06-06-2013 1:58 PM
Hi All,
We have upgraded our GRC to GRC 10. Our SNC product is unable to support SSO for Web Dynpros. We are evaluating usage of X.509 certificates. In our organization PKI exists. Every user has one certificate, but only for using infrastructure services. In the test phase we have used these certificates and have been successful in establishing the SSO.
However, we are not recommended to use this certificate for application authentication. Now this is where the problem arises.
As this system is pure AS ABAP, we need to know if we could have client authentication (browsers) based on OID. The reason being the OID will be unique to our application in our company's infrastructure, and it will be created by our PKI team. But I am not able to configure in STRUST and/or CERTRULE a filter based on this OID.
On one of the blogs (link below) for AS JAVA this could be possible.
So I am wondering if we can achieve this or if there is any other way to do so. We are not installing, and do not have, SAP's Secure Login Server nor Secure Login Client on client machines.
I welcome suggestions, tips and tricks to get this working only using the X.509 Certificate (SAML 2.0 & SPNEGO are currently out of scope).
Regards,
Abhijeet
06-06-2013 9:22 PM
Even if it was possible you shouldn't do that, certificates should identify persons not applications. Normal mapping is between the CN in the X.509 certificate and the SAP user name. The mapping has to be 1:1.
06-07-2013 6:16 AM
Hi Samuli, Thank you for your response. We are aware of the risks of such a setup. The risk is low as the systems will be accessed within our network, and if we don't map the email IDs of the aliases of the SAP user IDs, the login would be restricted.
Also, users with multiple certificates with the same CN are forced to choose a certificate when the application is invoked. This causes discomfort and confusion to the end users. Hence we are looking for a solution such as described.
06-07-2013 8:16 AM
Hi Abhijeet,
Just to get it right, do you intend to map all users having a certain OID to one user in ABAP?
Or do you intend to only allow X.509 based authentication for users having a specific OID in their certificate?
The first is not supported by ABAP. The second only in so far as you could try to use the subject filter of the AS ABAP certificate mapping rules to only act on certificates with a matching OID. However, I have not tried this yet.
BTW: this thread should be part of the security forum, as it is not related to the SAP NW SSO product (as explicitly stated by you).
Regards,
Patrick
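As an added illustration of the two options Patrick distinguishes (this is example code, not SAP's CERTRULE implementation): a certificate mapping rule that filters on a subject DN attribute (here a constructed RDN keyed `OID.1.2.3.4`, an assumed placeholder for the organisation's application-specific OID) and then maps the CN to an SAP user strictly 1:1, rejecting any many-to-one table. All DN values, issuer names and user IDs below are constructed.

```python
# Added example, not from the thread: a CERTRULE-style subject filter plus a
# strictly 1:1 CN -> user mapping. Rule and DN values are constructed.
import re


def parse_dn(dn):
    """Split an RFC 4514 DN string into (attr, value) pairs, honouring '\\,' escapes."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        pairs.append((attr.strip().upper(), value.replace('\\,', ',').strip()))
    return pairs


def dn_get(dn, attr):
    """All values of one attribute type in a DN (a DN may repeat an attribute)."""
    return [v for a, v in parse_dn(dn) if a == attr.upper()]


def is_one_to_one(cn_to_user):
    """True only if no two CNs resolve to the same SAP user."""
    return len(set(cn_to_user.values())) == len(cn_to_user)


class MappingRule:
    """subject_filter: every listed attribute must carry the given value.
    cn_to_user: 1:1 table of certificate CN -> SAP user name."""

    def __init__(self, trusted_issuer, subject_filter, cn_to_user):
        if not is_one_to_one(cn_to_user):
            raise ValueError("certificate to user mapping must be 1:1")
        self.trusted_issuer = trusted_issuer
        self.subject_filter = {k.upper(): v for k, v in subject_filter.items()}
        self.cn_to_user = cn_to_user

    def evaluate(self, subject_dn, issuer_dn):
        """Return the SAP user for this certificate, or None if the rule does not apply."""
        if issuer_dn != self.trusted_issuer:
            return None  # issuer is not in the rule's trust list
        for attr, wanted in self.subject_filter.items():
            if wanted not in dn_get(subject_dn, attr):
                return None  # subject filter not matched (e.g. application OID absent)
        cns = dn_get(subject_dn, "CN")
        if len(cns) != 1:
            return None  # ambiguous subject: refuse rather than guess
        return self.cn_to_user.get(cns[0])


# constructed sample rule: only certificates from the corporate CA that carry the
# application RDN are accepted, and each CN maps to exactly one SAP user
TRUSTED_CA = "CN=Corp Issuing CA, O=Example Corp"
RULE = MappingRule(TRUSTED_CA, {"OID.1.2.3.4": "GRC"}, {"Jane Doe": "JDOE"})
```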
06-10-2013 10:40 AM
Hi Patrick, Thank you for your response and the link.
The latter part of your question is the solution that we were looking at. Due to some internal support processes we will not evaluate this solution further.
As regards changing the classification of this thread, I don't know how to do that. But next time I will classify further questions on this topic in the suggested sections.
Regards,
Abhijeet Bhagat