In some rare cases it is necessary to include a check for a user group in the authentication stack.
For example, when systems are enrolled for certificate lifecycle management, no authorizations are checked; authentication alone suffices. But what if you don't want to add second factors or certificates to the authentication stack, and would rather use user groups to determine whether a user is allowed to enroll a system?
Using the Risk-Based Authentication module of SAP SSO, it is possible to include a check for a user group in the authentication stack.
```javascript
/**
 * Policy for Logon Based on UME Groups
 * Only Users with Group "CertEnroll" are allowed to authenticate
 */
function onFirstStageLogin(config, context, result) {
    // Get the user information from the login
    var user = context.getLoginInfo().getUser();
    var logger = context.getLogger();
    // Set group to the technical name of the group. Use the property "checkGroup".
    var group = "GRUP.PRIVATE_DATASOURCE.un:" + config.getProperty("checkGroup");
    // If user is member of group skip the second factor, if not fail the logon.
    if (user.isMemberOfGroup(group, true)) {
        result.doNotRequireSecondFactor();
    } else {
        logger.traceDebug("The user is not a part of the group CertEnroll");
        result.abortLogin("Access denied; contact the system administrator");
    }
}
```
https://<host>:<port>/nwa
In this way you can use UME groups to allow or disallow authentication.
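To check the allow/deny behaviour of such a policy before deploying it, the following added example (not part of the original post and not SAP code) runs a fail-closed variant of the script against mock objects under Node.js. The `simulate` helper, the mocks, the `GROUP_PREFIX` name and the sample group names are assumptions; the mocks imitate only the calls the script above uses, and the explicit abort when `checkGroup` is unset is an addition.

```javascript
// Added example: offline harness for a group-gated first-stage policy.
// Runs under Node.js against mocks, not inside the SAP SSO runtime.
var GROUP_PREFIX = "GRUP.PRIVATE_DATASOURCE.un:";

// Fail-closed variant (assumption, not the author's script): aborts when the
// policy property is missing and logs the configured group name.
function onFirstStageLogin(config, context, result) {
  var logger = context.getLogger();
  var name = config.getProperty("checkGroup");
  if (!name) {
    logger.traceDebug("Policy property checkGroup is not set");
    result.abortLogin("Access denied; contact the system administrator");
    return;
  }
  var user = context.getLoginInfo().getUser();
  if (user.isMemberOfGroup(GROUP_PREFIX + name, true)) {
    result.doNotRequireSecondFactor();
  } else {
    logger.traceDebug("The user is not a part of the group " + name);
    result.abortLogin("Access denied; contact the system administrator");
  }
}

// Runs the policy for one constructed user and returns what it decided.
function simulate(userGroups, properties) {
  var outcome = { decision: "none", message: null, trace: [] };
  var config = { getProperty: function (key) {
    return properties.hasOwnProperty(key) ? properties[key] : null;
  } };
  // Mock user: membership is a plain lookup in the constructed group list.
  var user = { isMemberOfGroup: function (group, recursive) {
    return userGroups.indexOf(group) !== -1;
  } };
  var context = {
    getLoginInfo: function () { return { getUser: function () { return user; } }; },
    getLogger: function () { return { traceDebug: function (m) { outcome.trace.push(m); } }; }
  };
  var result = {
    doNotRequireSecondFactor: function () { outcome.decision = "allow"; },
    abortLogin: function (m) { outcome.decision = "deny"; outcome.message = m; }
  };
  onFirstStageLogin(config, context, result);
  return outcome;
}

// Constructed sample data: a member, a non-member, and a missing property.
var props = { checkGroup: "CertEnroll" };
console.log(simulate([GROUP_PREFIX + "CertEnroll"], props).decision);
console.log(simulate([GROUP_PREFIX + "Everyone"], props).decision);
console.log(simulate([GROUP_PREFIX + "CertEnroll"], {}).decision);
```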