The AS Java enables resource adapter SSO for access to backend resources with caller principal mapping, Kerberos and authentication assertion tickets. The backend resources can be, for example databases or Enterprise Information System (EIS).
For caller principal mapping and Kerberos you can use the authentication types and mechanisms, specified by the JCA specification. In addition, the AS Java can use authentication assertion ticket to enable resource adapter SSO for access to the backend resource.
You specify the authentication types and authentication mechanisms in the deployment descriptors of the resource adapter during its development. There is no runtime configuration to enable SSO for resource adapters.
Caller Principal Mapping
The AS Java enables you to use the following authentication types to map the caller principal to the resource principal:
To authenticate resource adapter access to backend resource, you can choose between authentication with a username and password as defined by the Java Connector Architecture specification as most common.
In addition, the AS Java enables you to specify the use of authentication assertion tickets for SSO to the backend resource.
You configure the authentication type and the authentication mechanism for resource adapters during resource adapter development. You use the resource adapter deployment descriptors to configure the resource adapter authentication and SSO options. Based on the deployment descriptors, the AS Java automatically assigns relevant login modules to the resource adapter policy configuration and no runtime configuration is necessary.
In addition, to enable Single Sign-On with authentication assertion tickets, you choose the value SAPAssertionTicketor the corresponding object ID 22.214.171.124.4.1.6126.96.36.199.1. as a value for this tag.
The example below shows the relevant tags in the resource adapter deployment descriptor ( ra.xml ) for enabling the use of SSO with Authentication Assertion Tickets.
<authentication-mechanism> <authentication-mechanism-type> SAPAssertionTicket </authentication-mechanism-type> <credential-interface> javax.resource.spi.security.GenericCredential </credential-interface> </authentication-mechanism>