Configuring the UME when Using ADS Data Sources for Kerberos

Context

Use this procedure to configure the data source configuration file used by the user management engine (UME) to enable Single Sign-On (SSO) with Kerberos and an Active Directory Server (ADS). The configuration varies depending on the user resolution mode that the UME uses to resolve the user account in the ADS.

This procedure assumes the UME uses a single ADS data source. If the UME uses multiple ADS data sources, repeat the UME configuration changes described below for every ADS data source configured in the UME. If the data sources are not mutually trusted in a directory forest, you can create separate Kerberos configurations for each data source and have a separate logon URL for each ADS domain.

Procedure


  1. Decide which user resolution mode to use. The table below lists the available modes.

    User Resolution Mode: When To Use

    Kerberos Principal Name (KPN)-based:
      Recommendation: We recommend that you use this mode when the UME is configured to use an ADS data source. You cannot use this mode with a non-ADS data source.

    None:
      Use this mode only if the user's logon ID corresponds to the KPN. If the logon ID corresponds to the samaccountname attribute in the Active Directory, use either the simple or the prefix-based user resolution mode.

    Simple:
      Use simple mode only if the User Principal Name (UPN) is the same as the KPN.

    Prefix-based:
      Use this mode when multiple Kerberos realms are in use.

  2. Create and map any user attributes in the UME data source configuration file for ADS, as required by your user resolution mode.

    For more information about the UME customization and the file download, see Customizing UME Data Source Configuration.

    • KPN-based

      You do not need to customize the data source configuration file of the UME.

    • None

      You do not need to customize the data source configuration file of the UME.

    • Simple

      Make the following changes to the data source configuration file of the UME.

      1. Define the attribute krb5principalname in the responsibleFor section.

      2. Map the attribute krb5principalname to the physical attribute userprincipalname.

    • Prefix-based

      Make the following changes to the data source configuration file of the UME.

      1. Define the attributes kpnprefix, krb5principalname, and dn in the responsibleFor section.

      2. Map kpnprefix to the physical attribute samaccountname.

      3. Map krb5principalname to the physical attribute userprincipalname.

      4. Map dn to the physical attribute distinguishedname.

  3. Use the service user ID and password that you created on the ADS to connect the UME to the ADS data source.

    For more information, see Configuring the UME to Use an LDAP Directory as Data Source.

Example

This example shows how to define attributes in the responsibleFor section of the data source configuration file. The three attributes shown are the ones required for the prefix-based user resolution mode (see step 2).

<responsibleFor>
  ...
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname"
              populateInitially="true"/>
            ...
            <!-- Attributes needed for prefix-based user resolution -->
            <attribute name="kpnprefix"/>
            <attribute name="krb5principalname"/>
            <attribute name="dn"/>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
  ...
</responsibleFor>

This example shows how to map the attributes to the corresponding physical attributes in the ADS, again for the prefix-based user resolution mode.

<attributeMapping>
  <principals>
    <principal type="account">
      <nameSpaces>
      ...
      </nameSpaces>
    </principal>
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname">
              <physicalAttribute name="givenname"/>
            </attribute>
            ...
            <!-- Mappings needed for prefix-based user resolution -->
            <attribute name="kpnprefix">
              <physicalAttribute name="samaccountname"/>
            </attribute>
            <attribute name="krb5principalname">
              <physicalAttribute name="userprincipalname"/>
            </attribute>
            <attribute name="dn">
              <physicalAttribute name="distinguishedname"/>
            </attribute>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
  </principals>
</attributeMapping>
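A misconfigured mapping silently breaks Kerberos user resolution, so it is worth checking the data source configuration file against the requirements of the chosen mode before deploying it. The following added example (not SAP tooling; the root element, data source id and trimmed sample file are constructed) checks that the attributes step 2 requires for a mode are defined in responsibleFor and mapped to the right physical ADS attributes.

```python
# Added check, not SAP tooling: verify a UME data source configuration
# carries the attributes a Kerberos user resolution mode requires (step 2).
import xml.etree.ElementTree as ET
UME_NS = "com.sap.security.core.usermanagement"
# Logical UME attribute -> physical ADS attribute required per mode.
REQUIRED = {
    "kpn": {}, "none": {},
    "simple": {"krb5principalname": "userprincipalname"},
    "prefix": {"kpnprefix": "samaccountname", "krb5principalname": "userprincipalname",
               "dn": "distinguishedname"},
}

def _user_attributes(section):
    """Return the <attribute> elements of the user principal in the UME namespace."""
    if section is None:
        return []
    for principal in section.iter("principal"):
        if principal.get("type") == "user":
            for ns in principal.iter("nameSpace"):
                if ns.get("name") == UME_NS:
                    return ns.findall("attributes/attribute")
    return []

def check_config(xml_text, mode):
    """Return the problems found for a mode; an empty list means the mode is configured."""
    root = ET.fromstring(xml_text)
    defined = {a.get("name") for a in _user_attributes(root.find(".//responsibleFor"))}
    mapped = {}
    for attr in _user_attributes(root.find(".//attributeMapping")):
        phys = attr.find("physicalAttribute")
        mapped[attr.get("name")] = phys.get("name").lower() if phys is not None else None
    problems = []
    for logical, physical in REQUIRED[mode].items():
        if logical not in defined:
            problems.append(f"{logical} is not defined in responsibleFor")
        if mapped.get(logical) != physical:
            problems.append(f"{logical} must map to {physical}, found {mapped.get(logical)}")
    return problems

# Constructed, trimmed data source configuration that is set up for simple mode only.
SAMPLE = """<dataSource id="CORP_ADS">
  <responsibleFor><principal type="user"><nameSpaces>
    <nameSpace name="com.sap.security.core.usermanagement"><attributes>
      <attribute name="krb5principalname"/>
    </attributes></nameSpace></nameSpaces></principal></responsibleFor>
  <attributeMapping><principals><principal type="user"><nameSpaces>
    <nameSpace name="com.sap.security.core.usermanagement"><attributes>
      <attribute name="krb5principalname"><physicalAttribute name="userprincipalname"/></attribute>
    </attributes></nameSpace></nameSpaces></principal></principals></attributeMapping>
</dataSource>"""
```

Running check_config(SAMPLE, "simple") returns no problems, while check_config(SAMPLE, "prefix") reports that kpnprefix and dn are neither defined nor mapped.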