Date post: | 02-Apr-2015 |
Category: |
Documents |
Upload: | rengasamys |
View: | 828 times |
Download: | 4 times |
Authentication and Single Sign-On
Patrick HildenbrandNW PM Security, SAP AG
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 2
Agenda
Authentication and Identities
Authentication with SAP
in a Web Based Scenario
At the SAP GUI for Windows
Summary
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 3
Authentication Identifies a Subject
In computer security, authentication is the process by which a
computer, computer program, or another user
attempts to confirm that the
computer, computer program, or user
from whom the second party has received some communication is, or is not, the claimed first party.
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 4
Single Sign-On is a Specialized Form of Authentication
Single Sign-On (SSO) is a specialized form of authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
Authenticateonly once
AccessAuthentication to:
Portal WebASLocal system
Internet
CRM
Other...
ERP
Intranet
Groupware
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 5
Why Use Single Sign-On?
Typical situationIn a complex system landscape an employee has many user IDs withdifferent passwords Different procedures for each system to roll-out, reset and change new / existing passwordsUsers find continuous password changing for many systems annoying
Solution: Single Sign-OnUsers only have to remember one password to gain access to everysystemAdministration costs and efforts are drastically reduced
ProblemsHigh administration cost and effortSecurity risk: Users write passwords down and store them where they can easily be found
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 6
What the User Wants …
Portal WebAS
ITS
Authenticateonce
Access Internet
CRM
Other...
ERP
Intranet
Groupware
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 7
What the Administrator Wants …
Central user managementSingle point of administrationAssign user rights in various applications with one keystrokeLock or delete users centrally
Central user repositoryAvoid redundant user informationEasy De-Provisioning
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 8
Agenda
Authentication and Identities
Authentication with SAP
in a Web Based Scenario
At the SAP GUI for Windows
Summary
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 9
Web-Based Authentication Methods
Anonymous/guest access
User ID / passwordForm-based *Basic authentication *
X.509 digital certificates
SAP Logon Tickets
External authentication methodsHTTP header variable authentication (not ABAP except for X.509 certificate information forwarding)
Enterprise Access Management - EAMSecurity Assertion Markup Language (SAML – only Java)Through Pluggable Authentication Services (PAS – only external ITS)Through Java Authentication and Authorization Services (JAAS – only Java)
Java SAP WebAS 640 Java or SAP Enterprise Portal 6 > SP3* Only authentication, not Single Sign-On
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 10
X.509 Client Certificates – SSO Process
Access
X.509 Client Certificate
Authentication occurs using SSL with mutual authentication
User possesses a public / private key pair and public-key certificate
SSL
SSL
SSL
Internet
CRM
Other...
ERP
Intranet
Groupware
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 11
Authentication and SSL with X.509 Certificates
Mutual authentication between Alice and the serverThe SSL – Process:
Alice
Public
Private
Public
Private
Client sends „Hello“-message to server
Server sends his certificate and asks for client cert.
Secret
sends his certificate , encrypted secret keyand list of supported crypto algorithms
Secret
Sends back confirmation
Session established …using symmetric encryption
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 12
X.509 Certificates
X.509 certificates are used for Secure Sockets Layer (SSL) based communications:
Internet standard for secure HTTP connectionsProvides for server, client or mutual authentication and encryptionUses both symmetric and public-key encryption for protection
X.509 certificates (“digital certificates”) can be used both for initial authentication and for successive Single Sign-On
Each certificate includes:Name CA nameValidity periodPublic key
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 13
Obtaining a X.509 Certificate
Digital certificates must be X.509v3 compliant
Various options possible:Using SAP Trust Center Service
For SAP users onlyFree of chargePortal server acts as Registration Authority (RA)
Setting up internal PKI systemBuy software from CA product vendor
Using external PKI systemContract with Trust Center Service
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 14
SAP Trust Center Service: Enrollment ProcessSAP Trust
CenterService
Log on using SAP user ID and password and initiate the SAP Passport request1
Specify naming convention and trigger key generation
2
WebBrowser
Portal Server
Log on using the SAP Passport6
Web browser generates key pair and sends the SAP Passport request
3
Send approved certificaterequest
4
Verifies naming conventionsand issues certificate
5
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 15
SAP Logon Tickets – SSO Process
Portal WebAS
ITS
Access
SAP Logon Ticket
Initiallogon
Internet
CRM
Other...
ERP
Intranet
Groupware
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 16
Example of an HTTP Request
GET /someresource HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, [ … ], */*Referer: https://some.host.domain/some/other/resourceAccept-Language: en,de;q=0.5Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)Host: nw-portal.wdf.sap.corpConnection: Keep-AliveCookie: saplb_*=(J2EE6527200)6527250; PortalAlias=portal; MYSAPSSO2=AjExMDAgAA5wb3J0YWw6ZDAzMzA5OYgAE2Jhc2ljYXV0aGVudGljYXRpb24BAAdEMDMzMDk5AgADMDAwAwADTldUBAAMMjAwNTA5MDIwNjE0BQAEAAAACAoAB0QwMzMwOTn%2FAPUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMwDjEMMAoGA1UEAxMDTldUAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNTA5MDIwNjE0NDRaMCMGCSqGSIb3DQEJBDEWBBQ28lOiAPAV2KfBJR18ElZxaNenHzAJBgcqhkjOOAQDBC8wLQIUIaaWKYY4%2BCT26P07coHVYP63eCkCFQCLt0ERDvDKCpog89q5n%2B5ahpQQCw%3D%3D; JSESSIONID=(J2EE6527300)ID6527350DB307014776305034697End; sap-ssolist=O3I9cHdkZjA5NjJfY3BwXzQ0
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 17
What is a SAP Logon Ticket
SAP Logon Ticket is represented as cookie in the Browser
Content of the SAP Logon Ticket is BASE64 encoded
SAP Logon Tickets contain:User ID(s)Authentication schemeValidity periodIssuing systemDigital signatureSAP Logon Tickets do NOT contain any passwords!
Problems?SAP Note 701205 (EP6.0: Single Sign-On using SAP Logon Tickets)SAP Note 654982 (URL requirements due to Internet standards )
SSOv2
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 18
SAP Logon Tickets – Prerequisites
PrerequisitesAt least same user IDs in connected backend systems (portal user ID can be different)In case portal user ID is different than backend user ID, you need to maintain a user mapping for the ”SAP Reference System”Trust configured
Public key certificate of issuing system is available in verifying system ( necessary for verification of digital signature)Trust access control lists maintained (ABAP: strustsso2)
SAP Reference System User MappingStandard user mapping functionalityPLUS: Retrieval of user ID from LDAP Directory Server
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 19
SSO to Non-SAP Components Using SAP Logon Tickets
3rd partyapplication
Portal WebAS
ITS
Access
SAP Logon Ticket
Ticket Verification LibrarySAPSSOEXT
Security product (SAPSECULIB)
Public address book(if not SAPSECULIB)
3
1
2
Access Control List
Workplace server <SID> <client>
4
5 Applicationuser ID
mySAP.com user ID
Initiallogon
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 20
Ticket Verification for Non-SAP Components
Web Server FilterSSO with SAP Logon Tickets to Web applicationsApplication needs to support authentication with an HTTP header variable
Web Server Filter with Delegation for Windows Server 2003SSO with SAP Logon Tickets to a Microsoft Web-based application
Java Ticket Verification LibrarySSO with SAP Logon Tickets to non-SAP Java applicationsDevelopment required
C Ticket Verification LibrarySSO with SAP Logon Tickets to non-SAP C applications Development required
Dynamic Link Library SAPSSOEXTSSO with SAP Logon Tickets to Java and C applications Available for most kernel platformsDevelopment required
Remark: Platform limitations may apply!
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 21
Multi Domain SSO
Recommendation:Use one DNS (sub-) domain for SSO purposes ( increased security!)E.g. portal.sso.company.com, its.sso.company.com, …Set UME property ”domainrelaxlevel” accordingly
Alternative: Configure SAP EP for multi domain SSOTicket sending instances required in every domainPortal sends SAP Logon Ticket content via client redirects to every ticket sending instance.Client will get as many cookies as domains (also see SAP Note 654982)Configuration details:
http://help.sap.com Netweaver '04 documentation Security User Authentication and Single Sign-On Authentication on the Portal Single Sign-On Single Sign-On with SAP Logon Tickets
EP6 SP2 only supported on per project basis, see SAP note 673824
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 22
HTTP Header Authentication – SSO Process
Access
Identity information within header variable
Initiallogon
Authentication Authority (intermediate)
Internet
CRM
Other...
ERP
Intranet
Groupware
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 23
Adding the User Name Header
The authentication takes place on the intermediate server
The intermediate adds identity information to the request data
The application servers get the identity information from the request data
GET /someresource HTTP/1.1
[ … ]
HTTP-USER: MyUser
GET /someresource HTTP/1.1
[ … ]
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 24
Integrated Windows Authentication
Initial authentication is done to the local system (Windows)
Two methods of Integrated Windows authentication possible
NTLMKerberos
Requirement: Applications need to run on an IIS
or authentication needs to be done on an intermediate IIS (using IIS Proxy module from SAP) available for SAP WebAS Java 6.40
Coming soon:SAP Consulting solution for Kerberos Authentication directly on WebAS 6.40 Java
please contact your local SAP consulting organization
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 25
Header Based Authentication Best Practices
Block risk of user impersonation!Be aware of Header Spoofing
Safeguard J2EE engine HTTP(S) ports from direct access by users
Prevent opportunity to bypass the proxy for J2EE engine access
Configure SSL with mutual authentication between the web server and the J2EE engine
See documentation on ‘Using SSL with an Intermediary Server’
SSL
Inter-mediate
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 26
Security Assertion Markup Language (SAML)
SAML is a protocol for encoding security related information (assertions) into XML and exchanging this information in a request/response fashion
SAML does not authenticate users – comparable to SAP Logon Ticket
SAML relies for message exchange on standard security protocols like SSL, TLS and uses XML signatures
SAML authorities produce “assertions” in response to client requests. An assertion can be either an authentication or an authorization assertion
Authentication assertion: piece of data that represents an act of authentication performed on a subject (user) by the authorityAuthorization assertion: piece of data that represents authorization permissions for a subject (user) on a resource
SAML can be used for authentication and authorization requests and assertions
SAML is an emerging OASIS standard
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 27
SAML – SSO Process
ERP
ESS
Intranet
Internet
...Authenticateonce Access
Initiallogon
1. Call transfer URL2. Redirect URL + artifact
Groupware
3. Access
Authentication Authority(Source Web Site)
5. Assertion
4. Pull assertion
6. Resource
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 28
Support of SAML in the SAP WebAS 640 Java
Only SAML client for authentication available at destination site is available
Support limitedOnly browser artifact scenario supportedDigital signatures for SOAP documents are ignoredNo support for additional “Condition” elementsThe received assertion may only contain one authentication statementThe authentication statement must contain the NameIdentifierAuthorizationDesicionStatement and AttributeStatement are ignored
Nevertheless SAML is strategic within SAP. In the future there will be further support for SAML.
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 29
Pluggable Authentication Service (PAS)
Requires the external (standalone) version of the Internet Transaction Server (ITS)
Provides the following authentication variants:Windows NT LAN Manager protocol (NTLM)Verifying user ID and password on the Windows domain controllerSSL and X.509 client certificatesArbitrary mechanism on the Web server or an intermediate that sets HTTP header variableLDAP bindArbitrary mechanisms provided by a partner product like
RadiusRSA SecureIDNetegrity Siteminder...
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 30
Pluggable Authentication Service: WGate
Windows NT LAN Manager (NTLM)
SSL and X.509 client certificates
Arbitrary mechanism on the Web server that sets HTTP header variable
User ID
User IDSAP
System User ID
SAP System User ID
User External ID Mapping Table (USREXTID)
Authentication(User ID and Password)
AGateWeb
serverWGate
ExternalAuth.Mech.
sapextauthAlice Alice
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 31
Pluggable Authentication Service: AGate
Verifying user ID and password on the Windows domain controller
LDAP bind
Arbitrary mechanisms provided by a partner
User ID
User IDSAP
System User ID
SAP System User ID
User External ID Mapping Table (USREXTID)
Authentication(User ID and Password)
AGateWeb
serverWGate
ExternalAuth.Mech.
sapextauthAlice Alice
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 32
Pluggable Authentication - JAAS
Interface defined by Java Authentication and Authorization Service (JAAS) standard
As of JDK 1.4 integral part of J2SE
Access control based on user credentials
User-centric approach with two components:Authentication (-> login modules)Authorization
http://java.sun.com/products/jaas
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 33
JAAS Authentication
BrowserWindowBrowserWindow
J2EE
External security product
External security product
(optional)
JAAS uses login modules for authenticationLogin modules get user information via callbacksSAP proprietary handlers can be used to gather additional information:
HttpGetterCallback – used to obtain information from the request (header/cookies)HttpSetterCallback – used to attach information to the response
Standard information available is only User/Passphrase, all other information requires a Callback
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 34
Agenda
Authentication and Identities
Authentication with SAP
in a Web Based Scenario
At the SAP GUI for Windows
Summary
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 35
Single Sign-On for SAP GUI for Windows
SAP GUI for Windows
SAP GUI for Windows
External security product
External security product
Use SNC and external security productAuthentication takes place outside of SAP system
Use SAP-certified SNC productAlso available:
Windows NTLM (gssntlm.dll)Windows 2000 Kerberos (gsskrb5.dll)
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 36
Two Worlds: SAP GUI for Windows and Web
SAP GUI for HTMLSAP GUI for HTML
Web
SAP GUI for WindowsSAP GUI for Windows
TraditionalSecure Network Communications (SNC)
SNC partner productSNC: Microsoft NTLM or KerberosSAP Shortcut Method (SAP Logon Ticket)
X.509 client certificate
SAP Logon Ticket
Pluggable Authentication Service (PAS)Use external authentication mechanisms
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 37
SSO From Web to Traditional - ITS
Using logon tickets, ITS, and SAP ShortcutsLogon ticket is passed to SAP Shortcut using ITS service wngui
AGateWeb
serverWGate
sapextauth
Alice
https://host1.mycompany.com/scripts/wgate/wngui/!?~transaction=SU01
Alice
Start SAP Shortcut
SAPGUI for HTML
SAPGUI for HTML
SAPGUI for Windows
SAPGUI for Windows
Alice
Alice
R/3
Only supported on external ITS up to release 6.10 !
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 38
SSO From Web to Traditional – Enterprise Portal
Using logon tickets, Enterprise Portal and SAP ShortcutsLogon ticket is passed to SAP Shortcut using a portal iView
EP
Alice
https://host1.mycompany.com/irj/...
Alice
Start SAP Shortcut
BrowserWindowBrowserWindow
SAPGUI for Windows
SAPGUI for Windows
Alice
R/3
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 39
Prerequisites
1) Users have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.
2) The user has an account in the active user store on the SAP J2EE Engine.
3) The end users Web browsers accept cookies. In Internet Explorer 5.0, accept session cookies for the local intranet zone.
4) Any Web servers or SAP Web AS servers (to include the SAP J2EE Engine) that are to accept the logon ticket as the authentication mechanism are located in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
5) The clocks for the accepting systems are synchronized with the ticket-issuing system.
If you do not synchronize the clocks, then the accepting system may receive a logon ticket that is not yet valid, which causes an error.
6) The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket.
7) Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.
8) The UMEs of the Portal and Web Dynpro systems are set up to authenticate users against the ABAP system.
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 40
SSO EP to ABAP Process Overview
Import Portal public key into WebAS ABAP
Configure trust from ABAP to EP
Set profile parameters of ABAP system to accept logon tickets
Restart SAP WebAS ABAP system
Create and configure iView for the target system
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 41
System Preparation
1. Export Portal Public Key using KeystoreGo to the keystore view in visual adminSelect TicketKeystoreChoose Download verify.der
2. Import public key into WebAS ABAPStart STRUSTSSO2Click on Import CertificateSpecify the location of the file verify.derSet the file format to DER coded and confirmIn the Trust Manager, choose Add to PSESave the new certificate list
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 42
IView Creation
1. Create an iView using the 'SAP Transaction iView' Template. In the Portal choose Content Administration -> Portal Content. In the Content Catalog on the left, right-click on the folder in which youwish to create the iView and choose 'New -> iView'.In the iView wizard, choose 'SAP Transaction iView', then 'Next'. Enter iView name etc, then choose Next. Choose 'SAP GUI for Windows', then Next. In the 'System' field, choose the system alias for the system object youcreated, enter a transaction code, then choose Next. And Finish.
2. Integrate the iView in a role and assign the role to your user.
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 43
Agenda
Authentication and Identities
Authentication with SAP
in a Web Based Scenario
At the SAP GUI for Windows
Summary
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 44
Communication in Integration Scenarios
ApplicationsWeb accessmanagement
products
SAP Enterprise
PortalUser Id
/ Password
SAP Logon Ticket
X.509 Certificate
WAM Token
SAML Artifact
NTLM
Kerberos
- Plug-In / Agent
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 45
Single Sign-On Possibilities
Authentication Type SSO to non-SAP Applications SSO to SAP Applications
User ID / Password EP User Mapping
Direct client connection
SAP Web Server Filter
SAP Ticket Verification LibraryNTLM/Kerberos via direct client
connection to IIS applications
Using EAM SSO Agent Software
Application specific
Application specific
X.509 Digital Certificates
EP User Mapping
Direct Client Connection
Certificate sent by EP ServerSAP Application configuration
NTLM/Kerberos via IIS (plus IISProxy) to WebAS Java 6.40 or SAP EP 6.0
Using WAM SSO Agent plus HTTP Header Authentication to WebAS Java 6.40 or SAP EP 6.0
WebAS Java 6.40
SAP Logon Tickets
Integrated Windows Authentication
EAM-Authentication
SAML
Other JAAS (Custom Authentication Modules)
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 46
Selecting SSO Possibilities for Applications …
PKIX.509 certs?
EAM in use?
IntegratedWindows
Auth.?
SAP Logontickets?
Use PKI
Use SAP Logon tickets
Use EAM Integration
Use Integrated Windows authentication
Use SAP EP User Mapping
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 47
Further Information
Public Web:www.sap.comSAP Developer Network: www.sdn.sap.com SAP NetWeaver Security
Related Workshops/Lectures at SAP TechEd 2004SCUR352 Leveraging External Authentication Based on Industry StandardsSCUR201 SAP Infrastructure SecuritySCUR102 User Management and Authorizations: OverviewSCUR351 User Management and Authorizations: The Details
Related SAP Education Training Opportunitieshttp://www.sap.com/education/ADM960 Security in SAP System Environment
© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 48
Copyright 2005 SAP AG. All Rights ReservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.Oracle is a registered trademark of Oracle Corporation.UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc.JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden.SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages