
Using the SLS certificate enrolled via SAP Authenticator on iOS device

Colt
Active Contributor
0 Kudos

Hi Experts,

I set up SAP Authenticator in combination with SLS and the TOTP solution to provision certificates on the iOS device.

OTP_ONLINE_USER enrollment result:

OTP initialized; 2 application profiles and one X.509 certificate issued for my user:

In order to test this, I've created an Application URL pointing to a Java Portal.

I noticed that this certificate isn't shown in the iOS "profiles" and can't be used e.g. by Safari for X.509 client authentication against a web server.

Please let me know under which circumstances one can use these certificates. Thank you.

Cheers,
Carsten

Accepted Solutions (1)

former_member200373
Participant
0 Kudos

Hi Carsten,

the quick answer is:

A certificate, better the private key and the keychain where it is stored, resides in the app's sandbox and cannot be used by other apps or even system apps. That's the well-thought-out and secure design of Apple.

You should be able to use the certificate within SAP Authenticator, i.e. if an https resource is asking for or requires TLS client authentication.

With an iOS group keychain you can share an app's keychain between other apps signed by the same vendor.

So you should be able to consume such an SAP Authenticator certificate from other SAP apps (using the same code signer and having turned on group keychains for the same ID).

-- Stephan
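
The group-keychain lookup described in this answer, as an added example that is not part of the original thread and not SAP's code: an app entitled to the same keychain access group reads the stored identity and presents it for TLS client authentication. The access group string and the identity label are hypothetical placeholders; the real group is whatever the vendor declares in the `keychain-access-groups` entitlement of its apps.

```swift
import Foundation
import Security

// Hypothetical placeholder: "<TeamID>.<group name>" as declared in the
// keychain-access-groups entitlement of every app that shares the keychain.
let sharedAccessGroup = "TEAMID1234.com.example.shared"

/// Returns the client identity (certificate plus private key) stored in the
/// shared access group, or nil if the lookup fails for any reason, including
/// this app not being entitled to the group or no matching item existing.
func loadSharedIdentity(label: String) -> SecIdentity? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        kSecAttrLabel as String: label,            // hypothetical label
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item,
          CFGetTypeID(found) == SecIdentityGetTypeID() else {
        return nil
    }
    return (found as! SecIdentity)
}

/// Answers a server's client-certificate request with the shared identity.
final class ClientCertDelegate: NSObject, URLSessionDelegate {
    let identityLabel: String
    init(identityLabel: String) { self.identityLabel = identityLabel }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let method = challenge.protectionSpace.authenticationMethod
        guard method == NSURLAuthenticationMethodClientCertificate,
              let identity = loadSharedIdentity(label: identityLabel) else {
            // Not a client-cert challenge, or no identity visible to this app.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // The private key stays in the keychain; only a reference is handed over.
        let credential = URLCredential(identity: identity, certificates: nil,
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}
```

An app signed by a different team, such as Safari in the question, cannot be entitled to this group, so the same query returns nothing there.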

Colt
Active Contributor
0 Kudos

Hi Stephan,

Helps to shed some light here. I am aware of the app sandboxing concept, so I wasn't surprised my Safari wasn't able to use the key/cert. And I've already been thinking about the fact that the SAP apps, e.g. Fiori Client, would be able to share the keychain somehow. I would appreciate it if you know about some further sources of information available about that; I guess it is more of an SMP topic, right? But helpful, thank you!

Carsten

Answers (0)