Configuring the UME (function documentation)

Use

Depending on the data source it uses, the UME of the AS Java can be configured to use several modes to resolve the user from the Kerberos Principal Name (KPN).

You can use this topic to perform the necessary configuration changes that allow the UME to populate the user identity information from the KPN.

Integration

Upon successful authentication, the AS Java uses the UME to retrieve the user identity information and to assign access permissions accordingly. After Kerberos authentication has succeeded, however, what the AS Java receives is the KPN of the user. The resolution mode you set in the SPNego wizard determines how the AS Java user is resolved from that KPN.

The KPN is not necessarily an attribute of the user in the UME. In addition, the KPN may not be an attribute of the user account in the KDC user directory. For example, if you use an Active Directory Server for a UME data source, the KPN may not be an attribute of the Active Directory user accounts. Therefore, configuring the UME can involve editing the UME data source configuration xml files to create additional user attributes. For more information, see Customizing a UME Data Source Configuration.

Features

The UME can use the following resolution modes to determine the user account from the KPN:

      none - For this mode, the user's logon ID attribute in the UME must be identical to the Kerberos Principal Name (KPN) attribute in ADS.

Caution

When the UME is configured to use an ADS data source, do not use this resolution mode if the logon ID attribute corresponds to the samaccountname attribute in the Active Directory.

      simple - For this mode, you specify which UME user attribute matches the KPN. This can be any existing UME attribute or a new one. We recommend that you create a new attribute named krb5principalname that corresponds to the KPN.

      prefixbased - For this mode, the UME searches for a user based only on the KPN prefix. The algorithm works as follows:

      a. Kerberos authentication yields a KPN, for example johndoe@IT.CUSTOMER.DE.

      b. SPNegoLoginModule splits the KPN into the parts johndoe and IT.CUSTOMER.DE and searches the UME for a user with uniquename=johndoe. If the search result is unique, it is returned as the logon user ID to the UME.

      c. If the result is not unique, SPNegoLoginModule uses the user's distinguishedName attribute to exclude from the search result those users who are not in the domain IT.CUSTOMER.DE.
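The prefix-based resolution steps above, worked through as an added example. This is not SAP code: the UME search is simulated with an in-memory list of constructed users, the domain is derived from the DC= components of distinguishedName (an assumption about how the domain check is performed), and an ambiguous result is rejected rather than picking an arbitrary account.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UmeUser:
    uniquename: str
    distinguishedName: str  # attribute names as used on the page


# Constructed sample data: two "johndoe" accounts in different AD domains
SAMPLE_USERS: List[UmeUser] = [
    UmeUser("johndoe", "CN=John Doe,OU=Staff,DC=IT,DC=CUSTOMER,DC=DE"),
    UmeUser("johndoe", "CN=John Doe,OU=Staff,DC=SALES,DC=CUSTOMER,DC=DE"),
    UmeUser("janedoe", "CN=Jane Doe,OU=Staff,DC=IT,DC=CUSTOMER,DC=DE"),
]


def split_kpn(kpn: str) -> Tuple[str, str]:
    """Step a/b: split 'johndoe@IT.CUSTOMER.DE' into ('johndoe', 'IT.CUSTOMER.DE')."""
    if kpn.count("@") != 1:
        raise ValueError("malformed KPN: expected exactly one '@'")
    prefix, realm = kpn.split("@")
    if not prefix or not realm:
        raise ValueError("malformed KPN: empty prefix or realm")
    return prefix, realm


def domain_from_dn(dn: str) -> str:
    """Join the DC= components of a (simple, unescaped) LDAP DN into a domain name."""
    dcs = [rdn.strip()[3:] for rdn in dn.split(",") if rdn.strip().upper().startswith("DC=")]
    return ".".join(dcs).upper()


def resolve_prefixbased(kpn: str, users: List[UmeUser]) -> Optional[UmeUser]:
    """Return the single UME user for the KPN, or None if no unique match exists."""
    prefix, realm = split_kpn(kpn)
    # Step b: search on uniquename (case-insensitive match is an assumption here)
    candidates = [u for u in users if u.uniquename.lower() == prefix.lower()]
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        return None
    # Step c: exclude candidates whose distinguishedName is outside the KPN's domain
    in_domain = [u for u in candidates if domain_from_dn(u.distinguishedName) == realm.upper()]
    # Still ambiguous or empty: fail closed instead of guessing
    return in_domain[0] if len(in_domain) == 1 else None
```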

Activities

The UME data sources use different formats for specifying user attributes. Therefore, the required configuration for the UME data source configuration file depends on the data source you use.

For more information about configuring the UME, see the following topics:

      Configuring the UME when Using ADS Data Sources for Kerberos Authentication

When you use an Active Directory Server (ADS) for a data source in UME, you can use different modes for resolving the user account ID from the KPN. In this topic, you can see how to choose a specific user resolution mode and the required configuration changes to the UME data source configuration file for ADS data sources.

      Configuring the UME when Using non-ADS Data Sources for Kerberos Authentication

Provides details about the required UME data source configuration file when using non-ADS data sources in the UME.
