Authentication Using X.509 Client Certificates

Purpose

With this PAS option, the user is authenticated with the SSL protocol and an X.509 client certificate; this authentication takes place between the user's Web browser and the Web server. If it succeeds, the Distinguished Name (DN) from the subject of the user's certificate is passed on to the SAP system. The SAP system looks up the user's SAP user ID in the mapping table USREXTID and creates a logon ticket for the user. The logon ticket then provides Single Sign-On to additional SAP services.

Prerequisites

For the prerequisites for using X.509 client certificates for PAS, see the following topics:

Process Flow

The flow is shown in the graphic Using SSL and X.509 Client Certificates for Authentication and described in the steps below.

The process is as follows:

  1. The user accesses the PAS service for X.509 client certificates (for example, x509).
  2. The Web server authenticates the user with the SSL protocol, verifying the client certificate (its chain of trust and the user's possession of the matching private key) in the protocol layer between the Web browser and the Web server. If this succeeds, the Web server passes the Distinguished Name from the certificate to the WGate. Only a DN that the Web server obtained from a verified certificate may be passed on; the later mapping step trusts it without re-checking the certificate.
  3. The WGate passes the DN to the PAS service on the AGate, which passes it on to the SAP system application server.
  4. The SAP system searches the external ID mapping table USREXTID for the SAP user ID assigned to this DN.
  5. If an entry is found, the PAS creates a logon ticket for the user and sets it as a cookie in the user's Web browser.
  6. The PAS redirects the user to the designated service (for example, myservice).
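The following added example is not part of the SAP documentation; it is a stand-alone simulation of steps 2 to 6 and of the Single Sign-On check that later services perform. The USREXTID rows, the certificate DNs, the signing key and the ticket layout are all constructed for the example: the ticket is a simple HMAC-signed token standing in for the real PKCS#7-signed SAP logon ticket, and the helper names (normalize_dn, lookup_sap_user, issue_logon_ticket, verify_logon_ticket, pas_x509_login) are the example's own. The table field names TYPE, EXTID, ISSUER, BNAME and ACTIVATED follow USREXTID as the author understands it and should be checked against the system.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed stand-in for the SAP mapping table USREXTID (rows invented here).
# The ISSUER column and the ACTIVATED flag are assumptions about the real table.
USREXTID: List[Dict[str, str]] = [
    {"TYPE": "DN", "EXTID": "CN=John Doe,OU=IT,O=Example Corp,C=DE",
     "ISSUER": "CN=Example CA,O=Example Corp,C=DE", "BNAME": "JDOE", "ACTIVATED": "X"},
    {"TYPE": "DN", "EXTID": "CN=Jane Roe,OU=HR,O=Example Corp,C=DE",
     "ISSUER": "CN=Example CA,O=Example Corp,C=DE", "BNAME": "JROE", "ACTIVATED": ""},
]

TICKET_KEY = b"example-signing-key"   # stand-in for the issuing system's PSE key
TICKET_COOKIE = "MYSAPSSO2"           # cookie name under which SAP sets logon tickets
TICKET_LIFETIME = 8 * 3600            # seconds; assumed value for the example


def _split_rdns(dn: str) -> List[str]:
    """Split a DN on commas, honouring backslash-escaped commas inside values."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types upper-cased, whitespace
    around '=' and ',' removed, attribute values otherwise left as they are."""
    parts = []
    for rdn in _split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def lookup_sap_user(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Step 4: map subject DN (and issuer, so an identical subject issued by
    another CA does not match) to an activated USREXTID entry."""
    subj, iss = normalize_dn(subject_dn), normalize_dn(issuer_dn)
    for row in USREXTID:
        if (row["TYPE"] == "DN" and normalize_dn(row["EXTID"]) == subj
                and normalize_dn(row["ISSUER"]) == iss and row["ACTIVATED"] == "X"):
            return row["BNAME"]
    return None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_logon_ticket(user: str, now: Optional[int] = None) -> str:
    """Step 5: signed ticket carrying user, issuing system and expiry."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"user": user, "sysid": "PAS", "exp": now + TICKET_LIFETIME},
                      separators=(",", ":")).encode()
    mac = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_logon_ticket(ticket: str, now: Optional[int] = None) -> Optional[str]:
    """What a further SAP service does for SSO: accept the user only if the
    signature is valid and the ticket has not expired."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, mac_b64 = ticket.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:
        return None
    expected = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    return claims["user"] if claims["exp"] > now else None


def pas_x509_login(ssl_client_verified: bool, subject_dn: str, issuer_dn: str,
                   target_service: str = "myservice") -> Dict[str, object]:
    """Steps 2 to 6 end to end: the DN is trusted only when the SSL layer
    verified the client certificate; otherwise nothing is looked up."""
    if not ssl_client_verified:
        return {"status": 403, "reason": "client certificate not verified by SSL layer"}
    user = lookup_sap_user(subject_dn, issuer_dn)
    if user is None:
        return {"status": 401, "reason": "no activated USREXTID entry for this DN"}
    ticket = issue_logon_ticket(user)
    return {"status": 302, "location": f"/{target_service}",
            "set_cookie": f"{TICKET_COOKIE}={ticket}; Secure; HttpOnly"}


if __name__ == "__main__":
    # Constructed certificate subject/issuer as the Web server would report them.
    print(pas_x509_login(True, "CN=John Doe, OU=IT, O=Example Corp, C=DE",
                         "CN=Example CA, O=Example Corp, C=DE"))
```

The two failure paths matter as much as the success path: a certificate that the SSL layer did not verify never reaches the table lookup, and a DN without an activated entry (or issued by a different CA) yields no ticket. Keying the lookup on the issuer as well as the subject is the example's own hardening choice; how strictly the real USREXTID lookup distinguishes issuers should be checked in the system.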

Result

No user ID or password entry is necessary for accessing the SAP system.

When the user accesses further SAP services, the logon ticket is used for Single Sign-On access.
