
This blog describes the enhanced features for the login modules and the policy configurations in Application Server (AS) Java and gives a link to a Wiki page that shows some good practical examples.

The login modules allow administrators to define how users log into the system. Logon can be done with a username and password by using the BasicPasswordLoginModule, or with a certificate by using the ClientCertLoginModule. In these login module configurations, the administrator can specify which part of the certificate or which identifier the system must use to locate the user in its database.

In the policy configuration properties, administrators can set a regular expression filter to define which users are allowed to log into the system and which part of the identifier the system uses for further processing. Furthermore, by setting a property for creating tickets, administrators can allow users to log into AS ABAP systems.
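A regular expression filter of this kind both admits users and extracts the part of the identifier passed on, so the expression should be anchored at both ends. The sketch below is an added example, not SAP code or configuration from the wiki: the class, the patterns, the `example.com` domain and the sample identifiers are constructed, and it assumes the worst case in which the filter is applied as a partial match.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IdentifierFilterDemo {
    // Hypothetical filters: admit e-mail identifiers from example.com, keep the local part.
    static final Pattern LOOSE = Pattern.compile(
            "([a-z0-9._-]+)@example\\.com", Pattern.CASE_INSENSITIVE);
    static final Pattern STRICT = Pattern.compile(
            "^([a-z0-9._-]{1,64})@example\\.com$", Pattern.CASE_INSENSITIVE);

    // Assumed engine behaviour: partial match (find). Empty result means logon is denied;
    // otherwise group 1 is the value used for further processing.
    static Optional<String> apply(Pattern filter, String identifier) {
        Matcher m = filter.matcher(identifier);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    public static void main(String[] args) {
        String[] samples = {                  // constructed identifiers
            "jdoe@example.com",               // intended user
            "JDoe@Example.COM",               // same user, different case
            "jdoe@example.com.attacker.test", // foreign domain with a matching prefix
            "jdoe@example.org"                // foreign domain
        };
        for (String s : samples) {
            System.out.printf("%-32s loose=%-16s strict=%s%n",
                    s, apply(LOOSE, s), apply(STRICT, s));
        }
    }
}
```

The unanchored pattern admits the third identifier and extracts `jdoe` from it, while the anchored pattern rejects it.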

More Information

http://wiki.sdn.sap.com/wiki/x/C4BPEQ

User Documentation

I am looking forward to getting any feedback from you. Please give me your opinion of how this blog looks and how to improve it. Don’t forget to look at the linked Wiki page that will help you understand the main principles. Do you find the scenarios interesting? Feel free to add any comments or questions.


12 Comments


  1. Siddharth Jain

    Hi Nikola,

    Very informative and good Wiki, but I have a couple of questions; I hope you will clarify:

    1) In the case of UME ABAP, will the first scenario work, and will SSO remain intact with the backend system when the user logs on to the Portal through e-mail?

    2) What are the configurations for setting the Custom Policy Configuration, and will a server restart be required?

    Thanks,

    Siddharth

    (0) 
    1. Nikola Simeonov Post author

      Hi Siddharth,

      1) Yes, in the case of UME ABAP the first scenario with the BasicPasswordLoginModule will work. In that case we will use a user mapping mode Email, not LogonAlias. That is why the users must maintain such an e-mail in the system. Also, in that case the portal won’t use the active directory, but directly the AS ABAP system to check for the password. The SSO will also remain intact.

      2) You do all the module configurations under the section Options of login module “BasicPasswordLoginModule” as you keep the option UserMappingMode to be Email. For the create ticket functionality, you can use CreateTicketLoginModule or set the property create_ticket to true under the Properties tab. You do not need a server restart.

      Thanks!

      Sincerely,

      Nikola

      (0) 
      1. Siddharth Jain

        Thanks Nikola for the prompt response,

        Can the 1st approach be configured for a policy configuration of type Web, i.e. for a custom Portal logon EAR file? Can the 2 logon modules be put together to achieve the goal?

        Thanks,

        Siddharth

        (0) 
        1. Nikola Simeonov Post author

          Hi Siddharth,

          Yes, you can use the type Web. If you use BasicPasswordLoginModule and CreateTicketLoginModule, then you only have to be careful with the flags. You have to put flags that will allow the system to evaluate both login modules. For example, you can use a REQUISITE flag for the first one, and a REQUIRED flag for the second login module. For more information, see Policy Configurations and Authentication Stacks.

          (0) 
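The flag combination discussed in the reply above, worked through as an added example that is not part of the original thread and is not SAP code. It assumes the stack follows the standard JAAS control-flag semantics for the login phase; the class and record names and the module outcomes are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class LoginStackDemo {
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    // One stack entry; 'succeeds' is a constructed outcome for the module's login step.
    record Entry(String module, Flag flag, boolean succeeds) {}
    record Result(boolean authenticated, List<String> evaluated) {}

    // Standard JAAS control-flag semantics for the login phase.
    static Result evaluate(List<Entry> stack) {
        List<String> evaluated = new ArrayList<>();
        boolean mandatoryFailed = false, sawMandatory = false, anySuccess = false;
        for (Entry e : stack) {
            evaluated.add(e.module());
            boolean mandatory = e.flag() == Flag.REQUIRED || e.flag() == Flag.REQUISITE;
            sawMandatory |= mandatory;
            anySuccess |= e.succeeds();
            if (mandatory && !e.succeeds()) mandatoryFailed = true;
            // REQUISITE failure returns immediately; later modules are not called.
            if (e.flag() == Flag.REQUISITE && !e.succeeds()) break;
            // SUFFICIENT success returns immediately unless a mandatory module already failed.
            if (e.flag() == Flag.SUFFICIENT && e.succeeds() && !mandatoryFailed) break;
        }
        boolean ok = !mandatoryFailed && (sawMandatory || anySuccess);
        return new Result(ok, evaluated);
    }

    static void show(String label, List<Entry> stack) {
        Result r = evaluate(stack);
        System.out.println(label + ": authenticated=" + r.authenticated()
                + ", evaluated=" + r.evaluated());
    }

    public static void main(String[] args) {
        String pw = "BasicPasswordLoginModule", tkt = "CreateTicketLoginModule";
        show("REQUISITE+REQUIRED, password ok", List.of(
                new Entry(pw, Flag.REQUISITE, true), new Entry(tkt, Flag.REQUIRED, true)));
        show("REQUISITE+REQUIRED, password wrong", List.of(
                new Entry(pw, Flag.REQUISITE, false), new Entry(tkt, Flag.REQUIRED, true)));
        show("SUFFICIENT+REQUIRED, password ok", List.of(
                new Entry(pw, Flag.SUFFICIENT, true), new Entry(tkt, Flag.REQUIRED, true)));
    }
}
```

With REQUISITE followed by REQUIRED, both modules run after a correct password and the stack stops at the first module after a wrong one. With SUFFICIENT on the first module, a correct password ends evaluation before the ticket module is reached.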
          1. Siddharth Jain

            Hi Nikola,

            I tried putting the UserMappingMode = Email option in the BasicPasswordLoginModule in Portal 7.3 to enable email login.

            But unfortunately it's not working. The Portal is configured to use the ABAP store.

            I tried all the possible values like email, Email, even the ABAP technical field name SMTP_ADDR, but no luck; authentication is failing.

            Email is maintained for the user.

            Any inputs will be very helpful.

            Thanks,

            Siddharth

            (0) 
                1. Nikola Simeonov Post author

                  Hi Siddharth,

                  These features have been implemented recently. You have to use NW SP 7 or a later SP to be able to run the scenario. I will update the blog as soon as I get the information about the releases it is available in.

                  Thanks!

                  Sincerely,

                  Nikola

                  (0) 
  2. Tobias Hofmann

    The wiki is good, the blog … not so. Maybe as a document it would make more sense, or give the official SAP Help links to add a little bit more to the blog.

    (0) 
  3. yatin Phad

    Hello Nikola,

    How can we use the basic password login module with SNC?

    How do we map the UME logon ID with the connected SAP ID?

    Regards,

    Yatin Phad

    (0) 
    1. Donka Dimitrova

      Hello Yatin,

      When you are using SNC Client encryption only, you do not need to do any mappings because your users will use their U/P for authentication. You need to do mappings only if you implement SSO, where a Kerberos token or an X.509 client certificate is used for the authentication to the AS ABAP system and then the AS ABAP system needs to know how to map the user coming from the Kerberos token/X.509 client certificate with an existing AS ABAP UME user.

      See more details about the SNC Client encryption only here:

      How SNC Client Encryption Works – SAP NetWeaver by Key Capability – SAP Library

      Please, also consider the SAP Note 1684886 License conditions of SNC Client Encryption.

      Regards,

      Donka Dimitrova

      (0) 
      1. yatin Phad

        Hello Donka,

        Absolutely correct. I am looking at using SSO, under which there is user mapping for the ABAP system with the incoming X.509 client certificate.

        With the basic password login module, I am not able to find how this can be done.

        Any light on this? Or how can this be achieved with other login module methods?

        Regards,

        Yatin Phad

        (0) 
