
Anonymous Portal with Personalization and SSO

Former Member
0 Kudos

My customer would like to serve portal content without forcing the user to log in. I understand that you can serve anonymous content through the EP. My question is:

- If a user has previously logged in to the portal at some time in the past (and then they closed the browser, went home for the night, etc.), is it possible to serve personalized content to them without having to log in? The example I would like to emulate is that of Amazon.com. Amazon places a persistent cookie on my computer so that whenever I go back to Amazon.com I see "Jack's Store". The only time I have to log in again is when I want to do something that requires security such as "checking out". The problem is that our portal allows for single sign-on to other applications. So, while it's perfectly acceptable for someone to browse to our portal and see things like project news (personalized), I still want them to have to authenticate if they click on the single sign-on links if they haven't given their password in the last hour. Is this possible?

Accepted Solutions (1)


detlev_beutner
Active Contributor
0 Kudos

Hi Jack,

First, welcome to SDN!

About your question: Generally, this is possible. You would have to implement the persistent cookies and the whole functionality on your own; there is no standard support for this within EP, but that's just Java development.

And to restrict access to the content you have to be logged in for, you will have to set the authentication scheme appropriately, i.e. not to anonymous.

The last question you will have to decide is how the user is forced to log in. If you just offer links within DetNav with AuthScheme set to default, clicking on this will open the login screen at the place where the iView is expected. If that's OK for you - nothing to do in addition. If not, get a clear picture of what behaviour you would expect (and probably you will have to lay hands on code to achieve your aim...).

Hope it helps

Detlev

PS: Please consider rewarding points on SDN if an answer is helpful. Thanks in advance!

Former Member
0 Kudos

Does that mean that if I implement my own custom persistent session mechanism that the user is essentially logged in all of the time? If so, would I be able to read the user's security authorizations so that I could display content based on their roles?

detlev_beutner
Active Contributor
0 Kudos

Hi Jack,

> that the user is essentially logged in all of the time?

No, definitely not, and that's the same (I hope) how Amazon works - you are not logged in! There are just the persistent cookies on your client used to determine which content will be shown, but the server only assumes that the client is used by user xyz. For functionality where authentication is required, the user first must log in (before, the server could read the expected user from the cookie, but the user object (spoken in UME terms) is not authenticated).

> would I be able to read the user's security authorizations so that I could display content based on their roles?

Yes and no. PCD content which needs authentication won't show up before the user logs in again (and after that, an authenticated user object exists), but for sure you can ask programmatically if a user has the right a.b.c. on object d.e.f....

Hope it helps

Detlev

Former Member
0 Kudos

So it looks like I can do what I need to do provided that I am willing to maintain some custom code. One last question - do you think future EP upgrades would cause problems for me if I committed to building my own session handling capabilities?

Thanks!

detlev_beutner
Active Contributor
0 Kudos

Hi Jack,

> do you think future EP upgrades would cause problems for me if I committed to building my own session handling capabilities?

Normally not, this custom code won't touch EP APIs which are subject to change. But you will see what you'll use, and the more dependent you are on SAP APIs, the more care you should take...

> my own session handling capabilities?

Just one technical remark: Using persistent cookies does not mean "session handling" in the pure technical sense. The Java (SAP) session (or PortalComponentSession or whatever) is killed after some (short) time, but you'll use the persistent cookie to access user personalized data. This again you may associate with the session.

Hope it helps

Detlev
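The split described in this thread, as an added example (not code posted by anyone in the thread, and not an SAP EP or UME API): a signed persistent cookie that only names the assumed user for personalization, and a separate check that SSO links require a password login within the last hour. The class and method names, the cookie layout, the HMAC signing and the sample values are all assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.*;
import java.util.*;

// Hypothetical helper; nothing here is an SAP EP / UME class.
public class PersonalizationCookie {
    private static final Duration STEP_UP_WINDOW = Duration.ofHours(1); // "last hour" from the question
    private final SecretKeySpec key;
    PersonalizationCookie(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Persistent cookie value: userId|expiryEpochSeconds|hmac (layout assumed for this example).
    String issue(String userId, Instant expires) throws Exception {
        String payload = userId + "|" + expires.getEpochSecond();
        return payload + "|" + sign(payload);
    }

    // Returns the *assumed* user for personalization only; never an authenticated identity.
    Optional<String> assumedUser(String cookie, Instant now) throws Exception {
        String[] p = cookie == null ? new String[0] : cookie.split("\\|", -1);
        if (p.length != 3 || !p[1].matches("\\d{1,18}")) return Optional.empty();
        byte[] expected = sign(p[0] + "|" + p[1]).getBytes(StandardCharsets.UTF_8);
        boolean intact = MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8));
        boolean fresh = now.getEpochSecond() < Long.parseLong(p[1]);
        return intact && fresh ? Optional.of(p[0]) : Optional.empty();
    }

    // SSO links need a password login within the last hour, whatever the cookie says.
    static boolean mayFollowSsoLink(Instant lastPasswordLogin, Instant now) {
        return lastPasswordLogin != null && !lastPasswordLogin.isAfter(now)
                && Duration.between(lastPasswordLogin, now).compareTo(STEP_UP_WINDOW) <= 0;
    }

    public static void main(String[] args) throws Exception {
        PersonalizationCookie pc = new PersonalizationCookie("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        Instant now = Instant.now();
        String cookie = pc.issue("jack", now.plus(Duration.ofDays(30))); // constructed sample user
        System.out.println("personalize for: " + pc.assumedUser(cookie, now));
        System.out.println("tampered cookie: " + pc.assumedUser(cookie.replace("jack", "jill"), now));
        System.out.println("SSO after 2h idle: " + mayFollowSsoLink(now.minus(Duration.ofHours(2)), now));
        System.out.println("SSO after 10 min: " + mayFollowSsoLink(now.minus(Duration.ofMinutes(10)), now));
    }
}
```

The timestamp passed to `mayFollowSsoLink` has to come from server-side state written at the moment of a real password login, not from the cookie, since the cookie only tells the server who the client is assumed to be.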
