The benefits of Principal Propagation based on SAML in SAP NetWeaver SOA Middleware – Process Integration 7.1
By Julia Doll, SAP NetWeaver Product Management – SOA Middleware
In a typical B2B scenario the messages travel outside the company; in other scenarios they cross different domains within one company. Wherever they go, there are points along the message transit that cannot be assumed to be safe.
Security is as important as high availability, performance and high workloads in a middleware system, so several open standards are implemented to protect the message exchange. SAP NetWeaver SOA Middleware supports, among others, WS-Security, WS-SecurityPolicy, WS-Trust and WS-SecureConversation. Another important feature is Principal Propagation based on SAML, which is described in this blog.
Principal Propagation works much like a single sign-on procedure. The user logs on to a sender system with user name and password; those credentials are checked there, and the user's authenticated identity (not the password itself) is forwarded to the receiver system by SAP NetWeaver SOA Middleware – Process Integration 7.1, which acts as a trusted broker, or middle party, in the communication. This is shown in the figure below.
From then on, the logon to the receiver system happens automatically, without the receiver ever holding the user's password, as long as the receiver trusts SAP NetWeaver SOA Middleware – PI and PI has validated the credentials presented by the sender. The open standard that provides this for Web Services is SAML (Security Assertion Markup Language), which also gives guidelines for its implementation. In SAML the user's identity and authentication status are passed from the sender to the receiver as signed assertion tokens; the receiver verifies that the assertion was issued by a trusted party and is still valid, maps the asserted name to a local account, and logs the user on based on that identity. This makes it easier to integrate several systems with different groups of users.
SAML is one of the token types used by the Web Services Security standard (WS-Security), which provides message-level security for SOAP messages by building on existing standards: XML Signature, XML Encryption, X.509 certificates, SAML and Kerberos security tokens. WS-Security adds security information to the SOAP message header for every recipient and thereby provides end-to-end security: unlike transport-level security (SSL/TLS), which protects only one hop and ends at every intermediary, the protection travels with the message itself. The single sign-on offered by WS-Security is based on security tokens such as SAML assertions.
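The propagation flow described above (sender authenticates the user, PI issues an assertion, receiver validates it) and the WS-Security header that carries the assertion can be modelled in a few lines. The following is an added example, not SAP's code: it uses a keyed hash (HMAC) as a stand-in for the XML Signature a real PI-issued assertion carries, and the user names, the issuer name `pi71-broker` and the keys are constructed for the demo. It shows the checks the receiver must make (trusted issuer, intact signature, validity window, known account) and what gets rejected when one of them fails.

```python
"""Toy model of SAML-based principal propagation through a trusted broker (PI). Added
example, not SAP code: an HMAC stands in for XML Signature; names, keys, users are made up."""
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

SENDER_USERS = {"jdoll": "s3cret-pw"}         # constructed; only the sender checks passwords
BROKER_ISSUER = "pi71-broker"                  # hypothetical name for the trusted middle party
BROKER_KEY = b"broker-signing-key"             # stands in for the broker's private signing key
RECEIVER_TRUST = {BROKER_ISSUER: BROKER_KEY}   # the receiver's list of trusted issuers
RECEIVER_USERS = {"jdoll", "admin"}            # accounts that exist on the receiver
T0 = datetime(2009, 1, 1, tzinfo=timezone.utc)

def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")    # ISO-8601 UTC, so strings sort chronologically

def _signed_fields(issuer, subject, aid, nb, noa):   # everything the receiver relies on
    return "|".join([issuer, subject, aid, nb, noa]).encode()

def sender_authenticate(user, password):
    """Step 1: the password is checked at the sender and never leaves it."""
    return hmac.compare_digest(SENDER_USERS.get(user, "").encode(), password.encode())

def broker_issue_assertion(subject, now, lifetime_s=300, issuer=BROKER_ISSUER, key=BROKER_KEY):
    """Step 2: the broker asserts the already-authenticated identity; no password inside."""
    aid, nb, noa = "_" + uuid.uuid4().hex, _fmt(now), _fmt(now + timedelta(seconds=lifetime_s))
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": aid, "Version": "2.0", "IssueInstant": nb})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": nb, "NotOnOrAfter": noa})
    mac = hmac.new(key, _signed_fields(issuer, subject, aid, nb, noa), hashlib.sha256)
    ET.SubElement(a, f"{{{DS}}}Signature").text = mac.hexdigest()
    return a

def wrap_in_soap(assertion, body_text):
    """Step 3: carry the assertion in wsse:Security so it survives every hop (message-level)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security").append(assertion)
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "Request").text = body_text
    return ET.tostring(env, encoding="unicode")

def receiver_validate(envelope_xml, now):
    """Step 4: the receiver logs the subject in from the assertion alone; ValueError names the check."""
    root = ET.fromstring(envelope_xml)
    a = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion")
    if a is None:
        raise ValueError("no SAML assertion in wsse:Security header")
    issuer = a.findtext(f"{{{SAML}}}Issuer", "")
    key = RECEIVER_TRUST.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer {issuer!r}")
    subject = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID", "")
    cond = getattr(a.find(f"{{{SAML}}}Conditions"), "attrib", {})
    nb, noa = cond.get("NotBefore", ""), cond.get("NotOnOrAfter", "")
    mac = hmac.new(key, _signed_fields(issuer, subject, a.get("ID", ""), nb, noa), hashlib.sha256)
    if not hmac.compare_digest(mac.hexdigest().encode(), a.findtext(f"{{{DS}}}Signature", "").encode()):
        raise ValueError("signature invalid: assertion tampered with or signed with the wrong key")
    if not (nb <= _fmt(now) < noa):
        raise ValueError("assertion outside its validity window")
    if subject not in RECEIVER_USERS:
        raise ValueError(f"subject {subject!r} unknown on the receiver")
    return subject

def propagate(user, password, now, payload="order 4711"):
    """Whole flow sender -> broker -> receiver; returns the identity the receiver accepts."""
    if not sender_authenticate(user, password):
        raise ValueError("sender rejected the password")
    return receiver_validate(wrap_in_soap(broker_issue_assertion(user, now), payload), now)

def tamper_subject(envelope_xml, new_subject):
    """An intermediary rewriting NameID after the broker signed the assertion."""
    root = ET.fromstring(envelope_xml)
    root.find(f".//{{{SAML}}}NameID").text = new_subject
    return ET.tostring(root, encoding="unicode")

def _outcome(fn):
    try:
        return fn()
    except ValueError as e:
        return "rejected: " + str(e)

def run_scenarios():
    """Happy path plus the failure modes a receiver must reject."""
    good = wrap_in_soap(broker_issue_assertion("jdoll", T0), "order 4711")
    rogue = wrap_in_soap(broker_issue_assertion("jdoll", T0, issuer="rogue", key=b"x"), "x")
    cases = {
        "ok": lambda: propagate("jdoll", "s3cret-pw", T0),
        "bad_password": lambda: propagate("jdoll", "wrong", T0),
        "tampered": lambda: receiver_validate(tamper_subject(good, "admin"), T0),
        "expired": lambda: receiver_validate(good, T0 + timedelta(seconds=301)),
        "rogue_issuer": lambda: receiver_validate(rogue, T0),
    }
    return {name: _outcome(fn) for name, fn in cases.items()}
```

`run_scenarios()` is the entry point; it returns `jdoll` for the happy path and a `rejected: ...` reason for the wrong password, the rewritten subject, the expired assertion and the untrusted issuer. Two points carry over to a real deployment: the password appears nowhere in the SOAP envelope, and every field the receiver acts on (issuer, subject, ID, validity window) must be covered by the signature, otherwise an intermediary can rewrite it unnoticed.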
The following is the overview of the different Security standards supported by SAP NetWeaver: