Solved: Header Variable Login Module used to authenticate ...

neeta_patel2 · ‎04-28-2010

HI,

We are using the header variable login module to get an sso ticket from java stack and then sending this ticket to abap to authenticate the user seamlessly to run an WD4A applaication w/o the user having to type in his/her credentials.

However, it appears that when this user id's password expires (say after 90 days) , the user is prompted (with a WAS screen) to change the ABAP password. Is this how its supposed to work or is this a bug?

So we have random occureneces of user using this capabilty seamlessly with odd occureneces of them being prompted to change their password when running the WD4A application.

There is nothing in the log files either.

Any ideas?anyone seen this?

Thanks, Neeta

Former Member · ‎04-28-2010

You can configure it, with options.

Ideally you should simply delete (deactivate button) the password if it is not to be used... but can also instruct the system to do this for you or give the user the option.

In transaction RZ11, take a look at parameter login/password_change_for_SSO and also discussions about it here on SDN (and the SAP notes which are prerequisites).

It has been around for a while, so try a search if you suspect that it might not be an original bug. If so, you should anyway open a customer message with SAP. You are however welcome to discuss the solutions here on SDN after you have researched them...

Cheers,

Julius

Former Member · ‎04-28-2010

You can configure it, with options.

Ideally you should simply delete (deactivate button) the password if it is not to be used... but can also instruct the system to do this for you or give the user the option.

In transaction RZ11, take a look at parameter login/password_change_for_SSO and also discussions about it here on SDN (and the SAP notes which are prerequisites).

It has been around for a while, so try a search if you suspect that it might not be an original bug. If so, you should anyway open a customer message with SAP. You are however welcome to discuss the solutions here on SDN after you have researched them...

Cheers,

Julius

neeta_patel2 · ‎04-29-2010

Hi Juliuis,

Thanks for your response..I did find some notes on this but did not find a solution of what to do if the user accesses the WD4A application via SSO tickets (header variable module, SSO tickets) & also logs in to SAP via the SAPGUI. In this case for the SSO ticket scenario, we do not want the change password pop-up?

Regards, Neeta

tim_alsop · ‎04-29-2010

Neeta,

If you use SNC for SAP GUI authentication, then the login/password_change_for_SSO will be useful for both SAP GUI logon and Web logon. I regularly find that companies consider SSO for GUI and then realise they need to consider Web, or vica-versa. it is hard if you only consider one of them, especially when the user store is same.

Thanks,

Tim

Former Member · ‎04-29-2010

A possible option to consider is the following combination:

login/password_change_for_SSO = 0 (no popup)

login/password_max_idle_initial = 3 days.

login/password_max_idle_productive = login/password_expiration_time + 30 days.

This means they will not be prompted when using SSO, as long as they remain active with the password and therefore run into the validity period to change it. If they are not using the password at all, and are "idle" for 30 days more than what the password would have requested a change for... then it is deleted and they need to contact the helpdesk for a new password if they even want to logon that way again.

As mentioned by Tim and one of the SAP notes which you have hopefully read already, you should first consider using SSO consistently and then simply deactivating the password at the time of creating the account already. Problem solved.

Cheers,

Julius

Header Variable Login Module used to authenticate with ABAP application