In this blog post we will see how we can enable X.509 Certificates based single sign on for User Authentication in SAP Cloud Identity Services - Identity Authentication.

Prerequisites:

1. You are using SAP Cloud Identity Services and you have created your Identity Authentication service tenant.


2. Trust setup between Identity Authorization service tenant and your BTP account is complete.


3. You are using the same Identity Authorization service tenant for User Authentication.


4. You have Manage Tenant Configuration role assigned to you.

Follow the steps to Create a certificate and enable it for user authentication.

1. Get the public certificate of root CA (Certificate Authority) and intermediary CA. If you have the certificates available already go to step 6.


2. We will create our own CA to sign our own client certificates for testing purposes. Note that it's better to use an automated system instead because its more secure and certificates expire. To create a CA, we will use openssl. If you have git bash installed then it will be already available in bash terminal or if you have chocolatey you can use
   

   choco install openssl​

   
   


3. Create a configuration file which will have information about our CA. e.g. Open a notepad and paste the below content and save as ca.config.

ca.config (adapt to your needs) :

[ ca ]

default_ca      = CA_default



[ CA_default ]

serial = ca-serial

crl = ca-crl.pem

database = ca-database.txt

name_opt = CA_default

cert_opt = CA_default

default_crl_days = 365

default_md = md5



[ req ]

default_bits           = 4096

days                   = 365

distinguished_name     = req_distinguished_name

attributes             = req_attributes

prompt                 = no

output_password        = password



[ req_distinguished_name ]

C                      = <Country goes here>

ST                     = <State goes here>

L                      = <City/Location here>

O                      = <Organization>

OU                     = <Organizational Unit>

CN                     = <Common Name of CA>

emailAddress           = <Email address of CA>



[ req_attributes ]

challengePassword      = test

 

4. Next, We create the CA certificate with the following command. This will generate two files ca-key.pem (private key of CA) and ca-crt.pem (public key of CA)

openssl req -new -x509 -days 9999 -config ca.config -keyout ca-key.pem -out ca-crt.pem

 

5. We would need to convert the certificate from pem to crt file format. We will use the converted ca.crt and upload it in admin UI of Identity Authorization service tenant. Use:
   

   openssl x509 -outform der -in ca-crt.pem -out ca.crt​

   
   


6. Access the tenant's administration console for Identity Authentication by using the console's URL. Note The URL has the following pattern: https://<tenant ID>.accounts.ondemand.com/admin. If you have a configured custom domain, the URL has the <your custom domain>/admin pattern.


7. Under Applications and Resources, choose the Tenant Settings tile.


8. Choose the Trusted Certificate Configuration list item.


9. Choose the +Add button.


10. Enter a unique name for the certificate.


11. Choose the Upload Certificate option and upload the ca.crt (certificate of CA) to your Identity Authorization service tenant.


12. Select source option as Distinguished Name.


13. Enter the Pattern of the certificate as CN=${loginName},O=SAP,C=US. Change the pattern according to values configured in your root CA or ca.config.


14. Save your configuration. Next, we will need create an incident on SAP Support Portal Home with a component BC-IAM-IDS. Attach the root and intermediate certificates and provide the Identity Authentication tenant host in the support ticket. Once the ticket is completed, now we can create client certificates signed by the CA, that we have configured in Identity Authorization service tenant. If you already have client certificates, then skip below steps.


15. Create a configuration file which will have information about our client.Note: Fill the values in req_distinguished_name section according to pattern configured in Identity Authorization service tenant. If pattern configured is CN=${loginName},O=SAP,C=US, then make sure that value of CN is set to login name configured in Identity Authorization service tenant, under user management, O is SAP, and C is US. Login name can be configured in User Management under Users & Authorizations from the sidebar. e.g. client.config (adapt to your needs) :
    

    [ req ]
    
    default_bits           = 4096
    
    days                   = 365
    
    distinguished_name     = req_distinguished_name
    
    attributes             = req_attributes
    
    prompt                 = no
    
    x509_extensions        = v3_ca
    
    
    
    [ req_distinguished_name ]
    
    C                      = <Country goes here>
    
    ST                     = <State goes here>
    
    L                      = <City/Location here>
    
    O                      = <Organization>
    
    OU                     = <Organizational Unit>
    
    CN                     = <Common Name of Client or User>
    
    emailAddress           = <Email address of Client or User>
    
    
    
    [ req_attributes ]
    
    challengePassword      = password
    
    
    
    [ v3_ca ]
    
    authorityInfoAccess = @issuer_info
    
    
    
    [ issuer_info ]
    
    OCSP;URI.0 = http://gunter.example.com/
    
    caIssuers;URI.0 = http://example.com/ca.cert

    
    


16. We will create a private key for the client.
    

    openssl genrsa -out client-key.pem 4096​

    
    


17. We now create a certificate signing request with the help of the config file.
    

    openssl req -new -config client.config -key client-key.pem -out client-csr.pem​

    
    


18. Now use the CA to sign the certificate signing request for our client. If you have chosen a different password than “password”, then please adapt the below command.
    

    openssl x509 -req -extfile client.config -days 365 -passin "pass:password" -in client-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out client-crt.pem​

    
    


19. Verify that client certificate is okay using
    

    openssl verify -CAfile ca-crt.pem client-crt.pem​

    
    Expected output:
    

    client-crt.pem: OK​

    
    


20. Combine public and private key of our client certificate so that it can be imported in browser.
    

    openssl pkcs12 -inkey client-key.pem -in client-crt.pem -export -out client-crt.pfx​

    
    

The generated file client-crt.pfx now can be imported to browser.

 

References:

SAP Help

X.509 Certificate based logon to OData Services | SAP Blogs

 

Summary: We saw that how can we use features of SAP Cloud Identity Services to enable certificate based authentication. If you have any questions please feel free to drop a comment or you can always reach out to wider community for Q&A and the topic here.