Authentication and

Single Sign-On

Patrick Hildenbrand
NW PM Security, SAP AG
 Agenda

Authentication and Identities

Authentication with SAP

„ in a Web Based Scenario

„ At the SAP GUI for Windows

Summary

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 2

 Authentication Identifies a Subject

In computer security, authentication is the process by which a

computer, computer program, or another user

attempts to confirm that the

computer, computer program, or user

from whom the second party has received some communication is,
or is not, the claimed first party.

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 3

 Single Sign-On is a Specialized Form of Authentication

Single Sign-On (SSO) is a specialized form of authentication that

enables a user to authenticate once and gain access to the
resources of multiple software systems.

CRM
Intranet

Authentication to:
„ Portal Internet
ERP
„ WebAS
c e s s
„ Local system Ac

Groupware Other...
Authenticate
only once
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 4
 Why Use Single Sign-On?

Typical situation
„ In a complex system landscape an employee has many user IDs with
different passwords
„ Different procedures for each system to roll-out, reset and change
new / existing passwords
„ Users find continuous password changing for many systems annoying

Problems
„ High administration cost and effort
„ Security risk: Users write passwords down and store them
where they can easily be found

Solution: Single Sign-On

„ Users only have to remember one password to gain access to every
system
„ Administration costs and efforts are drastically reduced

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 5

 What the User Wants …

Portal
WebAS
CRM
ITS Intranet

Internet
Access ERP

Groupware Other...

Authenticate
once
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 6
 What the Administrator Wants …

Central user management

„ Single point of administration
„ Assign user rights in various applications with one keystroke
„ Lock or delete users centrally

Central user repository

„ Avoid redundant user information
„ Easy De-Provisioning

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 7

 Agenda

Authentication and Identities

Authentication with SAP

„ in a Web Based Scenario

„ At the SAP GUI for Windows

Summary

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 8

 Web-Based Authentication Methods

„ Anonymous/guest access
„ User ID / password
‹ Form-based *
‹ Basic authentication *

„ X.509 digital certificates

„ SAP Logon Tickets
„ External authentication methods
‹ HTTP header variable authentication
(not ABAP except for X.509 certificate information forwarding)
‹ Enterprise Access Management - EAM
‹ Security Assertion Markup Language (SAML – only Java)
‹ Through Pluggable Authentication Services (PAS – only external ITS)
‹ Through Java Authentication and Authorization Services
(JAAS – only Java)

Java SAP WebAS 640 Java or SAP Enterprise Portal 6 > SP3
* Only authentication, not Single Sign-On
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 9
 X.509 Client Certificates – SSO Process

„ Authentication occurs using SSL

with mutual authentication
CRM
„ User possesses a public / Intranet
private key pair and
public-key certificate

ERP Internet
SL
S
L
SS
Access
SSL
Groupware Other...

X.509 Client Certificate

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 10
 Authentication and SSL with X.509 Certificates

„ Mutual authentication between Alice and the server

„ The SSL – Process:

Client sends „Hello“-message to server

Server sends his certificate and asks for client cert.

sends his certificate , encrypted secret key

and list of supported crypto algorithms
Sends back confirmation

Alice Session established …using symmetric encryption

Private Private
Public Public
Secret Secret

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 11

 X.509 Certificates

„ X.509 certificates are used for

Secure Sockets Layer (SSL) based
communications:
‹ Internet standard for secure HTTP
connections
‹ Provides for server, client or mutual
authentication and encryption
‹ Uses both symmetric and public-key
encryption for protection
„ X.509 certificates (“digital
certificates”) can be used both
for initial authentication and for
successive Single Sign-On
„ Each certificate includes:
‹ Name
‹ CA name
‹ Validity period
‹ Public key
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 12
 Obtaining a X.509 Certificate

Digital certificates must be X.509v3 compliant

Various options possible:

„ Using SAP Trust Center Service
‹ For SAP users only
‹ Free of charge
‹ Portal server acts as Registration Authority (RA)

„ Setting up internal PKI system

‹ Buy software from CA product vendor

„ Using external PKI system

‹ Contract with Trust Center Service

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 13

 SAP Trust Center Service: Enrollment Process
SAP Trust
Center
Service

5 4
Verifies naming conventions Send approved certificate
and issues certificate request

Web
Browser
Log on using SAP user ID and password and
1 Portal
initiate the SAP Passport request
Server
2 Specify naming convention and trigger key
generation

3 Web browser generates key pair and

sends the SAP Passport request

6 Log on using the SAP Passport

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 14

 SAP Logon Tickets – SSO Process

Portal
WebAS CRM
Intranet
ITS

Initial ERP Internet

logon

Access

Groupware Other...

SAP Logon Ticket

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 15
 Example of an HTTP Request

GET /someresource HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, [ … ], */*
Referer: https://some.host.domain/some/other/resource
Accept-Language: en,de;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: nw-portal.wdf.sap.corp
Connection: Keep-Alive
Cookie: saplb_*=(J2EE6527200)6527250; PortalAlias=portal;
MYSAPSSO2=AjExMDAgAA5wb3J0YWw6ZDAzMzA5OYgAE2Jhc2ljYXV0aGVudGljYXRpb24
BAAdEMDMzMDk5AgADMDAwAwADTldUBAAMMjAwNTA5MDIwNjE0BQAEAAAACAoAB0Q
wMzMwOTn%2FAPUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCw
YJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMwDjEMMAoGA1UEAxMDTldUAgEAMAkGBSsO
AwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0
wNTA5MDIwNjE0NDRaMCMGCSqGSIb3DQEJBDEWBBQ28lOiAPAV2KfBJR18ElZxaNenHzA
JBgcqhkjOOAQDBC8wLQIUIaaWKYY4%2BCT26P07coHVYP63eCkCFQCLt0ERDvDKCpog8
9q5n%2B5ahpQQCw%3D%3D;
JSESSIONID=(J2EE6527300)ID6527350DB307014776305034697End; sap-
ssolist=O3I9cHdkZjA5NjJfY3BwXzQ0

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 16

 What is a SAP Logon Ticket

„ SAP Logon Ticket is represented as cookie in the Browser

„ Content of the SAP Logon Ticket is BASE64 encoded

„ SAP Logon Tickets contain:

‹ User ID(s)
SSOv2
‹ Authentication scheme
‹ Validity period
‹ Issuing system
‹ Digital signature
‹ SAP Logon Tickets do NOT contain any passwords!

„ Problems?
‹ SAP Note 701205 (EP6.0: Single Sign-On using SAP Logon Tickets)
‹ SAP Note 654982 (URL requirements due to Internet standards )

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 17

 SAP Logon Tickets – Prerequisites

Prerequisites
„ At least same user IDs in connected backend systems
(portal user ID can be different)
„ In case portal user ID is different than backend user ID, you need
to maintain a user mapping for the ”SAP Reference System”
„ Trust configured
‹ Public key certificate of issuing system is available in verifying system
(Æ necessary for verification of digital signature)
‹ Trust access control lists maintained (ABAP: strustsso2)

SAP Reference System User Mapping

„ Standard user mapping functionality
„ PLUS: Retrieval of user ID from LDAP Directory Server

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 18

 SSO to Non-SAP Components Using SAP Logon Tickets

Portal
mySAP.com
WebAS user ID

ITS 3rd party 5 Application

application user ID

Access 2 3 4
Initial
1
logon Ticket Verification Library Access Control List
SAPSSOEXT
Workplace server <SID>
Security product <client>
(SAPSECULIB)

Public address book

(if not SAPSECULIB)

SAP Logon Ticket

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 19
 Ticket Verification for Non-SAP Components

Web Server Filter

„ SSO with SAP Logon Tickets to Web applications
„ Application needs to support authentication with an HTTP header
variable
Web Server Filter with Delegation for Windows Server 2003
„ SSO with SAP Logon Tickets to a Microsoft Web-based application
Java Ticket Verification Library
„ SSO with SAP Logon Tickets to non-SAP Java applications
„ Development required
C Ticket Verification Library
„ SSO with SAP Logon Tickets to non-SAP C applications
„ Development required
Dynamic Link Library SAPSSOEXT
„ SSO with SAP Logon Tickets to Java and C applications
„ Available for most kernel platforms
„ Development required
Remark: Platform limitations may apply!
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 20
 Multi Domain SSO

Recommendation:
„ Use one DNS (sub-) domain for SSO purposes (Æ increased security!)
„ E.g. portal.sso.company.com, its.sso.company.com, …
„ Set UME property ”domainrelaxlevel” accordingly

Alternative: Configure SAP EP for multi domain SSO

„ Ticket sending instances required in every domain
„ Portal sends SAP Logon Ticket content via client redirects to every
ticket sending instance.
„ Client will get as many cookies as domains (also see SAP Note 654982)
„ Configuration details:
‹ http://help.sap.com J Netweaver '04 documentation J Security J User
Authentication and Single Sign-On J Authentication on the Portal J Single
Sign-On J Single Sign-On with SAP Logon Tickets
„ EP6 SP2 only supported on per project basis, see SAP note 673824

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 21

 HTTP Header Authentication – SSO Process
Authentication Authority
(intermediate)
CRM
Intranet

ERP Internet
Initial
Access
logon

Groupware Other...

Identity information within header variable

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 22
 Adding the User Name Header

„ The authentication takes place on the intermediate server

„ The intermediate adds identity information to the request data

„ The application servers get the identity information from the

request data

GET /someresource HTTP/1.1 GET /someresource HTTP/1.1

[…] […]

HTTP-USER: MyUser

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 23

 Integrated Windows Authentication

Initial authentication is done to the local system (Windows)

Two methods of Integrated Windows authentication

possible
„ NTLM
„ Kerberos

Requirement:
„ Applications need to run on an IIS
or
„ authentication needs to be done on an intermediate IIS (using IIS Proxy
module from SAP) Æ available for SAP WebAS Java 6.40

Coming soon:
SAP Consulting solution for Kerberos Authentication directly on WebAS 6.40 Java
J please contact your local SAP consulting organization

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 24

 Header Based Authentication Best Practices

„ Block risk of user impersonation!

‹ Be aware of Header Spoofing

„ Safeguard J2EE engine HTTP(S) ports from direct access by

users
‹ Prevent opportunity to bypass the proxy for J2EE engine access

„ Configure SSL with mutual authentication between the web server

and the J2EE engine
‹ See documentation on ‘Using SSL with an Intermediary Server’
Inter-
mediate

SSL

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 25

 Security Assertion Markup Language (SAML)

SAML is a protocol for encoding security related information (assertions)

into XML and exchanging this information in a request/response fashion

SAML does not authenticate users – comparable to SAP Logon Ticket

SAML relies for message exchange on standard security protocols like SSL,
TLS and uses XML signatures

SAML authorities produce “assertions” in response to client requests. An

assertion can be either an authentication or an authorization assertion
„ Authentication assertion: piece of data that represents an act of authentication
performed on a subject (user) by the authority
„ Authorization assertion: piece of data that represents authorization permissions
for a subject (user) on a resource

SAML can be used for authentication and authorization requests and

assertions

SAML is an emerging OASIS standard

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 26

 SAML – SSO Process
Authentication Authority
(Source Web Site) ERP
5. Assertion Intranet

4. Pull assertion

1. Call transfer URL ESS

Initial 2. Redirect URL + artifact Internet
logon

3. Access

6. Resource

Authenticate Groupware ...

once Access
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 27
 Support of SAML in the SAP WebAS 640 Java

Only SAML client for authentication available at destination

site is available

Support limited
„ Only browser artifact scenario supported
„ Digital signatures for SOAP documents are ignored
„ No support for additional “Condition” elements
„ The received assertion may only contain one authentication statement
„ The authentication statement must contain the NameIdentifier
„ AuthorizationDesicionStatement and AttributeStatement are ignored

Nevertheless SAML is strategic within SAP.

In the future there will be further support for SAML.

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 28

 Pluggable Authentication Service (PAS)

Requires the external (standalone) version of the Internet

Transaction Server (ITS)

Provides the following authentication variants:

„ Windows NT LAN Manager protocol (NTLM)
„ Verifying user ID and password on the Windows domain controller
„ SSL and X.509 client certificates
„ Arbitrary mechanism on the Web server or an intermediate that sets
HTTP header variable
„ LDAP bind
„ Arbitrary mechanisms provided by a partner product like
‹ Radius

‹ RSA SecureID
‹ Netegrity Siteminder
‹ ...

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 29

 Pluggable Authentication Service: WGate

Windows NT LAN Manager (NTLM)

SSL and X.509 client certificates

Arbitrary mechanism on the Web server that sets HTTP header

variable
User External ID Mapping
Table (USREXTID)

External SAP
User ID System
Auth.
Mech. User ID

Authentication
(User ID and Password) User ID
Web
server AGate
WGate
Alice sapextauth SAP
Alice System
User ID

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 30

 Pluggable Authentication Service: AGate

Verifying user ID and password on the Windows domain controller

LDAP bind

Arbitrary mechanisms provided by a partner

User External ID Mapping

Table (USREXTID)

External SAP
Auth. User ID System
Mech. User ID

Authentication
(User ID and Password)
User ID
Web
server AGate
WGate
Alice sapextauth SAP
Alice System
User ID

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 31

 Pluggable Authentication - JAAS

Interface defined by Java Authentication and Authorization Service

(JAAS) standard

As of JDK 1.4 integral part of J2SE

Access control based on user credentials

User-centric approach with two components:

„ Authentication (-> login modules)
„ Authorization

http://java.sun.com/products/jaas

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 32

 JAAS Authentication

J2EE

Browser
Browser
Window
Window

External External
security product security product
(optional)

JAAS uses login modules for authentication

„ Login modules get user information via callbacks
„ SAP proprietary handlers can be used to gather additional information:
‹ HttpGetterCallback – used to obtain information from the request (header/cookies)
‹ HttpSetterCallback – used to attach information to the response
„ Standard information available is only User/Passphrase, all other information
requires a Callback

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 33

 Agenda

Authentication and Identities

Authentication with SAP

„ in a Web Based Scenario

„ At the SAP GUI for Windows

Summary

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 34

 Single Sign-On for SAP GUI for Windows

SAP
SAP GUI
GUI for
for
Windows
Windows

External External
security product security product

Use SNC and external security product

„ Authentication takes place outside of SAP system
Use SAP-certified SNC product
Also available:
„ Windows NTLM (gssntlm.dll)
„ Windows 2000 Kerberos (gsskrb5.dll)

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 35

 Two Worlds: SAP GUI for Windows and Web

Traditional
Secure Network Communications (SNC)
„ SNC partner product
„ SNC: Microsoft NTLM or Kerberos
„ SAP Shortcut Method (SAP Logon Ticket)
SAP GUI for Windows

Web X.509 client certificate

SAP Logon Ticket

Pluggable Authentication Service (PAS)

Æ Use external authentication
mechanisms
SAP GUI for HTML
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 36
 SSO From Web to Traditional - ITS

„ Using logon tickets, ITS, and SAP Shortcuts

„ Logon ticket is passed to SAP Shortcut using ITS service wngui

SAPGUI
SAPGUI for
for
HTML
HTML
Web
server AGate R/3
WGate Alice Alice
sapextauth
https://host1.mycompany.com/scripts/wgate/wngui/!?~transaction=SU01

Start SAP
Alice Shortcut Alice

SAPGUI
SAPGUI for
for
Only supported on external ITS up to release 6.10 !
Windows
Windows
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 37
 SSO From Web to Traditional – Enterprise Portal

„ Using logon tickets, Enterprise Portal and SAP Shortcuts

„ Logon ticket is passed to SAP Shortcut using a portal iView

Browser
Browser
Window
Window
Alice
EP

https://host1.mycompany.com/irj/...

Start SAP
Alice Shortcut
Alice

R/3

SAPGUI
SAPGUI for
for
Windows
Windows
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 38
 Prerequisites

1) Users have the same user ID in all of the systems they access using the logon
ticket. Passwords do not have to be the same in all systems.
2) The user has an account in the active user store on the SAP J2EE Engine.
3) The end users Web browsers accept cookies. In Internet Explorer 5.0, accept
session cookies for the local intranet zone.
4) Any Web servers or SAP Web AS servers (to include the SAP J2EE Engine) that
are to accept the logon ticket as the authentication mechanism are located in the
same DNS domain as the issuing server. The logon ticket cannot be used for
authentication to servers outside of this domain.
5) The clocks for the accepting systems are synchronized with the ticket-issuing
system.
If you do not synchronize the clocks, then the accepting system may receive a logon
ticket that is not yet valid, which causes an error.
6) The issuing server must possess a public and private key pair and public-key
certificate so that it can digitally sign the logon ticket.
7) Systems that accept logon tickets must have access to the issuing server's public-
key certificate so that they can verify the digital signature provided with the ticket.
8) The UMEs of the Portal and Web Dynpro systems are set up to authenticate users
against the ABAP system.

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 39

 SSO EP to ABAP Process Overview

Import Portal public key into WebAS ABAP

Configure trust from ABAP to EP

Set profile parameters of ABAP system to accept logon tickets

Restart SAP WebAS ABAP system

Create and configure iView for the target system

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 40

 System Preparation

1. Export Portal Public Key using Keystore

„ Go to the keystore view in visual admin
„ Select TicketKeystore
„ Choose Download verify.der

2. Import public key into WebAS ABAP

„ Start STRUSTSSO2
„ Click on Import Certificate
„ Specify the location of the file verify.der
„ Set the file format to DER coded and confirm
„ In the Trust Manager, choose Add to PSE
„ Save the new certificate list

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 41

 IView Creation

1. Create an iView using the 'SAP Transaction iView' Template.

„ In the Portal choose Content Administration -> Portal Content.
„ In the Content Catalog on the left, right-click on the folder in which you
wish to create the iView and choose 'New -> iView'.
„ In the iView wizard, choose 'SAP Transaction iView', then 'Next'.
„ Enter iView name etc, then choose Next.
„ Choose 'SAP GUI for Windows', then Next.
„ In the 'System' field, choose the system alias for the system object you
created, enter a transaction code, then choose Next.
„ And Finish.

2. Integrate the iView in a role and assign the role to your user.

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 42

 Agenda

Authentication and Identities

Authentication with SAP

„ in a Web Based Scenario

„ At the SAP GUI for Windows

Summary

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 43

 Communication in Integration Scenarios

or
d Web access SAP Applications
management
w
P as
s
NT Enterprise
products
/ LM
s er
I d Portal
U
Ker
ber
os

o n T icket
L og
SAP

X.50
9 Certi
f ic ate

Art ifact
SAML

WAM
T oken

- Plug-In / Agent
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 44
 Single Sign-On Possibilities

Authentication Type SSO to non-SAP Applications SSO to SAP Applications

User ID / Password „EP User Mapping „EP User Mapping

X.509 Digital „Direct client connection „Direct Client Connection

Certificates
„Certificate sent by EP Server
SAP Logon Tickets „SAP Web Server Filter „SAP Application configuration

„SAP Ticket Verification Library

Integrated Windows „NTLM/Kerberos via direct client
Authentication connection to IIS applications
EAM-Authentication „Using EAM SSO Agent
Software
SAML „Application specific
„NTLM/Kerberos via IIS (plus
IISProxy) to WebAS Java 6.40 or
SAP EP 6.0
„Using WAM SSO Agent plus
HTTP Header Authentication to
WebAS Java 6.40 or SAP EP 6.0
„WebAS Java 6.40

Other „Application specific „JAAS (Custom Authentication

Modules)

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 45

 Selecting SSO Possibilities for Applications …

PKI
X.509 certs? Use PKI

Integrated
Windows Use Integrated Windows authentication
Auth.?

EAM in use? Use EAM Integration

SAP Logon
Use SAP Logon tickets
tickets?

Use SAP EP User Mapping

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 46

 Further Information

Î Public Web:
www.sap.com
SAP Developer Network: www.sdn.sap.com Î SAP NetWeaver Î Security

Î Related SAP Education Training Opportunities

http://www.sap.com/education/
ADM960 Security in SAP System Environment

Î Related Workshops/Lectures at SAP TechEd 2004

SCUR352 Leveraging External Authentication Based on Industry Standards
SCUR201 SAP Infrastructure Security
SCUR102 User Management and Authorizations: Overview
SCUR351 User Management and Authorizations: The Details

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 47

 Copyright 2005 SAP AG. All Rights Reserved
„ No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information
contained herein may be changed without prior notice.
„ Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
„ Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
„ IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other
countries.
„ Oracle is a registered trademark of Oracle Corporation.
„ UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
„ Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
„ HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
„ Java is a registered trademark of Sun Microsystems, Inc.
„ JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
„ MaxDB is a trademark of MySQL AB, Sweden.
„ SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned
are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may
vary.

„ The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose
without the express prior written permission of SAP AG.
„ This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended
strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product
strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
„ SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics,
links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited
to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
„ SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of
these materials. This limitation shall not apply in cases of intent or gross negligence.
„ The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of
hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web
pages

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 48