Week 2 Unit 1: Security Concept
Security Concept: Topics
- Authentication & single sign-on
- Authorization management
- Web API protection
- Identity propagation
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
Security Concept: Authentication & single sign-on
[Diagram: a user's web browser requests access-protected web resources of your web application(s) on Cloud Platform (App, XS). The application authenticates the user via single sign-on and delegates authentication and identity management to an Identity Provider (IdP).]
Security Concept: Identity provider options on Cloud Platform
- SAP ID service: SAP's public identity provider on the Internet; free service; default identity provider for HCP trial accounts.
- SAP Cloud Identity: cloud solution for identity lifecycle management; pay per logon request; preconfigured identity provider for productive HCP accounts.
- Bring your own identity provider: integration with a corporate Identity and Access Management solution in the corporate network; prerequisite: SAML 2.0 compliance.
Security Concept: Authorization management
[Diagram: a user is assigned to a group (static or federated assignment); a group is assigned to a role (static assignment); a user can also be assigned directly to a role (static assignment). Roles belong to an application (App / XS).]
Security Concept: Web API protection
[Diagram: clients of different kinds (web browser, native mobile app, desktop / server application) call your REST API on Cloud Platform (API, XS).]
Security Concept: Identity propagation
[Diagram: after the initial login to an app on Cloud Platform (App, XS), the user's identity is propagated along the call chain: to APIs on Cloud Platform (XS, API), to SAP / non-SAP cloud APIs, and through the Cloud Connector to SAP / non-SAP back-end system(s) in the corporate network.]
Security Concept: Outlook for this week
- Unit 2: Securing HTML5 Apps: authenticating users via SAML; managing permissions and roles
- Unit 3: Securing Java Apps: authenticating users via SAML; managing groups and roles
- Unit 4: Securing Web APIs: protecting an API using OAuth 2.0; testing with a REST client
- Units 5 & 6: Securing Native Services: configuring identity propagation between an HTML5 app and an XS service
Thank you. Contact information: open@sap.com
© 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Week 2 Unit 2: Securing HTML5 Apps
Securing HTML5 Apps: Authentication: SAML 2.0
The authentication method of an HTML5 app is declared in its neo-app.json descriptor (keys in the descriptor's camelCase form; "..." marks parts elided on the slide):

```json
{
  "authenticationMethod": "saml",
  "logoutPage": "logout.html",
  ...
  "routes": [ ... ],
  "securityConstraints": [ ... ],
  ...
}
```
Securing HTML5 Apps: Authorization: Roles and permissions
[Diagram: on Cloud Platform the user is assigned the custom role Employee, which carries the permission accessprojectdata. The HTML5 app serves public resources and protected resources under /projects.]
A security constraint in neo-app.json ties a permission to the paths it protects ("..." marks surrounding entries elided on the slide):

```json
{
  ...
  "securityConstraints": [
    {
      "permission": "accessprojectdata",
      "description": "Protected Project Data",
      "protectedPaths": [ "/projects" ]
    }
  ],
  ...
}
```
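As an added example (not part of the course material or the SAP platform code), here is a Python model of the Unit 1 authorization chain (user to group to role to permission) applied to the securityConstraints above: it works out which permission a request path demands, resolves the user's permissions through constructed group and role tables, and denies by default; the role names, group names and sample paths are constructed.

```python
import json
import posixpath

# Constructed neo-app.json fragment modelled on the slide: the permission
# "accessprojectdata" protects everything below /projects, the rest is public.
NEO_APP_JSON = """
{
  "authenticationMethod": "saml",
  "securityConstraints": [
    {
      "permission": "accessprojectdata",
      "description": "Protected Project Data",
      "protectedPaths": ["/projects"]
    }
  ]
}
"""
CONFIG = json.loads(NEO_APP_JSON)

# Constructed assignment tables following the Unit 1 model: role -> permissions
# (the custom role Employee holds accessprojectdata) and group -> roles; a
# user's groups come from static assignment or are federated from SAML.
ROLE_PERMISSIONS = {"Employee": {"accessprojectdata"}}
GROUP_ROLES = {"Staff": {"Employee"}}


def normalize(path):
    """Collapse '.', '..' and repeated slashes so that prefix matching cannot
    be sidestepped with a request such as /public/../projects/42."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def required_permissions(config, path):
    """Permissions demanded for `path`: those of every constraint whose
    protectedPaths contains the path itself or one of its ancestors."""
    path = normalize(path)
    needed = set()
    for constraint in config.get("securityConstraints", []):
        for protected in constraint["protectedPaths"]:
            protected = normalize(protected)
            if path == protected or path.startswith(protected.rstrip("/") + "/"):
                needed.add(constraint["permission"])
    return needed


def user_permissions(groups):
    """Resolve group -> role -> permission; unknown groups grant nothing."""
    roles = set().union(*(GROUP_ROLES.get(g, set()) for g in groups))
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def can_access(config, groups, path):
    """Deny by default: every required permission must be held."""
    return required_permissions(config, path) <= user_permissions(groups)


if __name__ == "__main__":
    for groups, path in [(["Staff"], "/projects/42"), ([], "/projects/42"),
                         ([], "/index.html"), ([], "/public/../projects")]:
        print(groups, path, "allow" if can_access(CONFIG, groups, path) else "deny")
```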
Week 2 Unit 3: Securing Java Apps
Securing Java Apps: Authentication
[Diagram: user jdoe authenticates to Cloud Platform with username/password, an X.509 client certificate, or SAML 2.0; the mechanism is selected by the auth-method in web.xml.]

```xml
<login-config>
  <!-- one of BASIC (username/password), CERT (X.509 client certificate) or FORM (SAML 2.0) -->
  <auth-method>FORM</auth-method>
</login-config>
```
Securing Java Apps: Authorization
[Diagram: the user is assigned the predefined role ProjectManager on Cloud Platform; the role is declared in the application's web.xml (excerpt).]

```xml
<security-role>
  <role-name>ProjectManager</role-name>
</security-role>
```
Week 2 Unit 4: Securing Web APIs
Securing Web APIs: OAuth access token
[Diagram: a REST client (e.g. a native mobile app) sends an OAuth access token, an opaque string shown truncated on the slide as "poai3-36d24fd wq59", with its call to your REST API on Cloud Platform (API).]
Securing Web APIs: OAuth 2.0
Securing Web APIs: End-to-end flow
1. The HCP administrator registers an OAuth client for the native mobile app.
2. The app requests an access token from the OAuth 2.0 authorization server. This requires the user to authenticate via SAML.
3. The app stores the access token and uses it to send an authorized API call.
4. The API can verify the token with the OAuth authorization server and returns the response to the app.
[Diagram: the REST client (e.g. native mobile app), the OAuth 2.0 authorization server and your REST API on Cloud Platform, with the SAML login in step 2 and the token verification in step 4.]
Securing Web APIs: Using OAuth on Cloud Platform
The API is protected declaratively in web.xml by mapping the platform's OAuth authorization filter to the servlet; the http-method init-param names the HTTP method (here get) the filter is declared for (excerpt):

```xml
<filter>
  <display-name>oauth Filter to view sales data</display-name>
  <filter-name>oauthviewsalesdatafilter</filter-name>
  <filter-class>com.sap.cloud.security.oauth2.OAuthAuthorizationFilter</filter-class>
  <init-param>
    <param-name>http-method</param-name>
    <param-value>get</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>oauthviewsalesdatafilter</filter-name>
  <servlet-name>salesdataservlet</servlet-name>
</filter-mapping>
```
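As an added example (not from the course or the SAP library), a Python stand-in for what the filter mapping above does at request time, with the authorization server of step 4 reduced to a constructed token table: it reads the OAuth filter/servlet mapping from web.xml, checks the Bearer token only for the HTTP methods the filter is declared for, and rejects missing, unknown and expired tokens. The reading that http-method limits which methods the filter guards, and that a filter without http-method guards all methods, is an assumption of this example, as are the token values.

```python
import xml.etree.ElementTree as ET

OAUTH_FILTER = "com.sap.cloud.security.oauth2.OAuthAuthorizationFilter"

# Constructed web.xml excerpt following the slide's filter declaration.
WEB_XML = """<web-app>
  <filter>
    <display-name>oauth Filter to view sales data</display-name>
    <filter-name>oauthviewsalesdatafilter</filter-name>
    <filter-class>com.sap.cloud.security.oauth2.OAuthAuthorizationFilter</filter-class>
    <init-param><param-name>http-method</param-name><param-value>get</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>oauthviewsalesdatafilter</filter-name>
    <servlet-name>salesdataservlet</servlet-name>
  </filter-mapping>
</web-app>"""

# Constructed stand-in for the authorization server's token store (step 4):
# opaque token value -> owner, client and expiry as a Unix timestamp.
NOW = 1_700_000_000
ISSUED_TOKENS = {"tok-constructed-1": {"user": "jdoe", "client": "mobileapp",
                                       "expires": NOW + 3600}}


def guarded_methods(web_xml):
    """servlet-name -> HTTP methods guarded by an OAuth filter; {"*"} when
    the filter declares no http-method (assumption: it then guards all)."""
    root = ET.fromstring(web_xml)
    filters = {}
    for f in root.findall("filter"):
        if f.findtext("filter-class", "").strip() != OAUTH_FILTER:
            continue
        methods = {p.findtext("param-value", "").strip().upper()
                   for p in f.findall("init-param")
                   if p.findtext("param-name", "").strip() == "http-method"}
        filters[f.findtext("filter-name", "").strip()] = methods or {"*"}
    guarded = {}
    for m in root.findall("filter-mapping"):
        name = m.findtext("filter-name", "").strip()
        if name in filters:
            servlet = m.findtext("servlet-name", "").strip()
            guarded.setdefault(servlet, set()).update(filters[name])
    return guarded


def introspect(token, now):
    """Step 4: ask the (constructed) authorization server about the token."""
    info = ISSUED_TOKENS.get(token)
    return None if info is None or now >= info["expires"] else info


def authorize(web_xml, servlet, method, headers, now):
    """'pass' when no OAuth filter guards this servlet/method, 'allow' for a
    valid Bearer token, otherwise 'missing_token' or 'invalid_token' (401)."""
    methods = guarded_methods(web_xml).get(servlet, set())
    if "*" not in methods and method.upper() not in methods:
        # caveat: a filter declared for get alone leaves POST etc. unguarded
        return "pass"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "missing_token"
    return "allow" if introspect(auth[len("Bearer "):], now) else "invalid_token"
```

The "pass" result for methods the filter is not declared for is the check worth running against your own web.xml: every method a protected servlet accepts needs a filter that guards it.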
Week 2 Unit 5: Securing SAP HANA Native Services Part 1
Securing Native Services Part 1: Using XS on Cloud Platform
[Diagram: within your HCP account, a user calls a REST/OData API served by XS on a dedicated or shared SAP HANA instance on Cloud Platform.]
Securing Native Services Part 1: User authentication and propagation
[Diagram: the user logs in via SAML at the Identity Provider (IdP), which handles authentication & SSO; the authenticated identity is then propagated to the XS API (dedicated or shared) within your HCP account on Cloud Platform.]
Securing Native Services Part 1: Focus of Units 5 and 6
[Diagram: the same scenario; Units 5 and 6 focus on the identity propagation step from the application to the XS API.]
Securing Native Services Part 1: Identity propagation between HTML5/Java and XS
[Diagram: in your HCP account, the HTML5 or Java app calls the XS API through an HTTP destination whose authentication type is App2AppSSO (application-to-application SSO); the XS API authenticates the propagated identity via SAML.]
Securing Native Services Part 1: Trust setup
[Diagram: the local service provider of your HCP account is registered in XS as a trusted SAML identity provider, so that the SAML assertion sent through the App2AppSSO (application-to-application SSO) HTTP destination is accepted by the XS API.]
Securing Native Services Part 1: User management
[Diagram: with dynamic user creation enabled, XS creates a DB user for an identity asserted by the trusted SAML identity provider through the App2AppSSO (application-to-application SSO) HTTP destination.]
Securing Native Services Part 1: Configuration steps of the end-to-end scenario
Unit 5 (Part 1):
- Configure the local service provider for HTML5 apps
- Set up trust in XS to the HTML5 local service provider
- Enable dynamic user creation in XS
Unit 6 (Part 2):
- Configure HTTP destination for application-to-application SSO
- Configure SAML in XS
- Test the scenario
Securing Native Services Part 1: What you've learned in this unit
- How to build Cloud Platform applications using HTML5 and XS
- The difference between authentication and propagation of a user's identity
- Configuration of trust between HTML5 and XS as a prerequisite for secure identity propagation
Securing Native Services Part 1: Further reading
Additional material: http://scn.sap.com/community/developer-center/cloudplatform/blog/2016/03/21/principal-propagation-betweenhtml5-and-sap-hana-xs-on-sap-hana-cloud-platform
Week 2 Unit 6: Securing SAP HANA Native Services Part 2
Securing Native Services Part 2: Identity propagation scenario
[Diagram: the user logs in via SAML at the Identity Provider (IdP), which handles authentication & SSO; the identity is propagated to the XS API (dedicated or shared) within your HCP account on Cloud Platform.]
Securing Native Services Part 2: What we did in Part 1
[Diagram: the local service provider of your HCP account is trusted as SAML identity provider in XS, and dynamic user creation yields an XS DB user for the propagated identity.]
Securing Native Services Part 2: What we will do in Part 2
[Diagram: on top of the trust and dynamic user creation from Part 1, an HTTP destination with authentication type App2AppSSO (application-to-application SSO) is added, through which the app calls the XS API with SAML.]
Securing Native Services Part 2: What you've learned in this unit
- How to configure a destination to propagate the user's identity from HTML5 to XS
- How to configure SAML in XS to support identity propagation from HTML5
- How to test the scenario end-to-end
Securing Native Services Part 2: Further reading
Additional material: http://scn.sap.com/community/developer-center/cloudplatform/blog/2016/03/21/principal-propagation-betweenhtml5-and-sap-hana-xs-on-sap-hana-cloud-platform