Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Tobias_Lejczyk

The challenge

In some rare cases it is necessary to include a check for a user group in the authentication stack.

For example, when systems are enrolled for certificate lifecycle management, no authorizations are checked; a successful authentication suffices. But what if you don't want to add second factors or certificates to the authentication stack, but would rather use user groups to determine whether a user is allowed to enroll a system?

The solution

Using the Risk-Based Authentication (RBA) module of SAP Single Sign-On, it is possible to include a user group check in the authentication stack.

Implementation

  1. Create a policy script
  2. Create a Logon Stack with the RBA Module using the policy script
  3. Use the logon stack as authentication policy in the authentication profile

Create a policy script

  • Go to https://<host>:<port>/ssoadmin/scripts
  • Click on "Create"

  • Give the policy a name (by which it is referenced later) and a description, and enter the script below

  • Finally, release the policy script
Policy script
/**
 * Policy for logon based on UME groups.
 * Only users who are members of the group configured in "checkGroup"
 * (for example "CertEnroll") are allowed to authenticate.
 */
function onFirstStageLogin(config, context, result) {
  // Get the user information from the login
  var user = context.getLoginInfo().getUser();
  var logger = context.getLogger();
  // Build the fully qualified UME group ID from the "checkGroup" property of the
  // logon module (set it to the technical name of the group).
  var group = "GRUP.PRIVATE_DATASOURCE.un:" + config.getProperty("checkGroup");
  // If the user is a member of the group, skip the second factor; otherwise fail the logon.
  if (user.isMemberOfGroup(group, true)) {
    result.doNotRequireSecondFactor();
  } else {
    logger.traceDebug("The user is not a member of group " + group);
    result.abortLogin("Access denied; contact the system administrator");
  }
}

Create a Logon Stack with the RBA Module using the policy script

  • Go to the NWA: https://<host>:<port>/nwa

  • Go to “Configuration” -> “Authentication and Single Sign-On”

  • Add a new custom Logon Stack

  • Add the RBA Module to the Logon Stack

  • Add the following parameters:
    tfa.first.factor.login.module = BasicPasswordLoginModule (or any other primary authentication module of your choice)
    policy = <Name of your policy script>
    checkGroup = <Name of the group to be checked>

Use the logon stack as authentication policy in the authentication profile

  • Configure the authentication profile to use the configured logon stack as authentication policy
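The following is an added example, not the script from the original post: it generalizes the policy so that checkGroup may hold a comma-separated list of groups and so that the policy fails closed when the property is not configured. The multi-group semantics and the fail-closed branch are this example's own, not a feature of the RBA module; makeRuntime() is a constructed stand-in for the config, context and result objects that SAP SSO supplies at runtime, added only so the decision logic can be exercised offline.

```javascript
// Added example, not from the original post: a generalized RBA policy that takes a
// comma-separated group list in "checkGroup" and fails closed when it is unset.
// config/context/result are SAP SSO runtime objects; makeRuntime() is a constructed stand-in.
var GROUP_PREFIX = "GRUP.PRIVATE_DATASOURCE.un:";

// "CertEnroll, PKIAdmins" -> fully qualified UME group IDs (empty list if unset)
function requiredGroups(config) {
  var raw = config.getProperty("checkGroup");
  if (raw === null || raw === undefined) { return []; }
  return String(raw).split(",").map(function (g) { return g.trim(); })
    .filter(function (g) { return g.length > 0; })
    .map(function (g) { return GROUP_PREFIX + g; });
}

// Same callback name and signature the RBA module invokes for the first stage
function onFirstStageLogin(config, context, result) {
  var user = context.getLoginInfo().getUser();
  var logger = context.getLogger();
  var groups = requiredGroups(config);
  // Fail closed: a policy with no configured group must not let anyone through
  if (groups.length === 0) {
    logger.traceDebug("checkGroup is not configured; denying logon");
    result.abortLogin("Access denied; contact the system administrator");
    return;
  }
  for (var i = 0; i < groups.length; i++) {
    if (user.isMemberOfGroup(groups[i], true)) {  // true = resolve nested groups
      result.doNotRequireSecondFactor();
      return;
    }
  }
  logger.traceDebug("User is not a member of any of: " + groups.join(", "));
  result.abortLogin("Access denied; contact the system administrator");
}

// Constructed stand-ins for the runtime objects (not the SAP API); they record
// which result/logger methods the policy called so a test can inspect them.
function makeRuntime(properties, userGroups) {
  var calls = [];
  var user = { isMemberOfGroup: function (g) { return userGroups.indexOf(g) >= 0; } };
  return {
    config: { getProperty: function (k) { return k in properties ? properties[k] : null; } },
    context: {
      getLoginInfo: function () { return { getUser: function () { return user; } }; },
      getLogger: function () { return { traceDebug: function (m) { calls.push("log:" + m); } }; }
    },
    result: { doNotRequireSecondFactor: function () { calls.push("skip2fa"); },
              abortLogin: function (m) { calls.push("abort:" + m); } },
    calls: calls
  };
}
```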

Result

In this way, UME group membership can be used to allow or deny authentication.