01-25-2011 4:01 PM
Hello,
I want to configure a Portal that allows users to log on using certificates (e.g. as it is on SAP Service Marketplace). I was able to configure the portal in a way so that it checks for a certificate of the user and asks for a user/password if it is not available.
Unfortunately I do not fully understand how I can use and configure the portal so that it creates the certificates for the users. I found that we have to set up a PKI to do this. Since we only have the portal that uses the certificates, my question is as follows: What is the easiest way to generate the certificates for the users?
Thanks for any help and hints.
Best regards,
André
Edited by: André Siegling on Jan 25, 2011 5:01 PM
01-28-2011 1:06 PM
> as it is on SAP Service Marketplace
Is this an intranet facing portal or an internet facing portal?
How many (different) applications on the portal are required by the users?
Do these all have the same user store and which one is that?
Sorry for the questions, but they make a difference...
Cheers,
Julius
01-26-2011 12:54 AM
Hi,
As you probably know, you need to create a certificate for each user which is signed by the portal's certificate. Usually, a company has already deployed a PKI solution and it is then also used for SAP authentication. Setting up a PKI is not a trivial thing and there are many solutions from many vendors. If you want to have a quick/dirty solution then I would try OpenSSL and some kind of script which would generate a valid certificate. The problem is how you want to handle cases like a stolen certificate. Maybe: what's your main motivation for using certificates?
Cheers
01-28-2011 9:55 AM
Dear Martin,
thanks for your answer.
My main motivation is that users do not have to enter the user/password combination. This shall ensure quicker and easier access to the portal. If OpenSSL is quick and dirty, is there a better but not too complex product or solution? I do not want to crack that small nut with a sledgehammer.
Best regards,
André
01-28-2011 10:15 AM
I don't know about any simple solutions but maybe somebody else does.
Anyway, it looks like you are looking for an SSO solution. If your clients are connected to a Windows domain then you can try to reuse this infrastructure. Check note 352295 which describes Microsoft SSO options. Basically, you can use the domain controller as a Kerberos KDC and use SPNego to authenticate the user. Also check the notes referenced in that note.
Cheers
01-28-2011 10:31 AM
Hi,
I agree that using Spnego/Kerberos is much easier for users.
We do have an internal PKI and are currently distributing smart cards including a personal client certificate.
This works fine for SAP authentication (it is somewhat tricky when you end the SSL connection on the web dispatcher) but if the users don't have to type a user/password, they do have to insert their smart card in the card reader and type their PIN.
And they don't really see a difference between a password and a PIN!
Therefore we decided to use spnego/Kerberos.
In that case we ran into trouble with the unsupported (and forbidden in my company) web browsers (Opera, Firefox, Safari, Chrome), but it works perfectly with the official web browser IE.
Regards,
Olivier
01-28-2011 3:45 PM
Dear All,
thanks for your answers.
> connected to Windows domain
No, the users are from different places and do not use one Windows domain.
> Is this an intranet facing portal or an internet facing portal?
> How many (different) applications on the portal are required by the users?
> Do these all have the same user store and which one is that?
The portal is accessed through the internet and is offered as an external facing portal. We have one single Portal "entrance" and are using several applications from different backend servers (e.g. Transaction and URL iViews). We have one user store behind this portal; it is an ERP ABAP system.
Regards,
André
01-28-2011 6:35 PM
> The portal is accessed through the internet and is offered as an external facing portal. We have one single Portal "entrance" and are using several applications from different backend servers (e.g. Transaction and URL iViews). We have one user store behind this portal; it is an ERP ABAP system.
Good that I asked...
It will certainly be worth your while to look into SAML 2.0 (http://www.sdn.sap.com/irj/sdn/security?rid=/library/uuid/30fe0e7b-b334-2d10-45b0-f35afb25a5bc) then as an alternative and hold the horses back on your own PKI for the internet...
The options are well described in the document.
As you seem to not have many users for this scenario (?) and if I can assume that you are using UME roles from there to handle access to applications in the portal, then you could get away with a relatively low-cost SAML-compliant ID provider.
If it is however complex, then an IdM is the way to go for managing the access.
That would be my advice for the direction to go if you want to depart from passwords.
Cheers,
Julius
01-28-2011 8:09 PM
> ... as alternative and hold the horses back on your own PKI for the internet...
You don't need to have a PKI for the internet if you have an internet facing portal. Look at service.sap.com. You can get a certificate and use it instead of typing username/password.
In this case I don't see how SAML could help. As far as I understand this case, it's not really about SSO. Andre wants to simplify authentication. Here you have 2 options: reuse another authentication process (SSO) or use a different authentication mechanism. The first one is not possible because it's an external portal, so for example it can't reuse Windows domain authentication. Regarding the second option, I can think of only one way to avoid entering username and password. That option is using certificates. It shouldn't be that hard to write a simple application which would use some external library such as OpenSSL to generate a certificate which the user could import into his browser. I am more worried about all those issues like stolen certificates and so on. Implementing your own PKI is a risky business.
Cheers
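The OpenSSL route Martin sketches above (and in his first reply), as an added example that is not code from any poster in this thread: a throwaway issuing CA, a client certificate packed as PKCS#12 for browser import, the revocation step (a CRL) that covers the stolen-certificate worry, and the verification a TLS endpoint would perform. The CA name "Demo Portal", the user "alice", the CA_DIR variable and the export password are constructed placeholders; how the portal is configured to trust ca.crt and consult ca.crl is SAP-side configuration that the script does not cover.

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal OpenSSL issuing flow for
# browser client certificates, plus the revocation step (CRL) for a stolen or
# lost certificate. "Demo Portal", "alice" and the export password are
# constructed placeholders; configuring the portal to trust ca.crt and to
# check ca.crl is outside this script.
set -e

WORKDIR="${CA_DIR:-$(mktemp -d)}"   # absolute path; every function cds into it

# Step 1: create the private issuing CA whose certificate the portal trusts.
setup_ca() {
  mkdir -p "$WORKDIR/ca" && cd "$WORKDIR/ca"
  : > index.txt                     # CA database, one line per issued cert
  echo 1000 > serial
  echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = portal_ca
[ portal_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
organizationName = optional
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
default_md = sha256
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -days 3650 -extensions ca_ext \
    -subj "/O=Demo Portal/CN=Demo Portal Client CA"
}

# Step 2: issue a client certificate (clientAuth only, so it cannot double as
# a server or CA cert) and pack it as PKCS#12 for browser import. The key is
# generated centrally here for brevity; in a real deployment it is generated
# on the user's device and only the CSR is sent to the CA.
issue_client_cert() {
  user="$1"
  cd "$WORKDIR/ca"
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout "$user.key" \
    -out "$user.csr" -subj "/O=Demo Portal/CN=$user"
  openssl ca -config ca.cnf -batch -notext -extensions client_ext \
    -in "$user.csr" -out "$user.crt"
  # The .p12 is what the user imports; its password protects the key in transit.
  openssl pkcs12 -export -inkey "$user.key" -in "$user.crt" -certfile ca.crt \
    -name "$user@Demo Portal" -out "$user.p12" -passout pass:changeit-placeholder
}

# Step 3: revoke a stolen/lost certificate and publish a fresh CRL. Revocation
# only bites if the portal (or the proxy terminating TLS) checks this CRL.
revoke_client_cert() {
  user="$1"
  cd "$WORKDIR/ca"
  openssl ca -config ca.cnf -batch -revoke "$user.crt" -crl_reason keyCompromise
  openssl ca -config ca.cnf -batch -gencrl -out ca.crl
}

# Step 4: what the TLS layer effectively does: check chain, clientAuth purpose
# and, once a CRL exists, revocation. Exit status 0 = accept, non-zero = reject.
verify_client_cert() {
  user="$1"
  cd "$WORKDIR/ca"
  if [ -f ca.crl ]; then
    cat ca.crt ca.crl > trust_with_crl.pem
    openssl verify -purpose sslclient -crl_check -CAfile trust_with_crl.pem "$user.crt"
  else
    openssl verify -purpose sslclient -CAfile ca.crt "$user.crt"
  fi
}

if [ "${1:-}" = "demo" ]; then
  setup_ca
  issue_client_cert alice
  verify_client_cert alice && echo "alice: accepted"
  revoke_client_cert alice
  verify_client_cert alice || echo "alice: rejected after revocation"
fi
```

Run it as `sh issue_client_cert.sh demo` to see the full cycle: the freshly issued certificate verifies, and the same certificate is rejected as soon as it is on the CRL. The revocation and CRL check are the part of the "write a small application around OpenSSL" idea that is easy to leave out and that decides whether a lost laptop is an inconvenience or an open door; the CRL also has to be re-published before `default_crl_days` elapses, or clients that check it will start failing on an expired CRL.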
01-28-2011 9:06 PM
> Look at service.sap.com
This authentication only works for S-users (as well as SAP employees) who are active accounts in SAP's AD. That works via the internet for SAP customers and employees (e.g. from each other's networks but their own devices) as well.
With a SAML IdP you have a lot more flexibility in choosing the source of the first authentication and managing complex access rights through to the backend.
But you are correct: if there are not too many users to manage and they are smart enough to periodically generate a client certificate and they are physically attached to their own personal devices, then a Certificate Authority or even Open SSL solution is another option.
I guess it would be useful to know how many users there are and how the authentication through from the NW portal to the ABAP backend system is going to be replaced. Also how much user context information is still needed on the backend system, if at all anymore.
I think we need more information here still before we can safely conclude that a client certificate is appropriate for an internet scenario.
> I am more worried about all those issues like stolen certificate and so on.
From my SDN experiences it is more often a case of people losing their certificates and user IDs than one of other people stealing them. The vast majority of the 2 million users are using passwords and those who are active seem to be happy with the password reset service --> also an option.
Cheers,
Julius
02-01-2011 10:49 AM
Thanks a lot for your answers - I will at first try to implement something like OpenSSL and afterwards compare it to SAML - then we will finally decide.
Regards,
André