
Enabling on premise Fiori SSO with OpenSSL certificates – Part 2

In part one of this blog series I explained how to establish a secure connection to your Fiori Launchpad with OpenSSL certificates. That secure connection is the precondition for certificate-based single sign-on, which I describe in this blog.

To start with, I create a client certificate and key, beginning with a certificate request in TinyCA:

Create Request.png

The creation of the RSA key can take some time:

Creating RSA key.png

When finished, I sign the request as before with my previously created CA:

Sign Request.png

And export the resulting certificate both as a PEM (Certificate):


As well as a PKCS#12 (Certificate & Key):


To import the certificate into my Fiori Frontend server, I create an entry in table VUSREXTID in transaction SM30:


With External ID type DN of Certificate (X.509):

Determine Work Area.png

Into which I import my personal certificate:

New Entries.png

From the previous PEM export:


And assign it to my user and activate it:


The only remaining task is to import my certificate and key (the PKCS#12 export) into the browser with which I access my Fiori Launchpad:

PKCS #12.png

And next time I launch my Fiori Launchpad, I get presented with my certificate(s):

Select a certificate.png

I could now cancel this and log in as usual, but if I confirm it, I get securely single-signed-on to my Fiori Launchpad:


Of course there is much more to consider in terms of public key infrastructure (PKI) governance, and there are many more enterprise-ready CA tools, but the underlying concepts are always the same.
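The TinyCA steps above (request, signing, PEM and PKCS#12 export) map onto plain OpenSSL commands. The following is an added example, not part of the original post: the throwaway CA, subject names, password and file names are constructed placeholders, and it prints the certificate's subject DN so it can be compared with the VUSREXTID entry.

```shell
#!/usr/bin/env bash
# Added example. All names, subjects, passwords and paths are constructed.
set -e
WORK=$(mktemp -d)

# Throwaway CA standing in for the CA created in part one (constructed).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=DE/O=Example/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Client key and request, signed by the CA for client authentication only.
issue_client_cert() {  # $1 = subject of the client certificate
  openssl req -newkey rsa:2048 -nodes -subj "$1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -days 30 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# PKCS#12 bundle (certificate and key) for the browser import.
export_pkcs12() {  # $1 = export password
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -name "fiori-sso-demo" \
    -passout "pass:$1" -out "$WORK/client.p12"
}

# Subject DN of a PEM certificate, in RFC 2253 order (CN first).
subject_dn() {  # $1 = path to PEM certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=[[:space:]]*//'
}

# Confirm the client certificate chains to the CA and is valid for TLS client use.
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null
}

make_demo_ca
issue_client_cert "/C=DE/O=Example/CN=DEMOUSER"
export_pkcs12 "constructed-password"
verify_client_cert
echo "Subject DN to compare with the VUSREXTID entry: $(subject_dn "$WORK/client.pem")"
```

The working directory holds the unencrypted client key as well as the PKCS#12 file, so delete it once the browser import is done.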

In my next blog series I will explain how to secure the HANA Cloud Connector leveraging the same concepts.