Two-Factor Authentication with Virtual Users
In SAP Single Sign-On version 3.0 and higher, two-factor authentication can work with virtual users. If a user passes the first factor authentication against an external data source (for example, LDAP) but does not exist in the UME database, a temporary virtual user is created for the duration of the application session in the following cases:
- The user principal from the first factor login module is VirtualUserPrincipal. A new virtual user is then created and receives assignments for groups, roles and attributes as defined for the VirtualUserPrincipal.
- The value of the login module option UserMappingMode is VirtualUser. A new virtual user is then created with no group, role or attribute assignments.
Note
The virtual user exists for the duration of the application sessions associated with that user (for example, until the user logs out or the session expires). If the user cancels the process after the first step, the virtual user exists until the session expires.