06-17-2011 11:02 AM
Hi.
We've set up our Portal to log in by either client certs or basic authentication. The client cert is stored on a smart card device. On each access to the smart card, a dialog prompts the user to enter the password of the smart card.
Some users have several user IDs. A client certificate can IMHO only be mapped to one user ID. First question: Is it possible to map a client cert to more than one user ID in UME?
2)
If the smart card is in the card reader and the user opens the portal login page, the portal always requests the client certificate (since it is present). If the user clicks Cancel, an error page is shown. The user should have the ability to log in using basic authentication (user/password), even if the certificate is present. At the moment we need to advise the users to remove the smart card before trying to log in. What I am looking for is something like
https://portal.com/irj/login&j_authscheme=basicauthentication <- do not request client cert, prompt for userid password
https://portal.com/ijr/login/certlogonportlet <- requests client cert
Thanks for your help
Philipp
06-17-2011 12:22 PM
Hi,
Question 1: I don't think it's possible to map a client cert to several user IDs. IMHO, it would not make sense.
Question 2: Check whether your Portal login stack is correctly configured: this should be possible to achieve.
Regards,
Olivier
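As an added illustration (not code from this thread, from SAP, or from any real UME configuration), the following Python simulates the standard JAAS login-module flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that login-module stacks of this kind follow. The module names, the certificate-to-user map and the user store are constructed placeholders, not NetWeaver class names. It shows why a cancelled certificate prompt ends in a failed logon when the certificate module is REQUIRED, but falls through to user/password when it is OPTIONAL or SUFFICIENT.

```python
"""Simulation of JAAS login-module stack evaluation.

Constructed example: module names, user store and cert map are
placeholders, not SAP NetWeaver/UME classes or data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Module:
    name: str
    flag: str  # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    login: Callable[[Dict[str, str]], bool]


def run_stack(stack: List[Module], creds: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Evaluate a stack with standard JAAS semantics; return (authenticated, trace).

    REQUIRED  : must succeed, evaluation continues regardless.
    REQUISITE : must succeed, a failure aborts the stack immediately.
    SUFFICIENT: a success ends evaluation (if no earlier REQUIRED/REQUISITE failed).
    OPTIONAL  : result only matters if no REQUIRED/REQUISITE module exists.
    """
    trace: List[str] = []
    any_required = False
    required_failed = False
    optional_succeeded = False
    for m in stack:
        ok = m.login(creds)
        trace.append(f"{m.name}({m.flag}): {'ok' if ok else 'fail'}")
        if m.flag in ("REQUIRED", "REQUISITE"):
            any_required = True
            if not ok:
                required_failed = True
                if m.flag == "REQUISITE":
                    break  # REQUISITE failure aborts the stack
        elif m.flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, trace  # short-circuit: no later module is consulted
        elif m.flag == "OPTIONAL":
            optional_succeeded = optional_succeeded or ok
        else:
            raise ValueError(f"unknown flag {m.flag}")
    if any_required:
        return (not required_failed), trace
    return optional_succeeded, trace


# Constructed sample data (not real accounts or certificates).
USERS = {"philipp": "s3cret"}
CERT_TO_USER = {"CN=Philipp,O=Example": "philipp"}  # one certificate -> one user ID


def client_cert_login(creds: Dict[str, str]) -> bool:
    """Succeeds only if a certificate was presented and maps to a known user."""
    return CERT_TO_USER.get(creds.get("cert", "")) is not None


def basic_password_login(creds: Dict[str, str]) -> bool:
    """Succeeds only if user and password were supplied and match."""
    user = creds.get("user")
    return user in USERS and USERS[user] == creds.get("password")


def stack(cert_flag: str) -> List[Module]:
    """Certificate module with the given flag, followed by basic auth as REQUISITE."""
    return [
        Module("ClientCert", cert_flag, client_cert_login),
        Module("BasicPassword", "REQUISITE", basic_password_login),
    ]


# Constructed requests: the smart-card prompt was cancelled (no cert sent),
# but the user typed a valid password; and a request carrying only the cert.
CANCELLED_CERT = {"user": "philipp", "password": "s3cret"}
WITH_CERT = {"cert": "CN=Philipp,O=Example"}

if __name__ == "__main__":
    for flag in ("REQUIRED", "OPTIONAL", "SUFFICIENT"):
        ok, trace = run_stack(stack(flag), CANCELLED_CERT)
        print(f"cert cancelled, ClientCert {flag:10s} -> {ok}  {trace}")
    ok, trace = run_stack(stack("SUFFICIENT"), WITH_CERT)
    print(f"cert present,   ClientCert SUFFICIENT -> {ok}  {trace}")
```

With ClientCert as REQUIRED the cancelled prompt fails the whole logon even though the password was correct, which matches the error page described in the question; with OPTIONAL or SUFFICIENT the stack falls through to BasicPassword. The simulated cert map is deliberately one-to-one, so a certificate resolves to exactly one user ID. The actual flags and module order on a NetWeaver system are whatever the configured policy says; this code only models the evaluation rule.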
06-17-2011 10:22 PM
For the ABAP stack you can force the logon screen.
For Java stacks you would need to make it application specific.
I agree with Olivier - the use case for 1) is suspect.
If your problem is that system admins are also ESS end users (for example), then you can give them a different network zone to work from as admin, with a different SSO ID. From a risk perspective it is the same... you should only give admin access to people whom you trust and who accept being monitored.
Cheers,
Julius
06-20-2011 9:05 AM
Well, as for case 1, our customers have used the ABAP stack for several years. Many users access ABAP using a smart card with an SNC connection. In ABAP stacks with SNC enabled, the user can choose the user/client at the login screen. A user can have several test users, all assigned to the certificate (SNC name in SU01). I think this should be possible in the Java stack as well.
thanks, Philipp