Filter AD information from Kerberos logonticket

Former Member
0 Kudos

Hi,

I have recently configured SSO with Kerberos and SPNego for a portal system, and it's working fine. The LDAP configuration is pointing to a location on Active Directory. Below this level there are some more subfolders that indicate the user type: for example, there's a subfolder administrators and a subfolder production.

At this moment all users under the folders administrators and production are able to log on to the portal by means of their user account on LDAP. Is there a possibility to filter on a specific group of users? Let's say all users from the production folder are allowed to make use of SSO, but all users from the folder administrators should get a logon screen.

I already did some testing by adding the login module "clientcertloginmodule" and tried to make use of the different rule-filter options, but it's not working. I even wonder if it's possible. Does anyone have experience or some tips?

thank you

3 REPLIES 3

desiree_matas
Contributor
0 Kudos

Hello Danny

The kind of login module to be used directly affects the application, not the user. This means that, if webdynpro applications are configured to use the spnego login module, this will be the first authentication mechanism to be checked, independently of the user.

As far as I know, the solution would be to configure a "redirect" application for the users to log on to the portal (removing the spnego login module from the "ticket" login module stack). This way, most users will use the "ticket" authentication mechanism (configured, for example, to use basic authentication), and then configure the "redirect" applications to use the spnego login module.

There are several threads which discuss this situation, for example:

/message/5811023#5811023

Regards,

Désiré

0 Kudos

> There are several threads which discuss this situation, for example:

> /message/5811023#5811023

>

> Regards,

> Désirée

I have just updated the above-mentioned thread to describe another way to fix this issue.

former_member432219
Active Participant
0 Kudos

Hi Danny

If you refer to the blog by Holger here

[New SPNego login module - just around the corner|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567] [original link is broken]

where the SPNego add-on is discussed, in the comments below the blog someone asks a very similar question.

You could use the various 'user mapping' options available with the new SPNEGOLoginModule to restrict the number of users that can authenticate with SPNego, or you could use a custom login module (an example is given in the blog comments) to check if users are members of a group whose members are to be restricted.

Hope this helps
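
The custom login module approach mentioned in the last reply, sketched with plain JAAS as an added example (not code from this thread or from the referenced blog). It filters on the OU from the original question rather than on a group; the shared-state key `example.user.dn`, the `restrictedOu` option, and how the module is placed in the SAP login module stack are assumptions.

```java
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Vetoes SSO for accounts whose LDAP DN lies under a restricted OU.
public class OuFilterLoginModule implements LoginModule {
    // Assumption: an earlier module in the stack stored the user's DN under this key.
    static final String DN_KEY = "example.user.dn";
    private Map<String, ?> sharedState;
    private String restrictedOu;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = sharedState;
        Object ou = options.get("restrictedOu"); // hypothetical option, e.g. administrators
        this.restrictedOu = (ou == null) ? null : ou.toString();
    }

    // Parses the DN into RDNs, so text inside a CN value or an escaped comma cannot
    // fake or hide an OU component the way a substring match on the DN could.
    static boolean isUnderOu(String dn, String ou) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("OU".equalsIgnoreCase(rdn.getType())
                    && ou.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean login() throws LoginException {
        Object dn = sharedState.get(DN_KEY);
        // Fail closed: no DN or no configured OU means SSO is refused.
        if (dn == null || restrictedOu == null) throw new LoginException("SSO refused");
        try {
            if (isUnderOu(dn.toString(), restrictedOu))
                throw new FailedLoginException("SSO not permitted for OU " + restrictedOu);
        } catch (InvalidNameException e) { throw new LoginException("unparseable DN"); }
        return true;
    }
    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
}
```

Whether a failure here sends the user to the logon screen depends on the flags of the surrounding login module stack, which this sketch does not configure.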