

Overview and Architecture

This section contains the following topics:

CA SSO Options for SAP

CA SSO Agent for SAP Integration

CA SSO Agent for SAP Authentication Modes

Components in a CA SSO Agent for SAP Environment

CA SSO Options for SAP

CA SSO supports the following SSO deployment options for SAP.

Tier-1

A Web Agent hosted on a front-end web server provides authentication. The web server acts as a proxy for requests to the SAP Web Application Server.

A Tier-1 solution is the minimum requirement for SSO. However, Tier-1 solutions have the following limitations.

Two security options apply, and each has a drawback:

Option 1

User credentials are stored in the ERP database/directory. The database/directory may not be encrypted, and it may be located on the web server, leaving user information vulnerable to attack.

Option 2

All users log on to the ERP solution under a single super-user account, which masks the identity of the true user.

Tier-2

A CA SSO Connector hosted on the ERP system provides authentication. The SessionLinker keeps the CA SSO session and the ERP session linked.

This product is a Tier-2 solution: the SAP system itself verifies that the identity information it receives from CA SSO was actually sent by CA SSO, rather than simply trusting whatever arrives from the front-end web server. This capability also protects the SAP system against internal users who attempt to bypass the front end.

This product has the following benefits:

CA SSO Agent for SAP Integration

This product provides seamless single-sign on (SSO) integration among the following types of applications:

The Web AS J2EE engine lets you integrate a third-party authentication product with the standard Pluggable Authentication Module (PAM) framework. You can protect applications that are deployed on the Web AS J2EE engine with a Login Stack or Authentication template. Create the template from a standard or custom Java Authentication and Authorization Service (JAAS) login module.

The Java Authentication and Authorization Service (JAAS), from Sun Microsystems, implements a Java technology version of the standard PAM framework, and supports user-based authorization.

You can customize the Login Stack or the Authentication template to use a set of JAAS-based login modules arranged in a particular order in the login stack. A custom login module based on the JAAS framework can be developed and registered with the Security Provider service of the Web AS J2EE engine. The engine lets you develop and deploy login modules independently of the applications; an application uses a module only by referencing the login stack that protects it.

The Enterprise Portal from SAP also allows usage of the custom login module, as part of the login stack, to act as an authentication mechanism for access to Enterprise Portal. You can modify the Enterprise Portal authentication scheme. The authentication scheme references an authentication template or login stack inside the SAP Web AS.

This product is the SSO solution for integration with SAP Web AS. The agent specifically addresses SSO with J2EE-based applications deployed on the SAP Web AS J2EE engine, including the Enterprise Portal application. It also extends these SSO capabilities to applications deployed outside SAP Web AS.

This product provides increased security using a Tier 2 session validation whereby the point of trust is moved from the web server to the SAP Web AS J2EE engine.

Many web-based applications use their own session management, such as a session cookie or session ticket. Once the application session exists, requests can bypass the CA SSO replay prevention and session management logic. The main security problem when integrating such applications is that the CA SSO session and the application session can drift apart: one can end, expire, or be replaced while the other continues to be honored. This product includes the SessionLinker component to prevent that. The SessionLinker web server plug-in compares the CA SSO Session ID header with the Web AS session ticket on each request. When the two no longer correspond, the SessionLinker acts: it blocks the application until a new session is established within the SAP Web AS.

In addition to providing enhanced security, this product makes the full range of authentication schemes available with CA SSO usable for SAP applications.

Note: This product only controls the authentication for the applications that are deployed on the SAP Web AS and for the Enterprise Portal. The SAP Web AS J2EE engine itself controls and administers all authorizations and roles.

CA SSO Agent for SAP Authentication Modes

This product uses one or both of the following modes to authenticate users:

SSO Mode

Validates user sessions against the Policy Server, which confirms that the SMSESSION cookie the user presents is legitimate. The Policy Server returns the ID of the SAP Web AS user in an active response to CA SSO Agent for SAP, which asserts that ID to the SAP Web Application Server. The SAP Web Application Server then authorizes the user.

Federation Mode

Receives Federation Profile cookies from CA Federation. This product extracts the contents of the cookie, and then asserts the SP-side user ID and the user attributes (from the cookie) to the SAP Web Application Server. The SAP Web Application Server then authorizes the user.

Both modes can be used together. For example, you can use the SSO mode to authenticate the users inside your organization, and you can use the Federation mode to authenticate users outside of your organization. However, only one mode can be used in a web browser session.

If both modes are used together and the user is authenticated by CA SSO and CA Federation, then the CA SSO authentication takes priority. For example, if CA Federation operates with the CA SSO Connector enabled, then the CA SSO authentications take priority over the CA Federation authentications.

Components in a CA SSO Agent for SAP Environment

This product has the following components:

User or Client

A user is an end user working in a web browser. A client is the HTTP-based web client that accesses the J2EE engine of the SAP Web Application Server.

Front-End Web Server

When this product operates in SSO mode, the agent-supported web server runs as a front-end to the SAP Web Application Server J2EE engine. The applications that are deployed on the J2EE engine are accessible through the CA SSO supported front-end web server.

The Web Agent configured on the web server protects both the applications hosted on that web server and the J2EE engine applications that are accessed through it.

The web server also hosts the CA SSO SessionLinker web server plug-in. The SessionLinker intercepts the requests and tracks the Web AS J2EE session against the CA SSO Session ID using the following items:

The CA SSO SessionLinker synchronizes the CA SSO session with the third-party application session for better security. For example, if a user logs out of the third-party application, the CA SSO SessionLinker logs the user out of CA SSO. Conversely, if a user logs out of CA SSO, the SessionLinker invalidates the related session of the third-party application.

Note: The CA SSO SessionLinker supports only the SSO Mode. The CA SSO SessionLinker is not used in Federation Mode.
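The following is an added example, not the product's SessionLinker plug-in or any CA code. It models in Python the two per-request decisions described on this page: which authentication mode handles a request (SSO takes priority over Federation, and a browser session stays in one mode; see the authentication modes section) and, in SSO mode, whether the CA SSO session and the Web AS logon ticket still belong together, with logout in either system propagated to the other. The federation cookie name FEDPROFILE, the SMSESSION and MYSAPSSO2 values and the request sequence are constructed; "one mode per browser session" is modelled as a lock set on the first authenticated request; and the real plug-in validates sessions with the Policy Server rather than against a local table.

```python
"""Model of a front-end request gate: mode selection plus session linking.
Added example; not the CA SSO SessionLinker. Cookie name FED_COOKIE and all
token values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

FED_COOKIE = "FEDPROFILE"   # assumed name for the CA Federation profile cookie (not from the page)


@dataclass(frozen=True)
class Decision:
    mode: Optional[str]   # "sso", "federation", or None when no credential is usable
    action: str           # "pass" | "establish" | "invalidate" | "reject"
    reason: str


class SessionGate:
    """Front-end state: the mode each browser session is locked to, and the
    CA SSO session under which each MYSAPSSO2 ticket was issued."""

    def __init__(self) -> None:
        self.browser_mode: Dict[str, str] = {}
        self.ticket_owner: Dict[str, str] = {}     # MYSAPSSO2 ticket -> SMSESSION
        self.session_ticket: Dict[str, str] = {}   # SMSESSION -> MYSAPSSO2 ticket
        self.revoked_sessions: Set[str] = set()
        self.revoked_tickets: Set[str] = set()

    def _mode_for(self, cookies: Dict[str, str]) -> Optional[str]:
        sm = cookies.get("SMSESSION")
        if sm and sm not in self.revoked_sessions:
            return "sso"            # SSO wins when both credentials are present
        if cookies.get(FED_COOKIE):
            return "federation"
        return None

    def handle(self, browser: str, cookies: Dict[str, str]) -> Decision:
        mode = self._mode_for(cookies)
        if mode is None:
            return Decision(None, "reject", "no valid CA SSO session or federation profile")
        locked = self.browser_mode.setdefault(browser, mode)   # first mode wins for this browser
        if locked != mode:
            return Decision(mode, "reject", f"browser session is locked to {locked} mode")
        if mode == "federation":
            return Decision(mode, "pass", "SessionLinker does not apply in Federation mode")
        return self._check_link(cookies["SMSESSION"], cookies.get("MYSAPSSO2"))

    def _check_link(self, sm: str, ticket: Optional[str]) -> Decision:
        if ticket is None:
            return Decision("sso", "establish", "no Web AS session yet; login stack must issue MYSAPSSO2")
        if ticket in self.revoked_tickets or ticket not in self.ticket_owner:
            return Decision("sso", "invalidate", "MYSAPSSO2 ticket is unknown or revoked")
        if self.ticket_owner[ticket] != sm:
            # The divergence case: the CA SSO session changed (e.g. a different user
            # authenticated) but the browser still carries the old SAP ticket.
            return Decision("sso", "invalidate", "MYSAPSSO2 was issued under a different CA SSO session")
        return Decision("sso", "pass", "CA SSO session and Web AS ticket are linked")

    def link(self, sm: str, ticket: str) -> None:
        """Record the pairing once the login stack has issued a ticket for this session."""
        self.ticket_owner[ticket] = sm
        self.session_ticket[sm] = ticket

    def logout_sap(self, ticket: str) -> Optional[str]:
        """SAP-side logout: revoke the ticket and return the CA SSO session to terminate."""
        self.revoked_tickets.add(ticket)
        sm = self.ticket_owner.pop(ticket, None)
        if sm is not None:
            self.revoked_sessions.add(sm)
            self.session_ticket.pop(sm, None)
        return sm

    def logout_sso(self, sm: str) -> Optional[str]:
        """CA SSO-side logout: revoke the session and return the ticket to invalidate."""
        self.revoked_sessions.add(sm)
        ticket = self.session_ticket.pop(sm, None)
        if ticket is not None:
            self.revoked_tickets.add(ticket)
            self.ticket_owner.pop(ticket, None)
        return ticket


def walkthrough() -> List[Optional[str]]:
    """Constructed request sequence; returns the action taken at each step."""
    gate = SessionGate()
    out: List[Optional[str]] = []
    out.append(gate.handle("b1", {"SMSESSION": "sm-alice"}).action)                          # establish
    gate.link("sm-alice", "tkt-1")                                                           # stack issued ticket
    out.append(gate.handle("b1", {"SMSESSION": "sm-alice", "MYSAPSSO2": "tkt-1"}).action)    # pass
    out.append(gate.handle("b1", {"SMSESSION": "sm-bob", "MYSAPSSO2": "tkt-1"}).action)      # invalidate
    out.append(gate.logout_sap("tkt-1"))                                                     # sm-alice to log out
    out.append(gate.handle("b1", {"SMSESSION": "sm-alice"}).action)                          # reject: session revoked
    out.append(gate.handle("b2", {FED_COOKIE: "fed-1"}).action)                              # pass, no linking
    out.append(gate.handle("b2", {"SMSESSION": "sm-carol"}).action)                          # reject: mode locked
    return out
```

The third step is the case the SessionLinker exists for: a new CA SSO session arriving with the previous session's MYSAPSSO2 ticket is not passed through, so the SAP side must establish a fresh session for the new identity instead of continuing the old one.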

Policy Server

When this product operates in SSO mode, the Policy Server governs access to the applications deployed on the web server and the SAP Web Application Server J2EE engine.

The Policy Server also hosts the SessionLinker Policy Server plug-in.

Note: The CA SSO SessionLinker supports only the SSO Mode. The CA SSO SessionLinker is not used in Federation Mode.

Web AS J2EE Engine

The SAP Web Application Server J2EE engine is a J2EE-compliant operating environment for running J2EE applications. Login stacks or authentication templates protect the applications that are deployed on the J2EE engine. The login stacks or authentication templates consist of JAAS-compliant login modules, which are also deployed on the J2EE engine.

The following login modules are deployed as part of the login stack:

SiteMinderLoginModule

Custom JAAS-compliant login module that validates the CA SSO session of the user with the CA SSO Java Agent API.

CreateTicketLoginModule

Web AS J2EE engine login module, which creates the MYSAPSSO2 ticket for the authenticated user. The J2EE engine supports the use of logon tickets for SSO in an SAP system environment. The logon ticket is stored as a session cookie, named MYSAPSSO2, in the web browser of the user.
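To show how the order and control flags of a login stack decide whether a later module such as the ticket issuer ever runs, here is an added example in Python; it is not CA SSO or SAP code. It models the JAAS control-flag evaluation rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) described in the integration section above, applied to two simplified stand-in modules for the stack listed here. The module classes, the SMSESSION-to-user table and the ticket format are constructed; the real SiteMinderLoginModule validates the session with the Policy Server through the Java Agent API, and the real CreateTicketLoginModule produces an actual MYSAPSSO2 ticket.

```python
"""JAAS login-stack evaluation model (added example; not CA SSO or SAP code).
The two modules are simplified stand-ins; the SMSESSION->user table and the
ticket format are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; the stack continues either way
    REQUISITE = "REQUISITE"    # must succeed; a failure stops the stack at once
    SUFFICIENT = "SUFFICIENT"  # a success stops the stack unless a mandatory module already failed
    OPTIONAL = "OPTIONAL"      # only counts when no REQUIRED/REQUISITE module is configured


@dataclass
class Subject:
    principals: Set[str] = field(default_factory=set)
    credentials: Dict[str, str] = field(default_factory=dict)


class SiteMinderLikeModule:
    """Stand-in for SiteMinderLoginModule: accepts a known SMSESSION value and
    passes the mapped user ID to later modules via the JAAS shared state."""

    def __init__(self, valid_sessions: Dict[str, str]) -> None:
        self.valid_sessions = valid_sessions   # constructed: SMSESSION value -> SAP user ID
        self.user: Optional[str] = None

    def login(self, request: Dict[str, str], shared: Dict[str, str]) -> bool:
        self.user = self.valid_sessions.get(request.get("SMSESSION", ""))
        if self.user is None:
            return False
        shared["javax.security.auth.login.name"] = self.user
        return True

    def commit(self, subject: Subject) -> None:
        if self.user is not None:
            subject.principals.add(self.user)

    def abort(self) -> None:
        self.user = None


class CreateTicketLikeModule:
    """Stand-in for CreateTicketLoginModule: issues a logon ticket for the user
    name an earlier module left in shared state (placeholder format, not the
    real MYSAPSSO2 encoding)."""

    def __init__(self) -> None:
        self.ticket: Optional[str] = None

    def login(self, request: Dict[str, str], shared: Dict[str, str]) -> bool:
        name = shared.get("javax.security.auth.login.name")
        if not name:
            return False
        self.ticket = f"ticket-for-{name}"
        return True

    def commit(self, subject: Subject) -> None:
        if self.ticket is not None:
            subject.credentials["MYSAPSSO2"] = self.ticket

    def abort(self) -> None:
        self.ticket = None


def run_login_stack(stack: List[Tuple[object, Flag]], request: Dict[str, str]) -> Optional[Subject]:
    """Phase 1: call login() down the stack under the control-flag rules.
    Phase 2: commit() every module that was reached if the stack succeeded,
    otherwise abort() them. Returns the populated Subject, or None."""
    shared: Dict[str, str] = {}
    reached = []
    has_mandatory = False   # a REQUIRED or REQUISITE module is configured
    mandatory_ok = True     # no REQUIRED or REQUISITE module has failed
    optional_ok = False     # some SUFFICIENT or OPTIONAL module succeeded
    for module, flag in stack:
        reached.append(module)
        ok = module.login(request, shared)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            has_mandatory = True
            if not ok:
                mandatory_ok = False
                if flag is Flag.REQUISITE:
                    break
        elif ok:
            optional_ok = True
            if flag is Flag.SUFFICIENT and mandatory_ok:
                break   # later modules, e.g. the ticket issuer, never run
    success = mandatory_ok and (has_mandatory or optional_ok)
    subject = Subject()
    for module in reached:
        if success:
            module.commit(subject)
        else:
            module.abort()
    return subject if success else None


def authenticate(request: Dict[str, str], sm_flag: Flag, ticket_flag: Flag) -> Optional[Subject]:
    """Build a fresh two-module stack (modules hold per-login state) and run it."""
    sessions = {"smsession-value-1": "jdoe"}   # constructed SMSESSION -> user table
    stack = [(SiteMinderLikeModule(sessions), sm_flag), (CreateTicketLikeModule(), ticket_flag)]
    return run_login_stack(stack, request)
```

With the first module flagged SUFFICIENT, a successful CA SSO validation ends the stack before the ticket module runs, so the Subject carries the user principal but no MYSAPSSO2 credential; flag it REQUISITE (or REQUIRED) when a later module must still execute. The stand-in modules shown here are run stand-alone by calling authenticate(); for example, authenticate({"SMSESSION": "smsession-value-1"}, Flag.REQUISITE, Flag.OPTIONAL) returns a Subject with both the principal and the ticket.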

CA Federation

CA Federation enables customers to establish federated partnerships in a flexible way, together with or independent of a Web access management system. CA Federation supports standards-based federation. Organizations act as the asserting party, providing user authentication and assertion of identity, or as the relying party, consuming the identity to allow access to web resources and services.