Force logoff users who were logged in via Fiori launchpad - sap-fiori

We know that Fiori launchpad in frontend communicates with background by a stateless technology.
But now there is a demand that all users have to be logged off forcefully, no matter whether these users were logged in by SAP GUI or Fiori launchpad. When a report program is running in SAP GUI, all users have to be logged off.
Now what I know are:
Function module TH_DELETE_USER is useful for users who logged in by SAP GUI.
Those users who were logged in by Fiori launchpad can't logoff by this FM or SM04 without any error message.
Launchpad users can't be logged out by deleting security sessions in SM05.
Could anyone tell me whether there are methods which could invalidate launchpad user authentications?
ABAP methods are best, but other technologies are welcome too.

Related

How do you automatically look up Microsoft teams app tenant id

We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about stream lining the company wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once consent process redirected back to your web site, you can do your own customer onboarding if required.

Graph Web application authentication single sign on

I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/
Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.

Multiple Facebook Apps backed by same Spring Boot application

So I was following the below (classic) tutorial for spring boot with facebook:
https://spring.io/guides/tutorials/spring-boot-oauth2/
Everything is working fine, however I can't find documentation to help me implement my specific use case. So here it goes:
I'll have two facebook apps: one for the owner and another for the regular user
These two facebook apps will ask for different permissions (ex: for owner app it'll ask for permission to post in the fanpage and for the regular user it'll only for basic user info)
There will be two real application being one mobile (iOS and Android) and another browser based application (that's not really relevant)
REST API will be secured based on roles, meaning that the owner will have the OWNER role and the regular user will have the REGULAR_USER role, so that, for example, the regular user won't be able to call the API to post on the fanpage
Both applications will make it possible to login with or without facebook, because I need an users table to store more information and so
Eventually regular user can login as owner if he/she downloads the **owner* app
So, to summarize, I need:
Two facebook apps to be backed by same spring boot application
The ability to authorize an user with APP ID X and assign OWNER role and the ability to authorize an user with APP ID Y and assign role REGULAR_USER
To be able to configure (in the YML) two different facebook apps
The user to be able to merge existing account with facebook if he authorizes later on
I guess that's it. I'll edit later if I find more useful information to provide.
Thanks!
There is Dave Syer's project that shows how to set up an Authorization Server and multiple Resource Servers in the same app.
Similar question with solution: OAuth2 SSO for multiple resource servers with spring boot and jHipster

Single sign-on flow using ASP.NET MVC + Active Directory

I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified against AD) or their Facebook/Twitter account. What I'm still in the dark about is if the application/authentication flow I came up with is actually feasible. This is how it should work:
User logs into the SSOP with his AD account (using a custom form where he enters these credentials). The SSOP verifies these credentials against AD and logs the user into the SSOP accordingly. The SSOP then offers the user to start any of the applications he has access to (based on his group memberships in AD). These applications are built by various third parties and are not all .NET based. Clicking one of these applications in the SSOP should log the user into this application using the credentials authenticated against AD that were used to enter the SSOP. I currently do not know how this should be done, e.g. by using claims or some sort of auth token? Obviously the receiving application should support whatever option we choose, which means we're looking for a best practice of some sorts.
The social login part of the SSOP should work somewhere along the following lines: The user logs in using his social account. The first time he does, he also has to enter his AD account credentials so we can link his social account to a specific AD account. Every subsequent time the user logs in with his social account the SSOP should log in the linked AD user. That way the SSOP always uses a valid AD account to authenticate to the applications it offers the user. This also makes it easier to administrate the user base since these are all stored in AD. The social login links and any other SSOP specific data is stored in a custom data store (MS SQL db).
I've been looking into the ThinkTecture IdentityServer, but have yet to figure out how it can be used in this scenario or if this scenario is even feasible.
So, the question basically is: is this authentication flow even possible or remotely best practice? If so, where to begin? And if not, what is?

Proper way to manage user session for OAuth2

We are using google oauth2 permitting users to use their existing google accounts to log in to our system.
After being authenticated what is the proper way to manage active user session in our app for ex.
Let's suppose the user has logged in to our system with google account A. Then user logs out/changes google account to account B but not within our app but rather from its gmail. Should we also log him out him from our app???
(which seems to me bizarre and impossible as soon as there should be google API to check that the given user at the given time is logged in to google services).
The only way which seems to me reasonable is to invalidate user session after given timeout and only then we could make user re-pass oauth2 authorization flow.
Thanks in advance for your help.
The access_token or id_token your acquire from the Google OAuth2 Login flow is not coupled with the login sessions in the various Google apps (gmail, plus, ....).
There's no way for your app to know that the the user logged out of his gmail. Your app shouldn't care.
If your web app makes it clear to the user what account has been used to login initially (by displaying a username/picture or other info retrieved from the Google User Info call you should be ok.
Most users will not try to link your web application session with a gmail session for example.

Resources