RFC destination authentication from Non-SAP system - sap

I'm trying to call a BAPI from a non-SAP system using SAP JCo. It expects a user and password. Can a user/pwd be created specifically for the RFC destination, or should we use an actual SAP user id?

The authentication happens in SAP, thus, you must use SAP user and password to connect via jco connection string. Typically, you will need to request your SAP team to create a system user in SAP with the authorization to access BAPIs. Then, you would use jco to build the connection string or connection object with SAP server name, system number, client number, SAP system user name and password.
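
The connection object described in this answer, as an added example that is not code from the original post: an in-memory JCo destination built from server name, system number, client, system user and password. The class name, destination name and environment variable names are assumptions, and the SAP JCo 3 library must be on the classpath.

```java
import java.util.Properties;
import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;
import com.sap.conn.jco.ext.Environment;

public class RfcSystemUserConnection {
    static final String DEST = "ERP_RFC"; // hypothetical destination name

    /** Serves the logon data from memory instead of a .jcoDestination file on disk. */
    static class EnvDestinationProvider implements DestinationDataProvider {
        private final Properties props = new Properties();

        EnvDestinationProvider() {
            // Environment variable names are assumptions made for this example.
            props.setProperty(JCO_ASHOST, requireEnv("SAP_ASHOST")); // SAP server name
            props.setProperty(JCO_SYSNR, requireEnv("SAP_SYSNR"));   // system number
            props.setProperty(JCO_CLIENT, requireEnv("SAP_CLIENT")); // client number
            props.setProperty(JCO_USER, requireEnv("SAP_RFC_USER")); // SAP system user
            props.setProperty(JCO_PASSWD, requireEnv("SAP_RFC_PASSWORD"));
        }

        @Override
        public Properties getDestinationProperties(String name) {
            return DEST.equals(name) ? props : null; // null means unknown destination
        }
        @Override
        public boolean supportsEvents() { return false; }
        @Override
        public void setDestinationDataEventListener(DestinationDataEventListener listener) { }
    }

    static String requireEnv(String key) {
        String value = System.getenv(key);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + key);
        }
        return value;
    }

    public static void main(String[] args) throws JCoException {
        Environment.registerDestinationDataProvider(new EnvDestinationProvider());
        JCoDestination dest = JCoDestinationManager.getDestination(DEST);
        dest.ping(); // logs on to SAP; throws JCoException if the logon fails
        System.out.println("Logged on as " + dest.getUser() + " in client " + dest.getClient());
    }
}
```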

Related

How to implement a customized Security Support Provider to auth a user on a cloud?

I want to provide an authentication mechanism on Windows for a user on a cloud.
The credential provider mostly satisfies this requirement with the premise that the user is a local user, Microsoft account or a domain user of this PC.
But I also would like to get escalated privilege as the user, even if the user is only on a cloud, not a domain user or Microsoft account.
As far as I know, Microsoft provides a mechanism, SSP (Security Support Provider); Kerberos and NTLM implement it.
There are few documents describing SSP, such as The Windows Negotiation Extension and Writing NegoEx SSPs.
Furthermore, SpGetExtendedInformationFn in my current implementation is called, though.
But I cannot find any further information about what data I should respond to the LSA with.
Is there any sample code for SSP, or should I try another way to achieve my goal?

keycloak managed password with federated users

Is it possible to manage the password by keycloak with federated users? I have users
federated from external database and currently also the password is being checked from the external database.
Is there a possibility to register a password in keycloak for the user just after that user is created in the external database and then federated to keycloak?
My motivation is having the built in password reset functionality of keycloak not building extra SPI code for this on federated users.

It is not really clear from your question, but since you have federated users from an external database, I assume you have implemented your custom UserStorageProvider. You are also validating passwords against your external database. So, I assume you have also implemented CredentialInputValidator interface. If you have not implemented CredentialInputUpdater, I would assume what you are trying to achieve should work out of the box.
If you have implemented CredentialInputUpdater, you could try to do the following:
Within your implementation of CredentialInputValidator.isValid, first check if the user has a local password configured, e.g. like this:
    keycloakSession.userCredentialManager().isConfiguredLocally(realm, user, credentialInput.getType())
If this is the case (returns true), simply have isValid return false. In this case Keycloak should use other CredentialInputValidators and check for the locally configured password.
If this is not the case (returns false), do the password check against your external database. Iff the password is valid, silently migrate the password to Keycloak's local credential store. This could look something similar to this:
    CredentialProvider passwordProvider = keycloakSession.getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
    if (passwordProvider instanceof CredentialInputUpdater) {
        ((CredentialInputUpdater) passwordProvider).updateCredential(realm, user, credentialInput);
    }
Within CredentialInputUpdater.updateCredential make sure to update the local store in addition to the password in your database.
Now your users' passwords will be stored in Keycloak's local database / credential store and the built in password reset functionality should work as expected.
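
The steps of this answer put together as one isValid implementation, added here as an example that is not code from the answer or from the Keycloak project. `MigratingPasswordValidator` and `ExternalPasswordStore` are hypothetical names; the class assumes the Keycloak server SPI jars on the classpath and the same `userCredentialManager()` session API the answer calls.

```java
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.PasswordCredentialProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;

/** Validation half of a custom user storage provider that migrates passwords on login. */
public class MigratingPasswordValidator implements CredentialInputValidator {
    /** Hypothetical lookup against the external user database. */
    public interface ExternalPasswordStore {
        boolean verify(String username, String rawPassword);
    }
    private final KeycloakSession session;
    private final ExternalPasswordStore external;

    public MigratingPasswordValidator(KeycloakSession session, ExternalPasswordStore external) {
        this.session = session;
        this.external = external;
    }

    @Override
    public boolean supportsCredentialType(String type) {
        return PasswordCredentialModel.TYPE.equals(type);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
        return supportsCredentialType(type);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;
        // Already migrated: decline, so Keycloak's own password validator decides.
        if (session.userCredentialManager().isConfiguredLocally(realm, user, input.getType())) return false;
        // Not migrated yet: the external database is still the source of truth.
        if (!external.verify(user.getUsername(), input.getChallengeResponse())) return false;
        // Verified externally: store the password in Keycloak's local credential store.
        CredentialProvider passwordProvider = session.getProvider(
                CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
        if (passwordProvider instanceof CredentialInputUpdater) {
            ((CredentialInputUpdater) passwordProvider).updateCredential(realm, user, input);
        }
        return true;
    }
}
```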

Is there a possibility to register a password in keycloak for the user
just after the user is created in external database and then federated
to keycloak?
From the Keycloak Documentation itself:
By default, Keycloak will import users from LDAP into the local
Keycloak user database. This copy of the user is either synchronized
on demand, or through a periodic background task. The single exception
to this is the synchronization of passwords. Passwords are never
imported. Their validation is always delegated to the LDAP server. The
benefits of this approach is that all Keycloak features will work as
any extra per-user data that is needed can be stored locally. The
downside of this approach is that each time that a specific user is
queried for the first time, a corresponding Keycloak database insert
is performed.

MobileFirst Encryption / decryption user credentials

I have two questions :
1- Does MobileFirst ver 7.1.0 provide encryption functionality on the client side and decryption on the server side?
2- I need to pass username/pswd to the database through an adapter call. When I call the adapter from the client and pass these credentials, they go as a query string. How can I hide these while sending them to the server-side adapter?

Does every mobile user have his/her own username password for the database? If so this is not ideal design. The database credentials must be held in the adapter's xml and the user must be authenticated to MobileFirst using security tests and login & authentication modules.
If you still go by your original design, you can use Java adapters to accept credentials from the user through the payload of the call rather than query parameters. See https://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.dev.doc/devref/t_impl_java_adapter_JAXRS.html
Having done this, make all your calls over HTTPS for the traffic to be encrypted during transit.

SAPUI5 app with OData authentication + restriction by authorizations

I have some problems understanding the login with a SAPUI5 app connected via OData to an SAP server.
First of all, the idea is like a time recognition where I log in with the user id or username and password. Then I check if it is in the SAP backend system, and if it is, I want to show only the records for the staff number.
Am I doing it with filters, or are there some other ways?
It should be a basic authentication: when I open the app there is a popup where I need to enter my SAP system username and password, but how can I make this a login page and how can I get the parameters (every username has a staff number)?

First of all, I think you need to understand some basic concepts/architecture settings.
There are two possibilities for deploying SAPUI5 apps:
A) hosted on your SAP NW GW onPremise (no matter if central hub or not)
B) hosted on SAP Cloud Platform
Case A: deploying on SAP NW GW onPremise
In this case you could override the ICF classes to achieve custom login and logout, explained here: https://blogs.sap.com/2016/11/25/sapui5-application-with-custom-login-and-logout-option/ | I will not explain this in further depth
Case B: hosting a SAPUI5 App on SAP Cloud Platform
In this case you need to understand the architecture to determine what you want.
If your SAP Cloud Platform hosts the SAPUI5 application you can read data from an SAP Backend using SAP Cloud Platform Destination Services (which means a destination, using the SAP Cloud Connector to connect to your SAP System)
In your case: First of all, the idea is like a time recognition where i login with the user id or username and password.. than i check if it is in the sapbackend system and if it is.. i want to show ONLY the records for the staffnumber..
--> I would recommend the following: If the app is hosted on SAP CP you need an S-User to access it or a respective single sign on mechanism to replace the S-User. You will not be able to replace the login from Cloud Platform with anything individual without breaking security terms. Then you need a SAP NW GW OData Service in your SAP Backend. You further need SAP Cloud Connector paired with your SAP System and with your SAP CP instance. Having both things in place requires creating a destination pointing to your OData Service. If you got these things in place you could easily select the destination when creating an SAPUI5 Application via templates.
Help Links:
SSO for SAP CP:
https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/
Destinations in SAP CP:
https://www.sap.com/developer/tutorials/hcp-create-destination.html
https://blogs.sap.com/2018/03/09/understanding-destination-types-available-in-sap-cloud-platform-mobile-service/
https://www.sap.com/developer/tutorials/teched-2016-3.html
Cloud Connector Setup:
https://www.sap.com/developer/tutorials/hcp-cloud-connector-setup.html
SAP NW GW OData Service
https://blogs.sap.com/2016/05/31/odata-service-development-with-sap-gateway-code-based-service-development/
Have fun

creating a role based authentication system in Postgresql

I am writing software in Java that connects to a Postgres db via JDBC. How can I create an authentication system so that a user can connect to the db with a predefined db role and create tables that will have a reference to this user?

You have to mention the username, authentication type, database name and the server IP from where you are connecting in the pg_hba.conf file of the PostgreSQL database cluster.
If you want the user to be authenticated from that IP automatically, mention the authentication type as trust, or you will have to create a .pgpass file mentioning the username and its credential in it.