
HeaderVariableLogonModule plus logon with alias

Former Member
0 Kudos

We are currently running SAP Biller Direct on standard ECC 6.0 with NW 7.0 AS JAVA, which from a security perspective works the same way as most SAP java web frontends, using configuration via the visual administrator. We are using the ABAP system as a user store rather than the java UME. We have the following requirements for users logging into Biller Direct:

1) Users must log in using our existing SSO solution (webseal)

2) User IDs may be long (e.g. michelle.wetzler.at.company.com)

In order to support the long user IDs in dev, we set LoginWithAlias=True in the BasicPasswordLoginModule. (Since we are using the ABAP user store and the technical ID has a max of something like 8 characters, we utilize the alias field in SU01 to store long IDs like michelle.wetzler.at.company.com).

We are now trying to set up SSO in dev. We have enabled the HeaderVariableLogonModule to interpret the logon from webseal. HeaderVariableLogonModule doesn't have an option for LogonWithAlias, so now our logins are only working for technical IDs (e.g. MWETZLER), and login with a long ID (alias) fails.

Below is the login module stack we have currently set. It only works for login using a technical ID. The way we were hoping it would work is this: if the Header Variable login failed (e.g. can't login user michelle.wetzler.at.company.com since it doesn't exist as an ABAP technical ID), the system would pass this ID to the Basic Password Login Module, where it would succeed (since michelle.wetzler.at.company.com is a valid alias in the backend).

Evaluate Ticket Login Module SUFFICIENT

Header Variable Login Module REQUISITE

Create Ticket Login Module SUFFICIENT

Basic Password Login Module REQUISITE LogonWithAlias=true

Create Ticket Login Module OPTIONAL

I am posting this to the forums in the hopes that someone with more experience with login module stacking might be able to point us in the right direction. Is it possible to stack the modules in this manner or do we need to create a custom headervariablelogonmodule that works with alias?

Reference: the various login modules that come with SAP:

http://help.sap.com/saphelp_nw70/helpdata/en/96/a75742b6081053e10000000a155106/content.htm

5 REPLIES 5

Former Member
0 Kudos

> Total Questions: 8 (7 unresolved)

Try the search. I'm going skiing.

tim_alsop
Active Contributor
0 Kudos

Michelle,

I helped a customer a few years ago with a similar problem - they were using WebSeal and the user names were long, so they wanted to map the long name onto a shorter name which matches the SAP user, so that an SSO2 ticket can be issued when the auth stack has completed. We found that the SAP supplied HTTP header login module was very basic and not flexible enough to do what we wanted, so we developed a new http header login module to solve the problem. Instead of using alias name, we decided to read a table which contains mapping information, mapping the external name (e.g. name in webseal) onto the SAP name. The table we used is the same table used for the same purpose on ABAP stack for SNC authentication - we chose to use this so that SNC auth and Web auth can both use the same mapping rules and the mapping can be administered in one place (e.g. in transactions like su01).

So, in summary - It should be possible to code a login module to use alias as you suggested, but the SAP supplied login module will not do what you want.

With reference to Julius's response, I am wondering what skiing has to do with HTTP headers?

Thanks,

Tim
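
Added example, not part of any post in this thread and not SAP code: a small simulation of standard JAAS control-flag evaluation over the stack from the question, assuming the AS Java stack follows those semantics. It shows that a failed REQUISITE header module ends the stack before the Basic Password module is reached, and that an alias lookup inside a header module lets the same request succeed. `header_login_ok`, `first_request` and the sample user data are hypothetical names and constructed values.

```python
# Added illustration, not SAP code. Flag rules follow the standard JAAS
# LoginContext behaviour; module outcomes below are constructed inputs.
STACK = [  # the stack from the question, in order
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def evaluate(stack, outcomes):
    """Return (authenticated, names of modules actually invoked)."""
    invoked, required_failed, any_ok = [], False, False
    for (name, flag), ok in zip(stack, outcomes):
        invoked.append(name)
        if ok:
            any_ok = True
            # SUFFICIENT success ends the stack if nothing required failed.
            if flag == "SUFFICIENT" and not required_failed:
                break
        elif flag in ("REQUIRED", "REQUISITE"):
            required_failed = True
            if flag == "REQUISITE":
                break  # control returns at once; later modules never run
    return (any_ok and not required_failed), invoked

def header_login_ok(header_user, technical_ids, alias_map=None):
    """Hypothetical header module with an optional alias -> ID lookup.

    Fails closed: a name that is neither a technical ID nor a mapped
    alias is rejected.
    """
    user = header_user
    if alias_map is not None:
        user = alias_map.get(header_user.lower(), header_user)
    return user.upper() in technical_ids

def first_request(header_user, alias_map=None):
    """Outcomes for a first SSO request: no ticket yet, no password sent."""
    technical_ids = {"MWETZLER"}  # constructed ABAP user store
    hdr = header_login_ok(header_user, technical_ids, alias_map)
    return evaluate(STACK, [False, hdr, True, False, True])

ALIASES = {"michelle.wetzler.at.company.com": "MWETZLER"}  # constructed

if __name__ == "__main__":
    print(first_request("MWETZLER"))
    print(first_request("michelle.wetzler.at.company.com"))
    print(first_request("michelle.wetzler.at.company.com", ALIASES))
```
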

Former Member
0 Kudos

Thanks Tim. We'll look into that option. Do you know how big of a development effort it is to create a custom logon module?

It seems like it wouldn't be too tough to add alias functionality to the header variable logon module, since it already exists in the basic logon module.

PS I think the skier was taking a stab at me for not closing my previous questions... I took some time today to post my resolutions to those problems. So now I have: Total Questions: 8 (3 unresolved)

Former Member
0 Kudos

Thank you Michelle.

Creating a login module is not too tough, but there are some things to take care of such as session handling. I only have experience with external ITS's connecting to the ABAP system, so for Java systems with an ABAP UME it would be a notch trickier.

Indeed, not easily searchable and my initial response was too "snappy". Thanks for following up though.

Regarding use of the alias I would also consider looking at alternatives. Transaction SU05 is obsolete now and I am not sure what SAP's plans are for having used USR02-BNAME in thousands of tables. For a while there were conversion tools (see "System Landscape Optimization Services") and the IdM now offers advanced user mapping attributes and SAML 2.0 so the horrid event of renaming an ABAP user is not as necessary as it was before.

Whether this sends the alias into depreciation and obsolescence I don't know, but might be worth considering and digging into further before you rely on it.

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

Michelle,

No, it isn't hard to write login modules, especially if your developer has written login modules before. Our developer took about 1/2 day to code the login module I mentioned earlier and then it was tested the same day and shipped to the customers.

Thanks

Tim