18 Replies. Latest reply: Sep 30, 2012 2:56 PM by Stefan Koehler

The page requires a valid ssl client certificate (Mac OS / Safari)

Stefan Koehler

Dear SCN Team,

I got an issue with using SCN on Mac OS with Safari.

If I don't have a valid SSL certificate provided by SAP (SMP), I am not able to log on to SCN. Even if I have installed no certificate at all in my key store, I get the same error "The page requires a valid ssl client certificate".

This is a serious issue, because I will lose my S-User due to a company change, and from then on I will have only a public SCN user (P-User) with no SSL certificate at all.

Currently the SCN team is not able to copy any content from my old user to the new one (due to lack of functionality with the new SCN platform) and now I am not able to log on anymore with that P-user either.

Please check this SSL certificate behavior and provide a solution.

Thank you.

Safari Version: Version 5.1.7 (7534.57.2)

Mac OS: 10.7.4


Best Regards

Stefan

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    David Cockrell

    Hello Stefan,

    In the new SCN platform we strongly recommend against using multiple user accounts. This can cause problems, as I can see in your user accounts (inconsistency between the SCN account and LDAP).

    Using the admin tool, I fixed the inconsistencies in your accounts and did some manual manipulation.

    Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

    Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct?)

    You should be able to perform the following operations:

    Go to SCN: http://scn.sap.com/welcome

    Log in with your p-user (this time login with your p-number, not with your email address)

    Verify that your account is ok, with all the activities and points.

    Only if you still need your s-user account, perform the following:

    Log out from your p-user

    Log in with your s-user (this time login with your s-number, not with your email address)

    During this login you will have to approve the email address (must be different from the email address of your p-user), then you will be required to agree to the SCN terms of use.

    Please update me if this was helpful.

    • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
      Stefan Koehler

      Hi David,

      Sorry, but you have not understood the issue and mixed it up even more.

      Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

      Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct

      No, not all. I don't have that brose email address anymore (as I quit that company) and I still see the soocs email address for the S-User.

      However I just want to use the P-user furthermore, but this is not possible at all, because you cannot log on to SCN without having a valid SSL certificate provided by SMP. This is the issue right here. You can test that pretty easily. Just use Safari with Mac OS and delete all your SSL certificates (for the S-Users) in your key store. After that try to open SCN and you will get the error "The page requires a valid ssl client certificate".

      The perfect situation would be:

      1. Transfer all of my content (blogs, points, connections, etc.) from my old S-User to the current P-User
      2. Make login work with the P-User without having an SSL certificate installed (because I cannot request an SSL certificate for the P-User through SMP)

      As I requested point 1 several times and I was told that this is not possible due to lack of platform functionality, I would be happy with point 2 only. But this is also not working.

      To be honest I am almost at the end of my tether with the new SCN. Most of the basic functions that members need (Copy user content, Logon without SSL certificate, etc.) are not working properly or even not at all. Luckily my lost blog content was fixed after round about 2.5 months, but now I will lose it anyway, because it cannot be copied to my P-User.

      Here is a screenshot of the error, if I try to log on with my P-User without having a Single-Sign On certificate installed in my key store. I am not able to enter my P-User ID or password at all, because of this error.

      [Screenshot: Bildschirmfoto 2012-07-01 um 14.58.00.png]

      Best Regards

      Stefan

      P.S.: I write these posts with my old S-User to get a solution for this issue. The SSL certificate for my S-User will expire and then I have to use the P-User.

      • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
        David Cockrell

        Hi Stefan,

        I do not have any experience with Mac (and no experience with Safari).

        I only fixed the issues that I saw related to your SCN user accounts.

        I have reached out to someone who might be able to help on the other topics.

        Meanwhile, you say that you still see that the s-user is associated with soocs.

        This leads me to suspect that you might have some unwanted history in your browser.

        Would you care trying the following steps:

        1. Log out of SCN.
        2. Delete browser history, cookies and passwords from Safari.
        3. Close the browser.
        4. Open the browser and log in to SCN with your p-user as I mentioned in my last message.
  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Darren Hague

    The error "The page requires a valid ssl client certificate" I have seen only twice before now: once on Safari for Windows, and once on Chrome for iPad.

    In both cases, this is due to a bug in how SSL is handled by the browser.

    In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore". "Request" means that a certificate will be requested from the client, but it is not mandatory. "Require" means that a certificate is mandatory.

    We use the "Request" setting, precisely so that the absence of a certificate does not prevent users accessing the system via username/password.

    Unfortunately, it seems that there is some piece of SSL code on some Apple platforms that interprets "request" as "require" and will not let you in without a certificate.

    In the case of the other error "Digital certificate has expired", this seems to be a case that the browser is presenting an outdated certificate to the server, and this is being rejected at SSL level - therefore, all certificates have not been removed from the browser in this case.

    I recommend that you get the latest O/S updates from Apple, and hopefully this fixes their SSL bug.

     

    Best regards,
    Darren Hague

    (SAP ID Service architect)
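
The difference between the "request" and "require" settings described in the post above, for a client that has no certificate, as an added example that is not part of the thread or SAP's configuration. It uses Python's `ssl` module, maps the three settings onto `CERT_NONE`, `CERT_OPTIONAL` and `CERT_REQUIRED` as an assumption, and assumes the `openssl` command-line tool is on the PATH to create a throwaway server certificate.

```python
import os, ssl, subprocess, tempfile

# Assumed mapping of the three settings in the post onto Python's ssl module.
MODES = {"ignore": ssl.CERT_NONE, "request": ssl.CERT_OPTIONAL, "require": ssl.CERT_REQUIRED}

def make_server_cert(directory):
    """Create a throwaway self-signed server certificate (constructed test data)."""
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def login_without_client_cert(mode, cert, key):
    """Run a TLS handshake in memory with a client that presents no certificate."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    server_ctx.verify_mode = MODES[mode]
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False        # the test certificate is self-signed, so the
    client_ctx.verify_mode = ssl.CERT_NONE   # client skips server verification in this demo
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server)
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    pending = [client, server]
    for _ in range(10):                      # a handshake needs only a few flights
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass                         # waiting for the peer's next flight
            except ssl.SSLError:
                return "handshake rejected"  # "require": no certificate, no connection
        if not pending:
            # Handshake done; with no client certificate the server falls back to a password.
            return "certificate login" if server.getpeercert() else "password login"
    return "handshake incomplete"

def demo():
    with tempfile.TemporaryDirectory() as directory:
        cert, key = make_server_cert(directory)
        return {mode: login_without_client_cert(mode, cert, key) for mode in MODES}

if __name__ == "__main__":
    print(demo())
```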

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Christian Braukmueller

    Hi Stefan,

    I found your thread because I ran into the same problem.

    You may already have found your solution, but I'd like to add what I did now.

    The Apple-ID entry in the keystore of the Mac seems to be related to the problem. No idea why calling scn.sap.com is catching this one.

    Because the date of the keystore entry for the Apple-ID was the day when I started my "MacOS career", I had doubts about just deleting it and seeing what happens. (Will there be any problems with the AppStore/OS updates afterwards?)

    There was no helpful hint in the few similar threads on the web, therefore I just tried it.

    • Start MacOS-Keystore (="Schlüsselbundverwaltung" [German])
    • Category -> "All Objects"
    • Right-Click on "com.apple.idms.appleid.prd.xxxxxxxxxxx" -> Export Entry -> choose location
      ( ...to feel better before deleting it)
    • Right-Click -> Delete Entry

    Result:

         Now I'm able to log in to scn.sap.com again. (= normal behavior)

         I'm still able to start the AppStore, too.

    That's it so far. If anything comes up in the next days I'll update the thread.

     

    Best regards

    Christian

    • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
      Stefan Koehler

      Hi Christian,

      thanks for your update.

      I still have that issue and I am still afraid to delete that Apple certificate.

       

      Regards

      Stefan

      • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
        Christian Braukmueller

        Hi Stefan,

         

        After deleting the apple-id certificate, several other certificates in the "All objects" list became invalid.

        They all had a URL from SAP in common
             https:// ...  sap .... .com

        I guess these entries were created by all the failed attempts before and were signed by the apple-id.

        To check which entries will be affected by the deletion of the

             com.apple.idms.appleid.prd.<long number>

        try the following:

        Take some digits from the long number or the whole string and enter it in the search field in the upper right corner. The list will present you:

             - The apple-idms-entry that you (should) like to delete

             - all the entries that are related to this id

        If these are only entries in relation with the SAP pages, there shouldn't be a reason not to give it a try.

        It can't make things worse. (With the exported apple-idms you should feel safe enough to do it)

        For myself it works pretty fine. I requested certificates for two S-IDs and Safari prompts for it when logging on to the SCN/ServiceMarketPlace.

        After a few days there now is additionally a new apple-idms-entry underneath the two S0000xxxx entries.

        If there weren't the two others I might have the old problem back, but now I'm free to choose.

        DISCLAIMER: I'm new to MacOSX and can only report what I did to get things working. Hope that there is nothing I've not detected till now.

         

        Being curious about your progress

        Christian