Security in BPC Netweaver: LDAP integration and Single Sign On
For the most part, classical NetWeaver security applies to BPC:
BPC uses the same user management and authentication mechanisms provided by the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Active Directory and LDAP integration are therefore supported through the platform rather than by BPC itself. See SSO below.
BPC is able to operate in any single sign-on environment supported by SAP NetWeaver out of the box, meaning there are no limitations imposed by the application on the possible single sign-on configurations within an SAP landscape.
The supported mechanisms are as follows:
- Secure Network Communications (SNC)
- SAP Logon Tickets
- Client Certificates
- SAML 2.0
- SPNego with Kerberos (as of support package 10)
When a user connects to the BPC web client, SAP NetWeaver not only creates a web session but also issues an SSO (single sign-on) ticket, stored in the MYSAPSSO2 cookie. This ticket has a default validity of 8 hours, and its validity is counted from the moment it is issued, not from the last request. When the web session times out, the session itself expires correctly, but the SSO ticket remains valid. If the user sends a new request after the session has expired, the system silently re-authenticates the user with the ticket and creates a new session, so from the user's perspective the session never expired. To make session expiration effective, the administrator must shorten the validity period of the SSO ticket (for example to two minutes, which is the validity period of reentrance tickets). This is done with the profile parameter login/ticket_expiration_time in the SAP NetWeaver DEFAULT.PFL profile; the value is given as hours or hours:minutes, for example login/ticket_expiration_time = 0:02.
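The following Python model is an added example, not code from the original page or from SAP: it reads login/ticket_expiration_time from a constructed DEFAULT.PFL fragment (falling back to the 8 hour kernel default when the parameter is absent), then replays a sequence of requests against a web session with a sliding idle timeout and a logon ticket with a fixed lifetime, to show why a long ticket lifetime lets a user keep working after the session has expired. The request times, the 30 minute session timeout and the simplification that a ticket-based re-logon does not issue a fresh ticket are assumptions made for the illustration.

```python
"""Model of SAP web-session timeout versus MYSAPSSO2 ticket validity.

Added illustration, not SAP code. Shows that a user is only forced to log on
again when BOTH the idle web session and the logon ticket have expired, which
is why login/ticket_expiration_time must be shortened to match the session.
"""
from dataclasses import dataclass
from typing import List, Tuple

TICKET_PARAM = "login/ticket_expiration_time"
KERNEL_DEFAULT = "8"  # hours; documented default of the parameter


def parse_ticket_expiration(value: str) -> int:
    """Convert an H or H:MM profile value into seconds ("8" -> 28800, "0:02" -> 120)."""
    hours, _, minutes = value.strip().partition(":")
    return int(hours) * 3600 + (int(minutes) if minutes else 0) * 60


def ticket_validity_from_profile(profile_text: str) -> int:
    """Return the ticket lifetime in seconds configured in a profile, or the default."""
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == TICKET_PARAM:
            return parse_ticket_expiration(value)
    return parse_ticket_expiration(KERNEL_DEFAULT)


@dataclass
class SsoConfig:
    session_timeout_s: int  # sliding idle timeout of the web session
    ticket_validity_s: int  # fixed lifetime of the MYSAPSSO2 ticket


def simulate(config: SsoConfig, request_times: List[int]) -> List[Tuple[int, str]]:
    """Classify each request as 'session' (existing session still alive),
    'sso-reauth' (session dead, ticket still valid, silent new session) or
    'logon' (both expired, user must authenticate again).

    Assumption: a ticket-based re-logon reuses the existing cookie rather
    than issuing a new ticket, so the ticket clock is never reset silently.
    """
    ticket_issued_at = None
    last_activity = None
    outcomes = []
    for t in request_times:
        if last_activity is not None and t - last_activity <= config.session_timeout_s:
            outcome = "session"
        elif ticket_issued_at is not None and t - ticket_issued_at < config.ticket_validity_s:
            outcome = "sso-reauth"  # the user never sees a logon screen
        else:
            outcome = "logon"
            ticket_issued_at = t  # fresh ticket issued at interactive logon
        last_activity = t  # every served request (re)starts the idle timer
        outcomes.append((t, outcome))
    return outcomes


# Constructed DEFAULT.PFL fragments for the demonstration.
WEAK_PROFILE = "SAPSYSTEMNAME = BPC\n# ticket lifetime left at the kernel default\n"
HARDENED_PROFILE = f"SAPSYSTEMNAME = BPC\n{TICKET_PARAM} = 0:02\n"

# Constructed request timeline (seconds since first request): an active user,
# then a 40 minute pause, then a request more than 8 hours after logon.
REQUESTS = [0, 600, 3000, 30000]
SESSION_TIMEOUT = 1800  # assumed 30 minute idle timeout


def compare_profiles() -> dict:
    """Run the same timeline against both profiles and return the outcomes."""
    return {
        name: [o for _, o in simulate(SsoConfig(SESSION_TIMEOUT, ticket_validity_from_profile(p)), REQUESTS)]
        for name, p in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE))
    }


if __name__ == "__main__":
    for name, result in compare_profiles().items():
        print(f"{name:9s}", list(zip(REQUESTS, result)))
```

With the default 8 hour ticket, the request at 3000 s (40 minutes after the last activity) is served by a silent ticket re-logon even though the web session had expired; with the ticket shortened to two minutes the same request requires a fresh logon, which is the behaviour the administrator actually wants.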
The application uses the classic authorization concept provided by SAP NetWeaver, in which authorizations are assigned to users through roles. Roles can be maintained with the profile generator (transaction PFCG); however, the tool is designed so that business administrators maintain BPC security through the web administration interface, which works with two concepts:
Task profiles define what type of activities or tasks a user or a team of users can perform.
Data access profiles define the specific models and data within the models to which users have access.
To benefit from SSO, a user can launch the EPM Add-In from the BPC web client using the link on the web client home page. The drawback is that the user has to open the BPC web client first, even if they only want to use the EPM Add-In, which is a problem for customers who only want to deploy and use the EPM Add-In.
However, direct access to the EPM Add-In can also be implemented. The EPM Add-In currently supports three basic types of authentication, and in each case the credentials are stored in BW:
- Basic / forms-based authentication
  - Credentials are stored in BW
- X.509 client certificates
  - X.509 certificates are stored in BW and mapped to BW users
- SAP Logon Tickets
  - Allows users to log in to the EPM Add-In without entering credentials when it is launched from the web client
With a small piece of custom development, SSO for direct EPM Add-In access can be set up: a custom web application communicates with the BPC 10 web services on behalf of the client, obtains a reentrance ticket and passes it to the EPM Add-In.