
Using Stored Certificate Mappings

Use

You can use this procedure to configure the login module stacks of applications so that the AS Java authenticates users based on an established mapping of client certificates to user IDs in the UME data source of the AS Java.

To use this mode for client certificate authentication, you have to establish a mapping between the client certificate and the user ID. The AS Java enables you to map client certificates to user IDs manually with the Identity Management functions of the AS Java. Alternatively, you can add the CertPersisterLoginModule to the login module stack for client certificate authentication to automatically map client certificates to user IDs on the first successful logon with another authentication mechanism.

Prerequisites

      You use a UME data source for a user store. For more information, see UME Data Sources.

      If you wish to store users’ client certificates in your LDAP directory, or if your users’ client certificates are already available in your LDAP directory, you need to map the relevant attributes. For more information, see Attribute Mapping for Client Certificates.

      To enable the mapping of client certificates to user IDs, the UME property ume.logon.allow_cert must be set to true. For more information, see Editing UME Properties.

Procedure

To map certificates to user IDs during logon, you have to add the login modules for client certificate authentication to the login module stacks for the applications that use authentication with client certificates. For more information about setting up login module stacks, see Login Module Stacks and Managing Policy Configurations.

       1.      Add the ClientCertLoginModule to the login module stack and configure its processing flag.


                            a.      Enter wholeCert as a value for the option Rule1.getUserFrom.

Note

This is the default behavior when you do not configure any options for the ClientCertLoginModule.

       2.      Add the login modules necessary for the fallback mechanism you are using. For example, to use Basic authentication as a fallback authentication mechanism, add the BasicPasswordLoginModule to the login module stack and configure its processing flag.

       3.      Configure the mapping between the client certificates and the user ID. This is a required configuration step for this mode, because the AS Java uses this mapping to determine the identity information for the user that is logging on.

You can map user IDs to client certificates either manually or by configuring the AS Java to map certificates to user IDs automatically during the first user logon. For more information, see the following sections:

       Maintain the certificate mapping manually.

       Maintain the certificate mapping automatically.


Result

Users can access AS Java applications with client certificates. The AS Java determines the user ID based on the mapping between the client certificate and the user ID in the UME data source.
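The following Python sketch is an added illustration, not SAP code: it models the login module stack from the procedure (ClientCertLoginModule with the wholeCert rule, BasicPasswordLoginModule as fallback, CertPersisterLoginModule for automatic mapping) to show how a stored mapping is created and later matched. The processing flags named in the comments, the SHA-256 lookup key, and all names and sample values are assumptions made for the model.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded client certificates (not real certificates).
CERT_ALICE = b"constructed-DER:CN=alice,serial=01"
CERT_ALICE_RENEWED = b"constructed-DER:CN=alice,serial=02"

class UserStore:
    """Toy stand-in for the UME data source: passwords plus certificate mappings."""
    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.cert_to_user = {}  # digest of the whole certificate -> user ID

    @staticmethod
    def key(cert):
        return hashlib.sha256(cert).hexdigest()

def client_cert_module(store, req):
    # wholeCert rule: the complete certificate must match a stored mapping;
    # subject or issuer fields alone are never consulted.
    cert = req.get("cert")
    return store.cert_to_user.get(store.key(cert)) if cert else None

def basic_password_module(store, req):
    user, pw = req.get("user"), req.get("password")
    if user in store.passwords and pw is not None:
        if hmac.compare_digest(store.passwords[user], pw):
            return user
    return None

def cert_persister_module(store, req, user):
    # Runs only after another mechanism has authenticated the user.
    # An existing mapping is never overwritten, so one certificate
    # cannot be re-bound to a second account.
    cert = req.get("cert")
    if cert and store.key(cert) not in store.cert_to_user:
        store.cert_to_user[store.key(cert)] = user

def logon(store, req):
    """Return (user_id, mechanism), or (None, None) if authentication fails."""
    user = client_cert_module(store, req)      # assumed flag: SUFFICIENT
    if user:
        return user, "certificate"
    user = basic_password_module(store, req)   # assumed flag: REQUISITE
    if not user:
        return None, None
    cert_persister_module(store, req, user)    # assumed flag: OPTIONAL
    return user, "password"
```

Because the lookup covers the whole certificate, a renewed certificate for the same subject does not match until it has been mapped again, manually or through another password logon.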

 

 
