Carlos Roggan

SAP BTP: Security Glossary

Dear Community,
Just as I felt the need to collect terms and abbreviations and their meanings from the huge and complex area of security, I feel I should share the list with you, as you might have the same need.
It is like:
-> Read ABC anywhere
-> forgot the meaning (again)
-> look it up (again)
-> luckily bookmarked this helpful blog post in the SAP Community…

The list below is obviously far from complete, professional or official.
Nor are the links officially approved, so use them at your own risk.
In the end, it is just my personal list, which I’m sharing with you.
The terms are loosely grouped according to my feeling, so better use CTRL+F to find your search term.
Please don’t hesitate to contact me for improvements, suggestions and additions.

OIDC

OIDC
OpenID Connect:
A protocol.
Allows web applications (= relying parties) to authenticate users with an external server (= OpenID Connect Provider).
This server typically gets user information from an identity provider (IdP), which is a database of user credentials and attribute information.
OpenID Connect forwards to a concrete IdP.
OpenID Connect (2014) is not the first standard for identity providers, but the best one in terms of usability and simplicity, as it learned the lessons from the past (SAML and OpenID).

RP
Relying Party: the client that requests an ID token

OP
OpenID Provider, OpenID Connect Provider:
Provides endpoints: authorization, token, UserInfo

OIDC tokens
Access token:
A string containing a unique secret token.
Access token has specific permissions and is used to get data from an API.
Expires soon, typically within 24 hours.
OAuth.
The access token belongs to OAuth only; it is not relevant for the OpenID authentication request.
Required for the UserInfo endpoint.
Refresh token:
A string containing a unique secret token.
The refresh token enables its bearer to request and obtain new access tokens.
These newly obtained access tokens have a subset of the permissions that the refresh token has. The refresh token never expires.
ID token:
Resembles the concept of an identity card; a standard JWT, signed by the OpenID Provider,
requested via the OAuth protocol.
Response:
Base64-encoded JSON document.
The JSON document contains access token, refresh token and ID token.
ID tokens are created and signed by OpenID Connect Providers (OP) and consumed, verified by web applications authenticating users.
The ID token contains information about how and when the user authenticated along with various attributes.
ID tokens are normally intended for sign-on, access tokens for calling protected APIs

Claims
User attributes, i.e. properties about the user, e.g. email.
Standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
See here for registered ID token claims:
https://openid.net/specs/openid-connect-core-1_0.html#IDToken

OIDC Libs
Node.js Lib: https://www.npmjs.com/package/openid-client
docu: https://github.com/panva/node-openid-client/blob/main/docs/README.md

OIDC links
OpenID spec: https://openid.net/connect/
Authentication flow:
https://infosec.mozilla.org/guidelines/iam/openid_connect.html#detailed-oidc-authentication-flow
https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc
https://developers.onelogin.com/openid-connect/samples
https://codeburst.io/how-to-implement-openid-authentication-with-openid-client-and-passport-in-node-js-43d020121e87
https://codeburst.io/openid-connect-client-by-example-76caf6dae55e
https://medium.com/@goranlisak/how-to-implement-openid-connect-authentication-flow-inside-of-an-iframe-10cf6b155c49
https://connect2id.com/learn/openid-connect
OIDC<->SAML: https://github.wdf.sap.corp/d035752/oidcnodejs/blob/master/theory.md
OIDC client impl guide: https://openid.net/specs/openid-connect-basic-1_0.html

SAML

SAML
Security Assertion Markup Language
An authentication protocol used for SSO.
Typically used for scenarios where users in big companies have to use multiple applications.
Instead of entering users/passwords for each application, they login only once, and the login is reused for each application.
Known as Single Sign-On (SSO) login standard.
We use SAML as well for Principal Propagation.
In this context, we talk as well about Identity Federation.
SAML is used in browser-based scenarios.

Entity
The involved systems are called “Entities”: Identity Provider (IdP) and Service Provider (SP).
SP
Service Provider, also called Relying Party (it relies on proper authentication by the IdP).
When login is required, the user has to perform the authentication request at the IdP.

IDP
The user authentication is handled by a central Identity Provider
The IdP issues a little document which contains the user-info (identity) and which is passed to each application.
Identity Provider is also called Asserting Party.
The IdP creates a little xml document, which is the authentication response and contains the user’s identity.

Assertion
This little xml document is also called SAML Bearer Assertion (because it is carried around, from app to app) or just token.
The token is stored in the user’s browser session and is sent to each application the user wants to access.
It is signed with an X.509 certificate.
The receiving Service Provider is able to verify the signature, because a trust relationship has been established between IdP and SP.
To establish the trust relationship, SAML supports metadata documents on both sides (IdP and SP)
Metadata contain e.g. the info about endpoints used for redirects etc.

ACS
The SP metadata contains the Assertion Consumer Service URL (ACS Endpoint).
SAML assertions are sent to this endpoint.

Advantage
Security is handled centrally: applications don’t need to store users and passwords, and users don’t need to enter a password for each app.
SAML is open standard and provides flexibility.

Disadvantage
The little xml document is quite big and causes network overhead.
Main focus is authentication.
Authorization capabilities are rather poor.

Difference to OAuth
SAML2 can be used for both authentication and (limited) authorization.
OAuth2 is an authorization framework. Authentication is not in scope.
However, OAuth2 can be enhanced (with openID) and used for SSO as well.
OAuth2 uses JWT tokens which are smaller than the xml-based SAML assertions.

Different terms for similar concepts
Service Provider (SAML) corresponds to Resource Server (OAuth).
Identity Provider (SAML) corresponds to “Authorization Server” (OAuth).
Client: browser (SAML) corresponds to (mostly) web app clients in OAuth.

SAML links
https://developers.onelogin.com/saml
https://stackoverflow.com/questions/26901368/saml-adfs-node-js-implementation-guide/36897549#36897549
https://pages.github.tools.sap/kernelservices/tutorials/identity-service-saml-nodejs/
http://www.passportjs.org/packages/passport-saml/
https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/fe3102ad92d94baa955ffa06b86d2cfa.html

OAuth

OAuth 2.0:
A framework for obtaining access tokens for protected resources

JWT

JWT
JSON Web Token
A piece of data
Designed to be compact

Structure
– Header
– Payload (JSON)
– Signature

JOSE
JavaScript Object Signing and Encryption
Framework to provide a method to securely transfer claims between parties.
The JOSE framework provides a collection of specifications to serve this purpose

JWS
JSON Web Signature
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature

JWE
JSON Web Encryption
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption

JWK
JSON Web Key
A JSON data structure that represents a cryptographic key.
Format e.g. for a provider’s public keys (RSA); spec:
https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41

JWKS
JSON web key set.
Used to store public JSON web keys

JKU
JWK Set URL
A URI that points to the location where public keys are stored:
a JSON array of JSON objects with keys.
jku is carried inside a JWT token.

Claims
Properties contained in the payload of JWT token
A statement that a subject makes about itself.

Claims list (standard)

aud
Audience
The receiver for which the token was issued.
Typically the clientid of the credentials section in env
exp
Expiration Time
iat
Issued at
iss
Issuer
jti
JWT ID
Unique identifier of the token
nbf
Not before
sub
Subject

Claims list (common)

alg
Algorithm to verify the signature of the token
cty
Content Type
kid
The key that was used to generate the signature of the token
crit
Critical
typ
Token Type

Claims list (more)

acr
Authentication Context Class Reference
amr
Authentication Methods References
azp
Authorized party – the party to which the token was issued,
i.e. the OAuth client ID of this party.
Optional claim, same as aud.
cnf
Confirmation, used in case of mTLS

See here for registered public claims:
https://www.iana.org/assignments/jwt/jwt.xhtml

Certificates

CA
Certification Authority

DSIG
Digital Signature

HSM
Hardware Security Module
A hardware-based security device that generates, stores, and protects cryptographic keys

PSE
Personal Security Environment, also known as a Certificate Collection; e.g. the certificate of the authorization server is imported into the PSE.

PKI
Public Key Infrastructure. Helps to check whether a certificate and a public key belong together; requires another certificate that is in the chain.

X.509
Standard for content of certificate.
The most common format for public key certificates
https://en.wikipedia.org/wiki/X.509

PKCE
Proof Key for Code Exchange:
An extension to the Authorization Code Flow (OAuth) to be able to securely perform the OAuth exchange from public clients.
https://oauth.net/2/pkce/
https://www.oauth.com/oauth2-servers/pkce/
https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce

PKCS#12
Public Key Cryptography Standard #12

PEM
Originally “Privacy Enhanced Mail”; the most common format for X.509 certificates (and CSRs etc.).
A text file with items in Base64 ASCII encoding, each with plain-text header and footer lines
(e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
PEM is a container format for digital certificates and keys.
Also the extension of a file that contains a bunch of certificates.
File extensions can be .crt .pem .cer .key

DER
Distinguished Encoding Rules
A binary encoding for X.509 certificates and private keys.
No -----BEGIN lines.
Common in Java.
File extensions .der .cer
Content (as a hex dump) looks like this:
310b 3009 0603 5504 0613 0255 5331 0e30

CSR
Certificate Signing Request
A block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate.
The certificate created with a CSR will only work with the private key that was generated with it

Certificate Content

CN
Common Name
L
Locality
OU
Organizational Unit
O
Organization
C
Country

Subject Field
contains CN.
Content of CN:
e.g. the primary hostname (domain name of the website)

DN
Distinguished name

TLS
Transport Layer Security
https://www.security-insider.de/was-ist-tls-transport-layer-security-a-673066/

mTLS
mutual Transport Layer Security, mutual TLS
Process whereby, in addition to the normal TLS server authentication with a certificate, a client presents its X.509 certificate and proves possession of the corresponding private key to a server.
Both server and client present their certificate during the TLS handshake.
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens:
on top of the normal OAuth flow, enhanced security utilizing client-certificate-based mTLS.
Spec: https://tools.ietf.org/html/rfc8705
https://en.wikipedia.org/wiki/Mutual_authentication
Example in Node.js:
https://cloud.google.com/dialogflow/es/docs/fulfillment-mtls?hl=de

XFCC
X-Forwarded-Client-Cert: HTTP header used to pass the client certificate on in case of mTLS, i.e. when the TLS connection is terminated by a proxy in front of the application; the application should accept this header only from that trusted proxy, since any client could otherwise set it.

Certificate tools

Decode Certificate
https://www.sslchecker.com/certdecoder
Generate Certificate
https://certificatetools.com/
Decode CSR:
https://certlogik.com/decoder/
https://redkestrel.co.uk/products/decoder/
Decode .p12
https://www.sslshopper.com/ssl-converter.html
Converts a .p12 file to PEM as a whole, without filtering out the key etc.
https://www.sslshopper.com/certificate-decoder.html
Decode, convert:
https://www.httpcs.com/en/ssl-converter
Decode id_token and other:
https://oauth.tools/
Base 64:
https://www.base64decode.org/
AND of course:
Openssl
https://www.openssl.org/docs/manmaster/man1/openssl-x509.html
https://www.openssl.org/docs/man1.0.2/man1/pkcs12.html


IAS

IAS
Identity Authentication Service
Correct full name: SAP Cloud Identity Services – Identity Authentication
SAP Help: SAP Cloud Identity Services – Identity Authentication
SAP Help landing page:
https://help.sap.com/viewer/product/IDENTITY_AUTHENTICATION
Identity service: JSON param docu
Video: Why IAS
IAS SAP Community
https://community.sap.com/topics/cloud-identity-services/identity-authentication
IAS SAP Community Parent
https://community.sap.com/topics/cloud-identity-services
Discovery Center
https://discovery-center.cloud.sap/#/serviceCatalog/identity-authentication?region=all

IPS
Identity Provisioning Service
Full name: SAP Cloud Identity Services – Identity Provisioning
The IPS is used to copy users from a source system to a target system; this can be scheduled to run e.g. on a nightly basis.
For instance: “Please, each night, provision the users of the SuccessFactors system to my IAS, which is connected to my BTP account”.
This basic functionality is enriched with a ton of configuration options, e.g. mapping the user attributes of the source to match the target system.
Furthermore, the IPS is intelligent enough to provision only the deltas of changed users, even if the source system doesn’t support deltas.
SAP Help landing page: https://help.sap.com/docs/IDENTITY_PROVISIONING
IPS is part of the SAP Cloud Identity Services offering, which includes:
Identity Authentication, Identity Provisioning, Identity Directory and Authorization Management services.

Authorization

XACML
eXtensible Access Control Markup Language
The authorization model is based on XACML.
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

OPA
Open Policy Agent
https://www.openpolicyagent.org/
Open-source policy decision engine which runs as a server next to the application (sidecar pattern).

DCL
Data Control Language
File extension: *.dcl

ADC
Authorization Decision Controller, the Policy Engine

PIP
Policy Information Point

PAP
Policy Administration Point, centralized

PRP
Policy Retrieval Point, centralized

PDP
Policy Decision Point, decentralized

ABP
Authorization Bundle Provider

ADC
Authorization Decision Controller
Is an OPA server; it is deployed with the CF multiple-buildpack feature.

CSL
Container Security Library
https://github.com/SAP/cloud-security-xsuaa-integration/

Other

IANA
Internet Assigned Numbers Authority

IAM 
Identity- and Access-Management

CIAM
Customer Identity and Access Management

FIdM
Federated Identity Management

SCI
SAP Cloud Identity

SCIM
System for Cross-domain Identity Management
Standard for automating the exchange of user identity information between identity domains or IT systems.
A RESTful API for all necessary user management operations, managing resources (users, groups and custom schemas).
SCIM is used as the communication protocol for user role assignment by IPS.
SCIM aims to simplify user provisioning and management in the cloud by defining two standards:
– A canonical user schema
– A standardized schema and API for querying and managing user identities (attributes, etc.)
https://api.sap.com/api/IdDS_SCIM/overview
Spec: https://www.rfc-editor.org/rfc/rfc7644

SSTC
OASIS Security Services Technical Committee

SSO
Single Sign-On

SLO
Single Log-Out

PII
Personally identifiable information

Nonce
Number used only once; a value used for validation.

Service Broker

OSB 
Open Service Broker API
https://github.com/openservicebrokerapi/servicebroker/

SBF
Service Broker Framework


      4 Comments
      Yogananda Muthaiah

      Great blog Carlos Roggan explaining all the complete security standards for Authentication.. Thank you so much

      Most of them know JWT but not JOSE, JWE, JWA, and JWK .. Glad you touched upon those.. 🙂

      Carlos Roggan
      Blog Post Author

      Thank you so much Yogananda Muthaiah for the feedback!
      Glad to hear that it has been useful even for an expert like you ! 😉
      And good to see you're still active in the community, nice to see you again 😉

      Wallace Henry

      Thanks Carlos Roggan

      Grateful for this - it will be a great reference for me as the various groups/experts push the acronyms and as we continue to evolve the security items over time.
      One end to end type of question - any value to add IPS (Identity Provisioning Service) to the "Other" section?   I think IPS is referenced earlier in the list.  I know IPS is moving users around, but that's somewhat tied to user authorization and somewhere security.  Especially as SAP typically talks about IAS and IPS in pairs.


      Carlos Roggan
      Blog Post Author

      Hello Wallace Henry, thank you for the feedback.
      I've added a section wrt IPS above, you're right to point it out.
      And you're right about moving users around, that's the main purpose, however with lots of complex options (as usual)