SAP NetWeaver Cloud Security Tutorial Single Sign-On and Identity Federation with SAP NetWeaver Single Sign-On


Single Sign-On and Identity Federation with SAP NetWeaver Single Sign-On

TABLE OF CONTENTS

OVERVIEW
PREREQUISITES AND REQUIREMENTS
GETTING STARTED
STEP 1: ESTABLISH TRUST TO SAP NETWEAVER CLOUD IN ITELO'S CORPORATE IDP
STEP 2: CREATE TEST USERS AND GROUPS IN THE CORPORATE USER DIRECTORY
STEP 3: ESTABLISH TRUST TO ITELO'S CORPORATE IDP IN SAP NETWEAVER CLOUD
STEP 4: CONFIGURE IDENTITY FEDERATION IN ITELO'S CORPORATE IDP
STEP 5: CONFIGURE IDENTITY FEDERATION IN SAP NETWEAVER CLOUD
STEP 6: TEST THE END-TO-END SCENARIO
TROUBLESHOOTING TIPS
  IdP Debug Logs
  SP Debug Logs
  User Agent SAML Message Trace
REFERENCES

This tutorial is part of a series on how to set up Single Sign-On (SSO) and Identity Federation between the SAP NetWeaver Cloud platform and existing identity and access management (IAM) systems. In this document, a complete end-to-end scenario for integrating SAP NetWeaver Cloud with SAP NetWeaver Single Sign-On is implemented based on the Security Assertion Markup Language (SAML) 2.0 protocol.

OVERVIEW

Based on the enterprise scenario in the SAP NetWeaver Cloud SSO and Identity Federation whitepaper [1], the sample application for leave request management (xleave) running on the SAP NetWeaver Cloud platform acts as the SAML Service Provider (SP) that requires user authentication to obtain access to protected resources. As specified by the SAML protocol [2], the system responsible for verifying the identity of authorized users is the Identity Provider (IdP). In this tutorial, the IdP is an existing system running on-premise in the corporate network. The IdP is connected to the corporate directory server, which manages the accounts for all users that are allowed to access the SP in the Cloud. In this role, the IdP can verify the username and password the user enters to log in to the SAP NetWeaver Cloud application against the credentials stored in the corporate directory. Upon successful login, the IdP confirms the user's identity to the trusted SP in the Cloud, and the user is logged on without being asked again for the username and password.

Figure 1: Federation Scenario Overview

Figure 1 illustrates the setup based on the enterprise scenario in [1] of the fictitious company ITelO. In this tutorial, ITelO runs SAP NetWeaver Single Sign-On 1.0 [3]. For Identity Federation with SAML, SAP NetWeaver Single Sign-On offers a SAML 2.0 compliant Identity Provider, which uses the underlying User Management Engine (UME) as the user store. UME can be configured either to use its own persistency or to connect to an LDAP directory as data source [4].

In the scenario setup, ITelO employees have an account in UME's local database, which runs on SAP Sybase Adaptive Server Enterprise, and are assigned to UME roles. Using the SAML 2.0 protocol, ITelO employees will be able to (single) sign on to the xleave leave request application in the SAP NetWeaver Cloud using their corporate credentials. With Kerberos/SPNEGO in place for SSO in the ITelO corporate network, the user is actually only required to enter the domain username and password once in the morning when she logs on to ITelO's Kerberos domain. Any subsequent logons, including authentication at ADFS during a SAML-based sign-on to the SAP NetWeaver Cloud, happen completely transparently from the user's perspective.

As SAP NetWeaver Cloud has no permanent user storage, SAP NetWeaver Single Sign-On must issue the additional user profile data required by the xleave application in the Cloud. Along with the user name used to log in at the IdP, attributes such as the employee's first name, last name and company employee ID are also added to the authentication statement (SAML Assertion) in the SAML Response sent back to the SP running on SAP NetWeaver Cloud. This also includes the employee's internal role assignments in UME, which are required to authorize certain actions of the logged-in user in the Cloud. To avoid complex and error-prone data synchronization and double maintenance of group or role assignments in the on-premise IAM system and the xleave application, permissions in the Cloud are calculated dynamically using the information obtained from the SAML Assertion that the IdP issues for each authenticated user. The NetWeaver Cloud account administrator can define a set of rules for mapping each authenticated user to roles used by the applications running on SAP NetWeaver Cloud. Such a rule, translated into human-readable form, could be: "If a user authenticated by the trusted corporate IdP idp.itelo.corp has a SAML 2.0 assertion with the attribute role which contains the value Manager, assign this user to the group Managers on SAP NetWeaver Cloud", or "Any user authenticated by the trusted corporate IdP idp.itelo.corp will be assigned to the group iteloemployees" (assuming that the IdP idp.itelo.corp only manages accounts from company ITelO).

As described in [1], the xleave application defines two web roles in its web.xml file following standard Java EE conventions: Employee and Manager (see Figure 2).

Figure 2: xleave web role definitions in web.xml

Those roles will be mapped based on a role attribute in the SAML Response which contains the current group assignment in UME of the logged-in employee.

PREREQUISITES AND REQUIREMENTS

To deploy the xleave application on the Cloud, you need a trial [7] or productive account on the SAP NetWeaver Cloud platform. For more information, see [8]. You can download the complete source code from [6], import it as a project in Eclipse, and deploy from there using the SAP NetWeaver Cloud Eclipse tools. For more information about installing and configuring these tools, see [9]. Alternatively, the download also contains a WAR file of the application, which can be deployed with the SAP NetWeaver Cloud Console Client neo and the deploy command, e.g.:

neo deploy -s c:\xleave.war -a <your account name> -h netweaver.ondemand.com -u <your SCN user ID> -b xleave

In addition, an instance of the SAP SAML 2.0 Identity Provider is required, which is part of SAP NetWeaver Single Sign-On 1.0 or higher. To successfully implement the scenario in this tutorial, the underlying SAP NetWeaver AS Java has to be on one of the following release levels:

- 7.2 SP8 or later
- 7.3 SP7 with SAP Note 1704179
- 7.3 SP8 or later

The DNS name of the IdP instance is idp.itelo.corp, running on port 50001 (HTTPS). The operating system is SUSE Linux Enterprise Server 11 SP1.

GETTING STARTED

Setting up the federation scenario comprises six steps in total, which are explained in more detail in the following sections:

1. Establish trust to SAP NetWeaver Cloud in ITelO's corporate IdP
2. Create test users and groups in the corporate user directory
3. Establish trust to ITelO's corporate IdP in SAP NetWeaver Cloud
4. Configure identity federation in ITelO's corporate IdP
5. Configure identity federation in SAP NetWeaver Cloud
6. Test the end-to-end scenario

STEP 1: ESTABLISH TRUST TO SAP NETWEAVER CLOUD IN ITELO'S CORPORATE IDP

The first step in this tutorial is about adding a new Trusted Provider in SAP NetWeaver Single Sign-On for the xleave application on SAP NetWeaver Cloud. Before you can create the new Trusted (Service) Provider, the SAP NetWeaver Cloud account administrator must maintain the SP configuration for his account. After completing this step, SAP NetWeaver Single Sign-On will accept SAML Authentication Requests from the SAP NetWeaver Cloud platform.

1. Before establishing the trust relationship in SAP NetWeaver Single Sign-On to the xleave application, the Service Provider (SP) of your account in SAP NetWeaver Cloud must be configured. Open the Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account) and log in as an administrator for your SAP NetWeaver Cloud account.
2. Go to Trust > Local Service Provider, click on the Edit button, and make the following changes:
   Configuration Type: Custom
   Local Provider Name: https://netweaver.ondemand.com/demo
   Click on the Generate Key Pair button to create a new Signing Key and Certificate pair for your SP in the Cloud. Click on Save to store your new settings.
3. To simplify the creation of the new Trusted Provider in SAP NetWeaver Single Sign-On, export the SP SAML metadata in SAP NetWeaver Cloud by clicking on the Get Metadata link and store the SAML 2.0 metadata file on the local file system.
4. Open the SAP NetWeaver Administrator (NWA) in a web browser with the URL https://idp.itelo.corp/nwa. Log in with user Administrator and switch to the tab Configuration. On the Security page, select the link Authentication and Single Sign-On.
5. Select the tab SAML 2.0 and click on Trusted Providers to add a new trusted SP for SAP NetWeaver Cloud. From the menu of the Add button, select Upload Metadata File.
6. In the first step of the New Trusted Service Provider wizard, click Browse and select the SAML2 metadata file you have just downloaded from SAP NetWeaver Cloud and stored locally. Confirm the new Trusted Service Provider name from the metadata import and click on Next.
7. The SAP NetWeaver Cloud Service Provider signing certificate is already configured, as it is also included in the imported SAML 2.0 metadata file. Keep the preconfigured settings and click on Next.
8. The SAML 2.0 Assertion Consumer Endpoint to which ITelO's corporate IdP will send the SAML Response is also included in the SAML 2.0 metadata. Keep the preconfigured settings and click Next.
9. Again, keep the preconfigured settings for the Single Logout Endpoints, and click Next.
10. As there are no Artifact Endpoints defined in the SAML 2.0 metadata file of the SAP NetWeaver Cloud Service Provider, just continue with Next.
11. To complete the wizard, click on Finish. Trust is now established to ITelO's Service Provider in the SAP NetWeaver Cloud.

STEP 2: CREATE TEST USERS AND GROUPS IN THE CORPORATE USER DIRECTORY

Now it is time to create the users and groups for the scenario. Two users and two groups will be created in UME:
- John Doe, who is a member of the group Employees
- Jane Smith, who is a member of the group Managers

1. Click on the Home link and go to Configuration > Security > Identity Management > Overview. First, a new user profile attribute for the employee ID is added to the UME configuration. Click on Configuration and select the User Admin UI tab. In the field Administrator-Managed Custom Attributes, enter EmployeeID. Click on Save All Changes to apply the new attribute.
2. Select Role from the Search Criteria dropdown box. Click on the Create Role button. In the Details section, enter Employee in Unique Name and click on Save to add the new role.
3. Repeat the two previous steps and enter Manager as the Unique Name.
4. Switch the Search Criteria back to User. Click on Create User. In the Details section of the new user, enter the following data:
   Logon ID: jdoe
   Define/Confirm Password: init1234
   Last Name: Doe
   First Name: John
   E-Mail Address: jdoe@itelo.com
5. Next, select the Additional Information tab. Enter Sales in the Department field and select the Customized Information tab. Enter 12345 in the EmployeeID field and select the Assigned Roles tab. Enter Employee in the Search Criteria and click on Go.
6. In the search result list, select the Employee role and click on the Add button to assign the role to the user. Click on Save to create the new user.
7. Click on Create User again to create the second user, Jane Smith. In the Details section of the new user, enter the following data:
   Logon ID: jsmith
   Define/Confirm Password: init1234
   Last Name: Smith
   First Name: Jane
   E-Mail Address: jsmith@itelo.com
8. Next, select the Additional Information tab. Enter Sales in the Department field and select the Customized Information tab. Enter 98765 in the EmployeeID field and select the Assigned Roles tab. Enter Manager in the Search Criteria and click on Go.
9. In the search result list, select the Manager role and click on the Add button to assign the role to the user. Click on Save to create the new user.

STEP 3: ESTABLISH TRUST TO ITELO'S CORPORATE IDP IN SAP NETWEAVER CLOUD

Now the trust relationship must also be established in the opposite direction, i.e. the Cloud must also trust the corporate IdP in order to complete the end-to-end message flow defined by the SAML protocol. As a result of creating a trusted IdP in the SAP NetWeaver Cloud account, the SAML Response sent by ADFS will be accepted by the xleave application and can be used to log in the user.

1. Go back to the SAP NetWeaver Cloud Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account), or log in again as an administrator for your SAP NetWeaver Cloud account. Select Trust > Trusted Identity Provider and select the Add Trusted Identity Provider link.
2. Enter the following data in the General tab for the new trusted IdP:
   Name: idp.itelo.corp
   Description: ITelO Corp. NetWeaver IDP
   Assertion Consumer Service: Assertion Consumer Service
   Single Sign-on URL: https://idp.itelo.corp:50001/saml2/idp/sso
   Single Sign-on Binding: HTTP-Redirect
   Single Logout URL: https://idp.itelo.corp:50001/saml2/idp/slo
   Single Logout Binding: HTTP-Redirect
   Signature Algorithm: SHA-1
   Signing Certificate: <please refer to the next step>
   User ID Source: subject
   Note: The above URLs for Single Sign-on and Single Logout are based on the assumption that the SAP NetWeaver Single Sign-On server runs on a host with the DNS name idp.itelo.corp and SSL port 50001. If your IP/DNS setup is different, the URLs need to change as well.
3. In SAP NetWeaver Administrator, go to the tab Configuration and click on the link Certificates and Keys. In the list of Key Storage Views, select the one with name SAML2. Scroll down to the section Details of view SAML2. Select the entry with name SAML2Signing-cert and click on the Export Entry button. In the dialog box, select Base64 X.509 from the Select export format dropdown box, and click on the Download link to save the certificate.
4. Click on Save & Close to create the new trusted IdP in your SAP NetWeaver Cloud account.

With this step the basic trust configuration is complete, and the trust relationship is now established on both sides. Next, the federation settings to share and map user profile attributes will be configured.

STEP 4: CONFIGURE IDENTITY FEDERATION IN ITELO'S CORPORATE IDP

Based on the established trust relationship, SAP NetWeaver Single Sign-On must now be configured to issue the employee's user profile attributes required by xleave. These include the following data:
- First name
- Last name
- Employee ID
- Organization Unit (i.e. department name)
- Role (i.e. Employee or Manager)

1. Go back to the SAP NetWeaver Administrator, and select Configuration > Security > Authentication and Single Sign-On. To issue the new employee ID custom profile attribute, you first have to add it to the list of attributes the IdP can issue in an assertion. On the SAML 2.0 tab, select the Local Provider link and switch to the User Attributes tab. Click on Edit, then on Add. Enter the following data:
   Alias: Employee ID
   Name: EmployeeID
   Click on OK to add the new user attribute to the list of IdP profile attributes. Click on Save to save the IdP changes.
2. Click on the Trusted Providers link and select the new Trusted Service Provider with name https://netweaver.ondemand.com/demo from the list. Click on Edit. On the Identity Federation tab, click on the Add button to define the format of the user's ID in the SAML Response.
3. In the Name ID Format dialog, select Format Name Unspecified and Source Name Logon ID. Click on OK.
4. Scroll down to the section Details of Name ID Format Unspecified and switch to the tab Profile Attributes. Click on the Add button to expose a new user profile attribute with the SAML Assertion. Enter fname for the SAML2 Attribute and select First Name from the User Attribute list. Click on OK to add the new User Profile Attribute.
5. Repeat the two last steps for the following profile attributes (SAML2 Attribute / User Attribute):
   lname / Last Name
   orgid / Department
   empid / Employee ID
6. Then switch to the Authorization Attributes tab to add the role profile attribute. Click on the Add button. In the new row, click with the mouse pointer in the SAML2 Attribute input field and enter the name role. For the Type, select Role from the list.
7. Click on the Modify button to edit the Filter of the new authorization-based attribute. In the search field, enter Employee and click on Go. In the result list, select the Employee role and click on Add to add it to the list of Selected Roles of the filter. Enter Manager in the search field and click on Go. In the result list, select the Manager role and click on Add to add it to the list of Selected Roles of the filter. Click on OK to close the dialog.
8. Click on Save to save the changes in the Service Provider's federation settings.
9. Click on Enable to activate the new Service Provider for the SAP NetWeaver Cloud account.

STEP 5: CONFIGURE IDENTITY FEDERATION IN SAP NETWEAVER CLOUD

The previous step configured the issuance of the required user profile attributes by the ADFS IdP. Now those attributes have to be mapped to the attributes used by the xleave application. Special attention will be given to the role attribute, which is used to map the logged-in user to a role defined by the xleave application. More information about federated authorizations and attribute mapping can be found in [1].

1. Go to the SAP NetWeaver Cloud Account Page at https://account.netweaver.ondemand.com (or https://account.nwtrial.ondemand.com if you have a trial account) and log in as an administrator for your SAP NetWeaver Cloud account. Click on Authorizations in the top-level navigation bar and switch to the Groups tab. In the field Group, enter Employees and click on Show Roles.
2. Now a new role can be added to the new group Employees by clicking on the Assign button. In the new dialog box, select Application xleave and Role Employee. Click on Save to assign it to the group.
3. Repeat the two steps by entering Managers in the Group field and pressing Show Roles again. Now select the Manager role from the xleave application and add it to the new group Managers by clicking on Save.
4. With the new groups Employees and Managers mapped to the corresponding web roles in the xleave application, the federation settings can be configured. In Trust, select the Trusted Identity Provider tab and select the entry http://idp.itelo.corp/adfs/services/trust of the ADFS IdP to edit its settings.
5. Switch to the Groups tab and click on the Add Assertion-Based Group link. Enter Employees in the Group field and define one Mapping Rule as follows:
   Assertion Attribute: role
   Rule Operation: equals
   Rule Value: Employee
   Every user with a role attribute containing the specified value will now be assigned to the group Employees in the Cloud, which contains the web role Employee from the xleave application.
6. Repeat the previous step for the Managers group. Click on Add Assertion-Based Group and enter Managers in the Group field. The mapping rule should be defined as follows:
   Assertion Attribute: role
   Rule Operation: equals
   Rule Value: Manager
7. Switch to the Attributes tab to define the mappings of the incoming SAML Assertion attributes to the user principal attributes used by the xleave application. Click on the Add Assertion-Based Attribute link. In the new empty row, enter fname for the Assertion Attribute, and map it to the Principal Attribute with name firstname (as referred to in the xleave application code). Repeat the step to add the remaining mappings (Assertion Attribute / Principal Attribute):
   lname / lastname
   orgid / orgid
   empid / userid
   Note: Mappings are CASE-SENSITIVE!
8. To save your new federation settings, click on the Save & Close button.
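The Overview and this step describe how the Cloud derives a user's principal attributes, groups and web roles from the SAML Assertion: attribute mappings are case-sensitive, and an assertion-based group is assigned when a rule such as role equals Manager matches. The following Python script is an added example, not code from the tutorial or from SAP NetWeaver Cloud, that models this processing on the Service Provider side. It assumes the mappings and rules exactly as configured in Steps 3 and 5, and adds the issuer, validity-window and audience checks a Service Provider must pass before it uses any attribute (XML signature verification is assumed to have happened first). The assertion it parses is constructed for illustration; Jane Smith is given both UME roles so that a multi-valued role attribute is exercised.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust and federation settings taken from Steps 1, 3 and 5 of the tutorial.
TRUSTED_ISSUER = "idp.itelo.corp"
SP_ENTITY_ID = "https://netweaver.ondemand.com/demo"
ATTRIBUTE_MAPPINGS = {"fname": "firstname", "lname": "lastname", "orgid": "orgid", "empid": "userid"}
GROUP_RULES = [
    {"group": "Employees", "attribute": "role", "operation": "equals", "value": "Employee"},
    {"group": "Managers", "attribute": "role", "operation": "equals", "value": "Manager"},
]
GROUP_ROLES = {"Employees": {"Employee"}, "Managers": {"Manager"}}  # xleave web roles per group

# Constructed sample assertion for Jane Smith: unsigned (a real one is signed), and with
# both UME roles to show a multi-valued attribute (the tutorial's jsmith has only Manager).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0" IssueInstant="2013-03-01T08:00:00Z">
  <saml:Issuer>idp.itelo.corp</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-03-01T07:59:00Z" NotOnOrAfter="2013-03-01T08:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://netweaver.ondemand.com/demo</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="fname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="orgid"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="empid"><saml:AttributeValue>98765</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Employee</saml:AttributeValue>
      <saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def utc(iso):
    """Parse a SAML UTC timestamp such as 2013-03-01T08:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Return issuer, NameID and the AttributeStatement as {name: [values]}."""
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {"issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "name_id": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
            "attributes": attributes, "root": root}


def check_conditions(root, expected_audience, now):
    """Validity window and audience checks the SP must pass before using any attribute."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    problems = []
    if cond.get("NotBefore") and now < utc(cond.get("NotBefore")):
        problems.append("assertion is not yet valid (NotBefore)")
    if cond.get("NotOnOrAfter") and now >= utc(cond.get("NotOnOrAfter")):
        problems.append("assertion has expired (NotOnOrAfter)")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("audience restriction does not include " + expected_audience)
    return problems


def map_principal_attributes(attributes, mappings=ATTRIBUTE_MAPPINGS):
    """Assertion attribute -> principal attribute; names are matched case-sensitively."""
    principal = {}
    for assertion_name, principal_name in mappings.items():
        values = attributes.get(assertion_name)
        if values:
            principal[principal_name] = values[0]
    return principal


def evaluate_group_rules(attributes, rules=GROUP_RULES):
    """Assertion-based groups: a rule matches when any value of the attribute equals Rule Value."""
    groups = set()
    for rule in rules:
        if rule["operation"] != "equals":
            raise ValueError("unsupported rule operation: " + rule["operation"])
        if rule["value"] in attributes.get(rule["attribute"], []):
            groups.add(rule["group"])
    return groups


def effective_web_roles(groups, group_roles=GROUP_ROLES):
    return set().union(*(group_roles.get(g, set()) for g in groups))


def process_assertion(xml_text, now):
    """SP-side decision: check issuer and conditions, then derive principal, groups and roles."""
    parsed = parse_assertion(xml_text)  # XML signature verification is assumed to have passed
    problems = []
    if parsed["issuer"] != TRUSTED_ISSUER:
        problems.append("issuer %s is not the trusted IdP" % parsed["issuer"])
    problems += check_conditions(parsed["root"], SP_ENTITY_ID, now)
    if problems:
        return {"accepted": False, "problems": problems}
    groups = evaluate_group_rules(parsed["attributes"])
    return {"accepted": True, "problems": [], "user": parsed["name_id"],
            "principal": map_principal_attributes(parsed["attributes"]),
            "groups": groups, "web_roles": effective_web_roles(groups)}
```

Calling process_assertion(SAMPLE_ASSERTION, utc("2013-03-01T08:00:30Z")) yields the principal attributes firstname, lastname, orgid and userid, the groups Employees and Managers, and both xleave web roles; the same assertion presented at 08:05:00Z or with a different Issuer is rejected before any attribute is used. A mapping written as FNAME or Fname matches nothing, which is the effect of the case-sensitivity note above.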

STEP 6: TEST THE END-TO-END SCENARIO

Now it's time to test the complete end-to-end scenario with the two test users John Doe and Jane Smith. John will create a new leave request, which will be approved by his manager Jane.

1. Start a new web browser on a computer with connectivity to the corporate IdP. You can also use the SAP NetWeaver Single Sign-On host itself. In the address bar, enter the URL of the xleave application in the Cloud following the URL schema https://xleave<account name>.netweaver.ondemand.com/xleave. You will be redirected by the Cloud to the corporate IdP.
2. Sign on to the IdP with John Doe's domain credentials (User Name jdoe, Password init1234) on the SAP NetWeaver logon screen. Note that Intranet SSO (e.g. with SPNEGO) has been deactivated on the SAP NetWeaver AS for this test.
3. Since this is user jdoe's first login, you have to change the initial password. Enter the old password again (init1234) and enter abcd1234 for the new password. Click on Change to continue.
4. Upon successful authentication at the IdP, you are logged in as user jdoe in the Cloud. All attributes from the corporate directory have been passed with the SAML Response to the xleave application (e.g. OrgUnit Sales or the first and last name). As user John Doe has been dynamically assigned to the web role Employee based on the content of his role attribute, he can create a new leave request by clicking on the New request button.
5. Enter some data for the new leave request and click on Send to save it.
6. Click on the Logout button in the top right corner to log out. You have now globally logged out from the IdP and SP. Click on the here link to log in again.
7. This time, log in at the IdP with user name jsmith and password init1234. Again, you have to enter a new password. Use abcd1234 and click on Change to continue.
8. Upon successful authentication at the IdP, Jane Smith is single signed-on to the xleave application and assigned to the Cloud role Manager. Since she also belongs to the same OrgUnit as John (Sales), Jane can approve or reject John's leave request. Click on Approve and log out from the xleave application.

Congratulations! With the completion of this step the scenario has been tested successfully.

TROUBLESHOOTING TIPS

In complex security setups like this, a single wrong configuration setting can break the interoperability between the IdP on-premise and the SP in the Cloud. Thus, it is important to know how to identify the root cause of the issue and where to start with a detailed error analysis. For a SAML scenario, the potential places to look at are:
- IdP debug logs
- SP debug logs
- SAML message flow trace at the User Agent (web browser)

This section proposes different troubleshooting strategies according to those places.

IdP Debug Logs

The Security Troubleshooting Wizard in SAP NetWeaver AS Java is the ideal diagnostic tool for SAML-related troubleshooting. It can be turned on in the SAP NetWeaver Administrator web console following the navigation path Problem Management (or Troubleshooting, depending on your release level) > Logs and Traces.

Figure 3: Security Troubleshooting Wizard

As shown in Figure 3, detailed diagnosis for SAML on the IdP can be configured by selecting the item SAML 2.0 (Debug) from the list of incidents. After that, click on the button Start Diagnostics to collect the debug traces, and execute the logon process. After completing the process, click on Stop Diagnostics. The HTML file containing the trace log can be downloaded as a ZIP archive or viewed in the browser. More information can also be found in SAP Note 1332726 [10] on Troubleshooting SAML 2.0 in AS Java.

SP Debug Logs

Increasing the debug log level for the xleave application in the Cloud can be done either with the SAP NetWeaver Cloud Command Client (neo deploy with the log parameter severity <log_level>), or using the Account Page administration page. The command client applies the same log level to all loggers, whereas in the Account Page specific loggers can also be configured. Clicking on the Logs link of the xleave entry in the table of the Applications tab opens the dialog shown in Figure 4.

Figure 4: Debug level configuration for SAML2 in SAP NetWeaver Cloud

Enter saml2 as a filter string and search for the logger with name com.sap.core.jpaas.security.saml2.sp in the results. This is a good place to start if, for example, everything seems to work fine on the IdP side, but the SAML Response is not processed correctly in the Cloud (e.g. the xleave application throws an HTTP 500 error).

User Agent SAML Message Trace

Having a closer look at the actual messages sent back and forth between the SP and IdP might also help to resolve interoperability issues in certain situations. Since the SAML protocol relies completely on the user's web browser to forward all messages between the Cloud and on-premise, a tool like SAML Tracer, available as an add-on for Mozilla Firefox, can capture the complete communication flow and make it available for further analysis.

Figure 5: SAML Tracer Add-on for Firefox in action
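SAML Tracer shows the SAMLRequest and SAMLResponse parameters after undoing the binding encoding: base64 over raw DEFLATE for the HTTP-Redirect binding configured in Step 3, plain base64 for HTTP-POST. The following Python script is an added example, not part of this tutorial or of the SAML Tracer add-on, that performs the same decoding on a captured redirect URL and compares the Issuer and Destination of the AuthnRequest against the Local Provider Name from Step 1 and the Single Sign-on URL from Step 3, which is the kind of mismatch that silently breaks the flow. The AuthnRequest it encodes and decodes is constructed for illustration; the ACS host name and path are placeholders and no request signature is included.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values configured in Steps 1 and 3 of the tutorial.
SP_ENTITY_ID = "https://netweaver.ondemand.com/demo"
IDP_SSO_URL = "https://idp.itelo.corp:50001/saml2/idp/sso"

# Constructed sample AuthnRequest of the kind the SP issues on the redirect in Step 6.
# The ACS host and path are placeholders; a real request also carries a signature.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2013-03-01T08:00:00Z" '
    'Destination="https://idp.itelo.corp:50001/saml2/idp/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://xleavedemo.netweaver.ondemand.com/saml2/sp/acs">'
    "<saml:Issuer>https://netweaver.ondemand.com/demo</saml:Issuer>"
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="false"/></samlp:AuthnRequest>'
)


def encode_redirect(xml_text, relay_state=None):
    """Build the HTTP-Redirect URL as the SP does: raw DEFLATE, base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def encode_post(xml_text):
    """The HTTP-POST binding carries plain base64 of the XML, without DEFLATE."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_param(value, binding):
    """Reverse the binding encoding; the result is what SAML Tracer's SAML tab shows."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def decode_redirect_url(url):
    """Split a captured redirect URL into endpoint, parameter name, RelayState and XML."""
    endpoint, _, query = url.partition("?")
    qs = parse_qs(query)
    name = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    return {"endpoint": endpoint, "parameter": name,
            "relay_state": qs.get("RelayState", [None])[0],
            "xml": decode_saml_param(qs[name][0], "redirect")}


def summarize_message(xml_text):
    """Pull out the fields worth comparing against the trust configuration."""
    root = ET.fromstring(xml_text)
    info = {"type": root.tag.split("}", 1)[1],  # AuthnRequest, Response, LogoutRequest, ...
            "id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "destination": root.get("Destination"),
            "issue_instant": root.get("IssueInstant"),
            "in_response_to": root.get("InResponseTo")}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is not None:  # only Responses carry a status
        info["status"] = status.get("Value")
    return info


def check_authn_request(summary):
    """Compare a captured AuthnRequest with the values configured in Steps 1 and 3."""
    problems = []
    if summary["type"] != "AuthnRequest":
        problems.append("message is a %s, not an AuthnRequest" % summary["type"])
    if summary["issuer"] != SP_ENTITY_ID:
        problems.append("Issuer %r does not match the Local Provider Name" % summary["issuer"])
    if summary["destination"] != IDP_SSO_URL:
        problems.append("Destination %r is not the configured Single Sign-on URL" % summary["destination"])
    return problems


if __name__ == "__main__":
    captured = decode_redirect_url(encode_redirect(SAMPLE_AUTHN_REQUEST, relay_state="/xleave"))
    summary = summarize_message(captured["xml"])
    print(captured["endpoint"], captured["parameter"], captured["relay_state"])
    print(summary)
    print("problems:", check_authn_request(summary) or "none")
```

To apply it to a real trace, paste the redirect URL that SAML Tracer recorded into decode_redirect_url, or the SAMLResponse form field of the POST to the Assertion Consumer Service into decode_saml_param with binding "post"; for a Response, the status field of the summary gives the IdP's StatusCode before you dig into the SP debug logs.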

Figure 5 shows the tool in action with a sample trace taken during testing of the scenario. The SAML-related HTTP requests are marked with a SAML label in the message trace, and can be examined in more detail in the specific viewer (SAML tab).

REFERENCES

1. Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud Whitepaper: http://scn.sap.com/docs/doc-32675
2. SAML 2.0 Specifications: http://saml.xml.org/saml-specifications
3. SAP NetWeaver Single Sign-On on SCN: http://scn.sap.com/community/netweaver-sso
4. SAP Documentation: Configuring the UME to Use an LDAP Directory as Data Source: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/12/7678123c96814bada2c8632d825443/frameset.htm
5. SAP NetWeaver Cloud Platform Documentation, User Authentication: https://help.netweaver.ondemand.com/default.htm?enabling_id.html#concept_93ea4d93901d4e63B7F6F447F14AD5D2_106
6. xleave Sample Application Download: http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/20d0cbce-3d48-3010-5c9b-8361771c9e6b
7. Get your free developer license for SAP NetWeaver Cloud in 5 minutes: http://scn.sap.com/docs/doc-28197
8. SAP NetWeaver Cloud Account Types: https://help.netweaver.ondemand.com/default.htm?account_types.html
9. Setting up the Tools and SDK: https://help.netweaver.ondemand.com/default.htm?setting_up_tools.html#concept_9e86cb16f6494799B5CF516B38B7503F_17
10. SAP Note 1332726, Troubleshooting Wizard: https://service.sap.com/sap/support/notes/1332726

www.sap.com 2013 SAP AG. All rights reserved.
