
Week 2 Unit 1: Security Concept

Security Concept
Topics
Authentication & Single Sign-On
Authorization Management
Web API Protection
Identity Propagation

2016 SAP SE or an SAP affiliate company. All rights reserved.

Public

Security Concept
Authentication & single sign-on
[Diagram: a user in a web browser authenticates (single sign-on) to the access-protected web resources of your SAP HANA Cloud Platform web application(s), shown as an App and an XS app; the platform delegates authentication and identity management to an Identity Provider (IdP).]

Security Concept
Identity provider options on SAP HANA Cloud Platform
SAP ID service: SAP's public identity provider on the Internet; free service; default identity provider for HCP trial accounts.
SAP Cloud Identity: cloud solution for identity lifecycle management; pay-per-logon requests; preconfigured identity provider for productive HCP accounts.
Bring your own identity provider: integration with a corporate Identity and Access Management solution in the corporate network; prerequisite: SAML 2.0 compliance.

[Diagram: SAP HANA Cloud Platform trusts an identity provider either on the Internet (SAP ID service, SAP Cloud Identity) or in the corporate network (your own identity provider).]

Security Concept
Authorization management

[Diagram: a User is assigned to a Group (static or federated assignment); the Group is assigned to a Role (static assignment); a User can also be assigned to a Role directly (static assignment); Roles belong to an App or an XS app on SAP HANA Cloud Platform.]

Security Concept
Web API protection

[Diagram: a native mobile app, a web browser and a desktop/server application all call your REST API (an XS or API app) on SAP HANA Cloud Platform.]

Security Concept
Identity propagation
[Diagram: after the initial login to an App on SAP HANA Cloud Platform, the user's identity is propagated to XS and API apps on the platform, to APIs of SAP or non-SAP cloud services, and, via the SAP HANA Cloud Connector, to APIs of SAP or non-SAP back-end system(s) in the corporate network.]

Security Concept
Outlook for this week
Unit 2: Securing HTML5 Apps
  Authenticating users via SAML
  Managing permissions and roles
Unit 3: Securing Java Apps
  Authenticating users via SAML
  Managing groups and roles
Unit 4: Securing Web APIs
  Protecting an API using OAuth 2.0
  Testing with a REST client
Units 5 & 6: Securing SAP HANA Native Services
  Configuring identity propagation between an HTML5 app and an SAP HANA XS service

Thank you

Contact information:
open@sap.com



No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.


Week 2 Unit 2:
Securing HTML5 Apps

Securing HTML5 Apps
Authentication: SAML 2.0

neo-app.json
{
  "authenticationMethod": "saml",
  "logoutPage": "logout.html",
  ...
  "routes": [
    ...
  ],
  "securityConstraints": [
    ...
  ],
  ...
}

Securing HTML5 Apps
Authorization: Roles and permissions

[Diagram: a User is assigned the custom role Employee, which holds the permission accessProjectData; the HTML5 app on SAP HANA Cloud Platform serves its public resources to anyone and its protected resources under /projects only to users holding that permission.]

neo-app.json (each security constraint is an object inside the securityConstraints array)
{
  ...
  "securityConstraints": [
    {
      "permission": "accessProjectData",
      "description": "Protected Project Data",
      "protectedPaths": [
        "/projects"
      ]
    }
  ],
  ...
}
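
Added example, not code from the openSAP deck or from SAP: a Python model of the authorization decision that the neo-app.json securityConstraints express, plus a review check that lists routes no constraint covers (such routes are public). The JSON file, the Employee-to-accessProjectData assignment and the segment-wise prefix matching of protectedPaths are assumptions and are marked as such in the comments.

```python
import json
from posixpath import normpath

# Constructed neo-app.json in the shape the slide shows (not a real project's file).
NEO_APP_JSON = """{
  "authenticationMethod": "saml",
  "routes": [
    {"path": "/projects", "target": {"type": "destination", "name": "projects_api"}},
    {"path": "/public",   "target": {"type": "application", "name": "welcome"}},
    {"path": "/admin",    "target": {"type": "destination", "name": "admin_api"}}
  ],
  "securityConstraints": [
    {
      "permission": "accessProjectData",
      "description": "Protected Project Data",
      "protectedPaths": ["/projects"]
    }
  ]
}"""

# Permission-to-role assignment as it would be made in the HCP cockpit (constructed).
ROLE_PERMISSIONS = {"Employee": {"accessProjectData"}}


def _covers(protected, path):
    """True if `path` is `protected` itself or lies below it.

    Assumption: protected paths match whole path segments, so "/projects"
    covers "/projects/42" but not "/projectsfoo". Paths are normalised first
    so that "/projects/../public" is judged as "/public".
    """
    protected, path = normpath(protected), normpath(path)
    return path == protected or path.startswith(protected.rstrip("/") + "/")


def required_permissions(config, path):
    """Permissions a request to `path` must hold; an empty set means public."""
    return {
        c["permission"]
        for c in config.get("securityConstraints", [])
        if any(_covers(p, path) for p in c.get("protectedPaths", []))
    }


def is_allowed(config, user_roles, path):
    """Authorization decision: the user needs every permission guarding the path."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user_roles))
    return required_permissions(config, path) <= granted


def unprotected_routes(config):
    """Review check: routes no securityConstraint covers, i.e. served to anyone."""
    return [r["path"] for r in config.get("routes", [])
            if not required_permissions(config, r["path"])]


if __name__ == "__main__":
    cfg = json.loads(NEO_APP_JSON)
    print(is_allowed(cfg, ["Employee"], "/projects/42"))  # True
    print(is_allowed(cfg, [], "/projects/42"))            # False
    print(unprotected_routes(cfg))                        # ['/public', '/admin']
```

The last call is the check worth running before every deployment: a route added to neo-app.json without a matching constraint is not denied by default, it is public.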


Week 2 Unit 3:
Securing Java Apps

Securing Java Apps
Authentication

[Diagram: user jdoe authenticates to the Java app on SAP HANA Cloud Platform with a username/password, an X.509 client certificate, or SAML 2.0, as selected by the auth-method in web.xml.]

web.xml
<login-config>
  <auth-method>
    [BASIC|CERT|FORM|]
  </auth-method>
</login-config>

Securing Java Apps
Authorization

[Diagram: a User is assigned the predefined role ProjectManager, which the Java app on SAP HANA Cloud Platform declares in web.xml.]

web.xml
...
<security-role>
  <role-name>ProjectManager</role-name>
</security-role>


Week 2 Unit 4:
Securing Web APIs

Securing Web APIs
OAuth access token

[Diagram: a REST client (e.g. a native mobile app) presents an OAuth access token, shown on the slide as poai3-36d24fdwq59, when calling your REST API on SAP HANA Cloud Platform.]

Securing Web APIs
OAuth 2.0

Securing Web APIs
End-to-end flow
1. An HCP administrator registers an OAuth client for the native mobile app.
2. The app requests an access token from the OAuth authorization server. This requires the user to authenticate via SAML.
3. The app stores the access token and uses it to send an authorized API call.
4. The API can verify the token with the OAuth authorization server and returns the response to the app.

[Diagram: the REST client (e.g. native mobile app) authenticates via SAML to the OAuth 2.0 authorization server on SAP HANA Cloud Platform (steps 1 and 2), then calls your REST API on SAP HANA Cloud Platform with the OAuth token, shown as poawq59 (steps 3 and 4).]
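
Added example, not code from the deck or from SAP: a Python model of steps 2 to 4 above, with an authorization server that issues opaque tokens only to registered clients and a protected API that introspects each token before answering. The scope name view_sales_data, the client id and the introspection interface are assumptions; the user's SAML authentication of step 2 is taken as already done.

```python
import secrets
import time


class AuthorizationServer:
    """Stand-in for the OAuth 2.0 authorization server on HCP (constructed)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}   # step 1: client_id -> scopes the admin allowed it
        self.tokens = {}    # opaque token -> record

    def register_client(self, client_id, scopes):
        self.clients[client_id] = set(scopes)

    def issue_token(self, client_id, user, scopes, ttl=3600):
        """Step 2: called only after the user authenticated via SAML (assumed done)."""
        allowed = self.clients.get(client_id)
        if allowed is None:
            raise PermissionError("unknown OAuth client")
        if not set(scopes) <= allowed:
            raise PermissionError("scope not granted to this client")
        token = secrets.token_urlsafe(24)        # opaque and unguessable
        self.tokens[token] = {"user": user, "scope": set(scopes),
                              "exp": self.clock() + ttl}
        return token

    def introspect(self, token):
        """Step 4: RFC 7662-style answer the API uses to verify the token."""
        rec = self.tokens.get(token)
        if rec is None or self.clock() >= rec["exp"]:
            return {"active": False}
        return {"active": True, "user": rec["user"], "scope": set(rec["scope"])}

    def revoke(self, token):
        self.tokens.pop(token, None)


class ProtectedApi:
    """Your REST API on HCP, guarded like the OAuthAuthorizationFilter in web.xml."""

    def __init__(self, auth_server, required_scope):
        self.auth_server = auth_server
        self.required_scope = required_scope

    def handle(self, headers):
        """Steps 3 and 4: returns (status, body) for a request carrying the token."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return 401, "missing bearer token"
        info = self.auth_server.introspect(token.strip())
        if not info["active"]:
            return 401, "invalid, revoked or expired token"
        if self.required_scope not in info["scope"]:
            return 403, "insufficient scope"
        return 200, f"sales data for {info['user']}"


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("native-mobile-app", ["view_sales_data"])           # step 1
    tok = srv.issue_token("native-mobile-app", "jdoe", ["view_sales_data"])  # step 2
    api = ProtectedApi(srv, "view_sales_data")
    print(api.handle({"Authorization": "Bearer " + tok}))  # (200, 'sales data for jdoe')
    srv.revoke(tok)
    print(api.handle({"Authorization": "Bearer " + tok}))  # (401, ...)
```

Because the API asks the authorization server on every call, revocation and expiry take effect immediately; a token the app stored (step 3) is only as good as that answer.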

Securing Web APIs
Using OAuth on SAP HANA Cloud Platform

web.xml
<filter>
  <display-name>OAuth Filter to view sales data</display-name>
  <filter-name>OAuthViewSalesDataFilter</filter-name>
  <filter-class>
    com.sap.cloud.security.oauth2.OAuthAuthorizationFilter
  </filter-class>
  <init-param>
    <param-name>http-method</param-name>
    <param-value>get</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>OAuthViewSalesDataFilter</filter-name>
  <servlet-name>SalesDataServlet</servlet-name>
</filter-mapping>
...

[Diagram: the OAuth filter sits in front of your API on SAP HANA Cloud Platform.]


Week 2 Unit 5: Securing SAP HANA Native Services Part 1

Securing SAP HANA Native Services Part 1
Using SAP HANA XS on SAP HANA Cloud Platform

[Diagram: within your HCP account, a User calls an XS app or an API app via REST/OData; the XS app runs on a dedicated or shared SAP HANA instance on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 1
User authentication and propagation

[Diagram: the User logs in via SAML; authentication and SSO are handled by the Identity Provider (IdP); the user's identity is then propagated from the API app in your HCP account to XS on a dedicated or shared SAP HANA on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 1
Focus of Units 5 and 6

[Diagram: the same scenario (SAML login at the Identity Provider, identity propagation from the API app to XS on a dedicated or shared SAP HANA); Units 5 and 6 focus on the identity propagation step.]

Securing SAP HANA Native Services Part 1
Identity propagation between HTML5/Java and SAP HANA XS

[Diagram: within your HCP account, the HTML5 or Java API app (authenticated via SAML) reaches XS on a dedicated or shared SAP HANA through an HTTP destination of type App2AppSSO (Application-to-Application SSO Authentication) on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 1
Trust setup

[Diagram: XS is configured with a SAML Identity Provider entry that TRUSTs the Local Service Provider of your HCP account; the API app (SAML) then reaches XS through the HTTP destination (App2AppSSO, Application-to-Application SSO Authentication) on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 1
User management

[Diagram: with Dynamic User Creation enabled for the SAML Identity Provider in XS, the identity propagated from the API app (SAML) through the HTTP destination (App2AppSSO, Application-to-Application SSO Authentication) is mapped to a dynamically created XS DB user on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 1
Configuration steps of the end-to-end scenario
Unit 5 (Part 1):
  Configure the local service provider for HTML5 apps
  Set up trust in XS to the HTML5 local service provider
  Enable dynamic user creation in XS
Unit 6 (Part 2):
  Configure HTTP destination for application-to-application SSO
  Configure SAML in XS
  Test the scenario
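
Added example, not code from the deck or from SAP: a Python sketch of what the XS side must check on a propagated SAML assertion once the trust setup above is in place (trusted issuer, validity window, audience) and how dynamic user creation maps the assertion's NameID to a DB user. The issuer and audience URLs, the assertion itself and the DB user naming are constructed values; XML signature verification is left out here and has to be done in addition.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust setup as it would be configured in XS (constructed values): the issuers
# XS trusts (here the HTML5 local service provider) and the audience XS expects.
TRUSTED_ISSUERS = {"https://hcp.example/html5-local-sp"}
XS_AUDIENCE = "https://xs.example/hana-xs-sp"

# Constructed assertion, as the App2AppSSO destination would carry it to XS.
# The XML signature is omitted; verifying it is a separate, mandatory step.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>https://hcp.example/html5-local-sp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-21T10:00:00Z" NotOnOrAfter="2016-03-21T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://xs.example/hana-xs-sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(text):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                       audience=XS_AUDIENCE):
    """Return the propagated NameID, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")      # trust setup
    cond = root.find("saml:Conditions", NS)
    not_before, not_after = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) \
        if cond is not None else (None, None)
    if not not_before or not not_after:
        raise ValueError("assertion carries no validity window")
    if now < _ts(not_before) or now >= _ts(not_after):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id


class XsUserStore:
    """Stand-in for the XS DB users; dynamic user creation maps NameID -> DB user."""

    def __init__(self, dynamic_creation=True):
        self.dynamic_creation = dynamic_creation
        self.users = {}

    def resolve(self, name_id):
        if name_id not in self.users:
            if not self.dynamic_creation:
                raise LookupError(f"no DB user for {name_id!r}; dynamic creation is off")
            self.users[name_id] = {"db_user": name_id.upper(), "created_by": "saml"}
        return self.users[name_id]["db_user"]


def propagate(xml_text, now, store):
    """The XS side of identity propagation: validate, then map to a DB user."""
    return store.resolve(validate_assertion(xml_text, now))


if __name__ == "__main__":
    print(propagate(ASSERTION, _ts("2016-03-21T10:02:00Z"), XsUserStore()))  # JDOE
```

Each rejected check corresponds to one configuration step: an untrusted issuer means the trust setup is wrong, a missing DB user with dynamic creation off means step three of Unit 5 was skipped.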

Securing SAP HANA Native Services Part 1
What you've learned in this unit
How to build SAP HANA Cloud Platform applications using HTML5 and SAP HANA XS
The difference between authentication and propagation of a user's identity
Configuration of trust between HTML5 and SAP HANA XS as a prerequisite for secure identity propagation

Securing SAP HANA Native Services Part 1
Further reading

Additional Material:
http://scn.sap.com/community/developer-center/cloudplatform/blog/2016/03/21/principal-propagation-betweenhtml5-and-sap-hana-xs-on-sap-hana-cloud-platform


Week 2 Unit 6: Securing SAP HANA Native Services Part 2

Securing SAP HANA Native Services Part 2
Identity propagation scenario

[Diagram: the User logs in via SAML; authentication and SSO are handled by the Identity Provider (IdP); the user's identity is propagated from the API app in your HCP account to XS on a dedicated or shared SAP HANA on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 2
What we did in Part 1

[Diagram: in your HCP account, the SAML Identity Provider entry in XS was set up to TRUST the Local Service Provider, and Dynamic User Creation of XS DB users was enabled on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 2
What we will do in Part 2

[Diagram: on top of the Part 1 setup (trust between the Local Service Provider and the SAML Identity Provider in XS, Dynamic User Creation), the HTTP destination (App2AppSSO, Application-to-Application SSO Authentication) from the API app (SAML) to XS is configured, so that the propagated identity is mapped to a DB user on SAP HANA Cloud Platform.]

Securing SAP HANA Native Services Part 2
What you've learned in this unit
How to configure a destination to propagate the user's identity from HTML5 to SAP HANA XS
How to configure SAML in SAP HANA XS to support identity propagation from HTML5
How to test the scenario end-to-end

Securing SAP HANA Native Services Part 2
Further reading

Additional Material:
http://scn.sap.com/community/developer-center/cloudplatform/blog/2016/03/21/principal-propagation-betweenhtml5-and-sap-hana-xs-on-sap-hana-cloud-platform
