on 04-03-2009 5:23 PM
Hi
We have implemented Windows integrated authentication - Spnego and UME is configured with Microsoft Active Diretory in our EP7 SP17.
However, due to security requirements for ESS/MSS, there is a requirement to disable this windows integrated authentication for the portal.
The disabling "windows integrated authentication" in the Internet Explorer is causing other issues for applications like Sharepoint etc and also this is not desired options, as the user can be reset the same.
My questions:
1) How to force users logon to Portal?
2) Is it possible to enforce logon when clicking on any tabs withinthe portal? e.g when I click on MSS it should ask for password
Would appreciate your views on this.
Regards
Chandu
Chandu,
Recently we had a similar requirement with WIA for SSO. We made it work by developing a custom login module and added to the login stack with REQUISITE flag. This custom login modules placed after SPNego module in the stack.
Thanks
Vinay P
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You could maybe setup another authscheme for the ESS/MSS iViews which had a higher level value and caused a new logon stack to be used.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Authschemes are only at View and page level. Creating a new one can be found here: http://help.sap.com/saphelp_nw70/helpdata/EN/d3/1dd4516c518645a59e5cff2628a5c1/frameset.htm
Hi Michael,
We could explore this solution, as we can change the authentication scheme for certain pages, which are sensitive.
I am going thru the information you suggested.
Our UME is configured with Active Directory. Do I need to create new authentication sheme to force users to supply user name and password? I changed the auth schema to uidpwdlogon, but it is not asking for username and password.
Regards
chandu
The best as Tobias said is a separate portal without kerberos. That way the user will need to enter a username/password.
Personally I would push back and find out what the perceived problem is. This issue comes up quote a lot and it comes mostly from confusion on the part of the business. As a portal user I want my liufe as simple as possible - making me re-enter credentials doesn't do that.
I fully agree with what you said.
We have recently gone live with ESS/MSS and feedback from the Manager is that Portal should have logon, as they don't lock their computer when they leave desk for few minutes. The desktop is locked after 30 minutes as per Windows config.
So, we are trying to ascertain what options we have to enforce logon and also logout/timeout portal, if the session is idle more than 5 minutes.
Regards
Chandu
So, I'd suggest to management that they enforce locking the Windows desktop after 5 minutes. If the problem is that some people walk away from their desk and don't lock their PC, then why upset all users? If I have to reaunthenticate to the portal every 5 minutes, then it makes me a lot less productive.
It sounds like management think that ESS/MSS are the only activities that a user does that need extra levels of security. This is dangerous thinking.
Hi,
I can only agree with this. SSO is THE advantage of portals over other solutions. And SSO to the portal is even more an advantage.
Michael is also right at where to look for the solution. If your users don't lock the computer, even 5 minutes idle time is too much. In 5 minutes (coffee break time) another user can do really, really bad things. Even considering forcing a new logon for ESS/MSS, what about E-Mails? File access? And 30 Minutes? Looks like the people working there are really honest or good at concealing security breaches ...
It should be better if you consider a new security policy. Teach the users to lock the computer when they leave. Forcing a new logon for acessing ESS/MSS won't really make it more user friendly or make the useres realize the benefits of ESS/MSS over the portal. It's also not the solution for the underlying security problem. It will make things even more worse.
br,
Tobias
I fully agree with you guys about SSO. But, have to go with the Management decisions.
As explained, we have configured our Portal with Windows integrated authentication and are looking to remove windows integrated authentication without affecting UME as LDAP?
Removing SPN with setspn -d would disable windows integrated authentication?
Regards
Chandu
Hi,
yes, removing the SPN will deactivate SSO for your portal. (Alternative and better solution: change your CIO)
To ensure that nobody will hijack the session after the user has left the computer unlocked, your users have at least to close the browser to prevent misuse of ESS/MSS.
Or you'll have to configure the session timeout of the portal to =< 5 Minutes.
br,
Tobias
Hi,
with session timeout I mean: the lifetime of a portal session.
When your currently security policy is set to a 30 minute limit for locking the session and you want to trim it down to 5 minutes mainly because of the ESS/MSS log-in requirement, you should also consider lowering the session timeout to a similiar value.
It doesn't make sense to set an automatic timeout of 5 minutes to the workstation, when the lockout is set to 8h in the portal.
A user can hijack the computer after 4 min 59 sec. When the timeout of the portal session is set to 8h, he can still access the ESS/MSS data. If the timeout of these is set to <5 minutes (consider the thinking time of ESS/MSS), the hijacker / hacker can't gain access to the ESS/MSS in the portal.
But this will only work when your users don't write their passworts down and pin them next to the computer.
BTW: smartcards and thin clients will resolve almost all of your security concerns. I think the portal also supports smartcard authentication (not sure).
br,
Tobias
Hi,
when SSO (Kerberos) is configured, everytime a user acesses the portal he will get logged in automatically.
To prevent this, you could install a separate portal for ESS/MSS. This portal will be running under a different FQDN, therefore SSO between Portal + Browser won't work. This portal instance also has to be confiured to not acceppt the Logon Ticket from the other portal.
If a seperate portal isn't feasible:
- the portal needs to be available under 2 FQDNS. 1 is configured for Kerberos SSO, the other one not, like: portal.company.com and mss.company.com
- when the user clicks on MSS/ESS, you'll have to implement a component that will remove the logon information from the browser (internally calling the logoff logic from the masthead).
- with clicking the link, the user will access MSS/ESS under the non-SSO-enabled FQDN (mss.company.com).
br,
Tobias
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
10 | |
10 | |
8 | |
7 | |
7 | |
6 | |
6 | |
5 | |
5 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.