Application Development Discussions

How to remove the SAP login screen

bruce2
Explorer
0 Kudos

Hi Experts,

We have a requirement to configure our portal to authenticate with our institutional IdP.  We have configured the portal as a service provider to accept SAML tickets from the IdP.  The problem we are experiencing is that the IdP has a greater number of users than our portal user store.  Therefore, a scenario we have noticed is that if a user (who exists in the IdP but not the portal) tries to log in, they will be prompted with the SAP login screen.  We would like to remove this, perhaps by redirecting back to the IdP.  We tried removing the Basic Authentication login module from the login stack but this did not resolve this issue.

We are using portal version 7.31 SPS 11 and the IdP is Shibboleth.

Could you help us?

Thanks.

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

Is this a good idea? What if your IdP is down and you need to perform some administration task, how will you log on? Anyway, I am not sure how you can remove the basic authentication, but you could try to use a custom login module. It could be set up with higher priority than basic auth, and it could also have a failsafe mechanism included to do nothing if some URL parameter is provided. This would then switch back to basic auth.

Cheers

3 REPLIES 3

Former Member
0 Kudos

Hello

Removing the BasicPasswordLogin module will not help. In fact, if the user is not available on the Portal, it cannot log in even with username and password.


As far as redirecting user back to the IdP is concerned, you will have to customize SAMLLoginModule. There you will have to differentiate between situations when a userid is not present in Portal UME and when a user authentication fails for some other reason.


Cheers,
Tapan

bruce2
Explorer
0 Kudos

Just a quick follow-up. We have not completed this 100% to our satisfaction but we are making progress. Here is some documentation of what we have done so far.

At this point we have it working so that a user that does not exist will get the Identity Provider page. Then if it is an unknown user in the IdP they get the Portal login page. The User and Password fields do not work on the login page. Even with a correct user and password one cannot go any further. Ideally they would not get the Portal login screen but get passed back to the Identity Provider page.

We did this by:

1. Create a custom template based on the ticket template.

2. Add SAML2LoginModule to the authentication stack. Remove the BasicPasswordLoginModule.

3. Include Forced Reauthentication

4. In Authentication and Single Sign-On we changed ticket to our custom template.

5. We edited the Authschemes.xml and changed the default value to our custom one.

In the custom Authschemes.xml we pointed the Portal login to our custom template (where the arrow points).

Instructions on editing the authschemes.xml can be found in SAP here.

http://help.sap.com/saphelp_nw73/helpdata/en/1a/3afd4e641b8f42ac07bb77fe30375b/content.htm
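
The authschemes.xml change described in steps 4 and 5 above, sketched as an added illustration that is not part of the original post and not SAP's shipped file. The scheme name `samlonly` and the template name `custom_saml_ticket` are placeholders, and the element layout is assumed to follow the standard authschemes.xml, so compare it with your own file before editing.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative fragment only; names marked "placeholder" are assumptions. -->
<document>
    <authschemes>
        <!-- Standard scheme, left defined and unchanged. -->
        <authscheme name="uidpwdlogon">
            <authentication-template>ticket</authentication-template>
            <priority>20</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>

        <!-- Added scheme (placeholder name). It points at the custom
             template from step 1, whose login stack contains
             SAML2LoginModule and no BasicPasswordLoginModule (step 2). -->
        <authscheme name="samlonly">
            <!-- placeholder: the name given to the custom template -->
            <authentication-template>custom_saml_ticket</authentication-template>
            <priority>20</priority>
            <frontendtype>2</frontendtype>
            <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
        </authscheme>
    </authschemes>

    <!-- This section must come after <authschemes>. -->
    <authscheme-refs>
        <!-- Step 5: the default reference now resolves to the custom
             scheme instead of uidpwdlogon. -->
        <authscheme-ref name="default">
            <authscheme>samlonly</authscheme>
        </authscheme-ref>
    </authscheme-refs>
</document>
```

Leaving `uidpwdlogon` defined keeps a scheme that the default reference can be pointed back to if the IdP is unavailable, which is the administration concern raised in the accepted answer.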