
Function Documentation: Configuring the UME

Use

Depending on the data source it uses, the UME of the AS Java can be configured to use several modes to resolve the user from the Kerberos Principal Name (KPN).

You can use this topic to perform the necessary configuration changes that allow the UME to populate the user identity information from the KPN.

Integration

Upon successful authentication, the AS Java uses the UME to retrieve the user identity information and to assign access permissions accordingly. After a successful Kerberos authentication, however, what the AS Java receives is the KPN of the user. The resolution mode you set in the SPNego wizard determines how this KPN is resolved to an AS Java user.

The KPN is not necessarily an attribute of the user in the UME. In addition, the KPN may not be an attribute of the user account in the KDC user directory. For example, if you use an Active Directory Server as a UME data source, the KPN may not be an attribute of the Active Directory user accounts. Therefore, configuring the UME can involve editing the UME data source configuration XML files to create additional user attributes. For more information, see Customizing a UME Data Source Configuration.

Features

The following resolution modes can be used to determine the user account from the KPN:

      none - for this mode, the user’s logon ID attribute in the UME must be identical to the Kerberos Principal Name (KPN) attribute in ADS.

Caution

When the UME is configured to use an ADS data source, do not use this resolution mode if the logon ID attribute corresponds to the samaccountname attribute in the Active Directory.

      simple – When you use this mode you can specify which UME user attribute matches the KPN. This can be any existing UME attribute or a new one. We recommend that you create a new attribute named krb5principalname, which corresponds to the KPN.

      prefixbased - For this mode, the UME searches for a user based on the KPN prefix. The algorithm works as follows:

a. Kerberos authentication yields a KPN, for example johndoe@IT.CUSTOMER.DE.

b. SPNegoLoginModule splits the KPN into the parts johndoe and IT.CUSTOMER.DE and performs a search in the UME for a user with uniquename=johndoe. If the search result is unique, it is returned to the UME as the logon user ID.

c. If the result is not unique, SPNegoLoginModule uses the user attribute distinguishedName to exclude from the search those users that are not in the domain IT.CUSTOMER.DE.

      kpnbased – For this mode, the UME searches for a user based on the full KPN. The KPN is split into two parts – principal and realm. For example, if the KPN is johndoe@IT.CUSTOMER.DE, the system searches for a user account where the principal attribute is johndoe and the realm attribute is IT.CUSTOMER.DE. We recommend that you use this resolution mode when the UME is configured to use an ADS data source.

Caution

This mode cannot be used if the UME is configured to use a non-ADS data source.
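To make the four resolution modes concrete, the following is an added example (not SAP's code and not the actual SPNegoLoginModule implementation): a small in-memory simulation of how each mode maps a KPN to a UME logon ID over a constructed sample directory. The only attribute names taken from this page are uniquename, distinguishedName and krb5principalname; the User record, the principal and realm attribute names used for kpnbased, the assumption that the DC components of a user's DN spell the Kerberos realm, and the sample users are assumptions made for illustration.

```python
# Added example (not SAP code): in-memory simulation of the SPNego user
# resolution modes none, simple, prefixbased and kpnbased. Attribute names
# other than uniquename, distinguishedName and krb5principalname, the DN
# parsing and the sample users are constructed assumptions.
from dataclasses import dataclass


@dataclass
class User:
    logon_id: str      # the UME logon ID returned on success
    attributes: dict   # UME user attributes (constructed sample data)


class UserNotFoundError(Exception):
    """No UME user matches the KPN under the chosen mode."""


class AmbiguousUserError(Exception):
    """More than one UME user matches; logon fails rather than guessing."""


def split_kpn(kpn: str) -> tuple:
    """Split 'johndoe@IT.CUSTOMER.DE' into ('johndoe', 'IT.CUSTOMER.DE')."""
    principal, sep, realm = kpn.rpartition("@")
    if not sep or not principal or not realm:
        raise ValueError(f"not a valid Kerberos principal name: {kpn!r}")
    return principal, realm


def dn_in_domain(dn: str, realm: str) -> bool:
    """True if the DC= components of an LDAP DN spell the given realm.

    Assumption: the AD domain equals the Kerberos realm, so
    'DC=IT,DC=CUSTOMER,DC=DE' corresponds to realm IT.CUSTOMER.DE.
    Escaped commas inside RDN values are not handled in this simulation.
    """
    dcs = [part.strip()[3:] for part in dn.split(",")
           if part.strip().upper().startswith("DC=")]
    return ".".join(dcs).upper() == realm.upper()


def resolve_user(kpn: str, users: list, mode: str,
                 attribute: str = "krb5principalname") -> str:
    """Return the UME logon ID for a KPN using one of the resolution modes."""
    if mode == "none":
        # The logon ID itself must equal the full KPN.
        matches = [u for u in users if u.logon_id == kpn]
    elif mode == "simple":
        # A chosen UME attribute (recommended: krb5principalname) holds the KPN.
        matches = [u for u in users if u.attributes.get(attribute) == kpn]
    elif mode == "prefixbased":
        principal, realm = split_kpn(kpn)
        # Step b: search on the KPN prefix only.
        matches = [u for u in users if u.attributes.get("uniquename") == principal]
        # Step c: if ambiguous, keep only users whose DN lies in the realm's domain.
        if len(matches) > 1:
            matches = [u for u in matches
                       if dn_in_domain(u.attributes.get("distinguishedName", ""), realm)]
    elif mode == "kpnbased":
        principal, realm = split_kpn(kpn)
        # Principal and realm must each match their own attribute (ADS only).
        matches = [u for u in users
                   if u.attributes.get("principal") == principal
                   and u.attributes.get("realm", "").upper() == realm.upper()]
    else:
        raise ValueError(f"unknown resolution mode: {mode!r}")

    if not matches:
        raise UserNotFoundError(f"{kpn} ({mode})")
    if len(matches) > 1:
        raise AmbiguousUserError(f"{kpn} ({mode}): {[u.logon_id for u in matches]}")
    return matches[0].logon_id


def _ad_user(logon_id, sam, domain_dcs, realm):
    """Build one constructed AD-style user record for the sample directory."""
    return User(logon_id, {
        "uniquename": sam,
        "principal": sam,
        "realm": realm,
        "krb5principalname": f"{sam}@{realm}",
        "distinguishedName": f"CN={sam},OU=Users,{domain_dcs}",
    })


# Constructed sample directory: 'johndoe' exists in two domains, so the
# prefix search alone is ambiguous and step c is needed to disambiguate.
DIRECTORY = [
    _ad_user("johndoe", "johndoe", "DC=IT,DC=CUSTOMER,DC=DE", "IT.CUSTOMER.DE"),
    _ad_user("johndoe.hr", "johndoe", "DC=HR,DC=CUSTOMER,DC=DE", "HR.CUSTOMER.DE"),
    _ad_user("asmith", "asmith", "DC=IT,DC=CUSTOMER,DC=DE", "IT.CUSTOMER.DE"),
]


if __name__ == "__main__":
    for mode in ("none", "simple", "prefixbased", "kpnbased"):
        try:
            print(mode, "->", resolve_user("johndoe@IT.CUSTOMER.DE", DIRECTORY, mode))
        except (UserNotFoundError, AmbiguousUserError) as exc:
            print(mode, "-> failed:", exc)
```

Running the script shows the caution about the none mode in action: the sample logon IDs are samaccountname-style (johndoe), not full KPNs, so none mode finds nobody, while simple, prefixbased and kpnbased all resolve johndoe@IT.CUSTOMER.DE to johndoe; johndoe@HR.CUSTOMER.DE resolves to johndoe.hr only because step c filters on the DN's domain.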

Activities

The UME data sources use different formats for specifying user attributes. Therefore, the required configuration for the UME data source configuration file depends on the data source you use.

For more information about configuring the UME, see the following topics:

      Configuring the UME when Using ADS Data Sources for Kerberos Authentication

When you use an Active Directory Server (ADS) for a data source in UME, you can use different modes for resolving the user account ID from the KPN. In this topic, you can see how to choose a specific user resolution mode and the required configuration changes to the UME data source configuration file for ADS data sources.

      Configuring the UME when Using non-ADS Data Sources for Kerberos Authentication

Provides details about the required changes to the UME data source configuration file when you use non-ADS data sources in the UME.
