
Identity Management, Single-Sign On, Operations

Tilo Boettcher

Senior Program Manager, Microsoft Corporation, Tilo.Boettcher@microsoft.com

Introduction

Agenda:
- Identity Management
- Single Sign On
- Operations using System Center Operations Manager

What the user has

Diagram: one PC logon, then a separate logon for each application (ERP, CRM, ESS, groupware, workflow, intranet, internet, ...).

What the user wants

Diagram: one PC logon that gives access to all of these applications without further logons.

What the administrator wants

- Central user management
- Single point of administration
- Assign user rights in various applications with one keystroke
- Lock or delete users centrally
- Central user repository
- Avoid redundant user information

Section: Identity Management

User Management integration w/o MIIS using SAP standard interfaces

Diagram: SAP NetWeaver (Enterprise Portal; mySAP Business Suite and SAP R/3: CRM, ERP, R/3 HR) on SAP Web AS ABAP, with UME / CUA as the user store, kept in step with Microsoft Active Directory on Microsoft Windows Server by LDAP synchronisation.



Data export from mySAP HR using the LDAP interface

Diagram: SAP HR on Web AS 6.10 or higher (R/3 4.7 or higher) writes to Active Directory directly over LDAP; releases up to 4.6C go through RFC and then LDAP.

Steps:
- Extraction of employee data: personnel number, first name, last name, ...
- Mapping SAP data field -> LDAP attribute
- Create / update users with the user attributes cn, sn, givenName, ...
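The three steps above (extract, map, create/update), as an added worked example that is not part of the deck and not SAP's LDAP interface code: a Python script that takes a constructed HR extract, applies a field-to-attribute mapping, and emits LDIF that an Active Directory import tool could consume. The SAP-side field names (PERNR, VORNA, NACHN, USRID, STAT2), the mapping table, the target OU and the example.com domain are assumptions; in a real landscape the mapping is configured in SAP's LDAP interface. Two practitioner points the slide does not show are built in: a record missing mandatory data is reported and skipped rather than turned into a half-populated account, and employees who are not active in HR are provisioned disabled.

```python
"""Added example, not from the slide deck and not SAP's LDAP interface code.
Maps a constructed SAP HR extract to Active Directory attributes and emits
LDIF.  Field names, mapping table, OU and domain are assumptions."""
import base64

# Constructed sample extract (assumed field names: personnel number, first name,
# last name, user ID, employment status where "3" = active).
SAMPLE_EXTRACT = [
    {"PERNR": "00001234", "VORNA": "Anna", "NACHN": "Müller", "USRID": "AMUELLER", "STAT2": "3"},
    {"PERNR": "00005678", "VORNA": "Ben", "NACHN": "Schmidt", "USRID": "BSCHMIDT", "STAT2": "0"},
    {"PERNR": "00009012", "VORNA": "Carla", "NACHN": "Weber", "USRID": "", "STAT2": "3"},
]

# Mapping SAP data field -> LDAP attribute (assumed; the real table is configured in SAP).
FIELD_MAP = {"PERNR": "employeeID", "VORNA": "givenName", "NACHN": "sn", "USRID": "sAMAccountName"}
TARGET_OU = "OU=SAP Users,DC=example,DC=com"   # assumed target container
UPN_SUFFIX = "example.com"                       # assumed UPN suffix
MANDATORY = ("PERNR", "NACHN", "USRID")          # a record without these must not become an account


class MappingError(ValueError):
    """Raised for a record that cannot be mapped to a complete account."""


def map_employee(rec):
    """Return (dn, attrs) for one HR record, or raise MappingError."""
    for field in MANDATORY:
        if not rec.get(field):
            raise MappingError(f"record {rec.get('PERNR', '?')}: missing {field}")
    attrs = {ldap: rec[sap] for sap, ldap in FIELD_MAP.items() if rec.get(sap)}
    attrs["cn"] = attrs["sAMAccountName"]
    attrs["displayName"] = f"{rec.get('VORNA', '')} {rec['NACHN']}".strip()
    attrs["userPrincipalName"] = f"{attrs['sAMAccountName'].lower()}@{UPN_SUFFIX}"
    attrs["objectClass"] = ["top", "person", "organizationalPerson", "user"]
    # userAccountControl: 0x200 = NORMAL_ACCOUNT, 0x2 = ACCOUNTDISABLE.
    # Employees not active in HR are provisioned disabled.  No password attribute
    # is emitted at all: the HR export is not the password source.
    active = rec.get("STAT2") == "3"
    attrs["userAccountControl"] = str(0x200 | (0 if active else 0x2))
    return f"CN={attrs['cn']},{TARGET_OU}", attrs


def ldif_line(name, value):
    """RFC 2849: values that are non-ASCII, contain newlines, or start with
    space, ':' or '<' must be base64-encoded after a double colon."""
    if value.isascii() and not value.startswith((" ", ":", "<")) and "\n" not in value:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(dn, attrs, changetype="add"):
    """Serialise one entry as an LDIF change record."""
    lines = [ldif_line("dn", dn), f"changetype: {changetype}"]
    for name, value in attrs.items():
        for single in (value if isinstance(value, list) else [value]):
            lines.append(ldif_line(name, single))
    return "\n".join(lines) + "\n"


def sync_extract(records):
    """Map a whole extract.  Bad records are reported, not silently dropped,
    and one bad record does not abort the rest of the run."""
    entries, errors = [], []
    for rec in records:
        try:
            dn, attrs = map_employee(rec)
            entries.append(to_ldif(dn, attrs))
        except MappingError as exc:
            errors.append(str(exc))
    return "\n".join(entries), errors


if __name__ == "__main__":
    ldif, errors = sync_extract(SAMPLE_EXTRACT)
    print(ldif)
    for err in errors:
        print("SKIPPED:", err)
```

The emitted LDIF deliberately contains no unicodePwd: the HR extract provides identity attributes only, and an account created this way stays unusable for password logon until the directory side assigns credentials, which is exactly the property the SSO slides later rely on.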

DEMO: Login over MS ADS

- SAP UME over MS ADS
- SSO login into ERP

Diagram: user -> SAP EP 6.0 -> Microsoft Active Directory (LDAP) -> SAP ECC 5.0 (Sales, HR)

SAP LDAP user synchronisation

Diagram: the LDAP directory is synchronised directly with Web AS-based systems (4.7 and higher), or via ALE from CUA on Web AS for older releases; CUA is mandatory for 4.5 and 4.6 and optional for 4.7 and higher.

- SAP ABAP user management data can be synchronised with an LDAP directory for systems based on Web AS 6.10 or higher
- SAP systems with release 4.5 and higher can be integrated into LDAP using CUA
- The LDAP directory interface provides mapping of LDAP attributes to SAP data fields
- SAP user synchronisation and distribution can be performed by background jobs


Result of SAP user LDAP sync

- User is created / updated with basic user data from the LDAP directory: first name, last name, e-mail, roles (optional)
- Users are created without a password; passwords are not needed when SSO with SAP Logon Tickets is used
- Because no initial password exists, these users cannot log on with a password at all, only via SSO through the Enterprise Portal; this holds as long as no initial password is assigned to them afterwards


Identity Management using MIIS in a Microsoft Environment

SAP standard interfaces:
- SAP Web AS ABAP: LDAP synchronisation with Active Directory
- SAP Web AS Java: support for LDAP directories (Active Directory) as user store
- SAP HR: LDAP interface, HR data retrieval into an LDAP-enabled directory service

Microsoft Identity Integration Server: MIIS 2003 SP1 SAP Management Agent

MIIS will get additions with Identity Lifecycle Manager ILM 2007 soon
http://www.microsoft.com/windowsserver/ilm2007/default.mspx


MIIS 2003 SP1: SAP Agent

Goals:
- Use supported SAP interfaces (SAP certification in progress)
- Don't require reconfiguration of SAP
- Support default configurations out of the box
- Make it possible to use any BAPI on the SAP application server that can be called remotely
- Use SAP technology to connect directly to SAP
- Leverage the SAP security infrastructure
- Eliminate manual file creation processes

Scenarios:
- Employees as authoritative data for provisioning
- Feed updated e-mail and user ID attributes back to SAP
- Provision and manage SAP HR / CUA users


Architecture: Objectives

- Provide the ability to reach SAP directly for imports and exports; use BAPIs to accomplish this integration
- Reuse SAP's technology and communication security for off-box invocation of BAPIs
- Allow for SAP configurations that aren't the standard out-of-the-box solution by providing a configuration tool that connects to the SAP application server and discovers the BAPIs that can be called remotely
- Build a UI that lets users map any BAPI parameter component to any connector-space attribute for a particular set of MA operations
- Allow user-defined operations for cases where retrieving a single object (for example an employee) requires calling several BAPIs: the personal information, the communication ID, the organizational assignment, the manager's ID, the department and cost center names, etc. each come from a different BAPI, and the results must be tied together into a single object. The architecture was designed to accommodate this kind of user-defined operation.

User Management integration with MIIS: provisioning, deprovisioning, synchronization, password synch.; users, customers, employees

Diagram: MIIS Server running the MIIS Sync Engine with a File MA and the SAP MA; the SAP MA imports from and exports to SAP over BAPIs.

- SAP is the example connected data source
- BAPIs (a set of APIs for interacting with SAP) are used for import and export
- The SAP Management Agent is built using an easy-to-use set of .NET interfaces
- Import employees, users, customers; export users and updates to employees and customers

MIIS usage: User Management integration with MIIS

Diagram: SAP NetWeaver (Enterprise Portal; mySAP Business Suite and SAP R/3: CRM, ERP, R/3 HR) on SAP Web AS ABAP with UME / CUA as user store; MIIS handles data extraction and provisioning between the SAP user store and Microsoft Active Directory on Microsoft Windows Server.

Section: Single Sign On

SAP EP: SSO to SAP backend applications

Diagram: after the initial logon (Web or Windows authentication) the portal issues an SAP Logon Ticket, which is then presented to Web Dynpro applications, to BSP pages on the Web AS, to SAPGUI for HTML via the ITS, and to SAPGUI for Windows.

SSO with SAP Logon Tickets

- The Portal Server issues an SAP Logon Ticket to a user after successful initial authentication
- The SAP Logon Ticket is stored as a per-session cookie in the client browser
- The SAP Logon Ticket is used to authenticate the user to applications
- The user gets access to multiple applications and services; after the initial logon no further user logons are required
- SAP Logon Tickets contain the user name(s)
- The SAP Logon Ticket is signed using digital signatures
- Because the ticket is a bearer cookie, whoever holds it is that user until it expires: send it only over HTTPS, restrict the cookie to the DNS domain that actually needs it, keep the validity period short, and have every accepting system verify the signature against the issuing portal's certificate before trusting the user name it carries
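What an accepting system has to check before it trusts the user name in a ticket, as an added example that is not part of the deck and not SAP's ticket code. A real SAP Logon Ticket (the MYSAPSSO2 cookie) is a base64-encoded structure carrying a PKCS#7 signature from the issuing portal; this Python model replaces the asymmetric signature with an HMAC over a JSON body so that it runs with the standard library only, and the field layout, issuer identifiers and key are invented. The checks themselves (issuer on the trust list, signature valid, validity window, user name present) are the ones that matter regardless of the signature scheme.

```python
"""Added example: a model of SAP Logon Ticket acceptance, not SAP code.
An HMAC stands in for the PKCS#7 signature of a real ticket (assumption, so
the example needs only the standard library); field layout and keys are
invented for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Assumed trust list of the accepting system: (issuing system ID, client) -> verification key.
# In a real system this is the issuer's certificate in the trust store plus an ACL entry.
TRUSTED_ISSUERS = {
    ("EP1", "000"): b"constructed-portal-signing-key",
}


class TicketError(Exception):
    """The ticket must not be used to identify the user."""


def issue_ticket(user, sid, client, key, lifetime_s=8 * 3600, now=None):
    """Portal side: sign user name, issuer identity and validity window."""
    now = int(time.time()) if now is None else now
    body = {"user": user, "sid": sid, "client": client, "iat": now, "exp": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(sig)).decode("ascii")


def verify_ticket(cookie, now=None):
    """Accepting side: return the user name only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = cookie.encode("ascii").split(b".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        body = json.loads(payload)
    except (ValueError, UnicodeError) as exc:
        raise TicketError("malformed ticket") from exc
    if not isinstance(body, dict):
        raise TicketError("malformed ticket")
    # 1. The issuer named in the ticket must be on the trust list; only then is there a key to check with.
    key = TRUSTED_ISSUERS.get((body.get("sid"), body.get("client")))
    if key is None:
        raise TicketError(f"issuer {body.get('sid')}/{body.get('client')} not trusted")
    # 2. The signature must verify; nothing else in the body is trusted before this point.
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        raise TicketError("signature check failed")
    # 3. The validity window must contain 'now'.
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        raise TicketError("ticket outside validity window")
    # 4. The ticket must actually name a user.
    if not body.get("user"):
        raise TicketError("ticket carries no user name")
    return body["user"]


def accept(cookie, now=None):
    """Convenience wrapper: (user, None) on success, (None, reason) on rejection."""
    try:
        return verify_ticket(cookie, now), None
    except TicketError as exc:
        return None, str(exc)


if __name__ == "__main__":
    key = TRUSTED_ISSUERS[("EP1", "000")]
    print(accept(issue_ticket("AMUELLER", "EP1", "000", key)))          # accepted
    print(accept(issue_ticket("ADMIN", "EP1", "000", b"wrong-key")))    # signature check failed
    print(accept(issue_ticket("ADMIN", "EP2", "000", key)))             # issuer EP2/000 not trusted
```

Note what the model cannot catch: a ticket copied out of a victim's browser passes all four checks until its expiry, which is why the cookie's transport protection and lifetime are part of the security argument, not just the signature.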


SAP EP: Authentication Methods (initial logon procedure)

- User ID / password against: LDAP directory (for example Active Directory), portal database, SAP system
- X.509 digital certificates
- Third-party authentication
- Integrated Windows authentication
- SAP authentication (SAP Web AS or R/3)
- Others through the JAAS interface (pluggable JAAS login modules, e.g. RSA)


SAP EP: SSO to SAP and MS backend applications

Diagram (SAP NetWeaver Portal Framework): the user on a Windows workstation authenticates to (or has SSO to) the SAP Enterprise Portal, which identifies the user against Microsoft Active Directory on Microsoft Windows Server; the portal issues an SAP Logon Ticket for mySAP Business Suite and SAP R/3 systems, and the SAP Kerberos Ticketing Bridge turns the Logon Ticket into a Kerberos ticket for applications hosted on IIS.

Section: Operations using System Center MOM

System Center Operations Manager

- 9,000+ customers
- Award-winning capabilities: Windows IT Pro 2005 Readers' Choice Winner
- Proven infrastructure management
- Proven partner MPs (management packs)
- Strong product roadmap


MOM: Analyst Momentum

Gartner: "Companies considering a management tool for their Windows-centric server environment should definitely place MOM 2005 on their evaluation list." (David Coyle, April 05)

Forrester: "With the release of MOM 2005, Microsoft has made important improvements to the product; it is set to become the No. 1 or No. 2 player in the Windows server platform management market within the next three years." (Thomas Mendel, Sept 04)

IDC (Sept 05): numbers show MOM growing at 5x the market rate: Windows performance management growing at 13% yr/yr, MOM growing at 60% yr/yr


Horizon for SAP (Tidal Software)

What does Horizon do?
- SAP monitoring in MOM
- Automates SAP performance management through "Expert-in-a-Box" technology, modeled on the same processes used by expert SAP Basis administrators
- Uses MOM Reporting to deliver extensive SLA reporting: trend and track SAP service to the business
- Automates manual, repetitive tasks

How does Horizon add value?
- Reduces cost and increases effectiveness of SAP administration and operation
- Automates many routine tasks performed by SAP Basis administrators
- Informs administrators of impending issues before customers call for help
- Faster diagnosis of transient outages with Snap Shot monitoring
- Reduced number of experts required to diagnose complex multi-tier problems
- Automates creation and distribution of service level reporting for management and operations
- Embedded SAP best practices make junior administrators more effective, offload Basis work to Operations, and improve the quality of after-hours coverage

DEMO: System Center MOM

- No agent needed: use of WS-Management
- SAP NetWeaver 2004s
- Microsoft System Center Operations Manager

www.microsoft-sap.com
