Principal Propagation in SAP NetWeaver

Published: March 9, 2013
Principal Propagation in SAP NetWeaver Process Integration 7.1

SAP Regional Implementation Group
SAP NetWeaver Product Management
December 2007

SAP NetWeaver Process Integration 7.1


Agenda

1. Introduction
2. Principal Propagation for SAP NW 7.0
3. Web Service Security and SAML
4. Principal Propagation for SAP NW 7.1


Principal Propagation Concept

Goal:
- Securely pass the identity of user ‘U’ across SAP PI to receiver system
- Run the receiver application under the same identity as the sender application

Benefits:
- Dynamic configuration at the PI receiver channel
- Permissions of the receiver application are checked against the original user
- User can be audited in receiver system

[Figure: Sender Application running as User U in the Sender System sends message M through PI to the Receiver Application in the Receiver System, which also runs as User U]

Authentication as of today, shown with the XI 3.0 protocol as an example. Communication paths are statically configured in the following sense:

- Sender to IS: For Java proxies, an XI-internal configured connection is always used. For ABAP proxies, the communication path is configured globally as an SM59 HTTP destination, where the credentials (user/password or certificate) are usually stored within the destination. Nevertheless, it is possible to configure the destination to use the actual application user for logging on to the IS.

- IS to receiver: In the XI directory, a set of receiver channels with static connection attributes and user credentials, similar to SM59 destinations, is configured. In each channel, user credentials must be defined for logging on to the receiver system. On message execution, one channel is dynamically selected from this set depending on the actual message properties and the configuration rules.

This configuration model has the following weaknesses with respect to user credentials:

- Sender to IS: Individual applications or individual messages cannot use separately configured users for logging on to the IS, but depend on the globally configured connection (Java proxies) or destination (ABAP proxies) in the sender system.

- Sender to IS: When application users are propagated to the IS (ABAP proxies only), each application user must be maintained with the corresponding execution rights in the IS.

- IS to receiver: Application users from the sender application can never be propagated by the IS to the receiver application, as the users for logging on to the receiver system are statically configured in the IS's receiver channels.

Principal propagation means the ability to forward the user context of a message unchanged from the sender to the receiver. It enables authentication of a message in the receiver system with the same user that issued the message in the corresponding sender system. Thus, the receiver application is virtually part of the sender application, and the permissions and audit functions of the receiver application can be applied to the original user of the sender application.

Principal propagation is supported by the following adapters:
- XI (for both ABAP and Java proxies)
- SOAP
- RFC
- WS-RM

Benefit of Principal Propagation
- Enabling the XI 3.0 protocol and the new web service protocol (in the mediated scenario) to securely propagate the identity of the subject running in the sender/WS consumer application to the receiver/WS provider system, so that the inbound proxy/web service on the receiver/WS provider system executes under the same identity as the sender/WS consumer application.
- For NW 04/04s: a lean/quick solution based on the SAP logon ticket/SAP assertion ticket.
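The following simulation, added here and not part of the SAP slides, shows the difference between the two models described above: a statically configured receiver channel, where the receiver only ever sees the technical channel user, and principal propagation, where the sender system issues a signed assertion naming the original user and the integration server forwards it unchanged. The HMAC-signed JSON assertion is an assumed stand-in for an SAP assertion ticket or SAML assertion; the user names, permissions, secret and channel credentials are constructed sample data, and the trust relationship assumed is a shared key between sender and receiver system that the intermediary does not hold.

```python
"""Added illustration, not SAP code: one message travels sender -> PI -> receiver,
once with statically configured receiver-channel credentials and once with the
original user's identity propagated in a signed assertion that PI forwards
unchanged. The HMAC-signed JSON assertion is an assumed stand-in for an SAP
assertion ticket or SAML assertion; all users, secrets and permissions below
are constructed sample data."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed: secret shared by the sender and receiver systems. PI never holds
# it, so it can forward an assertion but cannot issue or alter one.
SENDER_RECEIVER_KEY = b"constructed-shared-secret"
# Constructed: the technical user stored in the static PI receiver channel.
STATIC_CHANNEL = {"user": "PI_SERVICE", "password": "constructed-channel-pw"}
# Constructed: receiver-side user store and authorizations.
RECEIVER_USERS = {"PI_SERVICE": "constructed-channel-pw"}
RECEIVER_PERMISSIONS = {"PI_SERVICE": {"APP.READ", "APP.WRITE"}, "U": {"APP.READ"}}


@dataclass
class Message:
    payload: dict
    headers: dict = field(default_factory=dict)


def issue_assertion(user: str, key: bytes, issued_at: int, ttl: int = 300) -> str:
    """Sender system: sign a short-lived assertion naming the original user."""
    body = json.dumps({"sub": user, "iat": issued_at, "exp": issued_at + ttl}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(token: str, key: bytes, now: int) -> Optional[str]:
    """Receiver system: accept only an untampered, unexpired assertion."""
    if "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if not claims["iat"] <= now < claims["exp"]:
        return None
    return claims["sub"]


def tamper_subject(token: str, new_user: str) -> str:
    """Rewrites the subject without the key (what an intermediary without the
    secret could do at most); used only to show the receiver rejects it."""
    body, sig = token.rsplit(".", 1)
    claims = json.loads(body)
    claims["sub"] = new_user
    return json.dumps(claims, sort_keys=True) + "." + sig


def sender_send(user: str, action: str, now: int, propagate: bool) -> Message:
    """Sender application running as `user` hands a message to PI."""
    msg = Message(payload={"action": action})
    if propagate:
        msg.headers["assertion"] = issue_assertion(user, SENDER_RECEIVER_KEY, now)
    return msg


def pi_route(msg: Message, propagate: bool) -> Message:
    """Integration server: the static channel supplies its own credentials;
    with principal propagation the sender's assertion is forwarded untouched."""
    out = Message(payload=dict(msg.payload))
    if propagate:
        out.headers["assertion"] = msg.headers["assertion"]
    else:
        out.headers.update(basic_user=STATIC_CHANNEL["user"],
                           basic_password=STATIC_CHANNEL["password"])
    return out


class ReceiverSystem:
    def __init__(self) -> None:
        self.audit: List[Tuple[str, Optional[str], str]] = []

    def process(self, msg: Message, now: int) -> str:
        action = msg.payload["action"]
        if "assertion" in msg.headers:
            user = verify_assertion(msg.headers["assertion"], SENDER_RECEIVER_KEY, now)
        else:
            u = msg.headers.get("basic_user")
            pw = msg.headers.get("basic_password", "")
            user = u if u in RECEIVER_USERS and hmac.compare_digest(RECEIVER_USERS[u], pw) else None
        if user is None:
            self.audit.append(("REJECT", None, action))
            return "rejected"
        # Authorization and the audit trail both refer to whichever identity arrived here.
        allowed = action in RECEIVER_PERMISSIONS.get(user, set())
        self.audit.append(("ALLOW" if allowed else "DENY", user, action))
        return f"{'ok' if allowed else 'denied'} as {user}"


def run_scenario(propagate: bool, action: str = "APP.WRITE", now: int = 1_700_000_000):
    """User U (who holds only APP.READ in the receiver) triggers `action` through PI."""
    receiver = ReceiverSystem()
    result = receiver.process(pi_route(sender_send("U", action, now, propagate), propagate), now)
    return result, receiver.audit


if __name__ == "__main__":
    print("static channel     :", run_scenario(False))
    print("propagated identity:", run_scenario(True))
```

With the static channel, U's write request succeeds and is audited as `PI_SERVICE`, because the receiver's permission check and audit log can only refer to the channel user. With the identity propagated, the same request is checked and logged against U and is denied, since U holds only `APP.READ`; an assertion whose subject was rewritten without the key, or one presented after its validity window, is rejected outright.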
