on 11-04-2014 11:16 AM
Hello Experts,
Need some help on how to force SAP Secure Login Client to use X.509 user certificate's 'Subject Alternative Name' attribute as a mapping field for SSO instead of using 'Subject Name' field as it does out of the box.
Problem description:
We have configured NW SSO 2.0 SP04 test solution on our ERP 6.04/NW7.01 ABAP system using SAP CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe. We are using X.509 user certificates generated by our own MSAD PKI.
Secure Login Client takes the certificate's 'Subject Name' attribute field as the user's mapping field for establishing trust and allowing the user to log on to the SAP system using SSO, but the problem is that our 'Subject Name' contains a Common Name attribute which is NON-unique and contains special characters.
Having that in mind, SNC User mapping is hard to define and maintain.
Question: Is it possible to use X.509's 'Subject Alternative Name' attribute within Secure Login Client application? That field is unique for each user.
Regards,
Stanislaw Przytulski
Hello,
If you have non-unique SubjectNames in one PKI CA structure you have a problem, which should be solved on the PKI side.
But there is an option for GSS (ClientNameSource) which can be configured for Subject Alternative Names, for example the value "AltNameUPN" for the UPN subject alternative name.
The configuration files are part of the Secure Login Library package but the CommonCryptoLib will be delivered without them. Please check the Secure Login Library package under defaults.
Best regards
Alexander Gimbel
Great, thanks a lot Alexander, worked like a charm. I placed gss.xml within the DIR_EXECUTABLE kernel directory and now the ABAP system takes the SNC User Name from the SAN field of the X.509 cert. However, things are different if I'm accessing content via Web Dynpro (sapgui4html): SSO is only working if the table view VUSREXTID, with External ID type DN, is still populated with the certificate's Subject Name contents; placing the SAN there breaks SSO.
Is there a way to use the UPN (SAN) also for SSO via Web Dynpro?
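To make the two mapping fields discussed in this thread concrete, here is an added pure-Python helper (not code from the thread, from SAP, or from the Secure Login Library) that decodes a DER-encoded SubjectAltName extension value and returns the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) that the AltNameUPN setting refers to, which is the value a SAN-based mapping would have to key on instead of the Subject DN. The SAN bytes at the bottom are constructed for the example; the user name and e-mail address are made up.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN otherName (szOID_NT_PRINCIPAL_NAME)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def san_upn(ext_value):
    """Return the UPN from a DER SubjectAltName extension value, else None."""
    tag, names, _ = _tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName is not a SEQUENCE OF GeneralName")
    pos = 0
    while pos < len(names):
        tag, body, pos = _tlv(names, pos)
        if tag != 0xA0:  # only [0] otherName can carry a UPN
            continue
        oid_tag, oid_body, p = _tlv(body, 0)
        if oid_tag == 0x06 and _oid(oid_body) == UPN_OID:
            _, explicit, _ = _tlv(body, p)  # [0] EXPLICIT wrapper
            _, utf8, _ = _tlv(explicit, 0)  # UTF8String inside it
            return utf8.decode("utf-8")
    return None

def _der(tag, body):
    """Minimal DER encoder (short-form length only) for the sample data."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_san(upn, email):
    """Construct a SAN with an rfc822Name and a UPN otherName (sample data)."""
    oid = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03])
    other = _der(0xA0, _der(0x06, oid) + _der(0xA0, _der(0x0C, upn.encode())))
    return _der(0x30, _der(0x81, email.encode()) + other)

# Constructed sample: a user whose CN may collide with others but whose UPN is unique.
SAMPLE_SAN = build_san("jkowalski1@corp.example", "jan.kowalski@example.com")
```

Two certificates with the same CN but different UPNs yield the same Subject DN and distinct values from san_upn, which is exactly why the DN-keyed VUSREXTID entry cannot tell them apart while the UPN can.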
Hi Stanislaw
As far as I know VUSREXTID is the only option for mapping certificates when on NW701.
Later releases allow for mapping of certificates against other attributes i.e. alternative name. This is what we use with certs issued by SAPSSO 2.0.
Rule-Based Certificate Mapping (Transaction CERTRULE)
https://help.sap.com/saphelp_nw74/helpdata/en/c8/30fd902dc8473b9e59db1576cc784b/frameset.htm
login/certificate_mapping_rulebased = 1
Not the answer you are after, but hope it helps.
Rgrds
Craig
Thanks a lot, Craig. I'm aware of the CERTRULE tcode and its functionality and sadly, as you've mentioned, NW701 is too low to get my hands on it... Rule-Based Certificate Mapping should be available as a BASIS component upgrade rather than bumping the whole EHP, but it's just me complaining.
Thanks once again.