
SAP Single Sign-On using OTP with external passcode validation and LDAP (Virtual Users)

nelis
Active Contributor

Good day,

Before I go down the road of writing a policy script to use for the scenario of OTP external passcode validation with LDAP virtual users, I thought I'd first check here if someone has already done this and can give some pointers?

My aim is to allow Finance users the option to use OTP with passcode authentication using e.g. Google Authenticator, and the first factor would be authenticating to an internal LDAP (AD) server. These users are not included in the UME, i.e. they are virtual users. After successful authentication an X.509 certificate will be used for access. The use of certificates with LDAP authentication I have already implemented and it is working well. I just want to add OTP now without having to specifically create OTP users in the UME.

Is what I am trying to do even possible?

If this can be confirmed that it has been done then I'm happy to at least attempt developing my own policy script.

Thanks & regards,

Nelis


Answers (1)


Colt
Active Contributor

Hello Nelis,

In SAP Single Sign-On version 3.0 and higher, two-factor authentication can work with virtual users. If a user passes the first factor authentication against an external data source (for example LDAP), but does not exist in the UME database, a temporary virtual user is created for the duration of the application session in the following cases:

  • The user principal from the first factor login module is VirtualUserPrincipal. A new virtual user is then created and receives assignments for groups, roles and attributes as defined for the VirtualUserPrincipal.
  • The value of the login module option UserMappingMode is VirtualUser. A new virtual user is then created with no group, role or attribute assignments.

You are welcome

Cheers Carsten