Skip to Content
Author's profile photo Tobias Lejczyk

Using UME groups in an authentication stack

The challenge

In some rare cases it is necessary to include the check for a user group in the authentication stack.

For example, in the enrollment of systems for the certificate lifecycle management, no authorizations are checked. The authentication suffices. But what if you don’t want to add second factors or certificates to the authentication stack, but rather want to use Usergroups to determine if a user is allowed to enroll a system?

The solution

Using the RiskBased Authentication Module of SAP SSO it is possible to include a check for a user group in the authentication stack.


  1. Create a policy script
  2. Create a Logon Stack with the RBA Module using the policy script
  3. Use the logon stack as authentication policy in the authentication profile

Create a policy script

  • Go to https://<host>:<port>/ssoadmin/scripts
  • Click on “Create”


  • Give the policy a name (by which it is later referenced) and a description and enter the script below


  • Finally release the policy script
Policy script
 * Policy for Logon Based on UME Groups
 * Only Users with Group "CertEnroll" are allowed to authenticate

 function onFirstStageLogin(config, context, result) {
 // Get the user information from the login
  var user = context.getLoginInfo().getUser();
  var logger = context.getLogger();
  // Set group to the technical name of the group. Use the property "checkGroup".
  var group = "GRUP.PRIVATE_DATASOURCE.un:" + config.getProperty("checkGroup");
 // If user is member of group skip the second factor, if not fail the logon.
  if (user.isMemberOfGroup(group, true)) {
  } else {
  logger.traceDebug("The user is not a part of the group CertEnroll");
  result.abortLogin("Access denied; contact the system administrator");

Create a Logon Stack with the RBA Module using the policy script

  • Go to the NWA


  • Go to “Configuration” -> “Authentication and Single Sign-On”


  • Add a new custom Logon Stack



  • Add the RBA Module to the Logon Stack



  • Add the following parameters
    tfa.first.factor.login.module = BasicPasswordLoginModule (or any other primary Authentication Module of your choice)
    policy = <Name of your policy script>
    checkGroup = <Name of the group to be checked>


Use the policy configuration in the authentication profile

  • Configure the authentication profile to use the configured logon stack as authentication policy



In this way you can use UME groups to allow or disallow authentication.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.