
Using Stored Certificate Mappings

Use

You can use this procedure to configure the J2EE Engine login module stack to authenticate users based on established mapping of client certificates to user IDs in the UME data source of the J2EE Engine.

To use this mode for client certificate authentication, you have to establish a mapping between the client certificate and the J2EE Engine user ID. The J2EE Engine enables you to map client certificates to user IDs manually with the Identity Management functions of the J2EE Engine. Alternatively, you can add the CertPersisterLoginModule to the login module stack for client certificate authentication so that client certificates are mapped to user IDs automatically on first logon.

Prerequisites

     You use a UME data source for a user store. For more information, see UME Data Sources.

     If you wish to store users’ client certificates in your LDAP directory, or if your users’ client certificates are already available in your LDAP directory, you need to map the relevant attributes. For more information, see Attribute Mapping for Client Certificates.

     To enable the mapping of client certificates to user IDs, the UME property ume.logon.allow_cert must be set to true. For more information, see Editing UME Properties and Logon.

Procedure

To map certificates to user IDs during logon, you have to add the login modules for client certificate authentication to the login module stacks for the J2EE Engine applications that use authentication with client certificates. For more information about setting up login module stacks, see Login Module Stacks and Managing Policy Configurations.

1. Add the ClientCertLoginModule to the login module stack and configure its processing flag.

...

   a. Enter wholeCert as a value for the option Rule1.getUserFrom.

Note

This is the default behavior when you do not configure any options for the ClientCertLoginModule.

2. Add the login modules necessary for the fallback mechanism you are using. For example, to use Basic authentication as a fallback authentication mechanism, add the BasicPasswordLoginModule to the login module stack and configure its processing flag.

3. Configure the mapping between the client certificates and the J2EE Engine user ID. This step is required for this mode, because the J2EE Engine uses this mapping to determine the identity information for the user who is logging on.

You can either map user IDs to client certificates manually or configure the J2EE Engine to map certificates to user IDs automatically during the first user logon. For more information, see the following sections:

     Maintain the certificate mapping manually.

     Maintain the certificate mapping automatically.

...
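The stack behaviour this procedure configures, simulated as an added example that is not SAP code: the ClientCertLoginModule looks up the whole presented certificate in the stored mappings, the BasicPasswordLoginModule is the fallback, and the CertPersisterLoginModule stores the mapping after a successful first logon. The processing flags, the in-memory stores and the module functions are assumptions for the simulation; in the J2EE Engine the flags are set in the policy configuration.

```python
import hashlib

# Constructed stand-in for the UME data source (not SAP code): stored
# certificate mappings keyed by the whole certificate, plus a password store.
UME_CERT_MAPPINGS = {}
UME_PASSWORDS = {"jsmith": "s3cret"}


def cert_key(cert_der):
    # Rule1.getUserFrom=wholeCert: the entire certificate must match the stored
    # mapping, so a renewed certificate is a new key until it is mapped again.
    return hashlib.sha256(cert_der).hexdigest()


def client_cert_module(ctx, state):
    user = UME_CERT_MAPPINGS.get(cert_key(ctx["cert"])) if ctx.get("cert") else None
    if user:
        state["user"] = user
    return user is not None


def basic_password_module(ctx, state):
    user = ctx.get("user")
    ok = user is not None and UME_PASSWORDS.get(user) == ctx.get("password")
    if ok:
        state["user"] = user
    return ok


def cert_persister_module(ctx, state):
    # Maps the presented certificate to the user that another module has just
    # authenticated (first logon); never creates a mapping without a verified user.
    if ctx.get("cert") and "user" in state:
        UME_CERT_MAPPINGS.setdefault(cert_key(ctx["cert"]), state["user"])
    return True


def run_stack(stack, ctx):
    """JAAS-style evaluation of a list of (module, processing flag) pairs."""
    state, one_ok, required_failed = {}, False, False
    for module, flag in stack:
        ok = module(ctx, state)
        one_ok = one_ok or ok
        if flag == "SUFFICIENT" and ok and not required_failed:
            return state.get("user")          # stop early: certificate was enough
        if flag == "REQUISITE" and not ok:
            return None
        if flag == "REQUIRED" and not ok:
            required_failed = True
    return state.get("user") if one_ok and not required_failed else None


STACK = [(client_cert_module, "SUFFICIENT"),    # assumed flags for the simulation
         (basic_password_module, "OPTIONAL"),
         (cert_persister_module, "OPTIONAL")]
```

A certificate alone is rejected until a mapping exists, the password fallback creates the mapping on first logon, and a re-issued certificate needs a new mapping because the whole certificate is the lookup key.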

Result

Users can log on to the J2EE Engine with client certificates. The J2EE Engine determines the user ID based on the mapping between the client certificate and the user ID in the UME data source.
