Plan security for Duet Enterprise for SharePoint and SAP Server 2.0
Published: July 16, 2012
Summary: Learn how to plan for a secure deployment of Duet Enterprise 2.0.
Applies to: Duet Enterprise for Microsoft SharePoint and SAP Server 2.0
This article discusses how to plan for the secure deployment and operation of Duet Enterprise for Microsoft SharePoint and SAP Server 2.0.
This article discusses Duet Enterprise 2.0 security planning within the context of a SharePoint Server server farm. For a related discussion of Duet Enterprise security from inside the SAP environment, see the SAP Duet Enterprise Security Guide on the SAP Support Marketplace. (In the left pane of the SAP Support Portal, expand SAP Business Suite Applications, expand Duet Enterprise, expand Duet Enterprise 2.0, and then download the appropriate guide.)
Duet Enterprise security in SharePoint Server is built on the security capabilities of SharePoint Server 2013. Along with this article, we recommend that you review content that describes how to plan and implement general SharePoint Server security. For more information, see the security and authentication planning articles in Plan for SharePoint 2013.
How authentication works in Duet Enterprise 2.0
In Duet Enterprise 2.0, business processes and data that are stored in the SAP system are surfaced in SharePoint Server 2013 websites and Outlook 2013. However, the user accounts that are used to access SharePoint Server 2013 and Outlook cannot be used to access the information in SAP directly. The Duet Enterprise 2.0 security architecture solves this issue by providing a single sign-on experience for users. The goal of this implementation is to map user identities in SharePoint Server 2013 to user accounts in the SAP system so that a user who logs on to the SharePoint Server 2013 website can have access to the external data that is stored in the SAP system without having to log on again in the SAP system.
The following information is helpful to understand before you look at the overall authentication process.
A user logs on to SharePoint by using the user’s SharePoint user identity. This can be either forms-based authentication or credentials stored in Active Directory Domain Services (AD DS), but is typically associated with a user account stored in AD DS.
The SAP environment cannot authenticate a user’s SharePoint identity. Therefore, a Duet Enterprise component installed on the SharePoint Server 2013 farm swaps the user’s Windows credentials for a user certificate that SAP NetWeaver can use to authenticate the user. This requires that when Duet Enterprise 2.0 was installed, the SAP administrator created a trust relationship with the DuetRoot Certificate (an X.509 certificate), which is stored in the SharePoint Secure Store Service.
Information in an SAP environment cannot be secured by using Windows credentials or SharePoint credentials (which in this case would be the user’s SharePoint identity). Information is secured in SAP by using SAP user accounts. When deploying Duet Enterprise 2.0, an SAP administrator creates a user mapping table in the SAP environment that maps each user’s Windows account to an SAP user account that identifies a particular user.
The following figure shows a high-level view of how authentication works in a Duet Enterprise 2.0 environment to provide users with a single sign-on experience. It shows the steps that occur when a SharePoint user accesses SAP information from a Duet Enterprise 2.0 site in SharePoint Server.
Figure: Duet Enterprise 2.0 authentication
The following list describes the steps shown in the preceding figure. This figure assumes that a SharePoint user has attempted to access SAP information that is surfaced in SharePoint Server.
A. A user logs on to a Duet Enterprise 2.0-enabled SharePoint website by using the user’s SharePoint user identity. Because the website contains an external list or Web Part that surfaces SAP data, the request is sent to the Business Connectivity Services runtime in the SharePoint farm.
B. The Business Connectivity Services runtime invokes the Duet Enterprise 2.0 OData Extension Provider.
C. The Duet Enterprise 2.0 OData Extension Provider gets the DuetRoot Certificate from the Secure Store.
D. The Duet Enterprise 2.0 OData Extension Provider uses the DuetRoot Certificate to create an X.509 user certificate and sends the certificate to the Business Connectivity Services runtime.
E. The Business Connectivity Services runtime sends the request with the user certificate to the SAP NetWeaver Gateway component of SAP NetWeaver in a request packet.
SAP NetWeaver with the SAP NetWeaver Gateway component installed is also known as SAP NetWeaver Gateway.
F. Because SAP NetWeaver trusts the DuetRoot Certificate that was used to create the user certificate, SAP NetWeaver can authenticate the user and look up the SAP user who is mapped to the SharePoint user who is identified by the certificate.
G. The SAP user account that is mapped to the SharePoint user is returned to SAP NetWeaver.
H. SAP NetWeaver uses the SAP user account to request access to the requested information in the SAP system and, if the user is authorized to access the information, the requested information is sent to SAP NetWeaver Gateway.
I. SAP NetWeaver Gateway sends the reply as a response packet to the Business Connectivity Services runtime on the on-premises SharePoint farm.
J. The Business Connectivity Services runtime passes the information to the SharePoint user; in this case, to the website that the user is accessing.
The two-way connection between the SharePoint Server farm and SAP NetWeaver is secured by using two Secure Sockets Layer (SSL) certificates. One certificate is bound to a SharePoint web application and trusted by the SAP administrator. The other certificate is bound to SAP NetWeaver and trusted by the SharePoint administrator.
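The exchange in steps C through H, as an added example that is not part of this article or of the Duet Enterprise code: an HMAC under a constructed DuetRoot secret stands in for X.509 signing so that the example runs with the Python standard library alone, and the user mapping table and SAP authorizations are constructed. It shows the decisions the SAP side makes before any data is returned: trust of the issuer, certificate validity, user mapping, and authorization of the mapped SAP user.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the DuetRoot key material held in the Secure Store Service.
DUET_ROOT_SECRET = b"constructed-duetroot-secret"

# Constructed SAP-side tables: Windows account -> SAP user, and SAP user -> permitted resources.
SAP_USER_MAP = {"CONTOSO\\alice": "ALICE_SAP", "CONTOSO\\bob": "BOB_SAP"}
SAP_AUTHORIZATIONS = {"ALICE_SAP": {"SalesOrders"}, "BOB_SAP": set()}


def _sign(body, secret):
    # HMAC over a canonical encoding of the certificate body (stands in for an X.509 signature).
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_user_certificate(windows_account, root_secret, ttl=300, now=None):
    """Steps C and D: the OData Extension Provider swaps the SharePoint identity for a
    short-lived user certificate issued under DuetRoot."""
    now = time.time() if now is None else now
    body = {"subject": windows_account, "issuer": "DuetRoot", "not_after": now + ttl}
    return {"body": body, "sig": _sign(body, root_secret)}


def gateway_handle_request(cert, resource, trusted_root_secret, now=None):
    """Steps F to H on the SAP NetWeaver Gateway side: accept only certificates issued by the
    trusted DuetRoot, map the subject to an SAP user, then authorize that SAP user."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_sign(cert["body"], trusted_root_secret), cert["sig"]):
        return {"status": 401, "reason": "certificate not issued by the trusted DuetRoot"}
    if cert["body"]["not_after"] < now:
        return {"status": 401, "reason": "certificate expired"}
    sap_user = SAP_USER_MAP.get(cert["body"]["subject"])
    if sap_user is None:
        return {"status": 401, "reason": "no SAP user mapped to this SharePoint identity"}
    if resource not in SAP_AUTHORIZATIONS.get(sap_user, set()):
        return {"status": 403, "reason": f"{sap_user} is not authorized for {resource}"}
    return {"status": 200, "sap_user": sap_user, "data": f"{resource} rows visible to {sap_user}"}
```

Because every certificate issued under DuetRoot is accepted for the subject it names, the DuetRoot key material in the Secure Store is the single most sensitive secret on the SharePoint side and its access should be restricted and audited accordingly.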
Using SAP roles to access SharePoint objects
In the enterprise, the tasks that a user performs usually are related to that user’s role. Because of this, the determining factor on whether a user should have some level of permissions to an object often is that user’s role itself. Therefore, roles are a useful way to assign permissions to objects such as list items, websites, and documents.
In SAP NetWeaver, users are assigned one or more roles, such as Sales Representative, Project Manager, Executive, and Human Resources Specialist. SAP roles can be broad, such as All Sales Managers, or narrow, such as Sales Managers Eastern Region. In Duet Enterprise 2.0, these SAP roles can be used to access objects in SharePoint Server. Any object to which permissions can be applied in SharePoint Server can be assigned permissions by using SAP roles. This includes objects directly related to Duet Enterprise 2.0, such as reports, external lists, and actions on external content types, and any general and securable SharePoint Server objects, such as websites or document libraries. Once a role is granted permissions to an object, any user who is assigned that role will then have permissions to use that object.
Users can be assigned roles only in SAP NetWeaver. Duet Enterprise 2.0 uses the Duet Enterprise Profile Synchronization Timer Job feature to bring the user role assignments from the SAP system into the SharePoint user profile store. Duet Enterprise 2.0 also uses the Duet Enterprise Claims Provider to help manage the role-based permissions to securable objects in SharePoint Server.
You can think of role synchronization as a one-way street. Users’ roles that are defined in the SAP system are brought into the SharePoint user profile store. No properties in the SharePoint user profiles are sent from SharePoint back to SAP.
During role synchronization, the set of SAP users is imported into the SharePoint user profile store by using Business Connectivity Services. For each SAP user who has a related user profile in SharePoint, all of the SAP roles assigned to that user are listed in the user profile store. Role synchronization connects from SharePoint Server to an external system on the SAP side named the “SAPUsersService.” This external system sends the user-to-roles mappings to the SharePoint user profile store. Role synchronization is typically done as a post-deployment step at set intervals by using the Duet Enterprise Profile Synchronization Timer Job. You can specify how often to synchronize roles and how many users to import at a time.
After roles are synchronized with the SharePoint user profile store, users and administrators can grant access to SharePoint securable objects based on SAP roles. However, before this capability is available, a SharePoint farm administrator must activate the Duet Enterprise SAP Roles Claims Provider feature at the farm level, which makes the claims provider available.
When a user’s role is changed in the SAP system, the change can take some time (up to 10 hours) to be propagated to the SharePoint system. This might temporarily prevent users from being authorized based on their new roles.
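The one-way role synchronization and the role-claim permission check described above, as an added example that is not part of this article or of the Duet Enterprise code: the SAPUsersService data, the batch size, the ACL and the timestamps are constructed, and the staleness check uses the 10-hour propagation window the article cites. It also shows the consequence of that window: a role revoked in SAP stays effective in SharePoint until the next synchronization.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the SAPUsersService external system: Windows account -> SAP roles.
SAP_USERS_SERVICE = {
    "CONTOSO\\alice": {"SalesManagerEast"},
    "CONTOSO\\bob": {"ProjectManager"},
    "CONTOSO\\carol": {"SalesManagerEast", "Executive"},
}


def sync_roles(sap_service, profile_store, batch_size, synced_at):
    """One-way import, as the Profile Synchronization Timer Job does it: roles are copied from
    SAP into the profile store in batches of batch_size users; nothing is written back to SAP.
    Returns the number of batches imported."""
    users = sorted(sap_service)
    for start in range(0, len(users), batch_size):
        for user in users[start:start + batch_size]:
            profile_store[user] = {"sap_roles": set(sap_service[user]), "synced_at": synced_at}
    return -(-len(users) // batch_size)


def role_claims(profile_store, user):
    """Role claims the SAP Roles Claims Provider presents for a user, taken from the synced profile."""
    return {f"sap-role:{role}" for role in profile_store.get(user, {}).get("sap_roles", ())}


def is_authorized(acl, profile_store, user, permission):
    """A securable object's ACL grants permissions to role claims; the user is authorized if any
    of the user's synced role claims carries the requested permission."""
    return any(permission in acl.get(claim, ()) for claim in role_claims(profile_store, user))


def profile_is_stale(profile_store, user, now, max_age=timedelta(hours=10)):
    """True when the user's synced roles are older than the propagation window, so a role
    changed in SAP may not yet be reflected in SharePoint."""
    entry = profile_store.get(user)
    return entry is None or now - entry["synced_at"] > max_age
```

Because authorization is evaluated against the synced copy, removing a user's SAP role does not revoke SharePoint access immediately; if prompt revocation matters, run the timer job on demand or remove the permission directly in SharePoint.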