On-Premise User Connector for SAP Cloud Applications
SAP Cloud Platform provides basic authentication and authorization services to applications running on the platform. For more information, see Securing Applications. In terms of authentication, the primary mechanism supported in SAP Cloud Platform is Security Assertion Markup Language (SAML) 2.0. If you use SAML 2.0, SAP Cloud Platform acts as a service provider (SP), and an external system acts as an identity provider (IDP). By default, any application running on SAP Cloud Platform can use SAP ID service as an identity provider. This means that any user registered in SAP Community Network (SCN) can be authenticated by SAP ID service and use the application. This can be very convenient for applications that target the SCN members. However, for applications targeting corporate business users which do not have SCN accounts, this will require creation of user accounts in SCN.
Alternatively, companies can use an IDP located in their corporate network. SAP provides its own IDP. For more information about the SAP IDP, see SAP Single Sign-On. This IDP can have direct access to the users’ identity information. The limitation in this case is that users can authenticate with the on-premise IDP when they are in the corporate network only.
SAP Cloud Platform provides a user management API (UM API) to applications since they need to access user identity information. At the moment, the application can access identity information about the currently logged-in user only. However, most business applications require searching of users by different criteria and the retrieval of user details.
Thus we have the following new requirements:
- Users should be able to authenticate outside the corporate network.
- Applications should be able to search for users and retrieve their details.
To satisfy these requirements, an on-premise user connector can be used. For the applications, the use of this connector is transparent. They use the same UM API to check credentials, to search for users, or to retrieve user details. The calls to the UM API lead to requests to an on-premise SAP Single Sign-On (SSO) system. These requests are sent through a secure tunnel established using SAP Cloud connector.
The authorization model in SAP Cloud Platform is based on the Java EE authorization model. The developers of Web and EJB modules can define roles in their deployment descriptors. The authorization checks can be declarative (defined in the deployment descriptor) or programmatic (implemented in the application code). The SAP Cloud Platform allows assignment of roles to individual users or to groups of users. When the on-premise user connector is used, the groups maintained in the on-premise system are automatically propagated to SAP Cloud Platform. The group information can be used to simplify the role assignment process. Application roles can be assigned to a group and then all group members have the same access rights for an application. This also allows control of user permissions directly from the on-premise system by changing the group membership.
In this example, a sample leave request application is running in SAP Cloud Platform. The application is accessed both from inside and from outside the corporate network using a desktop or a mobile client. In the SAP SSO system, each user is a member of one of the following groups: Employees, Managers, Partners, or Auditors. While the members of the groups Employees and Managers are internal, the members of the groups Partners and Auditors are external. Only internal members are authorized to use the leave request application.
Michael is an employee and would like to request leave. He is not in the office and has no access to the corporate network. One possibility for him is to request his leave using his mobile device. When he accesses the leave request application and enters his corporate username and password, SAP Cloud Platform validates the credentials against the SAP SSO system. After successful authentication, he can request his leave.
The manager Denise is also out of the office, but she receives notifications about submitted leave requests on her mobile device. Denise has a corporate mobile device with a client certificate installed on it. This certificate is issued by the on-premise SAP SSO system, and is mapped to her user in this system. After she receives Michael’s request, Denise accesses the leave request application using her client certificate to authenticate. SAP Cloud Platform validates the certificate against the on-premise SAP SSO system and authenticates her. Denise is recognized as a manager based on her group assignment in the on-premise system. She wants to check which employees from her team are on vacation that day. To allow her to do so, the leave request application searches for employees from her team by using the UM API. This results in a call to the SAP SSO system where the information about the organizational structure is available. Denise finds that there are sufficient employees for the day and approves the request. Finally, Michael is notified about his manager’s approval.
To test this scenario, you can install the Android 4 application (.apk file) and the respective certificate (.p12 file) from the following page: http://wiki.sdn.sap.com/wiki/x/nYPzEg.