In a previous web log, I explained the basics of Shibboleth as our central authentication- and authorisation infrastructure (AAI). I would like to continue by giving you an indication of the implications within our SAP environment.
In this web log I will explain how the latter is done within BSP using our e-recruitment application as an example.
When an applicant wants to use our e-recruitment application, he/she needs to request a userid/password in order to access and protect their own data. This userid/password resides outside the regular authentication system within the K.U.Leuven. This seems contradictive to what we want to achieve with Shibboleth, but there are good reasons for that:
Needless to say this isn’t the way to go. Therefore a separate user id/password for e-recruitment was required. Before Shibboleth, the flow looked like this.
That is all history now. When Shibboleth was introduced, authentication against LDAP (directly) or SAP was no longer allowed. Thus the flow looks like this now:
As you can see, not only the authentication mechanism has changed but also the sequence of actions has changed due to the new CUA.
How did we include Shibboleth authentication?
It’s really quite simple as such. An applicant clicks on the button to request a userid for e-recruitment and indicates that he/she is still an active student/employee. In the oninputprocessing we put the following code.
First we need to determine what the URL is of the e-recruitment application. We want to prevent hard coded URLs
CALL METHOD runtime->construct_bsp_url EXPORTING in_application = runtime->application_name in_application_ns = runtime->application_namespace IMPORTING out_local_url = url.
CONCATENATE url '/' 'email.htm' INTO url.
Some extra params needs to be provided, since we leave the e-recruitment applicant
CONCATENATE url '?extraparam=' extraparam INTO url.
Now we need to know the name of the server
sname = request->get_header_field( '~server_name' ).
Now we compose the Shibboleth authentication URL with the target e-recruitment page (e-mail) as param
CONCATENATE 'https://' sname '/subdir/Shib?target=https://' sname url INTO url.
And we call that page
navigation->goto_page( url ).
That’s it. When the applicant has been authenticated they don’t automatically see the e-mail page. We need to do some extra authorisation checks in the oninitialisation. As you may remember, Shibboleth only covers the identification and authentication. The authorisation is the responsibility of the application. Shibboleth will provide HTTP headers in order to help you.
We get the userid
application->userid = request->get_header_field( 'Shib-Person-uid' ).
type_user = request->get_header_field( 'Shib-EP-UnscopedAffiliation' ).
Depending on the type of user we need to check if the applicant has role X or Y. Why do we need to check this? If we take data over from their employee/student file we want to make sure that the user has enough permission to access the relevant application.<
IF type_user CS 'student'. CALL FUNCTION 'Z_some_auth_check_FM' EXPORTING uname = userid agr_name = 'role_for_students' IMPORTING valid = valid. ELSE. CALL FUNCTION 'Z_some_auth_check_FM' EXPORTING uname = userid agr_name = 'role_for_personnel' IMPORTING valid = valid. ENDIF. IF valid NE 'X'. navigation->goto_page('no_authorisation.htm' ). ENDIF.