SAP HANA Cloud – Virtual Bootcamp Securing SAP HANA Cloud Applications


Secure Cloud Application Development
Local Testing
Testing in the Cloud
Identity and Access Management in the Cloud
Security Troubleshooting

Published in: Technology


  1. Martin Raepple / Product Owner Identity and Access Management / SAP HANA Cloud Product Team
     SAP HANA Cloud – Virtual Bootcamp: Securing SAP HANA Cloud Applications
  2. © 2012 SAP AG. All rights reserved.
     Disclaimer
     This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
  3. Agenda
     Secure Cloud Application Development: Enabling Authentication; Enforcing Authorizations; Logout; Protecting from Common Web Attacks
     Local Testing: Configuring local test users and roles
     Testing in the Cloud: Using the local Test Identity Provider
     Identity and Access Management in the Cloud: Default Identity Federation with SAP ID Service; Identity Federation with the corporate Identity Provider; Role Assignments; Demo
     Security Troubleshooting: Logging and Tracing; SAML Debugging
  4. Secure Cloud Application Development
  5. Enabling Authentication (1/4): High-level Architecture
     Diagram: the SAP HANA Cloud Application (running in SAP HANA Cloud) delegates authentication and identity management to an Identity Provider (IdP). The IdP owns the user store (labels in the diagram: Local User Store, Central User Store).
     + Keep focused on the business logic
     + Delegation to a central service (IdP) enables Single Sign-On (SSO) between multiple Cloud applications
     + Mature and proven security standards for integration with the IdP
     Three options:
     • Local IdP in the SAP HANA Cloud SDK: for testing only!
     • SAP ID Service: "out-of-the-box" IdP in the Cloud
     • Your own IdP (e.g. in the corporate network)
  6. Enabling Authentication (2/4): Declarative ...
     web.xml:

        <login-config>
            <auth-method>FORM</auth-method>
        </login-config>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Protected</web-resource-name>
                <url-pattern>/admin/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>Administrator</role-name>
            </auth-constraint>
        </security-constraint>
        <security-role>
            <description>Administration users</description>
            <role-name>Administrator</role-name>
        </security-role>

     Supported Authentication Methods:
     • FORM: Delegates authentication to the SAP ID Service or another IdP according to the Security Assertion Markup Language (SAML) 2.0 protocol.
     • BASIC: HTTP "basic" authentication scheme according to RFC 2617. Web browsers prompt users to enter a user name and password. The actual authentication is still delegated to the SAP ID Service or to a SCIM-compliant IdP.
  7. Enabling Authentication (3/4): ... and Programmatic

        // Code from the slide, with the imports it needs added. LoginContextFactory is the
        // SAP HANA Cloud SDK class that creates a JAAS LoginContext for the given auth method.
        import javax.security.auth.login.LoginContext;
        import javax.security.auth.login.LoginException;
        import com.sap.security.auth.login.LoginContextFactory;

        // inside the servlet's doGet(HttpServletRequest request, HttpServletResponse response)
        String user = request.getRemoteUser();
        if (user != null) {
            // already authenticated, e.g. by a declarative security constraint
            response.getWriter().println("Hello, " + user);
        } else {
            LoginContext loginContext;
            try {
                // trigger the FORM (SAML 2.0) login flow explicitly
                loginContext = LoginContextFactory.createLoginContext("FORM");
                loginContext.login();
                response.getWriter().println("Hello, " + request.getRemoteUser());
            } catch (LoginException e) {
                e.printStackTrace();
            }
        }
  8. Enabling Authentication (4/4): Excursus: SAML-based Single Sign-On (SSO)
     1. User accesses a protected web resource on the Service Provider (SP), i.e. the SAP HANA Cloud Application
     2. SP sends a SAML Authentication Request via HTTP redirect to the trusted IdP
     3. IdP authenticates the user (if not done already)
     4. Upon successful authentication, the IdP sends a SAML Response (which includes the SAML Assertion) to the SAML Service Provider via HTTP POST
     Diagram: User, Identity Provider (IdP) and SAP HANA Cloud Application (in SAP HANA Cloud); a trust relationship exists between the SP and the IdP.
  9. Enforcing Authorizations

        // Code from the slide, with the imports it needs added.
        import java.io.IOException;
        import java.io.PrintWriter;
        import javax.servlet.ServletException;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;

        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out = response.getWriter();
            // isUserInRole() checks the role declared in web.xml (<security-role>)
            // against the roles assigned to the authenticated user
            if (!request.isUserInRole("Administrator")) {
                response.sendError(403, "Logged in user does not have role Administrator");
                return;
            } else {
                out.println("Hello administrator");
            }
        }
 10. Programmatic Logout

        // Code from the slide, completed with a doGet() signature and the imports it needs.
        import java.io.IOException;
        import javax.security.auth.login.LoginContext;
        import javax.security.auth.login.LoginException;
        import javax.servlet.ServletException;
        import javax.servlet.http.HttpServlet;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;
        import com.sap.security.auth.login.LoginContextFactory;

        public class LogoutServlet extends HttpServlet {
            protected void doGet(HttpServletRequest request, HttpServletResponse response)
                    throws ServletException, IOException {
                LoginContext loginContext = null;
                if (request.getRemoteUser() != null) {
                    try {
                        // terminates the user's logon session on the platform
                        loginContext = LoginContextFactory.createLoginContext();
                        loginContext.logout();
                        response.getWriter().println("You have successfully logged out.");
                    } catch (LoginException e) {
                        response.getWriter().println("Logout failed. Reason: " + e.getMessage());
                    }
                } else {
                    // no logon session: nothing left to terminate
                    response.getWriter().println("You have successfully logged out.");
                }
            }
        }
 11. Protecting from Common Web Attacks: Cross-Site Scripting (XSS) Attack
     Diagram: (1) the Attacker infects the vulnerable Cloud Application with a malicious script; (2) the Victim downloads a page carrying the malicious script; (3) the script executes in the context of the Victim's session.
     The two most important countermeasures to prevent XSS attacks are to:
     • Constrain input
     • Encode output
     SAP HANA Cloud XSS Output Encoding Library:

        // Code from the slide, with the imports it needs added.
        import java.io.UnsupportedEncodingException;
        import com.sap.security.core.server.csi.IXSSEncoder;
        import com.sap.security.core.server.csi.XSSEncoder;

        String encodedFirstname = null;
        IXSSEncoder xssEncoder = XSSEncoder.getInstance();
        try {
            // HTML-encode the untrusted value before it is written into the page
            encodedFirstname = xssEncoder.encodeHTML(firstName).toString();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        out.println("<br>Hello, " + encodedFirstname);
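     The following servlet is an added example, not code from the slides or from the SAP SDK. It shows both countermeasures from the slide in one place: the input is constrained by an allow-list pattern before use, and the output is HTML-encoded. The helpers isValidName() and htmlEncode() are assumed names written here so the class compiles without the SDK; on SAP HANA Cloud, htmlEncode() corresponds to XSSEncoder.getInstance().encodeHTML() from the XSS Output Encoding Library.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides): "constrain input" and "encode output"
// applied to a greeting servlet. htmlEncode() is a stand-in for the SAP
// XSSEncoder.encodeHTML() call so that this class compiles without the SDK.
public class GreetingServlet extends HttpServlet {

    // Constrain input: a first name is letters, spaces, hyphens or apostrophes,
    // at most 40 characters. Anything else is rejected before it is used at all.
    private static final Pattern NAME = Pattern.compile("^[\\p{L} '\\-]{1,40}$");

    static boolean isValidName(String s) {
        return s != null && NAME.matcher(s).matches();
    }

    // Encode output: every character with HTML meaning becomes an entity, so the
    // value can never close the text node it is written into. Note that the
    // apostrophe passes the input check above but is still encoded here: the two
    // layers are independent, and a valid name is not automatically safe markup.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        String firstName = request.getParameter("firstName");

        // Vulnerable form (kept only as a comment): the raw parameter goes straight
        // into the page, so any script in it runs in the victim's session.
        // out.println("<br>Hello, " + firstName);

        if (!isValidName(firstName)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid first name");
            return;
        }
        out.println("<br>Hello, " + htmlEncode(firstName));
    }
}
```

     For a request with firstName=O'Brien the page receives "Hello, O&#x27;Brien"; a value such as <b>x</b> never reaches htmlEncode() because the allow-list rejects it with 400 first.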
 12. Protecting from Common Web Attacks: Cross-Site Request Forgery (XSRF) Attack
     Diagram: (1) the Attacker's web site serves an <img src=""> pointing at the vulnerable application; (2) the Victim's web browser requests that URL from the Vulnerable Application at www.webapp.com, automatically sending the session cookie JSESSIONID=abc123.
     The attack depends on the predictability of the request URL to the vulnerable application.
     A countermeasure to prevent XSRF attacks is to generate and add a token or nonce per request which is checked on the server side.
     SAP HANA Cloud provides protection based on Apache Tomcat's CSRF Prevention Filter.
     web.xml:

        <filter>
            <filter-name>CsrfFilter</filter-name>
            <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
            <init-param>
                <!-- URLs that may be requested without a nonce, e.g. the landing page -->
                <param-name>entryPoints</param-name>
                <param-value>/home</param-value>
            </init-param>
        </filter>
        <!-- added: the filter only takes effect once it is mapped to the protected URLs -->
        <filter-mapping>
            <filter-name>CsrfFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
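     The servlet below is an added example, not code from the slides. It shows how application code cooperates with the Tomcat CsrfPreventionFilter declared in the web.xml above: the filter wraps the HttpServletResponse so that encodeURL() and encodeRedirectURL() append the per-session nonce parameter, and requests to URLs outside entryPoints that lack a valid nonce are denied with HTTP 403. The servlet paths /account/close and the HomeServlet name are assumptions made for the example; the filter mapping is assumed to cover them.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides). Assumes the CsrfPreventionFilter from
// web.xml is mapped to /* so that the response passed in here is the filter's
// wrapper. The paths below are placeholders chosen for the example.
public class HomeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // Vulnerable form (kept only as a comment): a fixed, predictable URL. A
        // third-party page can make the browser request it, and the browser attaches
        // the JSESSIONID cookie on its own, which is exactly the slide's diagram.
        // out.println("<a href=\"/account/close\">Close account</a>");

        // Protected form: let the filter's response wrapper add the nonce. The link
        // now carries ?org.apache.catalina.filters.CSRF_NONCE=<random value> that is
        // bound to this session; a forged request without it fails the filter's check.
        String closeUrl = response.encodeURL(request.getContextPath() + "/account/close");
        out.println("<a href=\"" + closeUrl + "\">Close account</a>");

        // State-changing actions should additionally use POST, so a plain image or
        // link cannot trigger them even if the nonce check were misconfigured.
        out.println("<form method=\"post\" action=\"" + closeUrl + "\">"
                + "<button type=\"submit\">Close account</button></form>");
    }
}
```

     The important design point is that every link and form action that leads to a protected URL must go through encodeURL(); a URL written as a literal bypasses the wrapper, carries no nonce, and the filter then rejects the legitimate request as well as the forged one.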
 13. Local Testing
 14. Configuring Test Users and Managing Roles on the Local Server
     SAP HANA Cloud Eclipse Tools: Servers view → Local Server → Users tab.
     The tab lists the local test users, the roles assigned to the selected user in the local server, and the user's attributes and values.
     Diagram: Local Server with its configuration under <local_server_dir>/config_master/, hosting the HANA Cloud Application.
 15. Testing in the Cloud
 16. Using the local Test Identity Provider
     Diagram: the Local Server runs the SAP HANA Cloud local Test Identity Provider (users defined in neousers.json); the SAP HANA Cloud Application deployed in SAP HANA Cloud trusts it.
     The local test IdP is packaged within the SAP HANA Cloud SDK. When you start the local server, it will start as well.
     • Define local test IdP users and their attributes
     • Configure the service provider of your account in SAP HANA Cloud
     • Configure trust on SAP HANA Cloud to the local Test IdP
     • Configure trust on the local Test IdP to SAP HANA Cloud
     • Access your application deployed on SAP HANA Cloud and test it against the local test IdP and its defined users and attributes.
 17. Identity and Access Management in the Cloud
 18. Default Identity Federation with SAP ID Service
     Diagram: the SAP HANA Cloud Application (in SAP HANA Cloud) has a trust + SSO relationship with the SAP ID Service, which manages ~4.2 Million Users. User attributes provided by SAP ID Service: User ID, Validated E-Mail Address, First Name, Last Name, Display Name.
     + By default, SAP HANA Cloud applications delegate authentication and identity management to SAP ID Service. No further configuration for the Trust Relationship is required.
     + SAP ID Service is a public, SAML 2.0-compliant Identity Provider in the Cloud. It manages ~4.2 Million Users (e.g. for the SAP Community Network).
     + With SAP ID Service, users can benefit from SSO to other SAP On-Demand solutions and web sites: SAP Public Web Sites (e.g. SMP), SAP Business ByDesign, SAP JAM, ...
 19. Identity Federation with the corporate Identity Provider
     Diagram: Employees in the Corporate Network authenticate at the Corporate IdP; the SAP HANA Cloud Application (in SAP HANA Cloud) has a trust + SSO relationship with the Corporate IdP.
     + SAP HANA Cloud applications can delegate authentication and identity management to an existing Corporate IdP that can, for example, authenticate your company's employees.
     Trust must be configured similar to the local Test IdP scenario:
     • Configure the service provider of your account in SAP HANA Cloud
     • Configure trust on SAP HANA Cloud to the Corporate IdP
     • Configure trust on the Corporate IdP to SAP HANA Cloud
     + Attributes from the Corporate IdP: (corporate-wide unique) User ID and any User Profile Attribute from the corporate user directory.
 20. Role Assignments in the Cloud
     Diagram: in SAP HANA Cloud, the employees in department Sales are members of the Group "Sales", which carries the roles "CRM User" and "Account Owner"; the individual user jdoe@acme.com is assigned the role "Administrator" directly.
     + Roles allow you to control the access to application resources in SAP HANA Cloud.
     + In the Cloud, you can assign Groups or individual users to a role.
     + Groups are collections of roles that allow the definition of business-level functions within your account. They are similar to the actual business roles existing in an organization.
 21. DEMO: SSO and Identity Federation with a corporate Identity Provider (IdP)
 22. Troubleshooting
 23. Network Protocol Analyzer
     • Wireshark
     • Fiddler
     • SAML Tracer (Firefox Add-In)
 24. SAP HANA Cloud
 25. Online Q&A
 26. Questions & Answers
     Q: Is there anything specific for securing REST services?
     A: Right now, REST clients calling services exposed by the same application from within the UI (e.g. SAP UI JavaScript using an OData Model) can re-use an already established logon session (e.g. via SAML2) of the user at the UI. Applications exposing (REST) services and no UI can use HTTP Basic Authentication via SSL at the moment to protect those services. For those scenarios we plan to support the Open Authorization Framework (OAuth) in the SAP HANA Cloud Platform which helps to avoid storing the username and password in the client application.
     Q: So once a user is authenticated in the browser, the browser based UI could use REST services?
     A: Yes!
 27. SAP Hana Cloud Virtual Bootcamp Sessions: Schedule
     Next upcoming bootcamp session: 6th Virtual Bootcamp: Working with the HANA Cloud portal (overview of the features, capabilities and installation procedure). Details and schedule will be provided soon.
     At the end of each session, we will give some time for Q&A.
     Remarks:
     ■ The Virtual Bootcamp sessions are scheduled for the developers of our Hana Cloud Applications partners and the community interested in our Hana Cloud Applications partner program.
     ■ The sessions will be recorded and provided to our Hana Cloud Partner community.
 28. Thank You!
     Contact information: Martin Raepple, SAP HANA