
Defining an Authentication Scheme

Use

You can define custom authentication schemes if your specific requirements are not covered by the shipped authentication schemes. You define authentication schemes in the file authschemes.xml.

Procedure

Open the file authschemes.xml for modifying as described in Changing the authschemes.xml File.

Here is an example of the contents of this file:

<document>

    <authschemes>
        <!--  authschemes, the name of the node is used -->
        <authscheme name="uidpwdlogon">
            <authentication-template>
                ticket
            </authentication-template>
            <priority>20</priority>
            <!-- the frontendtype TARGET_FORWARD = 0 -->
            <!-- TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
            <frontendtype>2</frontendtype>
            <!-- target object -->
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
        
        <authscheme name="certlogon">
            <authentication-template>
                client_cert
            </authentication-template>
            <priority>21</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
        …
    </authschemes>

    <!--  References for Authentication Schemes -->

    <!--  this section must be after authschemes -->

    <authscheme-refs>
        <authscheme-ref name="default">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>

        <authscheme-ref name="UserAdminScheme">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
    </authscheme-refs>

</document>

To define an authentication scheme (authscheme), you need to provide the following information:

· Authentication template (login module stack)

· Priority

· Frontend type

· Frontend target

These are described in more detail below.

Authentication Template

In the <authentication-template> tag, you define which login module stack in the J2EE Engine controls authentication. The login module stack of the J2EE Engine defines the list of login modules and their control flags (Required, Requisite, Sufficient, Optional) and is defined in the J2EE Engine Visual Administrator. You do not define the login modules in the authschemes.xml file.

For more information on defining login module stacks in the Visual Administrator, see Authentication on J2EE Engine and Managing Login Modules.

Example

For example, you have defined a login module stack called certlogon in the Security Provider service in the Visual Administrator. You want to create an authentication scheme that uses this login module stack. To do this, you add the following excerpt to the authschemes.xml file.

  <authscheme name="myauthscheme">
      <!-- multiple login modules can be defined -->
      <authentication-template>
        certlogon
      </authentication-template>
      <priority>20</priority>
      <!-- the frontendtype TARGET_FORWARD = 0 -->
      <!-- TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
      <frontendtype>2</frontendtype>
      <!-- target object -->
      <frontendtarget>
        com.mycompany.certlogonapp
      </frontendtarget>
  </authscheme>

Priority

The priority of an authentication scheme must be a positive integer.

<priority>20</priority>

The higher the integer, the higher the priority of the authentication scheme. Each application is assigned an authentication scheme and only users that have logged on successfully with that authentication scheme or one with the same or a higher priority can access the application.

Priorities can be used systematically in a portal scenario, where iViews have different authentication schemes.

Example

For example, an authentication scheme that requires the user to authenticate using user ID and password has a priority of 10. An authentication scheme that requires the user to authenticate using a client certificate has a priority of 20. If a user has authenticated himself in the portal with a client certificate (priority 20) and then tries to access an iView that requires authentication with user ID and password (priority 10) he will not need to re-authenticate himself.

Recommendation

If two or more authentication schemes use the same login module stack, we strongly recommend that all of them have the same priority.
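The following added example (not SAP code) parses a constructed authschemes.xml modelled on the excerpt above, resolves authscheme-refs, checks the constraints this page states (positive priority, frontend type 2, equal priority for schemes sharing a login module stack) and applies the priority rule from the example: the priorities 10 and 20 and the scheme names are illustrative.

```python
# Added example (not SAP's code): parse authschemes.xml and apply the priority rule.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's excerpt; priorities are illustrative.
AUTHSCHEMES_XML = """<document>
  <authschemes>
    <authscheme name="uidpwdlogon"><authentication-template> ticket </authentication-template>
      <priority>10</priority><frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget></authscheme>
    <authscheme name="certlogon"><authentication-template> client_cert </authentication-template>
      <priority>20</priority><frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget></authscheme>
  </authschemes>
  <authscheme-refs>
    <authscheme-ref name="default"><authscheme>uidpwdlogon</authscheme></authscheme-ref>
  </authscheme-refs>
</document>"""


def load_authschemes(xml_text):
    """Return (schemes, refs): scheme name -> settings, reference name -> scheme name."""
    root = ET.fromstring(xml_text)
    schemes = {n.get("name"): {
        "template": n.findtext("authentication-template").strip(),
        "priority": int(n.findtext("priority")),
        "frontendtype": int(n.findtext("frontendtype")),
        "frontendtarget": n.findtext("frontendtarget").strip(),
    } for n in root.find("authschemes").findall("authscheme")}
    refs = {r.get("name"): r.findtext("authscheme").strip()
            for r in root.findall("authscheme-refs/authscheme-ref")}
    return schemes, refs


def validate(schemes):
    """Positive priority, frontendtype 2 in the portal, one priority per login module stack."""
    problems, by_template = [], {}
    for name, s in schemes.items():
        if s["priority"] <= 0:
            problems.append(f"{name}: priority must be a positive integer")
        if s["frontendtype"] != 2:
            problems.append(f"{name}: frontendtype must be 2 in the portal")
        by_template.setdefault(s["template"], set()).add(s["priority"])
    problems += [f"stack {t}: schemes use different priorities {sorted(p)}"
                 for t, p in by_template.items() if len(p) > 1]
    return problems


def access_allowed(schemes, refs, session_scheme, required_scheme):
    """True when the session's scheme has the same or a higher priority than the required one."""
    have = schemes[refs.get(session_scheme, session_scheme)]["priority"]
    need = schemes[refs.get(required_scheme, required_scheme)]["priority"]
    return have >= need
```

When access_allowed returns False the portal launches the required scheme's frontend target so the user can re-authenticate.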

Frontend type

In the Enterprise Portal the frontend type must always be 2.

Frontend target

The frontend target defines which iView is to be launched when a user’s session does not satisfy the required authentication scheme. Whereas the login module defines how the user is authenticated, the frontend target defines the user interaction that needs to take place to gather the required information.

In addition you may want to define a reference to an authentication scheme. For details, see Defining References to Authentication Schemes.

When you are finished editing authschemes.xml, save the file and proceed as described in Changing the authschemes.xml File.

Result

You have defined a custom authentication scheme and can assign it to iView templates or iViews. For details, see Assigning an Authentication Scheme to an iView.
