André Fischer ([email protected]) Project Manager CTSC Michael Sambeth ([email protected]) NetWeaver Practice Unit Enterprise Portal SAP Active Directory Integration – SSO and Usermanagement
Dec 29, 2015
André Fischer ([email protected])Project Manager CTSC
Michael Sambeth ([email protected])NetWeaver Practice Unit Enterprise Portal
SAP Active Directory Integration – SSO and Usermanagement
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 2
Agenda
Introduction
User Management
Single Sign On
Conclusion
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 3
Agenda
Introduction
User Management
Conclusion
Single Sign-on
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 4
What the user wants …
ERP CRM ESS Groupware
Intranet Workflow Internet ...
Portal
Logon
Access
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 5
What the administrator wants …
Central user managementSingle point of administrationAssign user rights in various applications with one keystrokeLock or Delete users centrally
Central user repositoryAvoid redundant user information
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 6
What are the prerequisites ?
Integrated Cross-Application User Management Central storage of user information
Group assignementBasic user dataApplication specific user data
Standard Access protocolInteroperability, Multi vendor and platform support
Solution: LDAPLDAP Directories serve as central repository for user master data.Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP).Applications from multiple vendors and platforms can work as LDAP clients -> InteroperatibilityAuthentication
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 7
What are the prerequisites ?
Single Sign-On (SSO)User authenticates once against a security systemUser is afterwards automatically authenticated to access other systemsAuthentication against external applications is transparent for the userLogon-Procedure for initial authentication must be secure
SolutionSAP Logon Tickets
E.g. with SAP Enterprise Portal, SAP WebAS,...
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 8
… and how can it be realized in a Microsoft Environment !
SAPEnterprise Portal / Web AS can use LDAP Directories as User Repository (User Persistence Store)Enterprise Portal provides SSO to SAP and MS backend systems using SAP Logon TicketsSAP provides a Directory Interface for User Management via LDAP
mySAP HR can create / update users in LDAP Directories SAP user data can be synchronized with user data in LDAP Directories
Microsoft Active Directory Supports LDAPActive Directory is SAP certified (BC-USR-LDAP)Windows authentication can be used as external authentication for mySAP Enterprise Portal (SSO to EP)
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 9
ActiveDirectory
The big picture
Authentication
UME (Web AS Java)SAP Enterprise Portal
Use as userrepository
mySAPHR
Create andmodify users
Use as userrepository
UME(Web AS Java)
Java Application
WebDynpro CUA
Synchronizeuser data
mySAP Systems
User data
3rd party Applications
Microsoft basedapplications
SSOSSOSSO SSOSSOSSO
SSO
SAP ISAPI Filter
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 10
Agenda
User Management
Interduction
Conclusion
Single Sign-on
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 11
ActiveDirectory
User Management (step 1)
UME (Web AS Java)SAP Enterprise Portal
Use as userrepository
mySAPHR
Create andmodify users
Use as userrepository
UME(Web AS Java)
Java Application
WebDynpro CUA
Synchronizeuser data
mySAP Systems
User data
mySAP HRCreate modifyDirectory users
Active DirectoryAssign groups and password
SAP EP & SAP J2EEUse Directory as user repository forEP and JAVA users
CUACreate / Synchronize SAP ABAP users usingBC-LDAP-USR interface
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 12
mySAP HR LDAP interface
GoalCreate / modify users in the directory server automatically from employee data stored in mySAP HR
ReasonmySAP HR is master system for (basic) employee data
First nameLast nameEmployee numberManager….
Optimize Administration of usersReduction in operational costsCorrectness of dataSpeed of the process
RestrictionOnly export of data
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 13
User information in Active Directory
distinguishedName:
sn:
givenName:
employeeNumber:
sAMAccountName
userPrincipalName
…
mail:
memberOf:
…
CN=Andre Fischer, CN=Users, DC=MSCTSC, DC=SAP,DC=CORP;
Fischer
Andre
0123456
M0123456
…
CN=Users,DC=MSCTSC,DC=SAP,DC=CORP; CN=Domain Admins,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;CN=SAP Users,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
Attributes that can be provided by mySAP HR
Attributes that are provided by Active Directory and Exchange Administration
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 14
Data export from mySAP HR using LDAP interface
Employee data:Personel numberFirst NameLast Name...
WebAS>= 6.10
Extraction
ActiveDirectory
SAP HR
SAP data field ->
LDAP attribute
Mapping
RFC LDAP
Create / update users
User attributesCnSngivenName...
LDAP
<=4.6C
>=4.7
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 15
Results of export using mySAP HR LDAP interface
=> New users are created as deactived accounts in Active Directory
=> Existing user accounts will be updated
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 16
ActiveDirectory
User Management (step 2)
UME (Web AS Java)SAP Enterprise Portal
Use as userrepository
mySAPHR
Create andmodify users
Use as userrepository
UME(Web AS Java)
Java Application
WebDynpro CUA
Synchronizeuser data
mySAP Systems
User data
mySAP HRCreate modifyDirectory users
Active DirectoryAssign groups and password
SAP EP & SAP J2EEUse Directory as user repository forEP and JAVA users
CUACreate / Synchronize SAP ABAP users usingBC-LDAP-USR interface
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 17
Active Directory - Useradministration
Activate account
Assign groups
Set / Reset password
Perform additional administrative tasks …
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 18
ActiveDirectory
User Management (step 3)
UME (Web AS Java)SAP Enterprise Portal
Use as userrepository
mySAPHR
Create andmodify users
Use as userrepository
UME(Web AS Java)
Java Application
WebDynpro CUA
Synchronizeuser data
mySAP Systems
User data
mySAP HRCreate modifyDirectory users
Active DirectoryAssign groups and password
SAP EP & SAP J2EEUse Directory as user repository forEP and JAVA users
CUACreate / Synchronize SAP ABAP users usingBC-LDAP-USR interface
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 19
Architecture: User Management Engine
Basic user data
Basic group data
User group assignment
User/group role assignment
User mapping (for SSO purposes)
User Roles (Metadata)
Content role assignment
User’s personalization data
PortalServer
PCD InstanceUM Instance
User Persistence StoreLDAP orPortal Database orSAP System
Portal Database
Store portal-specific data
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 20
UME: Active Directory as User Persistence Store
Portal Users are stored in the Directory
Active Directory groups can be assigned to Portal Roles
Portal specific information is stored in portal databasegroup <-> role assignmentUser <-> role assignement
Portal User Id = sAMAccountName (default)
Multiple domains are supported if an attribute is used as portaluser id that is unique in the complete forest (thesAMAccountName is only unique in a domain)
LDAP access of the portal to the directory should be secured bySSL
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 21
UME result
User can log on to SAP EP immediately
User isassigned to roles that areassigned to theuser or thegroups the userhas beenassigned to
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 22
ActiveDirectory
User Management (step 4)
UME (Web AS Java)SAP Enterprise Portal
Use as userrepository
mySAPHR
Create andmodify users
Use as userrepository
UME(Web AS Java)
Java Application
WebDynpro CUA
Synchronizeuser data
mySAP Systems
User data
mySAP HRCreate modifyDirectory users
Active DirectoryAssign groups and password
SAP EP & SAP J2EEUse Directory as user repository forEP and JAVA users
CUACreate / Synchronize SAP ABAP users usingBC-LDAP-USR interface
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 23
Overview SAP LDAP user synchronisation
SAP ABAP user management data can be synchronized with a LDAP directory with systems based on WebAS 6.10 or higher
SAP Systems with Release 4.5 and higher can be integrated into LDAP using CUA
LDAP directory interface provides mapping capabilities LDAP attributesand SAP data fields
SAP User synchronisation and distribution can be performed bybackground jobs
CUA on WebAS
Mandatory for 4.5 & 4.6 optional for 4.7 and higher
LDAP ALELDAP
4.7 and higher
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 24
SAP Application Server
Call Function‘LDAP_XXX‘
Work Process LDAPConnector
Function‘LDAP_XXX‘
Connection withLDAP Server
Domain Controller:Active Directory
RFC
LDAP
Executable LDAP_RFC shipped since Release 4.6A
Loads LDAP Library of operating system at runtime
LDAP Connector
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 25
SAP Application Server
Call Function‘LDAP_XXX‘
Work Process LDAPConnector
Function‘LDAP_XXX‘
Connection withLDAP Server
Domain Controller: Active Directory
RFC
LDAP
If operating system of SAP Application Serverdoes not provide a LDAP Library
LDAP connector runs as Service on Windows
LDAP Connector as Service on Windows
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 26
Result of SAP user LDAP synchronisation
User is created / updatedwith basic user datafrom LDAP directory
First NameLast NameeMailRoles (optional)…
Users are createdwithout password
Passwords are notneeded if SSO usingSAP Logon Tickets isusedNo security risk sinceusers cannot log on eithout using SSO via Enterprise portal usingan initial password
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 27
Q&A: Usermanagement with Microsoft Active Directory
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 28
Agenda
Single Sign-on
User Management
Conclusion
Introduction
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 29
What is Single Sign-on (SSO)?
Single Sign-onUser authenticates once against a securitysystemUser is afterwards automatically authenticated to other systems
AuthenticationInitial check of user credentials (for exampleusername/password)
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 30
Why using Single Sign-on ?
Typical situationIn a complex system landscape an employee has many user IDs with different passwords Different procedures for each system to roll-out, reset and change new/existing passwordsUsers find continuous password changing for many systems annoying
Solution: Single Sign-onUsers only have to remember one password to gain access to every systemAdministration costs and effort are drastically reduced
ProblemsHigh administration cost and effortSecurity risk: Users write passwords down and store them where they can easily be found
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 31
Authentication Methods – Initial Logon Procedure
Enterprise Portal 6.0 supports various authentication methodsUser ID / password
LDAP Directory (for example Active Directory)Portal DatabaseSAP System
X.509 digital certificatesThird-party authentication
Integrated windows authenticationSAP authentication (SAP Web AS or R/3)Others through JAAS interface (pluggable JAAS login modules, e.g. RSA)
SAP integrates into existing Active Directory landscapesInitial logon procedure to authenticate user can be delegated to Active Directory No additional costs since no 3rd party software is requiredAuthentication methods can also be used if portal runs on UNIXSAP provides necessary interfaces and tools
UME: LDAP Adapter for Active DirectoryISAPI Filter for IIS (IISProxy.dll)
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 32
Integrated Windows authentication –SSO Microsoft Windows Logon to Enterprise Portal
PrerequisitesSeparate Webserver: IIS withIISProxy.DLL filterBrowser: Microsoft Internet Explorer
Authentication of users is delegated to the operating system
Previous logon to Windows operating system can be reusedUser is not required to reenter his or her Windows authentication credentials
LimitationsMultiple domains are now supported*.In this case an attribute that is unique in all domains has to be used as portallogon id (for example userPrincipalName)Can only be used in Intranet scenarios
*Solution is available for EP 6.0 SP2 on project basis
** EP <=EP6.0 SP2 Patch4: NTLM header is used
ActiveDirectory
SAP Enterprise Portal
IIS
SAP ISAPI Filter
3.Checkcredentials
4.ISAPI Filter redirects HTTP requestEP checks HTTP Header variable REMOTE_USER**
2. Login
1.Auth.
5.SAP LogonTicket issued
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 33
Authentication Methods – User Id / Password (LDAP)
PrerequisitesUser Persistence Store: ActiveDirectory
Authentication of users is delegated to the operating system
User must enter his or her Windows authentication credentials
Typical scenariosExtranet scenariosIntranet scenarios where a second login using the same username / password should be use
ActiveDirectory
SAP Enterprise Portal
2. LDAP bindCheck credentials
1. Login
3.SAP LogonTicket issued
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 34
Overview – SSO from EP to backend systems
SAP EP provides SSO to backend systems using
SAP Logon TicketsAccount Aggregation
SAP Logon Tickets can beused for SSO to:
SAP ApplicationsWeb based applicationswith the SAP Web Server filterJAVA and C applicationsusing SAP‘s sharedlibraryMicrosoft Applicationsusing SSO2KerbMap Module *
3rd party Applications
SAP Enterprise Portal
SAP Web ServerFilter or
SharedLibrary
SSO22KerbMapModule
SAP Logon Ticket
Initial Logon orSSO
New
SAP Logon Ticket
* Active Directory 2003 required
SSOSSOSSO
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 35
SSO – Account Aggregation
Features:Account aggregation can be used if the external system does notsupport SAP logon tickets
System is maintained in portal system landscapePortal components connect to the external system with the user’s credentials (user ID and password), e.g. with SAP AppIntegrator
Credentials submitted via HTTP GET Query String or HTTP POST bodyUser mapping and credentials information are securely stored in the Portal Database
Drawbacks and Limitations:Redundant administration of credentialsStored credentials have to be changed if password changes in a backend syste
Administrative overheadSecurity update of MS IE http://user:[email protected]
Username and password must not be sent in a URL via the network
Conclusion:Seamless SSO technique such as SAP Logon Tickets is preferred
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 36
SSO – SAP Logon Tickets
Portal Server issues an SAP logon ticket to a user after successful initial authentication
SAP logon ticket is stored as per session cookie on the client browser
SAP logon ticket is used to authenticate user to applicationsUser gets access to multiple applications and servicesAfter initial logon no further user logons required
SAP logon tickets contains user name(s)
SAP Logon Ticket is signed using digital signatures
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 37
Verifying the SAP Logon Ticket
Backend System
Step 2:
Retrieval of the user ID which is stored in the SAP logon ticket.
=> No additional authentication necessary.
Step 1:
Verification of the digital signature provided with the SAP logon ticket.
=> Application needs access to issuing server’s public-key certificate
Portal Server’s public-key certificate
SAP Logon Ticket
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 38
SSO to SAP Backend Systems using SAP Logon Tickets
SAP User ID‘s must be equal in all SAP backend system
Portal UserID = SAP UserID in backend systemsLogon Ticket issued by the portal server contains the portal userIDonlyInitial portal authentication is sufficient
Portal UserID ≠ SAP UserID in backend systemsThe user has to logon once initially to the SAP Reference systemLogon Ticket issued by the portal server contains both, the portaluserID and SAP userID in backend systems
If SAP User ID‘s of a portal user are not equal in all SAP backend system SSO via account aggregation has to be used
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 39
SAP Reference System
Contains the SAP User ID‘s
Used for mapping between SAP Users and Portal Users in EP
SAP Users can be created / modified using LDAP directoryinterface
Users have only to logon once to the SAP reference system
SAP CUA system can be used as SAP Reference system
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 40
Portal
Initial
Logon
SSO
SAP LogonTicket
SAP LogonTicket
SAP LogonTicket
SAP LogonTicket
SSO to SAP components using SAP Logon Tickets
WebDynpro
BSP-Pages
SAPGUI for HTML
SAPGUI for Windows
WindowsWeb
WebAS
SAP
SAP
ITS
SAP
WebDynpro
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 41
Web Server Filter, Shared Library and Java classes
Web Server Filteravailable for several Web Servers (IIS, Apache, iPlanet)verifies SAP Logon Ticket and extracts portal user idAdds portal user id to http headerExample: Use by ASP applications
Shared LibraryDynamic Link Library for verifying SSO Tickets in third party SoftwareNative support of SSO using SAP Logon Tickets for applicationswritten in C, Visual BasicSAP provides C samples
Java ClassesJava Classes provided by SAPOperating System independentJavadoc on SDN contains JAVA samples
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 42
SSO to MS based backend systems innovation
Goal:Use of Kerberos for authentication on MS backend servers
Windows authentication (Kerberos) is the preferred authenticationmethod in Microsoft environments
Problem:Kerberos does not work well across the Internet (firewall config)Windows integrated authentication can only be used in intranetscenarios (firewall config, trusted domains)To perform Kerberos on a client’s behalf the server needs to have the client’s primary credentials (RFC 1510)
Client’s password ORClient’s ticket granting ticket (TGT) and the corresponding session key
But, Windows Server must NOT know the client’s password which would be a severe breach of trust
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 43
Solution: SSO22KerbMap Module
Kerberos Constrained Delegation with Protocol Transition
Authentication
Managability /Constraints
On behalfof a end user
Applicable whereKerberos would notWork natively, e.g. over the Internet
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 44
Microsoft has enhanced its implementation of the Kerberos protocol
Constrained delegation: Service may request a (constrained) Kerberos ticket on behalf of a user for specified services onlyProtocol transition: Client may be authenticated using othermethods than Kerberos
SAP has developed the SSO22KerbMap Module (ISAPI Filter) Protocol transition: Filter allows authentication using SAP LogonTicketsConstrained delegation: Filter can aquire Kerberos Tickets on behalf of user that is authenticated by a SAP Logon Ticket
Kerberos constrained delegation using protocol transition
IIS
Clients
ISAPIFIlter (SSO22KerbMapModule) IIS Back-end Server
Active Directory
Kerberos
Constrained
Delegation
SAP Logon TicketsIIS Back-end Server
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 45
SSO22KerbMap Module - Flowchart
ADS 2003
Windows Backend
ApplicationIISKerberos
Client(IE)
HTTP (S)
2
4
1
3+5
6
1. Client with (valid) SAP Logon Ticket2. Authentication to IIS. ISAPI Filter DLL checks validity of SAP Logon Ticket3. Identification: ISAPI Filter searches for a user in Active Directory with the user
id contained in SAP Logon Ticket. 4. Impersonation as user (LogonAsUser)5. Constrained Delegation managed by ADS6. Kerberos Authentication when connecting to backend service as fully
qualified Windows Domain User 7. Windows backend application/service accepts contrained kerberos ticket
Impersonation
Identification +Constraineddelegation
7
SAP Logon Ticket
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 46
Configuration of delegation in Active Directory
Sample configurationin ADS forOutlook Web Accesss
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 47
Microsoft Exchange Front-End and Back-End Server Architecture
Client –
Extranet
Global catalog server
Exchange
back-end servers
Client - Intranet
Firewall
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 48
Exchange
Frontend Server
Outlook Web Access using SSO22KerbMap Module
1
3 Impersonation
Kerberos ticketCheck SAP Logon Ticket
ActiveDirectory
Check if server is trusted for delegation
2
Exchange
Backend Server(s)
SSO
22K
erbM
apM
odul
eSSO
22K
erbM
apM
odul
e
passthrough
authentication
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 49
Outlook WebAccess for Exchange 2003
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 50
Portalized Outlook WebAccess
* German localization
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 51
Summary
Kerberos Constrained Delegation with Protocol Transition
Authentication to backend
ADS 2003
MicrosoftS4U2-KerberosExtensions
SAP Logon Ticketsfor Authentication on IIS web server
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 52
Agenda
Conclusion
User Management
Single Sign-on
Introduction
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 53
Conclusion
SAP Enterprise portal supports open standard LDAPintegrates into exisiting LDAP DirectoriesExisting groups can be used for role assignment
SAP Enterprise portal provides SSO using SAP Logon Tickets toSAP systemsMS based applications
SAP provides DLL to use integrated windows authentication as SSO to EP
SAP Enterprise Portal serves as an end-to-end SSO solution
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 54
Q&A: Single sign-on to Microsoft Systems
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 55
References
SSO2KerbMap Module Download & Dokumentation:SAP Software Distribution Center: http://service.sap.com/swdc -> Search and search for the string „sso22kerbmap“SAP Note 735639 “SSO2 To Kerberos Mapping Filter: Known issues”http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=DISPL_TXT&_NNUM=735639&_NLANG=E
SAP Application Integrator HowTo:http://service.sap.com/EP60howtoguides
Customizing MS Outlook Web Access:http://www.microsoft.com/technet/prodtechnol/exchange/2000/library/CUSTOWA.mspxhttp://www.msexchange.org/articles/Exchange_2003_Outlook_Web_Access_Themes.html
Microsoft 2003 Kerberos Constrained Delegation:http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspxhttp://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 56
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Copyright 2004 SAP AG. All Rights Reserved