Configuring SAP's Enterprise Portal for iChain Authentication
Novell Cool Solutions: Feature
By Karsten Mueller-Corbach
Posted: 28 Aug 2003
The Enterprise Portal allows you to delegate user authentication to the Novell iChain product. Novell iChain is an identity-based security product that controls access to application, Web and network resources across technical and organizational boundaries. iChain separates security from individual applications and Web servers. This enables single-point, policy-based management of authentication and access privileges throughout the Net. iChain also optimizes eBusiness-application development by leveraging fine-grained security that transcends firewalls. As a result, businesses can simplify Net access and security management, based on users' identities. Businesses can also control the use of digital assets across the extended enterprise and get more, faster, from investments in eBusiness applications.
You may also want to integrate iChain if you wish to use authentication mechanisms that are not directly supported by SAP Portals Enterprise Portal, such as token cards. When used with the Enterprise Portal, authentication with iChain works as follows: iChain authenticates the portal user through a central iChain Proxy server or proxy server farm and forwards the authenticated user ID to the Portal Server in the HTTP header (Basic Authentication String). The Portal Server, which is configured for LDAP authentication, uses the forwarded user ID to log the user on to the portal and performs no further authentication of the user. Because the portal trusts this header without verifying it, access to the Enterprise Portal must be denied to every host except the iChain proxy. An SAP logon ticket is still generated and stored in the user's browser to enable Single Sign-On within the portal.
This procedure assumes that you have installed the iChain Proxy Server and configured it against the corporate LDAP directory.
The users to be authenticated by Novell iChain must exist in the corporate LDAP directory defined in the Directory Server tab of the configuration tool (see: Defining Location of Central User Data Repository [Page 54]). Even if iChain does not authenticate users against the corporate LDAP directory, applications in the Enterprise Portal still read the user data from that directory.
To set up the Enterprise Portal for authentication using Novell iChain, you must configure both the Enterprise Portal/IIS and iChain.
Configuring Novell iChain
- In the iChain GUI, configure a new web accelerator for the URL of the Enterprise Portal.
- Define the web server address and the accelerator address and port.
- Enable Authentication and activate Forward authentication information to web server.
- Apply all changes.
- Using the console, define a new protected resource in the iChain Service Object.
- Define the URL as: server.company.com/*
- Set the access to the resource to RESTRICTED or SECURE. (If you choose SECURE, remember to define the corresponding iChain Rules.)
- For the protected resource, configure the OLAC parameters so that ICHAIN_UID maps to the LDAP attribute CN.
- Apply the changes and refresh the iChain proxy.
For more detailed information on how to perform these steps, refer to the Novell iChain documentation at http://www.novell.com/documentation/lg/ichain21/index.html
Configuring the Enterprise Portal and IIS
- Log on to the Enterprise Portal as administrator.
- Choose System Configuration -> User Management Configuration -> Authentication Server.
- Leave User Authentication Type set to LDAP.
- Do not enable FORM LOGIN Authentication.
- In the IIS Internet Service Manager, open the properties of the default web site.
- Under Directory Security, choose the IP address and Domain restriction tab.
- Deny access for all hosts except the primary address of your iChain proxy server, or the primary addresses of the iChain proxy servers in an iChain proxy server farm.
- Apply all changes.
- Restart IIS and the Java servlet engine, if necessary.
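The trust model that the steps above set up has two parts: the portal takes the user ID straight out of the forwarded Basic Authentication String without checking the password, and the IIS IP restriction is the only thing that guarantees the header really came from an iChain proxy. The following Python snippet is an added example that models exactly that check; it is not code from the article, from SAP or from Novell, and the proxy addresses in TRUSTED_PROXY_ADDRESSES are constructed placeholders standing in for the primary addresses of your own iChain proxy servers.

```python
import base64
import ipaddress
from typing import Optional

# Constructed placeholders for the primary addresses of the iChain proxy
# servers (a farm of two). Replace with the real addresses of your proxies.
TRUSTED_PROXY_ADDRESSES = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}


class AccessDenied(Exception):
    """Raised when a request must not be logged on to the portal."""


def make_basic_header(user_id: str, password: str) -> str:
    """Build a 'Basic <base64(user:password)>' header value.

    Used here only to construct sample input; iChain produces this header
    itself after it has authenticated the user.
    """
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_user_id(authorization: Optional[str]) -> str:
    """Extract the user ID from a forwarded Basic Authentication String.

    Only the user ID matters to the portal: the password part is ignored,
    because the portal performs no authentication of its own.
    """
    if not authorization:
        raise AccessDenied("missing Authorization header")
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise AccessDenied("unsupported authentication scheme")
    try:
        # validate=True rejects non-base64 characters instead of skipping them
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise AccessDenied("malformed Basic authentication string")
    user_id, sep, _password = decoded.partition(":")
    if not sep or not user_id:
        raise AccessDenied("Basic authentication string carries no user ID")
    return user_id


def portal_logon_user(remote_addr: str, authorization: Optional[str]) -> str:
    """Return the user ID the portal may log on, or raise AccessDenied.

    The forwarded identity is trusted only because the request arrived from
    an iChain proxy. This is the decision the IIS IP address restriction
    makes in front of the portal; a request from any other host is refused
    before its header is even looked at.
    """
    try:
        source = ipaddress.ip_address(remote_addr)
    except ValueError:
        raise AccessDenied("invalid source address")
    if source not in TRUSTED_PROXY_ADDRESSES:
        raise AccessDenied(f"source {remote_addr} is not an iChain proxy")
    return parse_basic_user_id(authorization)


if __name__ == "__main__":
    header = make_basic_header("jdoe", "not-checked-by-portal")
    # Request relayed by a proxy in the farm: the forwarded user ID is accepted.
    print(portal_logon_user("192.0.2.10", header))
    # Same header sent directly by some other host: refused.
    for addr in ("198.51.100.7", "192.0.2.10"):
        try:
            print(portal_logon_user(addr, "Basic !!!not-base64!!!"))
        except AccessDenied as exc:
            print(f"{addr}: {exc}")
```

The order of the two checks is deliberate: the source address is tested before the header is parsed, mirroring the fact that IIS rejects non-proxy hosts before the portal ever sees their request. If the IP restriction were missing, any client that can reach IIS could present a self-made Basic Authentication String for an arbitrary user ID and be logged on as that user, which is why the article insists on denying every host but the iChain proxy.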
When users log on to the portal, the iChain authentication dialog appears and users enter their user ID and password. If a user's browser already contains a valid iChain session cookie (from another application the user used before he or she logged on to the portal), the user can log on to the portal without any authentication dialog.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com