The new Secure Login Server version of SAP Single Sign-On 3.0 comes with a new REST-based X.509 certificate enrollment protocol. It allows other SAP products, third-party developers, and customers to develop and implement their own "Secure Login" clients, using the full range of authentication, user mapping, and certificate configuration functionality of Secure Login Server.
What's the point?
Secure Login Server comes with interfaces to multiple clients, like Secure Login Client and JavaScript Web Client, Certificate Lifecycle Management, SAP Mobile Platform, SAP Cloud Connector, SAP Authenticator for iOS and Android.
For all these clients, Secure Login Server offers several authentication schemes and protocols, including multi-factor and risk-based authentication, client profiles, and user-name mapping algorithms that are required for modelling single sign-on workflows for specific SAP or non-SAP login scenarios.
All these SAP-made clients use Secure Login Server's REST API. Now we decided to open this API to our customers.
More details, please!
All you need to develop your own client is available on most modern operating systems, be it server, desktop, or mobile. Use your favourite programming language, like C++, Swift, NodeJS, or Java.
Of course you are responsible for the secure implementation. This includes private key generation and storage, as well as the secure communication with Secure Login Server. Only a few security parameters are checked on the server side: the private key type and length, the consistency of the certificate signing request, and the TLS protocol version and cipher suite strength. Other important details are up to your implementation and operating system, such as protecting the private key, controlling which local applications may share it, and update strategies that avoid unexpected certificate expiration.
The following steps cover the enrollment of a client certificate in general:
Anything else?
You may wonder why the client has to deal with desired and requested certificate names and extensions. Right, this is not required as long as Secure Login Server is using internal CAs. But if a Remote CA is used, all user name mapping and certificate template knowledge of Secure Login Server gets lost. This way, that information is at least sent to the Remote CA inside a signed blob. However, it's up to the CA whether such information is taken over or ignored.
More about this in my blog SAP Single Sign-On 3.0 - Secure Login Server with Enterprise PKI.
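The two points above, the client's own key generation and CSR construction, and the few checks Secure Login Server applies on its side (key type and length, CSR consistency, TLS version and cipher suites), can be made concrete in a small Go program. This is an added example and not SAP code or the published REST protocol: the policy constants, the function names, the `alice`/`bob` sample identities and the e-mail SAN are assumptions chosen for illustration, and the endpoint itself is not modelled because its specification is not on this page. The client half generates a P-256 key locally and builds a PKCS#10 request that carries the requested subject name and extension; the "server" half parses the request, verifies that its signature matches the embedded public key, and rejects weak or unsupported keys. A `tls.Config` with a TLS 1.2 floor and AEAD suites only stands in for the transport policy.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// minRSABits is an assumed policy value for the server-side key-length check.
const minRSABits = 2048

// NewClientKey generates the client's private key locally. The key never leaves
// the client; only the signed request does.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildCSR produces a PEM-encoded PKCS#10 request carrying the desired subject
// name and an e-mail SAN (the "requested names and extensions" of the post).
// commonName and email are constructed sample values supplied by the caller.
func BuildCSR(key crypto.Signer, commonName, email string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: commonName},
		EmailAddresses: []string{email},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSR models the server-side checks: the request must be self-consistent
// (its signature verifies under the embedded public key) and the key type and
// length must satisfy policy. Returns the parsed request on success.
func CheckCSR(pemCSR []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	// Consistency: proof of possession of the private key behind the public key.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature invalid: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < minRSABits {
			return nil, fmt.Errorf("rsa key too short: %d bits", pub.N.BitLen())
		}
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() && pub.Curve != elliptic.P384() {
			return nil, fmt.Errorf("unsupported curve %s", pub.Curve.Params().Name)
		}
	default:
		return nil, errors.New("unsupported key type")
	}
	return csr, nil
}

// ClientTLSConfig is the transport policy a client would apply when calling the
// enrollment endpoint: TLS 1.2 or newer, forward-secret AEAD suites only.
func ClientTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	csrPEM, err := BuildCSR(key, "alice", "alice@example.com")
	if err != nil {
		panic(err)
	}
	csr, err := CheckCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSR accepted for CN=%s SAN=%v\n", csr.Subject.CommonName, csr.EmailAddresses)
}
```

The `CheckSignature` call is the part worth noticing: without it a server would accept a request whose public key does not belong to the sender, which is exactly the "consistency of the certificate signing request" the post says is checked. The key-length and curve checks are policy; the values here are assumptions and should be taken from the server's actual configuration.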
Further technical specifications of the REST protocol and its JSON and FORM elements will be published soon.
One picture, please.
Many more details, documentation, and videos can be found in the SAP Help Portal pages and our SSO Community.