Stacking LoginModules in SSO Configurations

Use login module stacking to enable role-based authorization for MBOs and data change notification (DCN).

Stacking LDAPLoginModule, LDAPAttributer, and SAPSSOTokenLoginModule to enable role-based authorization with SSO

Neither the SAPSSOTokenLoginModule nor the CertificateAuthenticationLoginModule extracts role information. If MBOs and MBO operations have roles assigned, stack login modules to get roles for the user, using one of these methods:
  1. If SAP is configured to use LDAP/Active Directory as JAAS providers within its Java stack for granting an SSO2 token, configure a stacked LDAPLoginModule pointing to the same LDAP/Active Directory to separately authenticate and retrieve roles. This method assumes the user name and password credentials are authenticated by those modules as well.
  2. Rely on the "csi-userrole" provider.

See Configuring an LDAP Authentication Module in Sybase Control Center online help.

Stacking modules to enable DCN with SSO

Stack multiple LoginModules with an appropriate set of controlFlag settings to enable DCN in the same SSO-enabled package. All DCN operations require the "DCNUser" logical role in the named security configuration (role mapping applies). This requires an additional LoginModule that performs authorization and can assign a physical role. The stacked modules authenticate DCN users and grant them the DCN role. The ordering of modules and the control flag settings in the security configuration can vary. For example:
  1. The SAPSSOTokenLoginModule is first in the list with the control flag set to "sufficient". If authentication succeeds, none of the other LoginModules are called unless their control flags are set to "Required".
  2. A LoginModule for DCN users that is also "sufficient", and is paired with a module that retrieves roles.
See Stacking Multiple Security Providers.
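
The example stack above, as an added Python model of the control-flag evaluation (not Sybase code and not part of the original page). It shows which modules are called for an SSO user and for a DCN user, and whether each ends up with the "DCNUser" logical role. Assumptions: the name DCNLoginModule, the credential strings, the physical role dcn_physical, the overall success rule, and the merging of roles from every module that succeeds.

```python
from dataclasses import dataclass, field

@dataclass
class Module:
    name: str
    flag: str                                  # "sufficient" or "required"
    users: dict = field(default_factory=dict)  # credential -> physical roles

    def login(self, credential):
        """Return the granted physical roles, or None if login fails."""
        roles = self.users.get(credential)
        return None if roles is None else set(roles)

def evaluate(stack, credential, role_map):
    """Return (authenticated, logical_roles, names_of_modules_called)."""
    called, roles = [], set()
    satisfied = any_success = required_failed = False
    for m in stack:
        # Page rule: after a "sufficient" success only "required" modules run.
        if satisfied and m.flag != "required":
            continue
        called.append(m.name)
        granted = m.login(credential)
        if granted is None:
            required_failed |= m.flag == "required"
            continue
        any_success = True
        roles |= granted
        satisfied |= m.flag == "sufficient"
    # Assumption: success needs one passing module and no failed "required" one.
    ok = any_success and not required_failed
    logical = {role_map.get(r, r) for r in roles} if ok else set()
    return ok, logical, called

def dcn_allowed(stack, credential, role_map):
    """DCN operations need the logical role "DCNUser" after role mapping."""
    ok, roles, _ = evaluate(stack, credential, role_map)
    return ok and "DCNUser" in roles

# Constructed sample stack, credentials and role mapping.
STACK = [
    Module("SAPSSOTokenLoginModule", "sufficient", {"sso-token-alice": []}),
    Module("DCNLoginModule", "sufficient", {"dcn-svc-credential": ["dcn_physical"]}),
]
ROLE_MAP = {"dcn_physical": "DCNUser"}

if __name__ == "__main__":
    for cred in ("sso-token-alice", "dcn-svc-credential", "unknown"):
        print(cred, evaluate(STACK, cred, ROLE_MAP), dcn_allowed(STACK, cred, ROLE_MAP))
```

In this model the SSO user authenticates at the first module and never reaches the DCN module, so it is not granted "DCNUser"; only the credential handled by the second module receives the role.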