Integrating Third-Party Login Modules

Context

The result of successful authentication of a third-party login module compliant with Java Authentication and Authorization Service (JAAS) is a principal. Based on the principal name, the Application Server (AS) Java authentication framework tries to find the corresponding user in the User Management Engine (UME) of the system. If the principal name set by the third-party login module does not correspond to the user logon ID in the UME, you need to configure user mapping. You can do this by specifying properties for the policy configuration that applies to the third-party login module.

The following table summarizes the user mapping options:

Name / Possible values / Description

UserMappingMode
  LogonID
    (Default) The system searches the UME for a user whose logon ID equals the principal name set by the third-party login module.
  LogonAlias
    The system searches the UME for a user whose logon alias equals the principal name set by the third-party login module. For users read from an ABAP data source, the logon alias may differ from the logon ID. For AS Java users, the logon alias is the same as the logon ID.
  Email
    The system searches the UME for a user whose e-mail address equals the principal name set by the third-party login module.
  UserAttribute
    The system searches the UME for a user that has a user attribute equal to the principal name set by the third-party login module. Specify the attribute name and (optionally) its namespace with the properties UserMappingAttribute and UserMappingAttributeNamespace.
  AccountAttribute
    The system searches the UME for a user that has an account attribute equal to the principal name set by the third-party login module. Specify the attribute name and (optionally) its namespace with the properties UserMappingAttribute and UserMappingAttributeNamespace.
  VirtualUser
    The system searches the UME for a user whose logon ID equals the principal name set by the third-party login module. If no such user exists, it creates a virtual user that exists only for the current user session, with the principal name as its logon ID.

UserMappingAttribute
  <attribute name>
    If UserMappingMode is UserAttribute or AccountAttribute, the name of the user or account attribute used for the mapping.

UserMappingAttributeNamespace
  <attribute namespace>
    (Optional) If UserMappingMode is UserAttribute or AccountAttribute, the namespace of that attribute in the UME. If not specified, the system uses the default UME namespace, com.sap.security.core.usermanagement.

VirtualUserDefaultGroups
  <comma-separated list of group display names>
    (Optional) Used when UserMappingMode is VirtualUser: the groups assigned to the virtual user when it is created.

VirtualUserDefaultRoles
  <comma-separated list of role display names>
    (Optional) Used when UserMappingMode is VirtualUser: the roles assigned to the virtual user when it is created.

You can also use a regular expression as a user mapping option. Use the following format:

Name / Possible values / Description

UserMappingRegex
  <regular expression>
    Restricts the principal names accepted from the third-party login module and/or extracts a substring of the principal name that is then used for user mapping. Principal names that do not match the pattern are not accepted. To extract a substring, define a group in the pattern; the value of that group is the extracted substring.

Example

The configured regular expression is (.+)\Q@company.de\E , and the principal name set by the third-party login module is john@company.de . The result of the regular expression evaluation is john , and this substring from the principal name is used for the configured user mapping.

Integrating the Login Module into an SSO Environment

If you want to use the third-party login module in an authentication stack for SSO with different SAP systems, enable the use of logon tickets among the systems. For more information, see Using Logon Tickets for Single Sign-On .

To enable the creation of logon tickets, set the create_ticket property of the login module to the value true .

Procedure

  1. In your Web browser, open SAP NetWeaver Administrator.
  2. Choose Configuration > Authentication and Single Sign-On > Authentication > Components.
  3. Edit an existing policy configuration or create a new one. For more information, see:
  4. In the Properties tab, add the required options for user mapping or creation of logon tickets. For more information, see Configuring Authentication Properties .

Example

We have a login module that returns principal names (logon IDs) in the following format: <principal>@<domain> (for example, donnamoore@company.com). In the UME database, users do not have logon IDs of that form; their logon IDs match only the <principal> part of the returned name (donnamoore). We can therefore map the returned principal name to the logon ID in the UME database with the following set of properties:

  Name               Value
  UserMappingRegex   (.+)\Q@company.com\E
  UserMappingMode    LogonID
  create_ticket      true

The regular expression accepts only principal names that end in @company.com and returns the part before it, which the LogonID mode then matches against the logon IDs in the UME database. The create_ticket option is added so that the session also receives a logon ticket for SSO to other SAP systems.
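As an added example, and not SAP's code or the actual AS Java implementation, the following Go program simulates the documented evaluation order for the regular-expression and mapping examples above: UserMappingRegex is applied first (rejecting non-matching principal names and extracting the first group), then UserMappingMode is resolved against a constructed UME directory. It assumes the pattern must match the whole principal name, which the page does not state, and covers only the LogonID, Email and VirtualUser modes. Go's regexp accepts the same \Q...\E literal quoting used in the page's pattern.

```go
package main

import (
	"fmt"
	"regexp"
)

// User mapping modes from the page that this simulation supports.
const (
	ModeLogonID     = "LogonID"
	ModeEmail       = "Email"
	ModeVirtualUser = "VirtualUser"
)

// umeUser is a constructed stand-in for a UME user record (not real data).
type umeUser struct {
	LogonID string
	Email   string
}

// Constructed sample UME directory.
var ume = []umeUser{
	{LogonID: "donnamoore", Email: "donna.moore@company.com"},
	{LogonID: "john", Email: "john@company.com"},
}

// mapping is the outcome of resolving one principal name.
type mapping struct {
	LogonID string // UME logon ID the session runs under
	Virtual bool   // true if a session-scoped virtual user was created
}

// mapPrincipal applies UserMappingRegex (may be empty) and then resolves the
// principal name according to UserMappingMode. It returns an error whenever
// the framework would reject the logon: regex mismatch or no matching UME user.
// Assumption (not stated on the page): the pattern must match the whole
// principal name, so it is anchored here with ^...$.
func mapPrincipal(regex, mode, principal string) (mapping, error) {
	name := principal
	if regex != "" {
		re, err := regexp.Compile("^(?:" + regex + ")$")
		if err != nil {
			return mapping{}, fmt.Errorf("invalid UserMappingRegex: %w", err)
		}
		m := re.FindStringSubmatch(principal)
		if m == nil {
			return mapping{}, fmt.Errorf("principal %q rejected by UserMappingRegex", principal)
		}
		if len(m) > 1 {
			name = m[1] // the first group is the substring used for user mapping
		}
	}

	switch mode {
	case ModeLogonID, ModeVirtualUser:
		for _, u := range ume {
			if u.LogonID == name {
				return mapping{LogonID: u.LogonID}, nil
			}
		}
		if mode == ModeVirtualUser {
			// No UME user: a virtual user with this logon ID is created for the session.
			// Every principal name the login module accepts becomes a user here,
			// so the regex must be restrictive in this mode.
			return mapping{LogonID: name, Virtual: true}, nil
		}
	case ModeEmail:
		for _, u := range ume {
			if u.Email == name {
				return mapping{LogonID: u.LogonID}, nil
			}
		}
	default:
		return mapping{}, fmt.Errorf("unsupported UserMappingMode %q", mode)
	}
	return mapping{}, fmt.Errorf("no UME user matches %q in mode %s", name, mode)
}

func main() {
	loose := `(.+)\Q@company.com\E`    // the page's pattern: greedy, allows '@' inside the group
	strict := `([^@]+)\Q@company.com\E` // tighter: the extracted part may not contain '@'
	cases := []struct{ regex, mode, principal string }{
		{loose, ModeLogonID, "donnamoore@company.com"},
		{loose, ModeLogonID, "donnamoore@other.example"},
		{loose, ModeVirtualUser, "mallory@evil.example@company.com"},
		{strict, ModeVirtualUser, "mallory@evil.example@company.com"},
		{"", ModeEmail, "john@company.com"},
	}
	for _, c := range cases {
		res, err := mapPrincipal(c.regex, c.mode, c.principal)
		fmt.Printf("%-36s mode=%-12s -> %+v err=%v\n", c.principal, c.mode, res, err)
	}
}
```

The third case shows why the pattern should be tightened before switching to VirtualUser mode: (.+) greedily accepts mallory@evil.example@company.com and the simulation creates a virtual user named mallory@evil.example, which would then receive VirtualUserDefaultGroups and VirtualUserDefaultRoles. With ([^@]+) the same principal name is rejected by the regular expression. In LogonID mode the loose pattern is less dangerous, because the extracted name simply fails the UME lookup.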