Using Single Sign-On with Resource Adapters

Definition

The J2EE Engine provides an additional authentication mechanism type supported by the connector container: SAP Assertion Ticket of type com.sap.security.core.server.jaas.SAPAuthenticationAssertionTicketCredential.

The SAP Assertion Ticket is fully compatible with the SAP Logon Ticket.

Use

The authentication mechanism type is specified in the deployment descriptor (ra.xml) of the resource adapter. The tag name is <authentication-mechanism-type>. To provide Single Sign-On with the resource adapter, the value can be either SAPAssertionTicket or the corresponding object ID 1.3.6.1.4.1.694.2.1.3.1.

Structure

According to the JCA architecture, there are four authentication options in the context of the authentication mechanism type that is specified for the resource adapter:

Authentication Options

Option: Caller Impersonation
Description: The subject that is passed to the resource adapter must be a clone of the caller's subject, containing the principal and its credentials. In this case, no new credentials are created, regardless of the <authentication-mechanism-type> that is configured in the deployment descriptor. Only the credentials that already exist in the cloned subject are forwarded.

Option: Credentials Mapping
Description: The name of the resource principal is the same as that of the caller principal. Only the credentials must be replaced. The type of credential that needs to be created depends on the <authentication-mechanism-type> that is configured in the deployment descriptor.

Option: Principal Mapping
Description: With this option, the resource principal is determined by the settings in the resource adapter's configuration, which holds the mappings from the caller principals to the resource principals. The type of credential that needs to be created depends on the <authentication-mechanism-type> that is configured in the deployment descriptor.

Option: Configured Identity
Description: With this option, the resource principal is determined by the fixed settings in the resource adapter's configuration. This means that the same resource principal is created for all caller principals according to these settings. The type of credential that needs to be created depends on the <authentication-mechanism-type> that is configured in the deployment descriptor.

Example

<authentication-mechanism>
   <authentication-mechanism-type>SAPAssertionTicket</authentication-mechanism-type>
   <credential-interface>javax.resource.spi.security.GenericCredential</credential-interface>
</authentication-mechanism>
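A deployment review can confirm which mechanisms a resource adapter actually declares before it is deployed. The following Python check is an added example, not SAP code: it reads an ra.xml string and reports whether SAP Assertion Ticket SSO is declared, by name or by the object ID given above. The function names and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# From the page: the mechanism name and its equivalent object ID.
SAP_ASSERTION_TICKET = {"SAPAssertionTicket", "1.3.6.1.4.1.694.2.1.3.1"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix from a tag

def child_text(elem, name):
    """Whitespace-trimmed text of the first direct child called `name`, else None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit(ra_xml):
    """Return declared (type, credential-interface) pairs, an SSO flag and findings."""
    mechs = [(child_text(e, "authentication-mechanism-type"),
              child_text(e, "credential-interface"))
             for e in ET.fromstring(ra_xml).iter()
             if local(e.tag) == "authentication-mechanism"]
    findings = [] if mechs else ["no <authentication-mechanism> declared"]
    for mtype, iface in mechs:
        if not mtype:
            findings.append("empty <authentication-mechanism-type>")
        if not iface:
            findings.append(f"{mtype}: missing <credential-interface>")
    sso = any(mtype in SAP_ASSERTION_TICKET for mtype, _ in mechs)
    return {"sso": sso, "mechanisms": mechs, "findings": findings}

# Constructed sample: values on their own lines, surrounded by whitespace.
SAMPLE_BY_NAME = """<connector><resourceadapter>
  <authentication-mechanism>
    <authentication-mechanism-type>
      SAPAssertionTicket
    </authentication-mechanism-type>
    <credential-interface>
      javax.resource.spi.security.GenericCredential
    </credential-interface>
  </authentication-mechanism>
</resourceadapter></connector>"""

# Constructed sample: namespaced descriptor using the object ID, interface omitted.
SAMPLE_BY_OID = """<connector xmlns="http://java.sun.com/xml/ns/j2ee"><resourceadapter>
  <authentication-mechanism><authentication-mechanism-type>1.3.6.1.4.1.694.2.1.3.1
  </authentication-mechanism-type></authentication-mechanism></resourceadapter></connector>"""

if __name__ == "__main__":
    print(audit(SAMPLE_BY_NAME), audit(SAMPLE_BY_OID), sep="\n")
```

Element text is trimmed before comparison because descriptors are often formatted with the value on its own line, and an exact string match would then miss a correctly declared mechanism.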
