Enabling on premise Fiori SSO with OpenSSL certificates – Part 2

In part one of this blog series I explained how to establish a secure connection to your Fiori Launchpad with OpenSSL certificates, which is the precondition for certificate based single-sign-on, which I will be describing in this blog.

To start with, I create a client certificate and key starting with a certificate request in TinyCA:

The creation of the RSA key can take some time:

When finished, I sign the request as before with my previously created CA:

And export the resulting certificate both as a PEM (Certificate):

As well as a PKCS#12 (Certificate & Key):

To import the certificate into my Fiori Frontend server, I create an entry in table VUSREXTID in transaction SM30:

With External ID type DN of Certificate (X.509):

Into which I import my personal certificate:

From the previous PEM export:

And assign it to my user and activate it:

The only remaining task is to import my certificate key into the browser with which I access my Fiori Launchpad:

And next time I launch my Fiori Launchpad, I get presented with my certificate(s):

I could now cancel this and login as usual, but if I confirm it, I got securely single-singed-on into my Fiori Launchpad:

Of course there is much more to consider in terms of private key infrastructure (KPI) governance and there are many more enterprise ready CA tools, but the underlying concepts are always the same.

In my next blog series I explain how to secure the HANA Cloud Connector leveraging the same concepts.