Implementing a Federated Portal Network

Organizations can implement a federated portal network using the SAP NetWeaver platform to share content between portals.

A federated portal network allows organizations with distributed portal installations, both SAP and non-SAP, to provide each user with a single portal access point to the information, services and applications that are distributed on portals throughout the entire organizational network. This approach reuses existing content and configurations and minimizes the administration effort required.

This topic discusses issues you need to consider and plan for in order to secure the portals in your federated portal network.

General Security-Related Tasks

First treat each portal in the network as a standalone portal unit: before any portal in the network begins to share its content or to use shared content, secure it as an independent unit.

Each NetWeaver portal must comply with the recommendations and guidelines documented in the Portal Security Guide. All non-SAP portals must be installed, configured and secured according to the documentation supplied by their vendor.

Once each portal is secure, you can begin exposing and consuming content between portals in the federation. The following sections describe the additional security recommendations and guidelines for producer and consumer portals in a federated portal network.

Security-Related Information and Tasks for Producers

All users in the federated portal network should be registered in the same user base. The permissions you define for content on your portal therefore strictly control access to that content across the whole network (see Portal Permissions). By assigning portal permissions to your content, you determine exactly which content you expose and to which remote portals (see Exposing Content to Consumers). For example:

•     On a consumer portal, only those administrators explicitly granted permission by an administrator on the producer portal can manage remote content.

•     Only end users explicitly granted read permission by an administrator on the producer portal can execute remote applications.

Note that you can expose iViews to non-SAP portals that are WSRP compliant. However, because WSRP does not currently support cross-platform user authentication, the producer cannot identify the consumer's end users; to expose iViews to such consumers you assign read permission to anonymous users, for example the Anonymous Users group (see Setting Permissions to Producer iViews for non-SAP Consumers). Keep in mind that content exposed this way is readable by anyone who can reach the producer, so expose only content that is suitable for anonymous access.

The following factors and guidelines contribute to securing your producer portal in the federation:

•     In order to designate remote users on the consumer as authenticated users on your portal, you must establish trust with the consumer portal. See Setting Up Trust Between You and Consumers.

•     To prevent unwanted consumers from registering with your portal:

      ◦     Set a registration password. See Configuring Your Registration Password.

      ◦     Do not distribute the password publicly.

      ◦     Change the password frequently.

      ◦     Do not publicly distribute the path to your WSDL file.

•     In the View My Consumers screen on the portal, periodically monitor the consumers that use your portal as a content producer. See Viewing Your Consumers.

•     You can remove unwanted, invalid, or suspicious consumers that have registered with your portal. See Removing Consumers.

Alternatively, you can temporarily block consumers until you decide to remove them permanently. See Enabling/Disabling Access to Registered Consumers.

•     If you are using SAP logon tickets to authenticate users with any back-end systems connected to the producer portal, you need to set up trust between your portal and every back-end system that provides data for the portal and the applications running in it. For information on setting up trust between SAP NetWeaver Portal and an SAP system, see Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine.

•     Alternative forms of authentication besides SAP logon tickets can be used to authenticate users between the client's browser and the consumer portal, and between the client's browser and secure back-end systems. For more information, see Single Sign-On.

Security-Related Information and Tasks for Consumers

The following factors and guidelines contribute to securing your consumer portal in the federation:

•     Registering your portal as a consumer on a producer portal is unidirectional: the producer cannot act as a consumer and automatically use your own content. Instead, the producer must register itself as a consumer on your portal in order to use your exposed content.

•     In order to designate users on the consumer as authenticated users on the producer portal, you must establish trust with the producer. See Setting Up Trust Between You and Producers.

•     To control the actions that other administrators on the consumer can perform in relation to a producer portal, the system administrator on the consumer can assign administrator permissions to producer objects. See Assigning Administrator Permissions to Producer Objects.

•     You can remove producer portals that you no longer use. See Removing Producers.

•     In the View My Producers screen on the portal, you can temporarily block your portal's access to remote content on producers that you have registered with. See Enabling/Disabling Access to Registered Producers.

•     To control end-user execution of remote content through your consumer portal, assign end-user permission to the producer object and to the localized content. See Assigning End-User Permission to Producer Objects and Content.

•     If you are using SAP logon tickets to authenticate users with any secure back-end system, you need to set up trust between your portal and the remote back-end system. For information on setting up trust between SAP NetWeaver Portal and an SAP system, see Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine.