Agenda: Secure Cloud Application Development Local Testing Testing in the Cloud Identity and AccessManagement in the Cloud Security Troubleshooting

1. Martin Raepple / Product Owner Identity and Access Management /
SAP HANA Cloud Product Team
SAP HANA Cloud – Virtual Bootcamp
Securing SAP HANA Cloud Applications

2. © 2012 SAP AG. All rights reserved. 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.

3. © 2012 SAP AG. All rights reserved. 3
Agenda
 Enabling Authentication
 Enforcing Authorizations
 Logout
 Protecting from
Common Web Attacks
 Configuring local
test user and roles
 Using the
local Test
Identity Provider
 Default Identity
Federation with SAP
ID Service
 Identity Federation
with the corporate
Identity Provider
 Role Assignments
 Demo
 Logging and
Tracing
 SAML
Debugging
Secure
Cloud Application
Development
Security
Troubleshooting
Local Testing
Testing in the
Cloud
Identity and Access
Management in
the Cloud

4. Secure Cloud Application
Development

5. © 2012 SAP AG. All rights reserved. 5
Enabling Authentication (1/4)
High-level Architecture
SAP HANA Cloud
Application Identity Provider
(IdP)
SAP HANA
Cloud
Delegate authentication
and identity management
+ Keep focused on the business logic
Delegation to a central service (IdP)
enables Single Sign-On (SSO)
between multiple Cloud applications
Mature and proven security standards
for integration with IdP
Three options:
• Local IdP in the SAP HANA Cloud
SDK  for Testing only!
• SAP ID Service  „out-of-the-box“
IdP in the Cloud
• Your own IdP (e.g. in the corporate
network)
+
+
Local User Store
Central User Store
+

6. © 2012 SAP AG. All rights reserved. 6
Enabling Authentication (2/4)
Declarative …
<login-config>
<auth-method>FORM</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected</...>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrator</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>Administration users</...>
<role-name>Administrator</role-name>
</security-role>
web.xml: Supported Authentication Methods:
 FORM
 Delegates authentication to the SAP ID
Service or another IdP according to the
Security Assertion Markup Language
(SAML) 2.0 protocol
 BASIC
 HTTP "basic" authentication scheme
according to RFC 2617. Web browsers
prompt users to enter a user name and
password. The actual authentication is
still delegated to the SAP ID service or
to a SCIM*-compliant IdP
* http://tools.ietf.org/html/draft-ietf-scim-api-01

7. © 2012 SAP AG. All rights reserved. 7
Enabling Authentication (3/4)
… and Programmatic
String user = request.getRemoteUser();
if (user != null) {
response.getWriter().println("Hello, " + user);
} else {
LoginContext loginContext;
try {
loginContext = LoginContextFactory.createLoginContext("FORM");
loginContext.login();
response.getWriter().println("Hello, " +
request.getRemoteUser());
} catch (LoginException e) {
e.printStackTrace();
}
}

8. © 2012 SAP AG. All rights reserved. 8
Enabling Authentication (4/4)
Excursus: SAML-based Single Sign-On (SSO)
1. User accesses protected web resource
on SP
2. SP sends SAML Authentication Request
via HTTP redirect to trusted IdP
3. IdP authenticates the user
(if not done already)
4. Upon successful authentication, IdP sends
SAML Response (which includes the SAML
Assertion) to the SAML Service Pro via
HTTP POST
User
3
1
2
4
SAML Request
SAML Response
1
2
3
4
Identity Provider
(IdP)
SAP HANA Cloud
Application
SAP HANA
Cloud
Trust

9. © 2012 SAP AG. All rights reserved. 9
Enforcing Authorizations
protected void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
PrintWriter out = response.getWriter();
if(!request.isUserInRole("Administrator")){
response.sendError(403, "Logged in user does not
have role Administrator");
return;
} else {
out.println("Hello administrator");
}
}

10. © 2012 SAP AG. All rights reserved. 10
Programmatic Logout
public class LogoutServlet extends HttpServlet {...
LoginContext loginContext = null;
if (request.getRemoteUser() != null) {
try {
loginContext = LoginContextFactory.createLoginContext();
loginContext.logout();
} catch (LoginException e) {
response.getWriter().println("Logout failed. Reason: " +
e.getMessage());
}
} else {
response.getWriter().println("You have successfully logged
out.");
}
}

11. © 2012 SAP AG. All rights reserved. 11
Protecting from Common Web Attacks
Cross-Site Scripting (XSS) Attack
The two most important countermeasures to prevent
XSS attacks are to:
Constrain input
Encode output
SAP HANA Cloud XSS Output Encoding Library
String encodedFirstname = null;
IXSSEncoder xssEncoder = XSSEncoder.getInstance();
try {
encodedFirstname =
xssEncoder.encodeHTML(firstName).toString();
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
out.println("<br>Hello, " + encodedFirstname);
Attacker
Vulnerable Cloud
Application
Infects
with
malicious
script
1
Downloads
page with
malicious
script
2
Victim
3
executes script
in the context
of the Victim’s
session

12. © 2012 SAP AG. All rights reserved. 12
Protecting from Common Web Attacks
Cross-Site Request Forgery (XSRF) Attack
Attack depends on the predictability of the
request URL to the vulnerable Application
A countermeasure to prevent XSRF attacks is
to generate and add a token or nonce per
request which is checked on the server-side
SAP HANA Cloud provides protection based on
Apache Tomcat's CSRF Prevention Filter.
web.xml:
<filter>
<filter-name>CsrfFilter</filter-name>
<filter-class>
org.apache.catalina.filters.CsrfPreventionFilter
</filter-class>
<init-param>
<param-name>entryPoints</param-name>
<param-value>/home</param-value>
</init-param>
</filter>
Attacker‘s
Web-Site
<img src="http:
//www.webapp.com/
transferMoney?
account=hacker&
amount=1000">
1
Victim‘s
Web Browser
Vulnerable
Application
www.webapp.com
2
JSESSIONID=abc123
http://www.webapp.
com/transferMoney?
account=hacker&
amount=1000

13. Local Testing

14. © 2012 SAP AG. All rights reserved. 14
Configuring Test Users and Managing Roles on the Local Server
SAP HANA Cloud Eclipse Tools: Servers view  Local Server  Users tab.
Local Test
Users
Assigned Roles
to the selected
User in the local
Server
User Attribute
and Values
Local Server
<local_server_dir>/config_master/
com.sap.security.um.provider.neo.local/
neousers.json
SAP HANA Cloud
Application

15. Testing in the Cloud

16. © 2012 SAP AG. All rights reserved. 16
Using the local Test Identity Provider
neousers.json
Local Server
SAP HANA Cloud
local Test Identity
Provider
SAP HANA Cloud
Application
Trust
SAP HANA
Cloud
 The local test IdP is packaged within the
SAP HANA Cloud SDK. When you start the
local server, it will start as well.
 Define local test IdP users and their
attributes
 Configuring the service provider of your
account in SAP HANA Cloud
 Configuring trust on SAP HANA Cloud to
the local Test IdP
 Configuring trust on the local Test IdP
to SAP HANA Cloud
 Access your application deployed on
the SAP HANA Cloud and test it against
the local test IdP and its defined users and
attributes.
1
1
2
2
3
3
4
4

17. Identity and Access
Management in the Cloud

18. © 2012 SAP AG. All rights reserved. 18
 SAP ID Service User ID
 Validated E-Mail Address
 First Name, Last Name,
Display Name
Default Identity Federation with SAP ID Service
SAP HANA Cloud
Application
SAP
ID Service
SAP HANA
Cloud
+ By default, SAP HANA Cloud
applications delegates authentication
and identity management to SAP ID
Service. No further configuration for the
Trust Relationship is required.
SAP ID Service is a public, SAML 2.0-
compliant Identity Provider in the
Cloud. It manages ~4.2 Million Users
(e.g. for the SAP Community Network)
With SAP ID Server, users can benefit
from SSO to other SAP On-Demand
solutions and web sites
+
 SAP Public Web Sites
(SAP.com, SMP)
 SAP Business ByDesign
 SAP JAM
 …
Cloud
Trust + SSO
~4.2 Million Users
+

19. © 2012 SAP AG. All rights reserved. 19
Identity Federation with the corporate Identity Provider
Corporate
IdP
Employees
CorporateNetwork
SAP HANA Cloud
Application
SAP HANA
Cloud
Trust + SSO
Trust
+ SSO
+ SAP HANA Cloud applications can
delegate authentication and identity
management to an existing Corporate
IdP that can for example authenticate
your company's employees.
Trust must be configured similar to the
local Test IdP scenario:
 Configuring the service provider of your
account in SAP HANA Cloud
 Configuring trust on SAP HANA Cloud
to the Corporate IdP
 Configuring trust on the Corporate IdP
to SAP HANA Cloud
+
 (Corporate-wide unique) User ID
 any User Profile Attribute from the
Corp. User Directory

20. © 2012 SAP AG. All rights reserved. 20
Role Assignments in the Cloud
Employees in
Department Sales
+ Roles allow you to control the access
to application resources in SAP HANA
Cloud
In the Cloud, you can assign Groups or
individual users to a role
Groups are collections of roles that
allow the definition of business-level
functions within your account. They are
similar to the actual business roles
existing in an organization
SAP HANA
Cloud
Group Sales
+
+
jdoe@acme.com
Role Administrator
Roles:
CRM User
Account Owner

21. DEMO
SSO and Identity Federation with a corporate Identity Provider (IdP)

22. Troubleshooting

23. © 2012 SAP AG. All rights reserved. 23
Network Protocol Analyzer
• Wireshark
• Fiddler
• SAML Tracer (Firefox Add-In)

24. © 2012 SAP AG. All rights reserved. 24
SAP HANA Cloud Logs
com.sap.core.jpaas.security.saml2.sp

25. Online Q&A

26. © 2012 SAP AG. All rights reserved. 26
Questions & Answers
Q: Is there anything specific for securing REST services?
A: Right now, REST clients calling services exposed by the same application from within the UI (e.g. SAP UI JavaScript
using an OData Model) can re-use an already established logon session (e.g. via SAML2) of the user at the UI.
Applications exposing (REST) services and no UI can use HTTP Basic Authentication via SSL at the moment to protect
those services. For those scenarios we plan to support the Open Authorization Framwork (OAuth) in the SAP HANA
Cloud Platform which helps to avoid storing the username and password in the Client application.
Q: So once a user is authenticated in the browser, the browser based UI could use REST services?
A: Yes!

27. © 2012 SAP AG. All rights reserved. 27
SAP Hana Cloud Virtual Bootcamp Sessions
Schedule
Next upcoming bootcamp session
 6th Virtual Bootcamp: Working with the HANA Cloud portal
Overview of the features, capabilities and installation procedure
Details and schedule will be provided soon.
At the end of each session, we will give some time for Q&A.
Remarks:
■ The Virtual Bootcamp sessions are scheduled for the developers of our Hana Cloud Applications partners
and the community interested in our Hana Cloud Applications partner program.
■ The sessions will be recorded and provided to our Hana Cloud Partner community.

28. Thank You!
Contact information:
Martin Raepple
SAP HANA Cloud
martin.raepple@sap.com