
SAML2: Possibility to preset username in logon dialog

former_member322681
Discoverer

Hello there,

I've got a SAML2 Authentication running (IDP = SAP Portal; SP = ABAP HCM) and everything works fine so far.

Now I've got the requirement that this kind of authentication must be used in a kiosk scenario too.

In this scenario only the password is provided for the corresponding employee, the user id is created automatically and must be preset in the logon dialog.

( In the next step an alternate logon dialog should be provided for this case with just the password field visible...)

I'm already able to get the user id, but I've got no possibility to fill in this ID in the logon dialog of my IDP.

I've tracked down the problem, but the only solution I've found so far on ABAP side is to enhance the generated redirect URL to the IDP with the parameter "j_username".

https://idp.server.com/saml2/idp/sso?SAMLRequest=...&j_username=john

Is it possible to define custom parameters for an IDP Redirect-Url or is the only solution to enhance / modify the corresponding class generating this URL?

I'm not very familiar with logon procedures, so other solution hints are welcome, too!

Many thanks in advance.

Greetings

Kai Fischer
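To make the proposed enhancement concrete, here is an added example (not code from the thread or from SAP) that builds an SP-initiated HTTP-Redirect binding URL like the one above, appends the extra j_username parameter with proper percent-encoding, and decodes the URL back to confirm the AuthnRequest survived intact. The AuthnRequest XML is constructed sample data, the request is unsigned, and whether the IdP honours j_username on its SSO endpoint is exactly the open question of the thread, not something this code can settle.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

# IdP SSO endpoint taken from the thread; hostname is a placeholder.
IDP_SSO_URL = "https://idp.server.com/saml2/idp/sso"


def encode_saml_request(authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_request(value: str) -> str:
    """Inverse of encode_saml_request, as the IdP would apply it."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(authn_request_xml: str, relay_state: str = None,
                       preset_user: str = None) -> str:
    """Assemble the redirect URL the SP sends the browser to.

    j_username is the IdP logon-form field the thread proposes to preset
    (assumption: it is not a documented parameter of the SSO endpoint).
    urlencode percent-encodes every value, so a username containing
    '&' or '=' cannot smuggle further query parameters into the URL.
    """
    params = {"SAMLRequest": encode_saml_request(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    if preset_user is not None:
        params["j_username"] = preset_user
    return IDP_SSO_URL + "?" + urlencode(params)


def parse_redirect_url(url: str) -> dict:
    """What the IdP side sees: decode the request and read the extra parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        "authn_request": decode_saml_request(query["SAMLRequest"][0]),
        "relay_state": query.get("RelayState", [None])[0],
        "preset_user": query.get("j_username", [None])[0],
    }
```

Signed redirects (SigAlg and Signature parameters) must be signed over the encoded query string, so any extra parameter has to be added before signing, not appended afterwards.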

Accepted Solutions (0)

Answers (1)

former_member182254
Active Participant

Hello Kai,

Can you describe the scenario in more detail? Do you mean by kiosk scenario a shared computer used by multiple users? How is the process triggered to generate the user id, how is the password provided to the user, on which system is this done - Portal, AD, HCM?

Best regards,

Dimitar Mihaylov

former_member322681
Discoverer

Hello Dimitar,

yes, it's a shared computer used by multiple users with a special browser on it to wipe out personal stuff (Documents, Cookies...). The user on this system is identical for all employees.

The user id is generated for every employee by our admins via LDAP for every personal number. To identify the corresponding employee, I gain access to their time card via card reader and then I can read out the system user for this employee based on the stored personal number.

The initial password is given to them by post ...

The content of the time card is predefined, access credentials are not permitted.

Greetings

Kai

former_member182254
Active Participant

Hello Kai,

One possibility would be the following:

1. Configure RFID-based authentication using Secure Login Server and Secure Login Client. As a result a short-lived X.509 certificate will be issued for the user.

2. Configure the Portal with two-factor authentication: the first factor shall be the certificate issued at step 1 and the second factor will be the password. In this case the user id will be preset and cannot be changed.

Documentation:

1. RFID-based authentication -

2. Two-factor authentication with certificate and password - Risk-Based Authentication Login Module Options - One-Time Password Authentication - SAP Library

Regards,

Dimitar

former_member322681
Discoverer

Hello Dimitar,

thanks for the links.

Your approach seems interesting and I have to go deeper into the gory details in the near future to check out if we can manage this internally with the given resources 😉

Greetings

Kai