June 24, 2007
Use

When you use SAP logon tickets for Single Sign-On to SAP Systems, users must have the same user IDs in all SAP Systems that are configured to use SAP logon tickets. If the SAP user IDs are different from the portal user IDs, you must define an SAP reference system. Users then map their portal user ID to the user ID in the SAP reference system. The mapped user ID is included in the SAP logon ticket and enables Single Sign-On using logon tickets to all SAP Systems in which the user has the same user ID.

Prerequisites

Users have the same ID in all SAP component systems that are configured to use logon tickets for Single Sign-On. Passwords do not have to be identical.
Procedure
Define a system object for the reference system ...
1. If the system you wish to use as SAP reference system has not yet been defined as a system in the portal, define it as described in Creating Systems.
2. Ensure that a system alias has been defined for the system. If it does not have a system alias, it will not appear in the user mapping tool. See Maintaining a System Alias List.
3. Set the user mapping properties. You must always set a value for the property User Mapping Type. For details, see System Properties for User Mapping.
Define the reference system in the user management configuration tool ...
4. In the user management configuration tool, choose Security Settings. For more information on the user management configuration tool, see User Management Configuration Tool.
5. In SAP Reference System, choose the system alias of the above system.
6. Restart the Java application server.
Result
When users start the user mapping function, one of the component systems that they can select is the SAP reference system. They can map their portal user ID to their user ID in this reference system. The user mapping function connects to the SAP reference system using the user ID and password to verify that the password entered by the user is correct. The next time the user logs on to the portal, the portal generates an SAP logon ticket for the user that contains both his or her portal user ID and mapped user ID.
1 Using Logon Tickets
The ticket a user obtains is stored as a temporary cookie in the user's web browser. Because the cookie holds user information, it is best to configure a Secure Sockets Layer (SSL) connection.
The logon ticket can be marked as a secure cookie, so that the client browser sends the cookie only over an SSL connection. This is done by setting the parameter ume.logon.security.enforce_secure_cookie to True, which is also the setting SAP recommends.
To reduce the risk of the ticket being intercepted by an attacker, the ticket's validity period can also be shortened; the default validity period is 8 hours.
2 Using Logon Tickets with User Mapping
The portal user ID is mapped to the ABAP user ID in the SAP reference system. By default, the mapped user ID is stored encrypted in the UME database.
The portal user ID can also be mapped to an LDAP directory, but there the mapped user ID is stored unencrypted, so it is best to ensure that the user ID has no edit rights on the LDAP directory.
3 Using User ID and Password with User Mapping

When Single Sign-On with user ID and password is used, the user ID and password are sent across the network.
We strongly recommend that you protect the connections to the backend systems using HTTPS or SNC to prevent the user ID and password being read by an unauthorized user. We strongly recommend that you install the full version of the SAP Java Cryptographic Library if you use user mapping. This toolkit is required so that user mapping data can be stored in encrypted form. If the toolkit is not deployed, user mapping data is stored with weak encryption (base 64 encoding), which is not recommended for production systems.
Applications running on J2EE Engine have two options for authenticating users:
· Declarative authentication (also known as container-based authentication): The Web container (in this case, the J2EE Engine) handles authentication. A component running on the J2EE Engine declares its protected resources and its desired authentication mechanism in its deployment descriptor. When a protected resource of this component is accessed, the container in which the component runs triggers authentication.
· Programmatic authentication (also known as UME authentication): Components running on the J2EE Engine authenticate directly against the User Management Engine (UME) using the UME API. The component explicitly triggers authentication and then the authentication process is controlled by the authentication framework.
Web Dynpro applications and portal iViews always use programmatic (UME) authentication. J2EE Web applications can use either declarative or programmatic authentication depending on which the developer decides to use.
Both declarative and programmatic authentication use login modules and login module stacks as their underlying technology. Applications that use declarative authentication define which login module stack they use in their deployment descriptor. Programmatic authentication additionally introduces the concept of authentication schemes. Applications that use programmatic authentication are associated with an authentication scheme. The authentication scheme in turn references a login module stack.
Configuring user mapping between the portal and BSP systems creates a security risk: the user ID and password are exposed in the HTTP header. You have the following options to eliminate this risk:
● Reconfigure the systems to use single sign-on with logon tickets. This requires that users have the same user ID in the portal as well as in the BSP systems.
● Upgrade the portal system to NetWeaver 2004s SPS 7 or later and upgrade the BSP system as described in SAP Note 904249. This enables both systems to support HTTP POST in combination with SSL.
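The two transport risks noted on this page, a logon ticket cookie that a browser would also send over plain HTTP (section 1 above) and a user ID and password carried in the HTTP header of a user-mapped BSP connection (the risk just described), can be checked mechanically. The Python script below is an added example, not code from the page or from SAP: it parses Set-Cookie headers for the logon ticket cookie and reports a missing Secure attribute, flags HTTP Basic credentials on a non-HTTPS request (reporting the user ID only, never the password), and checks the enforce_secure_cookie property together with the ticket validity period. The cookie name MYSAPSSO2 is the standard name of the SAP logon ticket cookie and is not stated on the page; the Set-Cookie and Authorization header values are constructed samples.

```python
import base64
import binascii
from typing import Dict, List, Tuple

# Name of the SAP logon ticket cookie. This is the standard name, not stated on the
# page above; change it if your installation uses a different one.
TICKET_COOKIE = "MYSAPSSO2"

# Constructed samples (not captured from a real system).
SAMPLE_SET_COOKIE_WEAK = "MYSAPSSO2=AjExMDAgAB; path=/; domain=.portal.example.com"
SAMPLE_SET_COOKIE_OK = "MYSAPSSO2=AjExMDAgAB; path=/; domain=.portal.example.com; Secure"
SAMPLE_BASIC_HEADER = "Basic amRvZTpzM2NyZXQ="  # base64 of the constructed pair "jdoe:s3cret"


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; attr; attr=value' into (name, value, attributes).
    Attribute names are lower-cased so 'Secure' and 'secure' compare equal."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> List[str]:
    """Flag a logon ticket cookie that the browser would also send over plain HTTP."""
    name, _, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if name == TICKET_COOKIE and "secure" not in attrs:
        findings.append(
            f"{name} is set without the Secure attribute; "
            "set ume.logon.security.enforce_secure_cookie to true"
        )
    return findings


def audit_request(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Flag a user ID and password carried in an HTTP header over an unencrypted connection."""
    findings: List[str] = []
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic ") and scheme.lower() != "https":
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True)
            user = raw.decode("utf-8", "replace").split(":", 1)[0]  # user ID only, never the password
        except (binascii.Error, ValueError):
            user = "<undecodable>"
        findings.append(
            f"Basic credentials for user '{user}' sent over {scheme}; "
            "protect the connection with HTTPS/SNC or switch to logon tickets"
        )
    return findings


def audit_ticket_settings(props: Dict[str, str], ticket_lifetime_hours: float) -> List[str]:
    """Check the two settings the notes above call out: the secure-cookie flag and the
    ticket validity period (8 hours is the default mentioned on the page)."""
    findings: List[str] = []
    if props.get("ume.logon.security.enforce_secure_cookie", "false").lower() != "true":
        findings.append("ume.logon.security.enforce_secure_cookie is not set to true")
    if ticket_lifetime_hours >= 8:
        findings.append(
            f"ticket validity of {ticket_lifetime_hours}h is the default or longer; consider shortening it"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_SET_COOKIE_WEAK) + audit_set_cookie(SAMPLE_SET_COOKIE_OK):
        print("cookie:", finding)
    for finding in audit_request("http", {"Authorization": SAMPLE_BASIC_HEADER}):
        print("request:", finding)
    for finding in audit_ticket_settings({"ume.logon.security.enforce_secure_cookie": "false"}, 8):
        print("config:", finding)
```

Run against exported proxy or server logs, the scheme should come from the connection the request actually arrived on, not from the Host header; a TLS-terminating reverse proxy in front of the portal is the usual reason a Basic header looks fine at the application but travelled over plain HTTP on the last hop.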
Authorizations are enforced in User Management Engine (UME) using permissions, actions, and roles.
Permissions are usually defined in Java code.
Actions are usually collections of permissions, defined in an XML file or in Java code.
A role is usually a collection of actions. A user's authorizations are determined by the roles the user has been granted.
UME actions are defined in UMErole.xml; the UME actions are as follows:
UME.Manage_All: all user management permissions in UME.
UME.Manage_All_User_Passwords: lets a user change other users' passwords; the user can also view other users' profiles.
UME.AclSuperUser: applies only to the portal; holding this action in the portal grants owner permissions on the PCD, so it should be assigned only to the super administrator.
UME.Manage_Users: manage all users in the same company (a concept from delegated user administration).
UME.Manage_Groups: manage all groups in the same company.
UME.Manage_Roles: not related to EP; manage UME roles and assign any UME role to a user or group, so holding it is equivalent to being a super administrator.
UME.Manage_Role_Assignments: add roles to users (but not to groups) in the same company; these roles must be defined as assignable.
UME.Manage_All_Companies: only an extension of the other UME actions; for example, a user who has both UME.Manage_All_Companies and UME.Manage_Users can manage all users.
UME.Batch_Admin: import and export users and groups in the same company.
UME.Manage_My_Profile: lets a non-administrator user edit his or her own profile.
UME.Manage_My_Password: lets a non-administrator user change his or her own logon password, but the UME parameter ume.logon.security_policy.password_change_allowed must be set to TRUE.
UME.Manage_User_Passwords: change the passwords of other users in the same company.
UME.Read_All: view the profiles of all users, groups and roles.
UME.Read_Basic: for internal use only.
UME.Read_My_Profile: lets a non-administrator user view his or her own profile.
UME.Selfregister_User: reserved for future use.
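The permission, action, role chain described above can be made concrete as code. The Python model below is an added example, not SAP's implementation: actions are sets of permissions, roles are sets of actions, and a user's effective permissions are resolved through the assigned roles. The UME.* action names are those listed above; the permission strings, role names, users and companies are constructed placeholders. It also encodes three points from the list: UME.Manage_Users is scoped to the administrator's own company unless UME.Manage_All_Companies (or UME.Manage_All) widens it, UME.Manage_My_Password only works when ume.logon.security_policy.password_change_allowed is TRUE, and holding UME.Manage_Roles or UME.AclSuperUser is equivalent to being a super administrator, which implicit_super_admins() surfaces for a role-assignment review.

```python
from typing import Dict, FrozenSet, List, Set

# Actions bundle permissions. The UME.* action names are the ones listed above; the
# permission strings are constructed placeholders standing in for the permissions
# that UME defines in Java code.
ACTIONS: Dict[str, FrozenSet[str]] = {
    "UME.Read_My_Profile": frozenset({"profile.read.own"}),
    "UME.Manage_My_Profile": frozenset({"profile.read.own", "profile.edit.own"}),
    "UME.Manage_My_Password": frozenset({"password.change.own"}),
    "UME.Read_All": frozenset({"user.read", "group.read", "role.read"}),
    "UME.Manage_Users": frozenset({"user.read", "user.create", "user.modify", "user.delete"}),
    "UME.Manage_Groups": frozenset({"group.read", "group.create", "group.modify", "group.delete"}),
    "UME.Manage_Role_Assignments": frozenset({"role.assign.assignable"}),
    "UME.Manage_Roles": frozenset({"role.read", "role.create", "role.modify", "role.assign.any"}),
    "UME.Manage_All_Companies": frozenset({"company.scope.all"}),
}
# UME.Manage_All carries every user-management permission in UME.
ACTIONS["UME.Manage_All"] = frozenset().union(*ACTIONS.values())
# Portal-only: PCD owner rights, which lie outside the UME user-management permissions.
ACTIONS["UME.AclSuperUser"] = frozenset({"pcd.acl.owner"})

# Roles bundle actions (role names are constructed).
ROLES: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({"UME.Manage_All", "UME.AclSuperUser"}),
    "Delegated_User_Admin": frozenset({"UME.Manage_Users", "UME.Manage_Groups", "UME.Manage_Role_Assignments"}),
    "Role_Designer": frozenset({"UME.Manage_Roles"}),
    "Everyone": frozenset({"UME.Read_My_Profile", "UME.Manage_My_Password"}),
}

# Constructed sample users: company membership and assigned roles.
USERS: Dict[str, dict] = {
    "alice": {"company": "ACME", "roles": {"Administrator", "Everyone"}},
    "bob": {"company": "ACME", "roles": {"Delegated_User_Admin", "Everyone"}},
    "carol": {"company": "ACME", "roles": {"Everyone"}},
    "dave": {"company": "GLOBEX", "roles": {"Everyone"}},
    "eve": {"company": "GLOBEX", "roles": {"Role_Designer", "Everyone"}},
}

# Holding any of these makes a user a super administrator in effect (see the notes above).
SUPER_ADMIN_ACTIONS = {"UME.Manage_All", "UME.Manage_Roles", "UME.AclSuperUser"}


def actions_of(user: str) -> Set[str]:
    """Resolve a user's roles to the set of actions they grant."""
    return set().union(*(ROLES[r] for r in USERS[user]["roles"]))


def permissions_of(user: str) -> Set[str]:
    """Resolve roles -> actions -> permissions; this is what an authorization check sees."""
    return set().union(*(ACTIONS[a] for a in actions_of(user)))


def has_permission(user: str, permission: str) -> bool:
    return permission in permissions_of(user)


def can_manage_user(admin: str, target: str) -> bool:
    """Delegated administration: UME.Manage_Users reaches only the admin's own company
    unless UME.Manage_All_Companies (or UME.Manage_All) widens the scope."""
    perms = permissions_of(admin)
    if "user.modify" not in perms:
        return False
    same_company = USERS[admin]["company"] == USERS[target]["company"]
    return same_company or "company.scope.all" in perms


def can_change_own_password(user: str, ume_props: Dict[str, str]) -> bool:
    """UME.Manage_My_Password only takes effect when the UME parameter allows password changes."""
    allowed = ume_props.get("ume.logon.security_policy.password_change_allowed", "FALSE")
    return has_permission(user, "password.change.own") and allowed.upper() == "TRUE"


def implicit_super_admins() -> List[str]:
    """List users whose roles grant a super-administrator-equivalent action; a review
    of role assignments should expect only the intended administrators here."""
    return sorted(u for u in USERS if actions_of(u) & SUPER_ADMIN_ACTIONS)


if __name__ == "__main__":
    print("bob can manage carol:", can_manage_user("bob", "carol"))
    print("bob can manage dave:", can_manage_user("bob", "dave"))
    print("super admins:", implicit_super_admins())
```

In the sample data, eve holds only the innocuous-looking Role_Designer role, yet implicit_super_admins() lists her beside alice, which is exactly the point the note on UME.Manage_Roles makes: whoever can assign any UME role can assign the administrator role to themselves.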
The user administration tools for the AS-Java allow both offline and runtime user administration.
User administration tools: Visual Administrator, UME User Administration console, Shell Console Administrator, Config Tool.
Of these, the Config Tool operates directly on the database; its changes take effect only after the J2EE Engine is restarted.