SSO (MSAD PKI) X.509 certificate attributes for user mapping in Secure Login Client


Hello Experts,

Need some help on how to force SAP Secure Login Client to use X.509 user certificate's 'Subject Alternative Name' attribute as a mapping field for SSO instead of using 'Subject Name' field as it does out of the box.

Problem description:

We have configured NW SSO 2.0 SP04 test solution on our ERP 6.04/NW7.01 ABAP system using SAP CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe. We are using X.509 user certificates generated by our own MSAD PKI.

Secure Login Client takes the certificate's 'Subject Name' attribute field as the user's mapping field for establishing trust and allowing the user to log on to the SAP system using SSO, but the problem is that our 'Subject Name' contains a Common Name attribute which is NON-unique and contains special characters.

Having that in mind, SNC User mapping is hard to define and maintain.

Question: Is it possible to use X.509's 'Subject Alternative Name' attribute within Secure Login Client application? That field is unique for each user.

Regards,

Stanislaw Przytulski

Accepted Solutions (1)

Former Member

Hello,

If you have non-unique SubjectNames in one PKI CA structure you have a problem, which should be solved on the PKI side.

But there is an option for GSS (ClientNameSource) which can be configured for Subject Alternative Names, for example the value "AltNameUPN" for the UPN subject alternative name.

The configuration files are part of the Secure Login Library package but the CommonCryptoLib will be delivered without them. Please check the Secure Login Library package under defaults.

Best regards

Alexander Gimbel


Great, thanks a lot Alexander, it worked like a charm. I placed gss.xml in the DIR_EXECUTABLE kernel directory and now the ABAP system takes the SNC User Name from the SAN field of the X.509 cert. However, things are different if I'm accessing content via webdynpro (sapgui4html): SSO is only working if the table view VUSREXTID, with External ID type DN, is still populated with the certificate's Subject Name contents; placing the SUN there breaks SSO.

Is there a way to use UPN (SUN) also for SSO via webdynpro?

Anyone? The above question is still valid and the issue unnecessarily complicates SSO configuration.

Answers (1)

Hi Stanislaw,

As far as I know VUSREXTID is the only option for mapping certificates when on NW701.

Later releases allow for mapping of certificates against other attributes, i.e. the alternative name. This is what we use with certs issued by SAPSSO 2.0.

Rule-Based Certificate Mapping (Transaction CERTRULE)

https://help.sap.com/saphelp_nw74/helpdata/en/c8/30fd902dc8473b9e59db1576cc784b/frameset.htm

login/certificate_mapping_rulebased = 1

Not the answer you are after, but hope it helps.

Rgrds
Craig
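Both answers in this thread come down to the same decision: which certificate field is used as the lookup key for the user mapping, the Subject Name (the out-of-the-box behaviour), the UPN from the Subject Alternative Name (ClientNameSource set to "AltNameUPN" in the accepted answer), or, on later releases, whatever attribute a CERTRULE rule selects. The Python script below is an added illustration, not code from this thread, from SAP or from the Secure Login Library; it models that choice on constructed certificate data and shows why a Subject DN built from a non-unique Common Name produces ambiguous mappings where a UPN key does not. The UserCert class, the sample users and DNs, and the DN escaping helper are assumptions made for the example; it reads no real certificates or SAP tables.

```python
"""Added example: which X.509 field makes a safe user-mapping key.

Constructed data only; UserCert is a stand-in for the parts of a certificate
that matter here, not an SAP or Secure Login Library API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UserCert:
    subject_dn: str                 # Subject Name as an RFC 4514 string
    san_upn: Optional[str] = None   # UPN otherName from the Subject Alternative Name


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute type, value) pairs.

    Honours backslash escapes so that a comma inside a CN (e.g. "Nowak\\, Jan")
    stays part of the value. Hex escapes (\\2C) and multi-valued RDNs (+) are
    not handled; that is enough for the AD-style subjects discussed in the thread.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # escaped character belongs to the value
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def canonical_dn(dn: str) -> str:
    """Canonical form used as a lookup key: upper-case types, re-escaped values,
    no spacing differences. "cn=X, ou=Y" and "CN=X,OU=Y" give the same key."""
    def esc(value: str) -> str:
        return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return ",".join(f"{attr}={esc(value)}" for attr, value in parse_dn(dn))


def mapping_key(cert: UserCert, source: str) -> str:
    """Identifier compared against the user-mapping table.

    "SubjectName" mirrors the default behaviour described in the question;
    "AltNameUPN" mirrors the ClientNameSource value named in the accepted answer.
    """
    if source == "SubjectName":
        return canonical_dn(cert.subject_dn)
    if source == "AltNameUPN":
        if not cert.san_upn:
            raise ValueError("certificate has no UPN in its Subject Alternative Name")
        return cert.san_upn.lower()     # UPNs compare case-insensitively
    raise ValueError(f"unknown ClientNameSource {source!r}")


def build_mapping(certs: Dict[str, UserCert], source: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Build key -> SAP user ID and report keys that several users would share.

    A shared key is an ambiguous mapping: the system could not tell which SAP
    user a presented certificate belongs to.
    """
    table: Dict[str, str] = {}
    collisions: Dict[str, List[str]] = {}
    for sap_user, cert in certs.items():
        key = mapping_key(cert, source)
        if key in table:
            collisions.setdefault(key, [table[key]]).append(sap_user)
        else:
            table[key] = sap_user
    return table, collisions


# Constructed sample: two different people with the same display name in the same
# OU (an AD template that puts only CN + container in the Subject), plus a CN with
# characters that need RFC 4514 escaping.
SAMPLE_CERTS: Dict[str, UserCert] = {
    "JNOWAK1": UserCert(r"CN=Nowak\, Jan,OU=Users,DC=corp,DC=example", "Jan.Nowak@corp.example"),
    "JNOWAK2": UserCert(r"CN=Nowak\, Jan,OU=Users,DC=corp,DC=example", "jan.nowak2@corp.example"),
    "SOBRIEN": UserCert(r"CN=O'Brien\, Síle,OU=Users,DC=corp,DC=example", "sile.obrien@corp.example"),
}


if __name__ == "__main__":
    for source in ("SubjectName", "AltNameUPN"):
        table, collisions = build_mapping(SAMPLE_CERTS, source)
        print(f"ClientNameSource={source}: {len(table)} usable keys, {len(collisions)} ambiguous")
        for key, users in collisions.items():
            print(f"  ambiguous key {key} -> {users}")
```

Running it shows two usable keys and one ambiguous key for the Subject Name source (both Nowak certificates collapse onto the same DN), and three unambiguous keys for the UPN source. The canonical DN form is also the kind of normalisation a VUSREXTID entry of type DN implicitly depends on: a stray space or lower-case attribute type in a maintained DN is enough to break the match.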


Thanks a lot, Craig. I'm aware of the CERTRULE tcode and its functionality and sadly, as you've mentioned, NW701 is too low to get my hands on it... Rule-Based Certificate Mapping should be available as a BASIS component upgrade rather than bumping the whole EHP, but it's just me complaining.

Thanks once again.