Principal Propagation in SAP NetWeaver Process Integration 7.1
SAP Regional Implementation Group
SAP NetWeaver Product Management
December 2007
SAP NetWeaver Process Integration 7.1
Agenda
1. Introduction
2. Principal Propagation for SAP NW 7.0
3. Web Service Security and SAML
4. Principal Propagation for SAP NW 7.1
Principal Propagation Concept
Goal:
- Securely pass the identity of user ‘U’ across SAP PI to the receiver system
- Run the receiver application under the same identity as the sender application
Benefits:
- Dynamic configuration at the PI receiver channel
- Permissions of the receiver application are checked against the original user
- User can be audited in the receiver system
[Diagram: Sender System (Sender Application, User U) → M → PI → M → Receiver System (Receiver Application, User U)]
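The two benefits above (permission checks and auditing against the original user) can be seen in a small model that contrasts a receiver channel logging in with a fixed service user against one that propagates user U. This is an added example, not SAP code: the names `PI_SERVICE`, `OTHER_USER`, the action names and the HMAC tag standing in for the trust relationship between PI and the receiver are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: receiver-side permissions and a key shared by PI and
# the receiver (HMAC stands in for the real trust mechanism; an assumption).
TRUST_KEY = b"constructed-demo-key"
PERMISSIONS = {"PI_SERVICE": {"read_order", "create_order"}, "U": {"read_order"}}


def pi_forward_static(sender_user, action):
    """Static channel: the sender's user is dropped, the stored user logs in."""
    return {"login_user": "PI_SERVICE", "action": action}


def pi_forward_propagated(sender_user, action):
    """Propagation: PI vouches for the original user with a keyed tag."""
    tag = hmac.new(TRUST_KEY, sender_user.encode(), hashlib.sha256).hexdigest()
    return {"login_user": "PI_SERVICE", "asserted_user": sender_user,
            "assertion_tag": tag, "action": action}


def receiver_execute(message, audit_log):
    """Receiver: choose the effective user, check permissions, write the audit log."""
    effective = message["login_user"]
    if "asserted_user" in message:
        expected = hmac.new(TRUST_KEY, message["asserted_user"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("assertion_tag", "")):
            audit_log.append(("rejected", message["asserted_user"], message["action"]))
            return False
        effective = message["asserted_user"]
    allowed = message["action"] in PERMISSIONS.get(effective, set())
    audit_log.append(("allowed" if allowed else "denied", effective, message["action"]))
    return allowed


def demo():
    log = []
    static_ok = receiver_execute(pi_forward_static("U", "create_order"), log)
    propagated_ok = receiver_execute(pi_forward_propagated("U", "create_order"), log)
    altered = pi_forward_propagated("U", "read_order")
    altered["asserted_user"] = "OTHER_USER"  # identity changed in transit, tag mismatch
    altered_ok = receiver_execute(altered, log)
    return static_ok, propagated_ok, altered_ok, log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

With the static channel the request succeeds under the service user's permissions and the audit log names only `PI_SERVICE`; with propagation the same request is denied and logged against `U`.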
Authentication today, shown using the XI 3.0 protocol as an example
– Communication paths are statically configured in the following sense:
- Sender to IS: For Java proxies, a connection configured internally by XI is always used. For ABAP proxies, the communication path is configured globally as an SM59 HTTP destination, and the credentials (user/password or certificate) are usually stored within the destination. It is nevertheless possible to configure the destination to log in to the IS as the actual application user.
- IS to receiver: In the XI directory, a set of receiver channels is configured with static connection attributes and user credentials, similar to SM59 destinations. However, in each channel, user credentials must be defined for logging in to the receiver system. On message execution, a certain channel is dynamically