1 Using Logon Tickets
The ticket a user obtains is stored as a temporary (session) cookie in the user's web browser. Because the cookie carries user information, it is best to configure a Secure Sockets Layer (SSL) connection.
The logon ticket can be marked as a secure cookie so that the client browser only sends the cookie over an SSL connection. This is done by setting the parameter ume.logon.security.enforce_secure_cookie to True, which is also the setting SAP recommends.
To reduce the risk of a ticket being intercepted by an attacker, you can also shorten the ticket's validity period; the default validity is 8 hours.
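One way to verify from the client side that the secure-cookie setting described above is actually in effect is to inspect the Set-Cookie headers the portal returns. The following is an added example, not SAP code; it assumes the logon ticket is issued in the cookie SAP names MYSAPSSO2 (the page itself does not name the cookie), and it also checks HttpOnly, which goes slightly beyond the Secure attribute the page discusses. The sample headers are constructed.

```python
from typing import Dict, List

# SAP issues the logon ticket in a cookie called MYSAPSSO2 (assumption: the
# page does not name the cookie; this is the standard SAP cookie name).
TICKET_COOKIE = "MYSAPSSO2"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attributes are keyed in lower case; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (path, domain) map to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_ticket_cookies(headers: List[str]) -> List[str]:
    """Return one finding per logon ticket cookie missing Secure or HttpOnly.

    Other cookies (e.g. JSESSIONID) are ignored; an empty list means every
    ticket cookie seen was marked Secure and HttpOnly.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != TICKET_COOKIE:
            continue
        missing = [a for a in ("secure", "httponly") if a not in cookie["attrs"]]
        if missing:
            findings.append(f"{cookie['name']}: missing {', '.join(missing)}")
    return findings


# Constructed sample Set-Cookie values, not captured from a real system.
SAMPLE_HEADERS = [
    "MYSAPSSO2=EXAMPLETICKET1; path=/; domain=.example.com; Secure; HttpOnly",
    "MYSAPSSO2=EXAMPLETICKET2; path=/; domain=.example.com",
    "JSESSIONID=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_ticket_cookies(SAMPLE_HEADERS):
        print(finding)
```

Only the second sample header produces a finding, because the ticket cookie is set without the Secure attribute, which is exactly the situation enforce_secure_cookie is meant to prevent.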
2 Using Logon Tickets with User Mapping
The portal user ID is mapped to the ABAP user ID in the SAP reference system. By default, the mapped user ID is stored in encrypted form in the UME database.
The portal user ID can also be mapped to an LDAP directory, but there the mapped user ID is stored unencrypted, so it is best to ensure that users have no edit permission on the LDAP directory.
3 Using User ID and Password with User Mapping
When Single Sign-On with user ID and password is used, the user ID and password are sent across the network.
We strongly recommend that you protect the connections to the backend systems using HTTPS or SNC to prevent the user ID and password from being read by an unauthorized user. We strongly recommend that you install the full version of the SAP Java Cryptographic Library if you use user mapping. This toolkit is required so that user mapping data can be stored in encrypted form. If the toolkit is not deployed, user mapping data is stored with weak encryption (Base64 encoding), which is not recommended for production systems.