Skip to Content

In the Identity management of NetWeaver Application Server Java there are different user related information stored, like Logon ID, Last Name, First Name, E-mail Address etc. Since the logon IDs may not be user friendly, there is a need to enable authentication of the users with another unique identifier of the user, for example with their e-mail address.

This option is possible by adding the UserMappingMode=Email parameter to the BasicPasswordLoginModule. However, in this case authentication will only be possible if the user authenticates with their email address. What if administrators would like to keep the option open for the users to decide which value they enter in the User field of the logon screen?

This is the question I received a few times lately and inspired this blog post.

Configuration

As the login stack used for logging in to NetWeaver Administrator is the ticket stack, I am going to update this one in the blog.

In order to update the authentication stack you need to log in to NetWeaver Administrator and Navigate to Configuration >> Security >> Authentication and Single Sign-On. Select the ticket stack from the Policy Configuration Name secton and click on the Edit button.

In the Details of policy configuration “ticket” section the different buttons became active.

By default your ticket stack contains the below login modules with the corresponding flag:

Login module Flag
EvaluateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUISITE
CreateTicketLoginModule OPTIONAL

 

1. Add login modules
You need to add another BasicPasswordLoginModule and CreateTicketLoginModule to the existing stack.

In the Login Modules section click on the Add button. In the grid a new <Select Login Module> entry is added.

Select the BasicPasswordLoginModule from the drop-down list. Then add the CreateTicketLoginModule the same way.

2. Add UserMappingMode to enable authentication with e-mail address
Select one of the BasicPasswordLoginModules and click on the Add button in the Options of login module “BasicPasswordLoginModule” section. Enter UserMappingMode in the Name field of the window that pops up and Email in the Value field as you can see on the below screen shot.

Click on Add to save the option. Note, that the name of the login module changes to com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule. This is normal.

3. Set the Login flags
The last step is to set the login module flags properly. These are displayed and can be modified on the right side of the Login Modules grid. Please set the below order:

Login Module Flag
EvaluateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule OPTIONAL
CreateTicketLoginModule SUFFICIENT
com.sap.engine.services.security.jaas.BasicPasswordLoginModule REQUISITE
CreateTicketLoginModule OPTIONAL

Now you should be able to login both with your Login ID and E-mail address stored in UME.

Understanding the Authentication Stack

Let’s see how the above authentication stack works. When you browse the NetWeaver Administrator site, first it will be checked, whether you have a valid logon ticket to the system. If you have a valid ticket, you are authenticated and the procedure completed.

If you cannot present a valid logon ticket, the login screen will be displayed. Now you can enter your LogonID or E-mail address. If you enter your LogonID and the appropiate password, you are authenticated, a logon ticket is generated for the next sessions and the logon procedure ends.

If the authentication is not successful, the system checks if these credentials are valid from E-mail address authentication perspective. If yes, the authentication is successfull logon ticket is generated for the next sessions and the logon procedure ends.

If the value entered in the User field is neither an existing LoginID nor an E-mail address stored in UME or the password is incorrect, you receive the invalid username or password error message as intended.

Please note! The E-mail address of the user should be stored in UME, otherwise the authentication procedure will not work.
Also depending on your authentication mechanism you may have additional Login Modules, like ClientCert or SPNego. It is not a problem, but the last four login modules should be the same as described above with the same flags.

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

Leave a Reply