2006 Aug 25 1:19 PM
Hello,
Perhaps one of you has also tried to implement SSO via Client Certificates and is able to help me...
I have configured the login modules for rule based authentication with the option Rule1.getUserFrom = wholeCert and I have attached my certificate to my user in useradmin.
I have also added the login module to the template ticket, as suggested by the documentation at help.sap.com.
But when I log on to the portal or another application (for example useradmin) via https, the authentication doesn't work (but I'm still able to log on via password).
I also tried auto. certificate mapping and mapping by subject name, but in every case the system ignores the configured login module. There are no errors in the log files.
Thank You,
Frank
2006 Aug 25 1:50 PM
Hi Frank,
Did you configure the SSO for an individual policy configuration or did you edit and save the changes to the ticket policy config? I ask, b/c if you applied the changes to the individual policy config then the SSO with certificates will be used only when you access the applications for that policy config.
You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Another easily committed mistake is to not use the HTTPS port in the access URL.
Let me know if this helps...
Yonko
2006 Aug 25 2:06 PM
Hello Yonko,
thank you for your reply.
I have been trying to enable SSO for Client Certs. for some weeks now and I have tried both - individual policy configuration and the ticket policy. The options are also set directly on the login modules and not in the stacks.
SSL is generally working and the system asks for the configured certificates. To make sure that there's no problem with our certificates I also tried to use the preconfigured S-User Certificates.
To me it looks like the system needs a specified policy for components used for logon. But I have no idea where to look for it...
Regards,
Frank
2006 Aug 25 4:07 PM
Hi Frank,
For /useradmin AFAIK this is the ticket policy config. Most of the J2EE applications also use this policy configuration for SSO.
You can also double check the config for the property ume.logon.allow_cert. If that doesn't help I guess the best option is to go to support.
Regards,
Yonko
2006 Aug 29 9:34 AM
Hello,
For all who are interested in this: I solved it on my own.
I had 2 problems:
1. During the last tries I had made some weeks ago, I had not used the ticket policy.
2. Because I had no more ideas, but just to try, I also entered ume.configuration.active as option for the ClientCertificate Module this week.
So I created the second problem during my experiments.
The solution is just to use the ticket policy and to ensure that all options are valid.
2007 Jan 04 12:30 PM
Hello,
Can you please describe the solution in more detail?
Seems I had the same problem - but no solution.
At the application I configured the following login modules:
ClientCertLoginModule SUFFICIENT {Rule1.AttributeName=CN, Rule1.getUserFrom=subjectName}
com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
With best regards
Thomas
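
The login module flag check suggested earlier in the thread, as an added example that is not part of any post: a small Python walk-through of the stack from the last post, assuming the stack is evaluated with standard JAAS control-flag semantics. The function names, the shortened module names and the per-module outcomes are constructed for illustration.

```python
# Added example: walks a login module stack using standard JAAS control-flag
# semantics (an assumption about how the stacks in this thread are evaluated).

def evaluate(stack, outcomes):
    """stack: list of (module, flag); outcomes: {module: bool}, constructed.
    Returns (authenticated, modules_reached)."""
    reached = []
    required_failed = False  # some REQUIRED/REQUISITE module failed
    any_ok = False           # some module succeeded
    for module, flag in stack:
        reached.append(module)
        ok = outcomes.get(module, False)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                break  # REQUISITE failure: stop, later modules never run
        elif flag == "SUFFICIENT" and ok and not required_failed:
            break      # SUFFICIENT success: stop, later modules never run
    return (any_ok and not required_failed), reached

def unreached(stack, outcomes):
    """Modules the authentication check never gets to for these outcomes."""
    _, reached = evaluate(stack, outcomes)
    return [module for module, _ in stack[len(reached):]]

# Stack as posted above, with package prefixes dropped for readability.
THREAD_STACK = [
    ("ClientCertLoginModule", "SUFFICIENT"),
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

# Constructed scenarios: which modules would succeed for a given request.
CERT_OK = {"ClientCertLoginModule": True}
PASSWORD_OK = {"BasicPasswordLoginModule": True, "CreateTicketLoginModule": True}
NOTHING_OK = {}

if __name__ == "__main__":
    for name, outcome in [("cert", CERT_OK), ("password", PASSWORD_OK),
                          ("none", NOTHING_OK)]:
        ok, reached = evaluate(THREAD_STACK, outcome)
        print(name, "authenticated:", ok, "reached:", reached,
              "skipped:", unreached(THREAD_STACK, outcome))
```

Under these semantics a successful certificate login ends the stack at the first module, so the modules listed as skipped, including CreateTicketLoginModule, are never called for that request.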