Web applications running on the AS Java also enable you to authenticate users with SSO with header variables. AS Java uses the HeaderVariableLoginModule to support SSO with header variables.
To use header variables for authentication, you must adjust the login module stacks for those applications that use header variables to authenticate a user.
The login module HeaderVariableLoginModule exists in the active user store. To check that, do the following:
1. In the SAP NetWeaver Administrator go to Configuration Management → Security → Authentication.
2. In the Login Modules tab, check if the HeaderVariableLoginModule is available.
3. If the HeaderVariableLoginModule is not available, choose the Create button to add it. Enter the display name and the class name of the login module as follows:
a. In the Display Name field enter HeaderVariableLoginModule.
b. In the Class Name field enter com.sap.security.core.server.jaas.HeaderVariableLoginModule.
c. Choose Create.
Use the authentication management functions of the SAP NetWeaver Administrator to configure the authentication with header variables, as shown below. For more information, see Managing Authentication Policy.
1. Go to the Components tab.
2. In the List of Policy Configurations table, select the policy configurations for the applications to support header variable authentication.
a. In the Authentication Stack table, add the login module HeaderVariableLoginModule to the login module stack for the policy configuration and configure its processing flag.
See the Examples section below for an example of which position in the login module stack the module should be added.
b. Set the option Header to the name of the header variable that contains the user ID. The default value is REMOTE_USER.
In the following example, authentication with user ID and password is used as a fallback authentication method in case authentication with header variables does not succeed.
Example of a Login Module Stack with Header Variable Authentication
| Login Modules | Flag | Options |
| --- | --- | --- |
| EvaluateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true} |
| HeaderVariableLoginModule | OPTIONAL | {ume.configuration.active=true, Header=<header_name>} |
| CreateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true} |
| BasicPasswordLoginModule | REQUISITE | {} |
| CreateTicketLoginModule | OPTIONAL | {ume.configuration.active=true} |
Authentication for this login module stack proceeds as follows:
1. The EvaluateTicketLoginModule checks if the user has a logon ticket. If yes, the authentication succeeds and control returns to the application.
2. If the user does not have a logon ticket, the HeaderVariableLoginModule checks for a value (user ID) in the header variable <header_name>, where <header_name> is the header variable in which an authentication tool writes the authenticated user ID. If there is such a value, a logon ticket is issued for this user ID.
3. If there is no such value in the header variable, the BasicPasswordLoginModule authenticates the user with user ID and password.
4. If this authentication is successful, the user is issued a logon ticket.
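The following added example (not SAP code) models how the standard JAAS control flags drive the example stack above, so you can trace which modules run for a given request. The request fields `ticket_user`, `headers`, `user` and `password_ok` are constructed for illustration, and the rule that CreateTicketLoginModule succeeds only after an earlier module has identified a user is an assumption taken from the steps above.

```python
# Simplified model of JAAS control-flag evaluation; not SAP code.
STACK = [  # (login module, flag), in the order of the example table
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def run_module(name, request, state, header_name):
    """Assumed per-module outcome, following the numbered steps on this page."""
    if name == "CreateTicketLoginModule":
        # Assumption: succeeds only after an earlier module identified a user.
        state["ticket_issued"] = state["user"] is not None
        return state["ticket_issued"]
    if name == "EvaluateTicketLoginModule":
        user = request.get("ticket_user")        # user from a valid logon ticket
    elif name == "HeaderVariableLoginModule":
        user = request.get("headers", {}).get(header_name) or None
    else:                                        # BasicPasswordLoginModule
        user = request.get("user") if request.get("password_ok") else None
    if user:
        state["user"] = user
    return bool(user)

def authenticate(request, header_name="REMOTE_USER", stack=STACK):
    state = {"user": None, "ticket_issued": False}
    trace, must_failed, any_ok = [], False, False
    for name, flag in stack:
        ok = run_module(name, request, state, header_name)
        trace.append((name, flag, ok))
        if ok:
            any_ok = True
            if flag == "SUFFICIENT" and not must_failed:
                break                            # control returns to the application
        elif flag in ("REQUIRED", "REQUISITE"):
            must_failed = True
            if flag == "REQUISITE":
                break                            # a failed REQUISITE module ends the stack
    authenticated = any_ok and not must_failed
    return {"authenticated": authenticated,
            "user": state["user"] if authenticated else None,
            "ticket_issued": authenticated and state["ticket_issued"],
            "trace": trace}

if __name__ == "__main__":
    # Constructed sample requests, one per path through the stack.
    for req in ({"ticket_user": "alice"}, {"headers": {"REMOTE_USER": "bob"}},
                {"user": "carol", "password_ok": True}, {"user": "carol", "password_ok": False}):
        result = authenticate(req)
        print(result["authenticated"], result["user"], [m for m, _, _ in result["trace"]])
```

The trace shows that the HeaderVariableLoginModule path ends at the first CreateTicketLoginModule, while the password fallback runs all five entries.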