identity Management That’s Integrated into Your Current Business Processes” by Regine Brehm and Jens Koster in the July-September 2009 issue of SAPinsider.
[2] To learn more about how SSO promotes security, see “Enable Governance and Security Across Your Business Processes” by Yonko Yonchev and Peter McNulty in the October-December 2009 issue of SAPinsider.
[3] If you have to provision users into cloud-based applications today, we recommend using the Virtual Directory Server.