05 Sso Miis Mom
Transcript of 05 Sso Miis Mom
8/13/2019 05 Sso Miis Mom
Identity Management, Single Sign On, Operations
Tilo Boettcher, Snr. Program Manager, Microsoft [email protected]
Introduction
Identity Management
Single Sign On
Operations using System Center Operations Manager
What the user has
[Diagram: PC user with a separate logon for each application: ERP, CRM, ESS, Groupware, Intranet, Workflow, Internet, ...]
What the user wants
[Diagram: PC user with one logon, then access to ERP, CRM, ESS, Groupware, Intranet, Workflow, Internet, ...]
What the administrator wants
Central user management
Single point of administration
Assign user rights in various applications with one keystroke
Lock or Delete users centrally
Central user repository
Avoid redundant user information
Identity Management
Introduction
Single Sign On
Operations using System Center Operations Manager
User Management integration w/o MIIS using SAP standard interfaces
[Diagram components: SAP NetWeaver (Enterprise Portal, UME, SAP Web AS ABAP, CUA); mySAP Business Suite and SAP R/3 (HR, CRM, ERP, R/3); Microsoft Active Directory on Microsoft Windows Server. Legend: user store, LDAP synchronisation]
Data export from mySAP HR using LDAP interface
[Diagram labels: SAP HR (WebAS >= 6.10); extraction of employee data (personnel number, first name, last name, ...); mapping of SAP data field -> LDAP attribute; RFC, LDAP (=4.7); create / update users in Active Directory with user attributes cn, sn, givenName, ...]
DEMO: SAP UME over MS ADS
[Diagram labels: SAP EP 6.0; Microsoft Active Directory (LDAP); SAP ECC 5.0; user; login over MS ADS; SSO login into ERP; Sales, HR]
SAP LDAP user synchronisation
SAP ABAP user management data can be synchronized with an LDAP directory with systems based on WebAS 6.10 or higher
SAP Systems with Release 4.5 and higher can be integrated into LDAP using CUA
LDAP directory interface provides mapping capabilities of LDAP attributes and SAP data fields
SAP User synchronisation and distribution can be performed by background jobs
[Diagram labels: CUA on WebAS (mandatory for 4.5 & 4.6, optional for 4.7 and higher); LDAP; ALE; LDAP (4.7 and higher)]
Result of SAP user LDAP sync.
User is created / updated with basic user data from LDAP directory
First Name
Last Name
eMail
Roles (optional)
Users are created without password
Passwords are not needed if SSO using SAP Logon Tickets is used
No security risk since users cannot log on without using SSO via Enterprise Portal using an initial password
Identity Management using MIIS in a Microsoft Environment
SAP Standard Interfaces
SAP Web AS ABAP: LDAP Synchronisation with Active Directory
SAP Web AS JAVA: Support of LDAP Directories (Active Directory) as user store
SAP HR: LDAP Interface HR Data Retrieval in a LDAP Enabled Directory Service
Microsoft Identity Integration Server
MIIS 2003 SP1 SAP Management Agent
MIIS will get additions with Identity Lifecycle Manager ILM 2007 soon
http://www.microsoft.com/windowsserver/ilm2007/default.mspx
MIIS 2003 SP1: SAP Agent
Goals
Use supported SAP interfaces (SAP certification in progress)
Don't require reconfiguration of SAP
Support default configurations out of the box
Make it possible to use any BAPI on the SAP application server that can be called remotely
Use SAP technology to connect directly to SAP
Leverage SAP security infrastructure
Eliminate manual file creation processes
Scenarios
Employees as authoritative data for provisioning
Feed updated email, user ID attributes back to SAP
Provision and manage SAP HR/CUA users
User Management integration with MIIS
SAP is the example connected data source
BAPIs (a set of APIs for interacting with SAP) are used for import and export
The SAP Management Agent is built using an easy-to-use set of .NET interfaces
Import employees, users, customers
Export users, updates to employees and customers
[Diagram labels: MIIS Server (Provisioning, Deprovisioning, Synchronization, Password Synch., Users, Customers, Employees); MIIS Sync Engine; SAP MA; File MA; SAP BAPI; BAPI Export]
MIIS usage
User Management integration with MIIS
[Diagram components: SAP NetWeaver (Enterprise Portal, UME, SAP Web AS ABAP, CUA); mySAP Business Suite and SAP R/3 (HR, CRM, ERP, R/3); Microsoft Active Directory on Microsoft Windows Server; MIIS. Legend: user store, provisioning, data extraction]
Single Sign On
Introduction
Identity Management
Operations using System Center Operations Manager
SAP EP: SSO to SAP backend applications
[Diagram: after the initial logon, the SAP Logon Ticket is passed to SAPGUI for Windows, SAP Web AS (WebDynpro, BSP pages) and SAP ITS (SAPGUI for HTML)]
SSO SAP Logon Tickets
Portal Server issues an SAP logon ticket to a user after successful initial authentication
SAP logon ticket is stored as a per-session cookie on the client browser
SAP logon ticket is used to authenticate user to applications
User gets access to multiple applications and services
After initial logon no further user logons required
SAP logon tickets contain user name(s)
SAP Logon Ticket is signed using digital signatures
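The ticket flow on this slide, as an added example that is not from the original deck and does not reproduce the real SAP logon ticket format: a portal signs a ticket carrying the user name, and a backend accepts it only if the signature verifies against the trusted portal key. The Ed25519 key pair, the JSON layout, the cookie name DEMO_TICKET and all function names are assumptions for illustration.

```javascript
// Added illustration: a simplified signed-ticket flow, not the real SAP logon ticket format.
const crypto = require("crypto");

// Portal signing key pair, constructed for this example. Backends get only the public key.
const portal = crypto.generateKeyPairSync("ed25519");

// Portal side: issue a ticket after successful initial authentication.
function issueTicket(userName, privateKey, lifetimeSec = 8 * 3600, nowMs = Date.now()) {
  const claims = { user: userName, issuer: "PORTAL", exp: Math.floor(nowMs / 1000) + lifetimeSec };
  const body = Buffer.from(JSON.stringify(claims), "utf8");
  const sig = crypto.sign(null, body, privateKey); // Ed25519 takes no separate digest
  return body.toString("base64url") + "." + sig.toString("base64url");
}

// Backend side: return the user name only if the signature verifies against the
// trusted portal key and the ticket has not expired; otherwise return null.
function verifyTicket(ticket, trustedPublicKey, nowMs = Date.now()) {
  const parts = String(ticket).split(".");
  if (parts.length !== 2) return null;
  const body = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");
  let ok = false;
  try { ok = crypto.verify(null, body, trustedPublicKey, sig); } catch { ok = false; }
  if (!ok) return null; // never parse claims from an unverified ticket
  let claims;
  try { claims = JSON.parse(body.toString("utf8")); } catch { return null; }
  if (!claims || typeof claims.user !== "string" || typeof claims.exp !== "number") return null;
  if (claims.exp <= Math.floor(nowMs / 1000)) return null;
  return claims.user;
}

// Session cookie: no Expires/Max-Age, so the browser drops it when the session ends.
// Secure and HttpOnly keep the ticket off plain HTTP and away from page scripts.
function ticketCookie(ticket) {
  return `DEMO_TICKET=${ticket}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed demo: a valid ticket is accepted, an edited user name is rejected.
function demo() {
  const ticket = issueTicket("jdoe", portal.privateKey);
  const [, sig] = ticket.split(".");
  const edited = Buffer.from('{"user":"other","issuer":"PORTAL","exp":9999999999}').toString("base64url");
  return { valid: verifyTicket(ticket, portal.publicKey), edited: verifyTicket(edited + "." + sig, portal.publicKey) };
}
console.log(demo()); // { valid: 'jdoe', edited: null }
```

Because every backend trusts whatever the portal key signs, the private key and the list of trusted issuer keys are the assets to protect and audit.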
SAP EP: Authentication Methods
Initial Logon Procedure
Authentication methods
User ID / password
LDAP Directory (for example Active Directory)
Portal Database
SAP System
X.509 digital certificates
Third-party authentication
Integrated Windows authentication
SAP authentication (SAP Web AS or R/3)
Others through JAAS interface (pluggable JAAS login modules, e.g. RSA)
SAP EP: SSO to SAP and MS backend applications
[Diagram labels: User (Windows Workstation); SSO or Authentication; SAP NetWeaver - Portal Framework (SAP Enterprise Portal); Microsoft Windows Server with IIS and Microsoft Active Directory (Authentication, Identify user); SAP Kerberos Ticketing Bridge (Kerberos Ticket, SAP Logon Ticket); SAP Logon Ticket to mySAP Business Suite and SAP R/3]
Operations using System Center MOM
Introduction
Identity Management
Single Sign On
System Center Operations Manager
9,000+ customers
Award Winning Capabilities:
Windows IT Pro 2005 Readers' Choice Winner
Proven Infrastructure Management
Proven Partner MPs
Strong Product Roadmap
MOM: Analyst Momentum
Gartner: Companies considering a management tool for their Windows centric server environment should definitely place MOM 2005 on their evaluation list.
David Coyle, April 05
Forrester: With the release of MOM 2005, Microsoft has made important improvements to the product - it is set to become the No. 1 or No. 2 player in the Windows server platform management market within the next three years.
Thomas Mendel, Sept 04
IDC
Sept 05 numbers show MOM growing at 5x the market rate:
Windows Perf Mgmt growing @ 13% yr/yr growth
MOM growing at @ 60% yr/yr
Horizon for SAP - Tidal Software
What does Horizon do? SAP Monitoring in MOM
Automates SAP Performance Management through Expert-in-a-Box technology, modeled on the same processes used by expert SAP Basis Administrators
Uses MOM Reporting to deliver extensive SLA Reporting: trend and track SAP service to the business
Automates manual repetitive tasks
How does Horizon add Value?
Reduces cost and increases effectiveness of SAP administration and operation
Automates many routine tasks performed by SAP Basis Administrators
Informs administrators of impending issues before customers call for help.
Faster diagnosis of transient outages with Snap Shot monitoring
Reduced number of experts required to diagnose complex multi-tier problems
Automates creation and distribution of Service Level reporting for management and operations
Embedded SAP best practices make junior administrators more experienced, offload Basis work to Operations, and improve quality of after hours coverage
DEMO: System Center MOM
SAP NetWeaver 2004s
Microsoft System Center Operations Manager
No Agent needed: Use of WS-Management
www.microsoft-sap.com