Andre Fischer

Single Sign-On for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory

In my recent SDN blog, "Single sign-on Technologies supported by the SAP NetWeaver Application Server as a Service Provider in Microsoft based environments", I provided an overview of the options for achieving single sign-on for SAP NetWeaver Application Server based systems that reside in Microsoft environments.

One option mentioned there was the usage of X.509 certificates that can automatically be issued to end users and distributed to their computers with the help of Microsoft Active Directory.

Some questions regarding the mapping of end users were raised as comments on my blog that had not been addressed in session SIM208, which I presented at SAP TechEd 2008. Therefore I would like to address them here in my blog.

Another reason for writing this blog is that in the meantime SAP IT has successfully implemented the X.509 certificate auto enrollment capabilities of Microsoft Active Directory. We are thus using this technology at SAP internally.

h4. Why use X.509 certificate auto enrollment?

If we look at the three options for achieving Single Sign-On in Microsoft environments, the first option, SAP Logon Tickets, has the advantage that SAP Logon Tickets are supported for all scenarios. You need, however, a ticket-issuing instance, which is a particular problem for .NET based web service clients: in contrast to the SAML scenarios, the developer has to take care of getting the SAP Logon Ticket into the request him- or herself.

While SAML is the recommended approach for current and upcoming releases, it cannot be used with older releases.

X.509 certificates, in contrast, can be used to achieve Single Sign-On for browser and web service based access to SAP systems based on either ABAP or Java, for current releases as well as for older releases.

The setup of a PKI infrastructure is usually seen as a very cumbersome and expensive task. Automatic enrollment of user certificates using Microsoft Active Directory, however, provides a quick and simple way to issue X.509 certificates to users and to enable single sign-on based on a public key infrastructure (PKI). It minimizes the high cost of conventional PKI deployments and reduces the total cost of ownership (TCO) by providing Single Sign-On for an SAP NetWeaver system landscape while leveraging the resources of an existing Microsoft Active Directory infrastructure.

Because of this, SAP IT decided to implement X.509 certificate auto enrollment. In the middle of this year SAP IT thus replaced its existing PKI infrastructure with X.509 certificate auto enrollment using Microsoft Active Directory.

Since then there has been real Single Sign-On, because in contrast to the old solution users do not have to enter an additional password to use their X.509 certificate after having successfully logged on to Active Directory. The certificate is now automatically copied to the local certificate store on the user's client. This local store is an encrypted store for certificates on Windows clients and contains personal certificates as well as public root certificates.

The secure storage of X.509 certificates in Microsoft Active Directory offered the following additional benefits:

    • High performance because data is retrieved from a local domain controller rather than from a central CA

h4. How to map the certificates to the end users?

While the initial setup of an ABAP server to accept X.509 certificates is a one-time effort, there are ongoing tasks that have to be performed by the SAP administrator, because the SAP user accounts have to be mapped to their X.509 certificates.

The mapping of a certificate to the end user can be accomplished automatically by using SAP NetWeaver Identity Management or by using one of the following three options that are provided as part of the standard:

    1. Transaction EXTID_DN

       Using transaction EXTID_DN or SM30 it is possible to map single entries in table VUSREXTID. Transaction EXTID_DN now also offers the option of a file upload.

    2. certmap service

Reading attributes other than the common name or the full distinguished name from AD is a little trickier and requires a custom policy module.

Recently the option of using a BADI implementation together with the report RSUSREXT, as described in SAP Note 1254821, was added to the standard. BADI support is available for recent support package levels of 7.00, 7.01, 7.10 and 7.11, as specified in SAP Note 1254821.
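Whichever of the options above produces the certificate-to-user mapping, the resulting entries should be checked before they are loaded into VUSREXTID (for instance via the EXTID_DN file upload). The following is an added example, not code from the blog or from SAP: it reconciles the subject DNs of the auto-enrolled certificates against a candidate mapping and reports DNs that no active row maps, DNs claimed by more than one SAP user, and stale rows. The column names TYPE, EXTID, BNAME and ACTIVATED, the meaning of ACTIVATED = "X", and all sample DNs and user names are assumptions constructed for the example.

```python
# Added example (not the blog's or SAP's code): sanity-check a candidate
# certificate-to-user mapping before loading it into VUSREXTID.
# Assumptions: rows carry the columns TYPE, EXTID, BNAME and ACTIVATED
# (ACTIVATED = "X" meaning the row is in use); DNs are in RFC 2253 style.
# All sample data below is constructed.
import re

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types upper-cased, whitespace
    around '=' and around unescaped ',' removed. Values keep their case."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):   # split on commas not escaped by '\'
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().upper()}={val.strip()}")
    return ",".join(parts)

def reconcile(cert_dns, mapping_rows):
    """Compare issued certificate subject DNs with the mapping rows.
    'unmapped'  : issued DN with no active row (SSO fails for that user)
    'ambiguous' : DN claimed by more than one SAP user (resolve before upload)
    'stale'     : active row whose DN matches no issued certificate
    'mapped'    : DNs with exactly one active SAP user"""
    issued = {normalize_dn(d) for d in cert_dns}
    claims = {}
    for row in mapping_rows:
        if row.get("TYPE") != "DN" or row.get("ACTIVATED") != "X":
            continue  # only active DN-type rows take part in logon
        claims.setdefault(normalize_dn(row["EXTID"]), []).append(row["BNAME"])
    return {
        "unmapped": sorted(issued - set(claims)),
        "ambiguous": {d: u for d, u in claims.items() if len(set(u)) > 1},
        "stale": sorted(set(claims) - issued),
        "mapped": {d: u[0] for d, u in claims.items()
                   if len(set(u)) == 1 and d in issued},
    }

# Constructed sample input: DNs as AD would put them in the certificate subject.
CERT_DNS = [
    "CN=Alice Sample,OU=Users,DC=corp,DC=example",
    "cn=Bob Sample, ou=Users, dc=corp, dc=example",   # different formatting
    "CN=Carol Sample,OU=Users,DC=corp,DC=example",
]
# Constructed candidate mapping rows (VUSREXTID-style columns, assumed names).
MAPPING = [
    {"TYPE": "DN", "EXTID": "CN=Alice Sample,OU=Users,DC=corp,DC=example", "BNAME": "ASAMPLE", "ACTIVATED": "X"},
    {"TYPE": "DN", "EXTID": "CN=Bob Sample,OU=Users,DC=corp,DC=example", "BNAME": "BSAMPLE", "ACTIVATED": "X"},
    {"TYPE": "DN", "EXTID": "CN=Bob Sample,OU=Users,DC=corp,DC=example", "BNAME": "BSAMPLE2", "ACTIVATED": "X"},
    {"TYPE": "DN", "EXTID": "CN=Carol Sample,OU=Users,DC=corp,DC=example", "BNAME": "CSAMPLE", "ACTIVATED": ""},
    {"TYPE": "DN", "EXTID": "CN=Dave Left,OU=Users,DC=corp,DC=example", "BNAME": "DLEFT", "ACTIVATED": "X"},
]

if __name__ == "__main__":
    for key, value in reconcile(CERT_DNS, MAPPING).items():
        print(key, value)
```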

Best Regards,

André

3 Comments

Martijn de Boer
Additional information on how to create mappings based on a BAdI is available through SAP Note 1362866: https://service.sap.com/sap/support/notes/1362866

Manuel Herr

Hi Andre, this blog is a little bit older, but I'm very interested in the problem of getting other attributes into the DN of an AD certificate. I have exactly this problem. I do not get an automated connection between the DN in the certificate and the username in SAP with the report RSUSREXT.

I posted my question already here: "SAP SSO with X.509 automate process with RSUSREXT".
Maybe you have a solution for me?

Kind regards

Manuel

Andre Fischer
Blog Post Author

Hi Manuel,

Unfortunately I do not have a solution at hand, since I have not been working on this topic for quite a while.

Best Regards,

Andre