
Using Header Variables

Use

Web applications running on the AS Java can also authenticate users through single sign-on (SSO) with header variables. AS Java uses the HeaderVariableLoginModule to support SSO with header variables.

To use header variables for authentication, you must adjust the login module stacks for those applications that use header variables to authenticate a user.

Prerequisites

The login module HeaderVariableLoginModule exists in the active user store. To check that, do the following:

       1.      In the SAP NetWeaver Administrator, go to Configuration Management → Security → Authentication.

       2.      In the Login Modules tab, check if the HeaderVariableLoginModule is available.

       3.      If the HeaderVariableLoginModule is not available, choose the Create button to add it. Enter the display name and the class name of the login module as follows:

                            a.      In the Display Name field enter HeaderVariableLoginModule.

                            b.      In the Class Name field enter com.sap.security.core.server.jaas.HeaderVariableLoginModule.

                            c.      Choose Create.

Procedure

Use the authentication management functions of the SAP NetWeaver Administrator to configure the authentication with header variables, as shown below. For more information, see Managing Authentication Policy.


       1.      Go to the Components tab.

       2.      In the List of Policy Configurations table, select the policy configurations for the applications to support header variable authentication.

                            a.      In the Authentication Stack table, add the login module HeaderVariableLoginModule to the login module stack for the policy configuration and configure its processing flag.

See the Example section below for the position in the login module stack at which to add the module.

                            b.      Set the option Header to the name of the header variable that contains the user ID. The default value is REMOTE_USER.

Example

In the following example, authentication with user ID and password is used as a fallback authentication method in case authentication with header variables does not succeed.

Example of a Login Module Stack with Header Variable Authentication

Login Modules               Flag         Options
EvaluateTicketLoginModule   SUFFICIENT   {ume.configuration.active=true}
HeaderVariableLoginModule   OPTIONAL     {ume.configuration.active=true, Header=<header_name>}
CreateTicketLoginModule     SUFFICIENT   {ume.configuration.active=true}
BasicPasswordLoginModule    REQUISITE    {}
CreateTicketLoginModule     OPTIONAL     {ume.configuration.active=true}


Authentication for this login module stack proceeds as follows:

       1.      The EvaluateTicketLoginModule checks if the user has a logon ticket. If yes, the authentication succeeds and control returns to the application.

       2.      If the user does not have a logon ticket, the HeaderVariableLoginModule checks for a value (user ID) in the header variable <header_name>, where <header_name> is the header variable in which an authentication tool writes the authenticated user ID. If there is such a value, a logon ticket is issued for this user ID.

       3.      If there is no such value in the header variable, the BasicPasswordLoginModule authenticates the user with user ID and password.

       4.      If this authentication is successful, the user is issued a logon ticket.
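
The flow in steps 1 to 4 can be traced with a small model of the standard JAAS control flags (SUFFICIENT, OPTIONAL, REQUISITE) applied to the example stack. This is an added example, not SAP code: the request fields (ticket_user, headers, basic), the USERS store, and the simplified module behaviour are assumptions made for illustration.

```python
# Added illustration: simplified model of JAAS control-flag evaluation for the
# example stack. Module behaviour and sample data are assumptions, not SAP code.
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]
USERS = {"carol": "s3cret"}  # constructed password store for the fallback


def run_module(name, request, state, header_name):
    """Return True if the module succeeds; record the user or ticket in state."""
    if name == "CreateTicketLoginModule":
        # Assumed: a ticket is issued only for a user an earlier module set.
        state["ticket_issued"] = bool(state.get("user"))
        return state["ticket_issued"]
    if name == "EvaluateTicketLoginModule":
        user = request.get("ticket_user")
    elif name == "HeaderVariableLoginModule":
        user = request.get("headers", {}).get(header_name)
    else:  # BasicPasswordLoginModule
        user, password = request.get("basic", (None, None))
        if user is None or password is None or USERS.get(user) != password:
            user = None
    if user:
        state["user"] = user
    return bool(user)


def authenticate(request, header_name="REMOTE_USER"):
    """Walk the stack with JAAS flag semantics; return outcome and trace."""
    state = {"user": None, "ticket_issued": False}
    trace, mandatory_failed = [], False
    for name, flag in STACK:
        ok = run_module(name, request, state, header_name)
        trace.append((name, ok))
        if ok and flag == "SUFFICIENT" and not mandatory_failed:
            break  # SUFFICIENT success returns control immediately
        if not ok and flag in ("REQUIRED", "REQUISITE"):
            mandatory_failed = True
            if flag == "REQUISITE":
                break  # REQUISITE failure ends the stack immediately
    mandatory = any(f in ("REQUIRED", "REQUISITE") for _, f in STACK)
    success = not mandatory_failed and (mandatory or any(r for _, r in trace))
    return {"ok": success, "trace": trace, **state}
```

In this model, as in step 2, the value of the header variable alone determines the user ID, so only the authentication tool should be able to set that header on requests that reach AS Java.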
