The security guide aims to provide you with an overview of the security architecture of the ONE platform. It describes the different modes of authentication that can be used and gives an overview of how to set up and administer users on the platform.
Overview of the platform
The following diagram gives you an overview of the Sitrion ONE platform. A device-specific application is available in the respective AppStore of the mobile platform (like the Apple AppStore, Google Play etc.).
This application connects to the Sitrion Cloud platform that is hosted on the Windows Azure offering from Microsoft. Each customer of Sitrion ONE is provisioned as a tenant in the system.
The customer can access the cloud environment through the website one.sitrion.com.
All users that have been configured with administrative rights for their respective company are able to log on to this address, where they can then set up and configure the environment. The specific details and settings for customization will be described later in this document.
The cloud tenant communicates with the Sitrion ONE hub component, a Windows service that needs to be installed inside the customer’s network. It needs to be able to connect to the internet, and it will automatically create a tunnel using the Microsoft Service Bus technology. More details on the hub service component can be found in the section “Communication between Cloud and Company Network”.
Sitrion ONE does not store any backend credentials like SAP or SharePoint on the client device or in the cloud environment. No runtime data is stored on the device. Access to the back end systems happens in real time without any offline capabilities.
Communication between Phone and Cloud
The clients (phones, tablets and Windows PCs) connect to the Sitrion API via a REST interface. All communication is secured using SSL certificates. Upon an incoming request to the API, a check is performed to see if the request contains a valid security token that was issued by the Sitrion tenant of the Azure Access Control Service. In case either there isn’t a token present or the received token is invalid (e.g. due to timeout), the client will be redirected to a logon page.
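The token check described above, as an added example that is not part of the guide or of Sitrion's code: it assumes the ACS-style Simple Web Token layout (form-encoded Issuer, Audience, ExpiresOn and an HMACSHA256 signature over the preceding parameters), a constructed shared signing key, constructed issuer and audience values, and a "WRAP access_token" Authorization header. A missing, forged, foreign or expired token yields the redirect decision; only a token that passes every check is allowed through.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed values (assumptions, not from the guide): the key shared between the
# token issuer and the API, and the issuer/audience the API expects to see.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://example-tenant.accesscontrol.windows.net/"
EXPECTED_AUDIENCE = "https://api.example.invalid/"
HEADER_PREFIX = 'WRAP access_token="'


def _sign(unsigned: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the unsigned parameter string, base64 encoded."""
    return base64.b64encode(hmac.new(key, unsigned.encode(), hashlib.sha256).digest()).decode()


def issue_token(expires_on: int, key: bytes = SIGNING_KEY) -> str:
    """Helper that plays the token issuer: signed SWT-style token (assumed layout)."""
    body = urlencode({"Issuer": EXPECTED_ISSUER,
                      "Audience": EXPECTED_AUDIENCE,
                      "ExpiresOn": str(int(expires_on))})
    return body + "&" + urlencode({"HMACSHA256": _sign(body, key)})


def check_request(authorization_header, now=None) -> str:
    """Return 'allow' for a valid token, otherwise 'redirect-to-logon'."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith(HEADER_PREFIX):
        return "redirect-to-logon"  # no token present at all
    token = authorization_header[len(HEADER_PREFIX):].rstrip('"')
    fields = dict(parse_qsl(token, keep_blank_values=True))
    presented = fields.pop("HMACSHA256", None)
    cut = token.rfind("&HMACSHA256=")
    if presented is None or cut < 0:
        return "redirect-to-logon"  # unsigned token
    # The signature covers everything before the trailing HMACSHA256 parameter.
    if not hmac.compare_digest(presented, _sign(token[:cut])):
        return "redirect-to-logon"  # forged or tampered token
    if fields.get("Issuer") != EXPECTED_ISSUER or fields.get("Audience") != EXPECTED_AUDIENCE:
        return "redirect-to-logon"  # issued by another tenant or for another API
    try:
        if int(fields["ExpiresOn"]) <= now:
            return "redirect-to-logon"  # token has timed out
    except (KeyError, ValueError):
        return "redirect-to-logon"
    return "allow"
```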
Communication between Cloud and Company Network
The Sitrion cloud environment, hosted on Microsoft Azure, communicates via a secure connection with the hub service component that is part of Sitrion ONE. The hub service is the only component that needs to be installed inside of the customer’s network. This component is provided by Sitrion in form of an MSI file that needs to be installed on a machine (real or virtual) that can access the internet and also all backend systems that you want to enable for mobile consumption (SAP systems, Microsoft SharePoint, ...). The hub service is implemented as a Windows service that will be set by the installer to automatically start.
The user account that hosts the service may need to be adjusted depending on your SSO needs. Further information can be found in the “Communication between Hub and SAP” and “Communication between Hub and SharePoint” sections at the end of this document.
The hub service uses a SQL database for its configuration.
Should the hub service fail to connect to the cloud environment, consult the following documentation provided by Microsoft. It describes additional measures, like opening a set of ports in the firewall (Hosting behind a Firewall with the Service Bus - http://msdn.microsoft.com/en-us/library/azure/ee706729).
The given ports for the Hub are also described in the Prerequisites of the Hub.
Sitrion ONE offers two distinct security modes – Sitrion Security mode and Active Directory Integration mode. A customer can only use one mode, and changing the security mode needs a considerable amount of work. Therefore, the security mode is a strategic decision that should be made before adding any considerable number of users to the platform. The security modes are described in detail in the following sections.
Connection from the Hub Service to SAP (RFC)
The hub service uses the RFC protocol to talk to SAP. The connection can be secured using an SNC library like SAP Crypto. When using Sitrion Authentication Mode, a user has to enter his SAP credentials for each of the SAP systems that are targeted by all applications that he has access to. He can enter these credentials on his device and they will be securely transferred to the hub service where they will be encrypted and linked with the Sitrion user account.
When using Active Directory Authentication Mode, a SAP system can be configured to use SSO via SNC. You have to create a trust relationship between the SAP system and the machine where the hub service is installed. When a request is made against SAP, the user’s Windows identity that is part of the security token will be passed to SAP where the user needs to be mapped to a SAP user.
Connection from the Hub Service to SharePoint
The connection to SharePoint from the hub is made using the SharePoint client API and the web services that SharePoint provides. When using Sitrion Authentication Mode, a user has to enter his Windows credentials for the SharePoint system on his device. These credentials will be securely transferred to the hub service where they will be encrypted and linked with the Sitrion user account. When a request is made against SharePoint, the user will be impersonated using the stored credentials. This way, the SharePoint security is enforced and the user can only access data that he has been granted access to.
When using Active Directory Authentication Mode, a SharePoint system in Sitrion ONE can be configured to use Single Sign On. When a request is made against SharePoint, the user’s identity that is part of the security token will be used to impersonate the user and execute the call. If the hub service is installed on the same machine that hosts SharePoint, no further configuration is required.
In case the hub service is installed on a different machine in the same Active Directory domain, the hub service needs to be run under a service user account (a domain account) that has been granted Kerberos delegation rights. Please look at the Kerberos/Active Directory documentation from Microsoft for further information.