SAP Active Directory Integration – SSO and Usermanagement
André Fischer (andre.fischer@sap.com)
Project Manager CTSC

Michael Sambeth (michael.sambeth@sap.com)


NetWeaver Practice Unit Enterprise Portal
Agenda

Introduction

User Management

Single Sign On

Conclusion

© SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth




What the user wants …

[Diagram: Logon -> Portal -> Access to ERP, CRM, ESS, Groupware, Intranet, Workflow, Internet, ...]


What the administrator wants …

Central user management
  Single point of administration
  Assign user rights in various applications with one keystroke
  Lock or Delete users centrally

Central user repository
  Avoid redundant user information


What are the prerequisites?

Integrated Cross-Application User Management
  Central storage of user information
    Group assignment
    Basic user data
    Application specific user data
  Standard access protocol
    Interoperability, multi-vendor and platform support

Solution: LDAP
  LDAP directories serve as central repository for user master data.
  Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP).
  Applications from multiple vendors and platforms can work as LDAP clients -> Interoperability
  Authentication


What are the prerequisites ?

Single Sign-On (SSO)


User authenticates once against a security system
User is afterwards automatically authenticated to access other systems
Authentication against external applications is transparent for the user
Logon-Procedure for initial authentication must be secure

Solution
SAP Logon Tickets
E.g. with SAP Enterprise Portal, SAP WebAS,...



… and how can it be realized in a Microsoft Environment!

SAP
  Enterprise Portal / Web AS can use LDAP Directories as User Repository (User Persistence Store)
  Enterprise Portal provides SSO to SAP and MS backend systems using SAP Logon Tickets
  SAP provides a Directory Interface for User Management via LDAP
  mySAP HR can create / update users in LDAP Directories
  SAP user data can be synchronized with user data in LDAP Directories

Microsoft Active Directory
  Supports LDAP
  Active Directory is SAP certified (BC-USR-LDAP)
  Windows authentication can be used as external authentication for mySAP Enterprise Portal (SSO to EP)


The big picture

[Diagram: SAP Enterprise Portal with UME (Web AS Java) provides SSO to 3rd party applications, to Microsoft based applications (SAP ISAPI Filter) and to mySAP systems (HR, CUA, WebDynpro Java application with UME on Web AS Java). Connections to Active Directory are labelled: create and modify users; use as user repository; synchronize user data; use as user repository; SSO authentication.]




User Management (step 1)

[Diagram: user management steps around Active Directory]
1. mySAP HR: create / modify directory users
2. Active Directory: assign groups and password
3. SAP EP & SAP J2EE: use directory as user repository for EP and Java users
4. CUA: create / synchronize SAP ABAP users using BC-LDAP-USR interface

mySAP HR LDAP interface

Goal
  Create / modify users in the directory server automatically from employee data stored in mySAP HR

Reason
  mySAP HR is master system for (basic) employee data
    First name
    Last name
    Employee number
    Manager
    …
  Optimize administration of users
    Reduction in operational costs
    Correctness of data
    Speed of the process

Restriction
  Only export of data


User information in Active Directory

Attributes that can be provided by mySAP HR

distinguishedName: CN=Andre Fischer,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP
sn: Fischer
givenName: Andre
employeeNumber: 0123456
sAMAccountName: M0123456
userPrincipalName: andre.fischer@mstsc.sap.corp
…

Attributes that are provided by Active Directory and Exchange Administration

mail: andre.fischer@sap.com
memberOf: CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
          CN=Domain Admins,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
          CN=SAP Users,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
…


Data export from mySAP HR using LDAP interface

[Diagram: SAP HR systems <= 4.6C connect via RFC to a WebAS >= 6.10, which accesses Active Directory via LDAP; SAP HR systems >= 4.7 access Active Directory via LDAP directly]

Extraction -> Mapping -> Create / update users

Mapping: SAP data field -> LDAP attribute
  Employee data (SAP data fields): Personnel number, First Name, Last Name, ...
  User attributes (LDAP attributes): cn, sn, givenName, ...


Results of export using mySAP HR LDAP interface

=> New users are created as deactivated accounts in Active Directory

=> Existing user accounts will be updated


User Management (step 2)

Active Directory: assign groups and password

Active Directory - Useradministration

Activate account

Assign groups

Set / Reset password

Perform additional administrative tasks …


User Management (step 3)

SAP EP & SAP J2EE: use directory as user repository for EP and Java users

Architecture: User Management Engine

[Diagram: data stores used by the User Management Engine on the Portal Server]

User Persistence Store (LDAP or Portal Database or SAP System)
  Basic user data
  Basic group data
  User group assignment

Portal Database (stores portal-specific data)
  UM Instance
    User/group role assignment
    User mapping (for SSO purposes)
    User’s personalization data
  PCD Instance
    User Roles (Metadata)
    Content role assignment


UME: Active Directory as User Persistence Store

Portal Users are stored in the Directory

Active Directory groups can be assigned to Portal Roles

Portal specific information is stored in portal database
  Group <-> role assignment
  User <-> role assignment

Portal User Id = sAMAccountName (default)

Multiple domains are supported if an attribute is used as portal user id that is unique in the complete forest (the sAMAccountName is only unique in a domain)

LDAP access of the portal to the directory should be secured by SSL


UME result

User can log on to SAP EP immediately

User is assigned to roles that are assigned to the user or the groups the user has been assigned to


User Management (step 4)

CUA: create / synchronize SAP ABAP users using BC-LDAP-USR interface

Overview SAP LDAP user synchronisation
[Diagram: systems on release 4.7 and higher connect to the directory via LDAP; CUA on WebAS (mandatory for 4.5 & 4.6, optional for 4.7 and higher) connects to the directory via LDAP and to the SAP systems via ALE]

SAP ABAP user management data can be synchronized with an LDAP directory with systems based on WebAS 6.10 or higher
SAP Systems with Release 4.5 and higher can be integrated into LDAP using CUA
LDAP directory interface provides mapping capabilities between LDAP attributes and SAP data fields
SAP user synchronisation and distribution can be performed by background jobs


LDAP Connector

[Diagram: a work process on the SAP Application Server calls function ‘LDAP_XXX‘ via RFC in the LDAP Connector; the LDAP Connector holds the LDAP connection to the LDAP server (Domain Controller: Active Directory)]

Executable LDAP_RFC shipped since Release 4.6A
Loads LDAP Library of operating system at runtime


LDAP Connector as Service on Windows

[Diagram: a work process on the SAP Application Server calls function ‘LDAP_XXX‘ via RFC in the LDAP Connector; the LDAP Connector holds the LDAP connection to the LDAP server (Domain Controller: Active Directory)]

If operating system of SAP Application Server does not provide a LDAP Library
LDAP connector runs as Service on Windows

Result of SAP user LDAP synchronisation

User is created / updated with basic user data from LDAP directory
  First Name
  Last Name
  eMail
  Roles (optional)

Users are created without password
  Passwords are not needed if SSO using SAP Logon Tickets is used
  No security risk since users cannot log on using an initial password without using SSO via Enterprise Portal


Q&A: Usermanagement with Microsoft Active Directory





What is Single Sign-on (SSO)?

Single Sign-on
  User authenticates once against a security system
  User is afterwards automatically authenticated to other systems

Authentication
  Initial check of user credentials (for example username/password)


Why use Single Sign-on?

Typical situation
  In a complex system landscape an employee has many user IDs with different passwords
  Different procedures for each system to roll out, reset and change new/existing passwords
  Users find continuous password changing for many systems annoying

Problems
  High administration cost and effort
  Security risk: Users write passwords down and store them where they can easily be found

Solution: Single Sign-on
  Users only have to remember one password to gain access to every system
  Administration costs and effort are drastically reduced


Authentication Methods – Initial Logon Procedure

Enterprise Portal 6.0 supports various authentication methods
  User ID / password
    LDAP Directory (for example Active Directory)
    Portal Database
    SAP System
  X.509 digital certificates
  Third-party authentication
    Integrated Windows authentication
    SAP authentication (SAP Web AS or R/3)
    Others through JAAS interface (pluggable JAAS login modules, e.g. RSA)

SAP integrates into existing Active Directory landscapes
  Initial logon procedure to authenticate user can be delegated to Active Directory
  No additional costs since no 3rd party software is required
  Authentication methods can also be used if portal runs on UNIX
  SAP provides necessary interfaces and tools
    UME: LDAP Adapter for Active Directory
    ISAPI Filter for IIS (IISProxy.dll)


Integrated Windows authentication – SSO Microsoft Windows Logon to Enterprise Portal

Prerequisites
  Separate Webserver: IIS with IISProxy.DLL filter
  Browser: Microsoft Internet Explorer
  EP checks HTTP Header variable REMOTE_USER**

Authentication of users is delegated to the operating system
  Previous logon to Windows operating system can be reused
  User is not required to reenter his or her Windows authentication credentials

Limitations
  Multiple domains are now supported*. In this case an attribute that is unique in all domains has to be used as portal logon id (for example userPrincipalName)
  Can only be used in Intranet scenarios

[Diagram: Active Directory, IIS with SAP ISAPI Filter, SAP Enterprise Portal]
1. Auth.
2. Login
3. Check credentials
4. ISAPI Filter redirects HTTP request
5. SAP Logon Ticket issued

*Solution is available for EP 6.0 SP2 on project basis
** EP <=EP6.0 SP2 Patch4: NTLM header is used
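
The multi-domain limitation above, together with the earlier note that sAMAccountName is only unique within a domain, can be checked before an attribute is chosen as portal logon id. The following Python audit is an added example, not part of the original presentation; the directory entries, domain names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample entries (assumption, not from the slides): two domains
# of one forest that both contain an account named M0123456.
FOREST = [
    {"dn": "CN=Anna Muster,CN=Users,DC=emea,DC=example,DC=corp",
     "sAMAccountName": "M0123456",
     "userPrincipalName": "anna.muster@emea.example.corp"},
    {"dn": "CN=Max Muster,CN=Users,DC=apac,DC=example,DC=corp",
     "sAMAccountName": "m0123456",
     "userPrincipalName": "max.muster@apac.example.corp"},
    {"dn": "CN=Eva Beispiel,CN=Users,DC=emea,DC=example,DC=corp",
     "sAMAccountName": "M0654321",
     "userPrincipalName": "eva.beispiel@emea.example.corp"},
]


def domain_of(dn):
    """Return the DNS-style domain built from the DC= components of a DN."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    dcs = [r.split("=", 1)[1].strip() for r in rdns
           if r.strip().upper().startswith("DC=")]
    return ".".join(dcs).lower()


def collisions(entries, attr, per_domain=False):
    """Return {(scope, value): [DNs]} for every value held by several entries.

    Values are compared case-insensitively. scope is the domain when
    per_domain is True and the empty string for a forest-wide check.
    """
    seen = defaultdict(list)
    for entry in entries:
        value = entry.get(attr)
        if value is None:
            raise ValueError("%s has no %s" % (entry["dn"], attr))
        scope = domain_of(entry["dn"]) if per_domain else ""
        seen[(scope, value.casefold())].append(entry["dn"])
    return {key: dns for key, dns in seen.items() if len(dns) > 1}


def resolve_logon_id(entries, attr, logon_id):
    """Map a logon id to exactly one DN; fail closed on zero or several hits."""
    matches = [e["dn"] for e in entries
               if e.get(attr, "").casefold() == logon_id.casefold()]
    if len(matches) != 1:
        raise LookupError("%r matches %d accounts via %s"
                          % (logon_id, len(matches), attr))
    return matches[0]


if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, "forest-wide collisions:", collisions(FOREST, attr))
```

With the sample data, sAMAccountName passes the per-domain check but collides forest-wide, so a lookup by that attribute is refused, while userPrincipalName resolves to a single account.
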



Authentication Methods – User Id / Password (LDAP)

Prerequisites
  User Persistence Store: Active Directory

Authentication of users is delegated to the operating system
  User must enter his or her Windows authentication credentials

Typical scenarios
  Extranet scenarios
  Intranet scenarios where a second login using the same username / password should be used

[Diagram: SAP Enterprise Portal, Active Directory]
1. Login
2. LDAP bind, check credentials
3. SAP Logon Ticket issued


Overview – SSO from EP to backend systems

SAP EP provides SSO to backend systems using
  SAP Logon Tickets
  Account Aggregation

SAP Logon Tickets can be used for SSO to:
  SAP Applications
  Web based applications with the SAP Web Server filter
  JAVA and C applications using SAP's shared library
  Microsoft Applications using SSO2KerbMap Module *

* Active Directory 2003 required

[Diagram: after initial logon or SSO, SAP Enterprise Portal passes the SAP Logon Ticket for SSO to SAP systems, to 3rd party applications (SAP Web Server Filter or Shared Library) and, marked as new, to the SSO22KerbMap Module]

SSO – Account Aggregation

Features:
  Account aggregation can be used if the external system does not support SAP logon tickets
  System is maintained in portal system landscape
  Portal components connect to the external system with the user’s credentials (user ID and password), e.g. with SAP AppIntegrator
  Credentials submitted via HTTP GET Query String or HTTP POST body
  User mapping and credentials information are securely stored in the Portal Database

Drawbacks and Limitations:
  Redundant administration of credentials
    Stored credentials have to be changed if password changes in a backend system
    Administrative overhead
  Security update of MS IE http://user:pwd@server.com
    Username and password must not be sent in a URL via the network

Conclusion:
  Seamless SSO technique such as SAP Logon Tickets is preferred

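
The drawback listed above, that username and password must not be sent in a URL, can be monitored for on a proxy or web server. The following Python check is an added example, not part of the original presentation; the log format, the sample lines and the parameter names in SECRET_PARAMS are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of parameters that carry a password; extend with the form
# field names of the backend systems that are actually integrated.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass"}

# Constructed proxy log lines (assumption, not from the slides).
SAMPLE_LOG = [
    "10:01:12 GET http://mmuster:Secret1@legacy.example.com/app/start 200",
    "10:01:15 GET https://crm.example.com/login?user=mmuster&PWD=Secret1&lang=EN 200",
    "10:01:19 POST https://crm.example.com/login 200",
    "10:01:24 GET https://portal.example.com/portal?tab=home 200",
]


def find_url_credentials(url):
    """List the places in a URL where a password is exposed."""
    parts = urlsplit(url)
    findings = []
    if parts.password is not None:          # http://user:pwd@server form
        findings.append("userinfo")
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:   # password in the GET query string
            findings.append("query:" + name)
    return findings


def redact(url):
    """Return the URL without userinfo and with secret parameters masked."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                         # IPv6 literal needs brackets again
        host = "[%s]" % host
    if parts.port is not None:
        host += ":%d" % parts.port
    query = urlencode(
        [(n, "REDACTED" if n.lower() in SECRET_PARAMS else v)
         for n, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, host, parts.path, query, parts.fragment))


def scan_log(lines):
    """Return (line number, redacted URL, findings) for every exposing request."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in line.split():
            if token.startswith(("http://", "https://")):
                findings = find_url_credentials(token)
                if findings:
                    # Only the redacted URL is kept, so the report itself
                    # does not become another copy of the password.
                    hits.append((lineno, redact(token), findings))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Credentials sent in a POST body do not appear in the URL, so the third sample line is not flagged; that case needs inspection at the application rather than in URL logs.
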
SSO – SAP Logon Tickets

Portal Server issues an SAP logon ticket to a user after successful initial authentication

SAP logon ticket is stored as a per-session cookie on the client browser

SAP logon ticket is used to authenticate user to applications
  User gets access to multiple applications and services
  After initial logon no further user logons required

SAP logon tickets contain user name(s)

SAP Logon Ticket is signed using digital signatures


Verifying the SAP Logon Ticket

[Diagram: the backend system checks the SAP Logon Ticket against the Portal Server’s public-key certificate]

Step 1:
Verification of the digital signature provided with the SAP logon ticket.
=> Application needs access to issuing server’s public-key certificate

Step 2:
Retrieval of the user ID which is stored in the SAP logon ticket.
=> No additional authentication necessary.


SSO to SAP Backend Systems using SAP Logon Tickets

SAP User IDs must be equal in all SAP backend systems

Portal UserID = SAP UserID in backend systems
  Logon Ticket issued by the portal server contains the portal userID only
  Initial portal authentication is sufficient

Portal UserID ≠ SAP UserID in backend systems
  The user has to log on once initially to the SAP Reference system
  Logon Ticket issued by the portal server contains both the portal userID and the SAP userID in backend systems

If the SAP User IDs of a portal user are not equal in all SAP backend systems, SSO via account aggregation has to be used


SAP Reference System

Contains the SAP User ID‘s

Used for mapping between SAP Users and Portal Users in EP

SAP Users can be created / modified using LDAP directory interface

Users have only to logon once to the SAP reference system

SAP CUA system can be used as SAP Reference system


SSO to SAP components using SAP Logon Tickets

[Diagram: after the initial logon, the portal passes the SAP Logon Ticket for SSO to Web components (WebDynpro and BSP pages on WebAS, SAPGUI for HTML via ITS) and to Windows components (SAPGUI for Windows, SAP Dynpro)]


Web Server Filter, Shared Library and Java classes

Web Server Filter
  Available for several Web Servers (IIS, Apache, iPlanet)
  Verifies SAP Logon Ticket and extracts portal user id
  Adds portal user id to HTTP header
  Example: Use by ASP applications

Shared Library
  Dynamic Link Library for verifying SSO Tickets in third party software
  Native support of SSO using SAP Logon Tickets for applications written in C, Visual Basic
  SAP provides C samples

Java Classes
  Java Classes provided by SAP
  Operating System independent
  Javadoc on SDN contains JAVA samples


SSO to MS based backend systems innovation

Goal:
  Use of Kerberos for authentication on MS backend servers

Windows authentication (Kerberos) is the preferred authentication method in Microsoft environments

Problem:
  Kerberos does not work well across the Internet (firewall config)
  Windows integrated authentication can only be used in intranet scenarios (firewall config, trusted domains)
  To perform Kerberos on a client’s behalf the server needs to have the client’s primary credentials (RFC 1510)
    Client’s password OR
    Client’s ticket granting ticket (TGT) and the corresponding session key
  But, Windows Server must NOT know the client’s password which would be a severe breach of trust


Solution: SSO22KerbMap Module

Applicable where Kerberos would not work natively, e.g. over the Internet
Manageability / Constraints
Kerberos Constrained Delegation with Protocol Transition
Authentication on behalf of an end user


Kerberos constrained delegation using protocol transition

Microsoft has enhanced its implementation of the Kerberos protocol
  Constrained delegation: Service may request a (constrained) Kerberos ticket on behalf of a user for specified services only
  Protocol transition: Client may be authenticated using other methods than Kerberos

[Diagram: clients present SAP Logon Tickets to IIS with the ISAPI Filter (SSO22KerbMap Module); IIS uses Active Directory and Kerberos constrained delegation to reach the IIS back-end servers]

SAP has developed the SSO22KerbMap Module (ISAPI Filter)
  Protocol transition: Filter allows authentication using SAP Logon Tickets
  Constrained delegation: Filter can acquire Kerberos Tickets on behalf of user that is authenticated by a SAP Logon Ticket


SSO22KerbMap Module - Flowchart

[Flowchart: Windows client (IE) -> HTTP(S) with SAP Logon Ticket -> IIS 6 -> Kerberos -> backend application; further labels: ADS 2003, identification, constrained delegation, impersonation]

1. Client with (valid) SAP Logon Ticket
2. Authentication to IIS. ISAPI Filter DLL checks validity of SAP Logon Ticket
3. Identification: ISAPI Filter searches for a user in Active Directory with the user id contained in SAP Logon Ticket.
4. Impersonation as user (LogonAsUser)
5. Constrained Delegation managed by ADS
6. Kerberos Authentication when connecting to backend service as fully qualified Windows Domain User
7. Windows backend application/service accepts constrained Kerberos ticket

Configuration of delegation in Active Directory

Sample configuration in ADS for Outlook Web Access


Microsoft Exchange Front-End and Back-End Server Architecture

[Diagram labels: Global catalog server; Firewall; Client – Extranet; Exchange back-end servers; Client – Intranet]


Outlook Web Access using SSO22KerbMap Module

[Diagram, steps numbered 1 to 3: Exchange Frontend Server with SSO22KerbMap Module (check SAP Logon Ticket, passthrough authentication); Active Directory (check if server is trusted for delegation); Exchange Backend Server(s) with SSO22KerbMap Module (impersonation, Kerberos ticket)]


Outlook WebAccess for Exchange 2003



Portalized Outlook WebAccess

* German localization

Summary

SAP Logon Tickets for Authentication on IIS web server
ADS 2003
Kerberos Constrained Delegation with Protocol Transition
Authentication to backend
Microsoft S4U2-Kerberos Extensions




Conclusion

SAP Enterprise Portal supports open standard LDAP
  Integrates into existing LDAP directories
  Existing groups can be used for role assignment

SAP Enterprise Portal provides SSO using SAP Logon Tickets to
  SAP systems
  MS based applications

SAP provides DLL to use integrated Windows authentication as SSO to EP

SAP Enterprise Portal serves as an end-to-end SSO solution


Q&A: Single sign-on to Microsoft Systems



References

SSO2KerbMap Module Download & Documentation:
  SAP Software Distribution Center: http://service.sap.com/swdc -> Search and search for the string "sso22kerbmap"
  SAP Note 735639 "SSO2 To Kerberos Mapping Filter: Known issues"
  http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=DISPL_TXT&_NNUM=735639&_NLANG=E

SAP Application Integrator HowTo:
  http://service.sap.com/EP60howtoguides

Customizing MS Outlook Web Access:
  http://www.microsoft.com/technet/prodtechnol/exchange/2000/library/CUSTOWA.mspx
  http://www.msexchange.org/articles/Exchange_2003_Outlook_Web_Access_Themes.html

Microsoft 2003 Kerberos Constrained Delegation:
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
  http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/


Copyright 2004 SAP AG. All Rights Reserved
