SAP Identity Provider Design & Config
There are 2 SAP Java stack systems in our landscape. Following are the details about the systems:
Java stack 1: Secure Login Server and Identity Federation component (Domain A)
Secure Login Server issues X.509 certificates to provide SSO to ABAP systems.
Identity Federation component, i.e. Identity Provider, to provide cross-domain SSO.
Java stack 2: SAP IDM system (in a different domain and company) (Domain B)
I've configured the Service Provider on Java stack 2 to trust the Identity Provider of Java stack 1.
When a user from Domain A tries to access resources on Java stack 2 (Domain B) using https://<IP>:<port>/idm, he should be redirected to Java stack 1 (Identity Federation component) for authentication.
If a user has a valid X.509 certificate issued by the Secure Login Server, he should be authenticated to Identity Federation on Java stack 1 without entering a password, and a SAML 2.0 assertion should be sent back to Java stack 2. Then Java stack 2 will create a session for the authenticated user.
1. I've configured Secure Login Server, Identity Provider and Service Provider as mentioned in the document. The user has a valid X.509 certificate issued by the Secure Login Server. But when the user tries to access a resource on Java stack 2, he is never redirected to the Identity Provider. Did I miss something in the config? It would be great if you can share the document on this. I've already done everything based on a wiki guide.
2. Is it possible to use an X.509 certificate to authenticate with the Identity Provider? Is this a limitation of the SAP Identity Provider product?
Please advise if I'm on the correct track.
IDM is just an example. I want to extend this design to other Java stack systems which are outside our domain.
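The following is an added example, not part of the post and not SAP code. It checks the first hop of the SP-initiated SAML flow the post expects: an unauthenticated request to a protected URL on Java stack 2 must answer with a redirect to the IdP SSO endpoint on Java stack 1 carrying a SAMLRequest (HTTP-Redirect binding: raw DEFLATE, base64, URL-encoding). The script decodes that parameter and reports the Issuer, Destination and AssertionConsumerServiceURL so a misconfigured trust can be spotted, and it classifies the "never redirected" symptom from the post as a distinct failure. All URLs, entity IDs and the sample responses are constructed for the example; the real values come from the metadata exchanged between SP and IdP.

```python
"""Decode and sanity-check a SAML 2.0 SP-initiated redirect (constructed example)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed values for the example, not real endpoints of either system.
IDP_SSO_URL = "https://idp.domain-a.example/saml2/idp/sso"
SP_ENTITY_ID = "https://sp.domain-b.example/saml2/sp"
SP_ACS_URL = "https://sp.domain-b.example/saml2/sp/acs"

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
)


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_request(param: str) -> str:
    """Inverse of encode_redirect_request; tolerates URL-encoded or already-decoded input."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def inspect_sp_response(status: int, headers: dict, idp_sso_url: str) -> dict:
    """Classify the SP's answer to an unauthenticated GET on a protected URL.

    A working SP-initiated flow answers 302/303 with a Location on the IdP SSO
    endpoint that carries a SAMLRequest. Every other outcome is reported with a
    reason so the step that failed is visible.
    """
    result = {"redirected_to_idp": False, "reason": ""}
    if status not in (302, 303):
        result["reason"] = f"no redirect: HTTP {status}, the SP handled the request itself"
        return result
    location = headers.get("Location", "")
    parts = urllib.parse.urlsplit(location)
    target = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    query = urllib.parse.parse_qs(parts.query)
    if "SAMLRequest" not in query:
        result["reason"] = f"redirect to {target} carries no SAMLRequest (not a SAML redirect)"
        return result
    # parse_qs has already URL-decoded the value; decode_redirect_request accepts that.
    authn = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
    issuer = authn.find("saml:Issuer", NS)
    result.update(
        issuer=issuer.text if issuer is not None else None,
        destination=authn.get("Destination"),
        acs_url=authn.get("AssertionConsumerServiceURL"),
        relay_state=query.get("RelayState", [None])[0],
    )
    if target != idp_sso_url:
        result["reason"] = f"SAMLRequest sent to {target}, expected IdP SSO endpoint {idp_sso_url}"
        return result
    result["redirected_to_idp"] = True
    result["reason"] = "SP-initiated redirect to the IdP looks correct"
    return result


# Constructed sample responses: the flow the post expects, and the symptom it reports.
SAMPLE_REDIRECT = (
    302,
    {"Location": f"{IDP_SSO_URL}?SAMLRequest={encode_redirect_request(SAMPLE_AUTHN_REQUEST)}"
                 "&RelayState=%2Fidm"},
)
SAMPLE_NO_REDIRECT = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for label, (status, headers) in (("expected", SAMPLE_REDIRECT), ("observed", SAMPLE_NO_REDIRECT)):
        print(label, inspect_sp_response(status, headers, IDP_SSO_URL))
```

To run it against the real landscape, fetch the protected URL with a client that does not follow redirects (for example `requests.get(url, allow_redirects=False)`) and pass the status code and headers to `inspect_sp_response` together with the IdP SSO URL from the imported IdP metadata. An HTTP 200 or a redirect to a local logon page means the SP never engaged SAML for that URL, which is a different problem from an IdP that rejects the user's X.509 certificate; the latter only shows up once the redirect happens.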