Logon to SAP NetWeaver Portal using Certificates

andr_siegling
Participant
0 Kudos

Hello,

I want to configure a Portal that allows users to log on using Certificates (e.g. as it is on SAP Service Marketplace). I was able to configure the portal in a way so that it checks for a certificate of the user and asks for a user/password if it is not available.

Unfortunately I do not fully understand how I can use and configure the portal so that it creates the certificates for the users. I found that we have to set up a PKI to do this. Since we only have the portal that uses the certificates, my question is as follows: What is the easiest way to generate the certificates for the users?

Thanks for any help and hints.

Best regards,

André

Edited by: André Siegling on Jan 25, 2011 5:01 PM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> as it is on SAP Service Marketplace

Is this an intranet facing portal or an internet facing portal?

How many (different) applications on the portal are required by the users?

Do these all have the same user store and which one is that?

Sorry for the questions, but they make a difference...

Cheers,

Julius


mvoros
Active Contributor
0 Kudos

Hi,

probably as you know, you need to create a certificate for each user which is signed by the portal's certificate. Usually, a company has already deployed a PKI solution and it's just also used for SAP authentication. Setting up a PKI is not a trivial thing and there are many solutions from many vendors. If you want to have a quick/dirty solution then I would try OpenSSL and some kind of script which would generate a valid certificate. The problem is how you want to handle cases like a stolen certificate. Maybe what's your main motivation for using certificates?

Cheers

0 Kudos

Dear Martin,

thanks for your answer.

My main motivation is that users do not have to enter the user/password combination. This shall ensure quick and easy access to the portal. If OpenSSL is quick and dirty, is there a better but not too complex product or solution? I do not want to crack that small nut with a sledgehammer.

Best regards,

André

mvoros
Active Contributor
0 Kudos

I don't know about any simple solutions but maybe somebody else does.

Anyway, it looks like you are looking for an SSO solution. If your clients are connected to a Windows domain then you can try to reuse this infrastructure. Check note 352295 which describes Microsoft SSO options. Basically, you can use the domain controller as Kerberos KDC and use SPNego to authenticate the user. Check also the notes referenced in this note.

Cheers

Former Member
0 Kudos

Hi,

I agree that using SPNego/Kerberos is much easier for users.

We do have an internal PKI and are currently distributing smart cards including a personal client certificate.

This works fine for SAP authentication (it is somewhat tricky when you end the SSL connection on the web dispatcher) but if the users don't have to type a user/password, they do have to insert their smart card in the card reader and type their PIN.

And they don't really see a difference between a password and a PIN!

Therefore we decided to use SPNego/Kerberos.

In that case we had trouble with the unsupported (and forbidden in my company) web browsers (Opera, Firefox, Safari, Chrome) but it works perfectly with the official web browser IE.

Regards,

Olivier

0 Kudos

Dear All,

thanks for your answers.

> connected to Windows domain

No, the users are from different places and do not use one Windows domain.

> Is this an intranet facing portal or an internet facing portal?
>
> How many (different) applications on the portal are required by the users?
>
> Do these all have the same user store and which one is that?

The portal is accessed through the internet and is offered as an external-facing portal. We have one single Portal "entrance" and are using several applications from different backend servers (e.g. Transaction and URL iViews). We have one user store behind this portal; it is an ERP ABAP system.

Regards,

André

Former Member
0 Kudos

> The portal is accessed through the internet and is offered as external facing portal. We have one single Portal-"entrance" and are using several applications from different backend servers (e.g. Transaction- and URL-iViews). We have one userstore behind this portal, it is an ERP-ABAP-system.

Good that I asked...

It will certainly be worth your while to look into [SAML 2.0|http://www.sdn.sap.com/irj/sdn/security?rid=/library/uuid/30fe0e7b-b334-2d10-45b0-f35afb25a5bc] then as an alternative and hold the horses back on your own PKI for the internet...

The options are well described in the document.

As you seem to not have many users for this scenario (?) and if I can assume that you are using UME roles from there to handle access to applications in the portal, then you could get away with a relatively low cost SAML compliant ID provider.

If it is however complex, then an IdM is the way to go for managing the access.

That would be my advice for the direction to go if you want to depart from passwords.

Cheers,

Julius

mvoros
Active Contributor
0 Kudos

> ... as alternative and hold the horses back on your own PKI for the internet...

You don't need to have a PKI for the internet if you have an internet facing portal. Look at service.sap.com. You can get a certificate and use it instead of typing username/password.

In this case I don't see how SAML could help. As far as I understand this case it's not really about SSO. Andre wants to simplify authentication. Here you have 2 options: reuse another authentication process (SSO) or use a different authentication mechanism. The first one is not possible because it's an external portal, so for example it can't reuse Windows domain authentication. Regarding the second option I can think of only one way to avoid entering username and password. That option is using certificates. It shouldn't be that hard to write a simple application which would use some external library such as OpenSSL to generate a certificate which the user could import into his browser. I am more worried about all those issues like stolen certificates and so on. Implementing your own PKI is a risky business.

Cheers

Former Member
0 Kudos

> Look at service.sap.com

This authentication only works for S-users (as well as SAP employees) who are active accounts in SAP's AD. That works via the internet for SAP customers and employers (e.g. from each other's networks but their own devices) as well.

With a SAML IdP you have a lot more flexibility in choosing the source of the first authentication and managing complex access rights through to the backend.

But you are correct: if there are not too many users to manage and they are smart enough to periodically generate a client certificate and they are physically attached to their own personal devices, then a Certificate Authority or even an OpenSSL solution is another option.

I guess it would be useful to know how many users there are and how the authentication through from the NW portal to the ABAP backend system is going to be replaced. Also how much user context information is needed on the backend system still, if at all anymore.

I think we need more information here still before we can safely conclude that a client certificate is appropriate for an internet scenario.

> I am more worried about all those issues like stolen certificate and so on.

From my SDN experience it is more often a case of people losing their certificates and user IDs than one of other people stealing them. The vast majority of the 2 million users are using passwords and those who are active seem to be happy with the password reset service --> also an option.

Cheers,

Julius

0 Kudos

Thanks a lot for your answers - I will at first try to implement something like OpenSSL and afterwards compare it to SAML - then we will finally decide.

Regards,

André
