10-27-2010 3:29 PM
Hi,
I have recently configured SSO with Kerberos and SPNego for a portal system, and it's working fine. The LDAP configuration is pointing to a location on Active Directory. Below this level, there are some more subfolders that indicate the user type: for example, there's a subfolder administrators and a subfolder production.
At this moment all users under the folders administrators and production are able to log on to the portal by means of their user account on LDAP. Is there a possibility to filter on a specific group of users? Let's say all users from the production folder are allowed to make use of SSO, but all users from the folder administrators should get a logon screen.
I already did some testing by adding the login module "clientcertloginmodule" and tried to make use of the different rule-filter options but it's not working. I even wonder if it's possible. Has anyone experience or some tips?
Thank you
10-28-2010 7:20 AM
Hello Danny
The kind of login module to be used directly affects the application, not the user. This means that, if Web Dynpro applications are configured to use the spnego login module, this will be the first authentication mechanism to be checked, independently of the user.
As far as I know, the solution would be to configure a "redirect" application for the users to log on to the portal (removing the spnego login module from the "ticket" login module stack). This way, most users will use the "ticket" authentication mechanism (configured, for example, to use basic authentication), and then configure the "redirect" applications to use the spnego login module.
There are several threads which discuss this situation, for example:
Regards,
Désiré
10-28-2010 1:07 PM
10-28-2010 10:37 AM
Hi Danny
If you refer to the blog by Holger here
[New SPNego login module - just around the corner|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567] [original link is broken]
where the SPNego add-on is discussed, in the comments below the blog someone asks a very similar question.
You could use the various 'user mapping' options available with the new SPNEGOLoginModule to restrict the number of users that can authenticate with SPNego, or you could use a custom login module (an example is given in the blog comments) to check if users are members of a group whose members are to be restricted.
Hope this helps