Defining an Authentication Scheme

Use

You can define custom authentication schemes if your specific requirements are not covered by the shipped authentication schemes. You define authentication schemes in the authschemes.xml file.

Procedure

Open the authschemes.xml file for modifying as described in Changing the authschemes.xml File.

For more information about the authschemes.xml file, see User Management and Security Files.

Here is an example of the contents of this file:

<document>
    <authschemes>
        <!-- authschemes, the name of the node is used -->
        <authscheme name="uidpwdlogon">
            <authentication-template>
                ticket
            </authentication-template>
            <priority>20</priority>
            <!-- the frontendtype TARGET_FORWARD = 0 -->
            <!-- TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
            <frontendtype>2</frontendtype>
            <!-- target object -->
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>

        <authscheme name="certlogon">
            <authentication-template>
                client_cert
            </authentication-template>
            <priority>21</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
        …
    </authschemes>
    <!-- References for Authentication Schemes -->
    <!-- this section must be after authschemes -->
    <authscheme-refs>
        <authscheme-ref name="default">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
        <authscheme-ref name="UserAdminScheme">
            <authscheme>uidpwdlogon</authscheme>
        </authscheme-ref>
    </authscheme-refs>
</document>

To define an authentication scheme ( authscheme ), you need to provide the following information:

  • Authentication template (login module stack)
  • Priority
  • Front-end type
  • Front-end target

These are described in more detail below.

Authentication Template

In the <authentication-template> tag, you define which login module stack in the AS Java controls authentication. The login module stack of the AS Java defines the list of login modules and their control flags (Required, Requisite, Sufficient, Optional) and can be modified with the SAP NetWeaver Administrator (NWA). You do not define the login modules themselves in the authschemes.xml file; the tag only names the stack.

For more information about defining login module stacks in the SAP NetWeaver Administrator, see AS Java Authentication Infrastructure and Managing Login Modules.

Tip

For example, you have defined a login module stack called certlogon . You want to create an authentication scheme that uses this login module stack. To do this, you add the following to the authschemes.xml file.

<authscheme name="myauthscheme">
    <!-- names the login module stack defined in NWA; the stack itself -->
    <!-- (and its login modules) is not defined in authschemes.xml -->
    <authentication-template>
        certlogon
    </authentication-template>
    <priority>20</priority>
    <!-- the frontendtype TARGET_FORWARD = 0 -->
    <!-- TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
    <frontendtype>2</frontendtype>
    <!-- target object: the iView launched when the session does not satisfy the scheme -->
    <frontendtarget>
        com.mycompany.certlogonapp
    </frontendtarget>
</authscheme>

Priority

The priority of an authentication scheme must be a positive integer.

<priority>20</priority>

The higher the integer, the higher the priority of the authentication scheme. Each application is assigned an authentication scheme, and only users who have logged on successfully with that authentication scheme, or with one of the same or a higher priority, can access the application without authenticating again.

Priorities can be used systematically in a portal scenario where iViews have different authentication schemes.

Tip

For example, an authentication scheme that requires users to authenticate themselves using their user ID and password has a priority of 10. An authentication scheme that requires users to authenticate themselves using a client certificate has a priority of 20. If users have authenticated themselves in the portal with a client certificate (priority 20) and then try to access an iView that requires authentication with user ID and password (priority 10), they will not need to reauthenticate themselves.

We strongly recommend that if you have two or more authentication schemes that use the same login module stack, all of these authentication schemes have the same priority.

Front-end type

In the Enterprise Portal the front-end type must always be 2 (TARGET_JAVAIVIEW, as in the comments in the examples above).

Front-end target

The front-end target defines which iView is to be launched when a user's session does not satisfy the required authentication scheme. Whereas the login module defines how the user is authenticated, the front-end target defines the user interaction that needs to take place to gather the required information.
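The rules above (positive integer priority, front-end type 2 in the portal, same priority for schemes sharing a login module stack, references resolving to existing schemes, the refs block placed after the schemes block) are easy to break by hand in authschemes.xml, and the portal only tells you at logon time. The following is an added example, not part of this documentation and not SAP code: a small Python checker that parses an authschemes.xml document, reports violations of those rules, and applies the priority comparison from the tip above to decide whether a user must reauthenticate. The embedded XML is constructed for the example; the scheme certlogon_weak, the reference target nosuchscheme and the target com.example.certlogonapp are hypothetical and chosen to trigger findings.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the structure shown above. "certlogon_weak"
# and the dangling "nosuchscheme" reference are hypothetical and deliberately wrong.
SAMPLE_AUTHSCHEMES_XML = """<document>
  <authschemes>
    <authscheme name="uidpwdlogon">
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="certlogon">
      <authentication-template>client_cert</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="certlogon_weak">
      <authentication-template>client_cert</authentication-template>
      <priority>5</priority>
      <frontendtype>1</frontendtype>
      <frontendtarget>com.example.certlogonapp</frontendtarget>
    </authscheme>
  </authschemes>
  <authscheme-refs>
    <authscheme-ref name="default"><authscheme>uidpwdlogon</authscheme></authscheme-ref>
    <authscheme-ref name="UserAdminScheme"><authscheme>nosuchscheme</authscheme></authscheme-ref>
  </authscheme-refs>
</document>
"""


def parse_authschemes(xml_text):
    """Return (schemes, refs): schemes maps name -> its four fields, refs maps ref name -> scheme name."""
    root = ET.fromstring(xml_text)
    schemes = {}
    # Only the <authscheme> elements directly under <authschemes>; the <authscheme>
    # children of <authscheme-ref> are references, not definitions.
    for node in root.find("authschemes").findall("authscheme"):
        schemes[node.get("name")] = {
            "template": (node.findtext("authentication-template") or "").strip(),
            "priority": (node.findtext("priority") or "").strip(),
            "frontendtype": (node.findtext("frontendtype") or "").strip(),
            "frontendtarget": (node.findtext("frontendtarget") or "").strip(),
        }
    refs = {}
    refs_block = root.find("authscheme-refs")
    if refs_block is not None:
        for ref in refs_block.findall("authscheme-ref"):
            refs[ref.get("name")] = (ref.findtext("authscheme") or "").strip()
    return schemes, refs


def validate(xml_text):
    """Return a list of findings; an empty list means the rules described on this page hold."""
    findings = []
    order = [child.tag for child in ET.fromstring(xml_text)]
    if "authscheme-refs" in order and "authschemes" in order:
        if order.index("authscheme-refs") < order.index("authschemes"):
            findings.append("<authscheme-refs> must come after <authschemes>")
    schemes, refs = parse_authschemes(xml_text)
    priorities_per_stack = defaultdict(set)
    for name, s in schemes.items():
        if not s["priority"].isdigit() or int(s["priority"]) <= 0:
            findings.append(f"{name}: priority must be a positive integer, got {s['priority']!r}")
        if s["frontendtype"] != "2":
            findings.append(f"{name}: frontendtype must be 2 (TARGET_JAVAIVIEW) in the portal, got {s['frontendtype']!r}")
        if not s["template"] or not s["frontendtarget"]:
            findings.append(f"{name}: authentication-template and frontendtarget are required")
        priorities_per_stack[s["template"]].add(s["priority"])
    # Schemes that share a login module stack should share a priority.
    for stack, prios in priorities_per_stack.items():
        if len(prios) > 1:
            findings.append(f"login module stack {stack!r} is used with different priorities {sorted(prios)}")
    for ref_name, target in refs.items():
        if target not in schemes:
            findings.append(f"authscheme-ref {ref_name!r} points to unknown authscheme {target!r}")
    return findings


def needs_reauthentication(schemes, session_scheme, required_scheme):
    """True if a session logged on with session_scheme must reauthenticate for an iView requiring required_scheme."""
    return int(schemes[session_scheme]["priority"]) < int(schemes[required_scheme]["priority"])


if __name__ == "__main__":
    for finding in validate(SAMPLE_AUTHSCHEMES_XML):
        print("FINDING:", finding)
    schemes, _ = parse_authschemes(SAMPLE_AUTHSCHEMES_XML)
    print("cert session -> uid/pwd iView reauth:", needs_reauthentication(schemes, "certlogon", "uidpwdlogon"))
    print("uid/pwd session -> cert iView reauth:", needs_reauthentication(schemes, "uidpwdlogon", "certlogon"))
```

Run it against your own file with `validate(open("authschemes.xml").read())` before you save it and proceed as described in Changing the authschemes.xml File; the priority check mirrors the tip above, so a certificate session (priority 21) reaches a user ID and password iView (priority 20) without a new logon, while the reverse direction forces one.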

In addition, you may want to define a reference to an authentication scheme. For details, see Defining References to Authentication Schemes.

When you are finished editing authschemes.xml, save the file and proceed as described in Changing the authschemes.xml File.

Result

You have defined a custom authentication scheme and can assign it to iView templates or iViews. For details, see Assigning an Authentication Scheme to an iView.