The challenge

In some rare cases it is necessary to include a user-group check in the authentication stack itself.

For example, when systems are enrolled for certificate lifecycle management, no authorizations are checked: a successful authentication is enough. But what if you don’t want to add second factors or certificates to the authentication stack, and instead want to use UME user groups to decide whether a user is allowed to enroll a system?

The solution

Using the Risk-Based Authentication (RBA) module of SAP SSO it is possible to include a user-group check in the authentication stack.

Implementation

  1. Create a policy script
  2. Create a Logon Stack with the RBA Module using the policy script
  3. Use the logon stack as authentication policy in the authentication profile

Create a policy script

  • Go to https://<host>:<port>/ssoadmin/scripts
  • Click on “Create”

UME_GROUPS_1.jpg

  • Give the policy a name (by which it is later referenced) and a description and enter the script below

UME_GROUPS_2.jpg

  • Finally release the policy script

UME_GROUPS_3.jpg

Policy script
/**
 * Policy for logon based on UME groups.
 * Only users in the group configured via the "checkGroup" parameter
 * (e.g. "CertEnroll") are allowed to authenticate.
 */
function onFirstStageLogin(config, context, result) {
  // Get the user information from the login
  var user = context.getLoginInfo().getUser();
  var logger = context.getLogger();
  // Build the UME unique ID of the group from the technical name
  // supplied in the logon stack parameter "checkGroup".
  var groupName = config.getProperty("checkGroup");
  var group = "GRUP.PRIVATE_DATASOURCE.un:" + groupName;
  // If the user is a member of the group (nested membership included),
  // skip the second factor; otherwise fail the logon.
  if (user.isMemberOfGroup(group, true)) {
    result.doNotRequireSecondFactor();
  } else {
    logger.traceDebug("The user is not a member of the group " + groupName);
    result.abortLogin("Access denied; contact the system administrator");
  }
}
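To see how the policy behaves before deploying it, the following harness runs the same decision logic offline against mock objects. This is an added example, not code from the blog post or from SAP: the mocks imitate only the handful of calls the script uses (getLoginInfo().getUser(), isMemberOfGroup, getProperty, getLogger, doNotRequireSecondFactor, abortLogin) and are assumptions for testing, not the real SAP SSO classes. It also goes one step beyond the page's script by failing closed when the checkGroup parameter is missing from the logon stack.

```javascript
// Added example: offline harness for the UME group policy.
// The "sap" mocks below are constructed stand-ins, not SAP's API.

var GROUP_PREFIX = "GRUP.PRIVATE_DATASOURCE.un:";

// Policy under test. Written with var/function so it stays close to the
// JavaScript dialect the RBA policy engine accepts.
function onFirstStageLogin(config, context, result) {
  var user = context.getLoginInfo().getUser();
  var logger = context.getLogger();
  var groupName = config.getProperty("checkGroup");

  // Added fail-closed branch: a missing parameter must not become an
  // open door ("...un:null" would silently never match any user).
  if (!groupName) {
    logger.traceDebug("checkGroup parameter is not set; denying logon");
    result.abortLogin("Access denied; contact the system administrator");
    return;
  }

  var group = GROUP_PREFIX + groupName;
  if (user.isMemberOfGroup(group, true)) {
    result.doNotRequireSecondFactor();
  } else {
    logger.traceDebug("The user is not a member of the group " + groupName);
    result.abortLogin("Access denied; contact the system administrator");
  }
}

// --- Mocks (constructed for this example) --------------------------------

function makeConfig(props) {
  return { getProperty: (key) => (key in props ? props[key] : null) };
}

function makeContext(userGroups, trace) {
  const user = {
    // Real UME resolves nested membership when the second argument is
    // true; the mock flattens that by listing all effective group IDs.
    isMemberOfGroup: (uniqueId, _recursive) => userGroups.includes(uniqueId),
  };
  return {
    getLoginInfo: () => ({ getUser: () => user }),
    getLogger: () => ({ traceDebug: (msg) => trace.push(msg) }),
  };
}

function makeResult() {
  const state = { decision: "undecided", message: null };
  return {
    state,
    doNotRequireSecondFactor: () => { state.decision = "allow"; },
    abortLogin: (msg) => { state.decision = "deny"; state.message = msg; },
  };
}

// Runs the policy once and returns the outcome so callers can assert on it.
function evaluate(userGroups, props) {
  const trace = [];
  const result = makeResult();
  onFirstStageLogin(makeConfig(props), makeContext(userGroups, trace), result);
  return { decision: result.state.decision, message: result.state.message, trace };
}

// Scenarios: member of CertEnroll, member of an unrelated group only,
// and a logon stack where checkGroup was never configured.
const scenarios = [
  { name: "member", groups: [GROUP_PREFIX + "CertEnroll"], props: { checkGroup: "CertEnroll" } },
  { name: "non-member", groups: [GROUP_PREFIX + "Everyone"], props: { checkGroup: "CertEnroll" } },
  { name: "unconfigured", groups: [GROUP_PREFIX + "CertEnroll"], props: {} },
];
for (const s of scenarios) {
  const out = evaluate(s.groups, s.props);
  console.log(s.name + ": " + out.decision + (out.message ? " (" + out.message + ")" : ""));
}
```

Running it prints allow for the member, deny for the non-member, and deny for the unconfigured stack. The trace messages collected in `trace` are what you would look for in the server log when a legitimate user is unexpectedly rejected after the logon stack goes live.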

Create a Logon Stack with the RBA Module using the policy script

  • Go to the NWA

https://<host>:<port>/nwa

  • Go to “Configuration” -> “Authentication and Single Sign-On”

UME_GROUPS_4.jpg

  • Add a new custom Logon Stack

UME_GROUPS_5.jpg

UME_GROUPS_6.jpg

  • Add the RBA Module to the Logon Stack

UME_GROUPS_7.jpg

UME_GROUPS_8.jpg

  • Add the following parameters
    tfa.first.factor.login.module = BasicPasswordLoginModule (or any other primary Authentication Module of your choice)
    policy = <Name of your policy script>
    checkGroup = <Name of the group to be checked>

UME_GROUPS_9.jpg

Use the policy configuration in the authentication profile

  • Configure the authentication profile to use the configured logon stack as authentication policy

UME_GROUPS_10.jpg

Result

In this way you can use UME groups to allow or disallow authentication.
