Single Sign-On for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory
In my recent SDN blog
I provided an overview about the options to achieve single sign-on for SAP NetWeaver Application Server based systems that reside in Microsoft environments
One option mentioned there was the usage of X.509 certificates that can automatically be issued to end users and distributed to their computers with the help of Microsoft Active Directory.
Some questions regarding the mapping of end users were raised as comments in my blog that have not been addressed in the session SIM208 that I presented at SAP TechEd 2008. Therefore I would like to address them here in my blog.
Another reason why I am writing this blog is that in the meantime SAP IT has successfully implemented the X.509 certificate autoenrollment capabilities of Microsoft Active Directory.
We are thus using this technology at SAP internally.
h4. Why using X.509 certificate auto enrollment?
If we look at the three options to achieve Single-Sign On in Microsoft environments the first option of using SAP Logon Tickets has the advantage that SAP Logon Tickets are supported for all scenarios. You need however a ticket issuing instance which is especially a problem for .NET based Web Service Clients because in contrast to the usage of SAML scenarios the developer has to take care him- or herself how to get the SAP Logon Ticket into the request.
While SAML is the recommended way for the current and upcoming releases it cannot be used for older releases.
In contrast to this X.509 Certificates can be used to achieve Single Sign-On for Browser and web service based access to SAP Systems that are either based on ABAP and Java for current releases as well as for older releases.
The setup of a PKI infrastructure is usually seen as very cumbersome and expensive task. Automatic enrollment of user certificates using Microsoft Active Directory however provides a quick and simple way to issue X.509 certificates to users and to enable single sign-on using a public key infrastructure (PKI). It minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) by providing Single Sign-On for an SAP NetWeaver system landscape leveraging the resources of an existing Microsoft Active Directory infrastructure.
Because of this SAP IT decided to implement X.509 Certificate Auto Enrollment. Mid of this year SAP IT has thus replaced its existing PKI Infrastructure through X.509 certificate auto enrollment using Microsoft Active Directory.
It is since then there is a real Single Sign-On because in contrast to the old solution users do not have to enter an additional password to leverage their X.509 certificate after having successfully logged on to Active Directory. The certificate is now automatically copied to the local certificate store on a user’s client. This local store is an encrypted store for certificates on Windows clients and contains personal and public root certificates.
The secure storage of X.509 certificates in Microsoft Active Directory offered the following additional benefits:
- High performance because data is retrieved from a local domain controller rather than from a central CA
While the initial setup for an ABAP server to accept X.509 certificates is one time effort there are ongoing tasks that have to be performed by the SAP administrator because the SAP user accounts have to be mapped to their X.509 certificates.
The mapping of a certificate to the end user can be accomplished automatically by using SAP NetWeaver Identity Management or by using one of the following three options that are provided as part of the standard:
- Transaction EXTID_DN
using transaction EXTID_DN or SM30 it is possible to map single entries in table VUSREXTID. Transaction EXTID_DN now also offers the option of a file upload.
- certmap service
Reading other attributes than common name or fully distinguished name from the AD is a little bit trickier and requires a custom policy module.
Recently the option to use a BADI implementation together with the report RSUSREXT as described in SAP Note 1254821 was added to the standard. BADI support is available for recent support package levels for 7.00, 7.01, 7.10 and 7.11 as specified in SAP Note 1254821.