"Auto-register" user by SSO client certificate?

Hi,

We are running an application in WebDynpro ABAP on NW 7.31.

The application shall be usable by everyone in the company with minimal effort. Everyone has a client certificate installed in their browsers and we want to do pretty much SSO using the X509 certificates.

But as far as I understand, this works only once a user account has been created with the correct information (OU, CN etc. specified). Is there any way we can get around this and avoid the manual user creation process? Ideally, we want every user to visit our site and to be logged in on the first visit already.

Licensing is not an issue and security is also secondary... it is just essential to be as low effort as possible for the end-user to get into our application and to still be somehow "distinguishable" (not completely anonymous). It would be also sufficient if the application runs under a generic user account, but somehow we would need to understand the user ID from the certificate. In other programming languages / web servers this should not be very complex, but I just don't find a way in AS ABAP.

Regards,

Bruno


Hi,

Here is just an idea from what I did for a somewhat similar requirement.

Hundreds of users had to call a BSP application in an R/3 4.7 system. It was not possible to create a SAP R/3 account for these people but we wanted to control who was allowed to access the BSP and we wanted to know who used the BSP.

Here is my workaround.

The SAP BSP application runs with a generic user configured in SICF.

There is a SAP Web Dispatcher in front of SAP R/3 for HTTP load balancing.

We installed IIS web servers doing NTLM authentication and we programmed a small ASP application.

The URL for the application is answered by the IIS ASP application.

The IIS servers use NTLM to authenticate the Windows user and check if this user is part of the Windows group authorised to run the application.

The IIS application calls a special login BSP on R/3 which sends a specific unencrypted cookie.

The IIS application sends a redirect to the user browser and the cookie.

The URL from the redirect calls the BSP application with the Windows user as a parameter and sends the cookie to the BSP application.

The BSP application checks the cookie and if it is OK, displays the application for the user.

The SAP web dispatcher filters the access to the login BSP with the IP addresses of the IIS servers.

The SAP web dispatcher creates a special HTTP log file which contains the Windows user of the BSP application.

This workaround is kind of tricky but has been running successfully in production for 5 years with 500 users.

Hope this helps.

Olivier


In your case, it might be possible to run the application with a generic ABAP user but to extract the user from the X.509 certificate and to generate an HTTP log file containing the user.

Olivier


Hi Olivier,

That would be a perfect solution for me; I wonder how I can get to the X509 certificate from ABAP coding, though.

Regards,

Bruno


Hi Bruno,

I've never worked on the subject but I would try it this way:

Use a SAP Web Dispatcher in front of the ABAP system and use it to terminate the SSL connection.

Use the web dispatcher parameter icm/HTTPS/client_certificate_header_name to send the client certificate in a header field.

Then set up an HTTP log file on the ABAP ICM using the LOGFORMAT option with the parameter %i (name of a request header field, e.g. %{user-agent}i).

Check http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/442541e0804bb8e10000000a42189b/frameset.htm for details.

Good luck because I don't know if my idea is good...

Regards,

Olivier
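As an added example (not Olivier's code and not SAP's), this Go program shows what the backend side of that setup has to do with the forwarded certificate: accept the header only from the dispatcher that terminated TLS (the same trust boundary Olivier's earlier IP filter enforces, since any direct client could otherwise inject a forged header), decode and parse the certificate, and map its subject CN to a user ID for the log. The header name SSL_CLIENT_CERT, the dispatcher address 10.0.0.5 and the base64-DER encoding of the header value are assumptions; the test certificate is constructed in the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// Hypothetical header name; it must equal the value set for icm/HTTPS/client_certificate_header_name.
const certHeader = "SSL_CLIENT_CERT"
// Constructed Web Dispatcher address: only it may supply certHeader, since any direct client could forge one.
var trustedProxies = map[string]bool{"10.0.0.5": true}

// UserFromForwardedCert maps the forwarded client certificate to a user ID (its subject CN); remoteIP is the TCP peer.
func UserFromForwardedCert(remoteIP string, headers map[string]string) (string, error) {
	if !trustedProxies[remoteIP] {
		return "", errors.New("certificate header only accepted from the web dispatcher")
	}
	der, err := base64.StdEncoding.DecodeString(headers[certHeader]) // assumed: base64 DER in the header
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der) // also fails when the header is missing or malformed
	if err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate subject has no CN to use as user ID")
	}
	return cert.Subject.CommonName, nil
}

// MakeTestCert builds a constructed self-signed certificate with the given CN and OU and
// returns it base64-encoded, the way the dispatcher would forward it in the header.
func MakeTestCert(cn, ou string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return base64.StdEncoding.EncodeToString(der)
}
```

The returned CN is what would go into the ICM log line via %{SSL_CLIENT_CERT}i or be used to look up the user; a request arriving from any other address, or without a parseable certificate, yields an error instead of a user.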


In this case all you want is authenticated access with generic authorizations. Why not use a self-registration scenario? (see the documentation on FM BAPI_USER_CREATE1).

If the user does not exist, then the user ID is created and assigned a generic reference user with limited access to use the application, or sufficient to request more correct access.

"Licensing is not an issue and security is also secondary..."

Or make a public anonymous service out of it?

Cheers,

Julius


Hi Julius,

Thanks for the input. I thought a little more about the issue today and think that I was a little on the wrong track.

Probably it is better to have the user account either auto-created via LDAP sync or through some kind of simple self-registration, like you mentioned. Basically I just need to get a user account into the system that will be mapped to the user's client certificate. My goal is to make use of the client certificate so as to reduce the complexity for end users to register. Still some experiments are necessary, but I already have good hints.

Regards,

Bruno


Out of curiosity, how many users do you have?

Also, have you considered SAML instead?

Cheers,

Julius


Potentially thousands... And somewhat fewer if it is complex to register.

About SAML: No, I didn't, and actually I do not have any clue what exactly this is or does. But I will read about it now. Thanks