How to define X509 authentication for specific user?

Former Member
0 Kudos

Dear experts,

We are using SAML 2 authentication in our system SAP CRM 7 EHP3.

We need to define X509 authentication just for one user while others should still use SAML 2 authentication.

How is it possible to perform it?

Thanks in advance,

Sergey

6 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

the standard logon procedure tries multiple authentication methods. The cert-based authentication is the second option in the standard procedure. SAML is usually after that. Hence you should just need to set up that user to use certs, and her browser needs to provide a cert when accessing the system.

Cheers

Former Member
0 Kudos

Hello Martin,

It seems that SAML comes before cert authentication.

Before SAML definition we used cert authentication and all the definitions are still applied.

But when users open the application via the browser, they see the ADFS screen for SAML instead of the cert popup. This behavior is good for most of the users, but for one user we need to change the order.

Thanks in advance,

Former Member
0 Kudos

Hi Sergey,

how should the system determine, before authentication, which order to apply?

Regards, Patrick

Former Member
0 Kudos

A good question :)

We are using the definitions in the table VUSREXTID for authentication.

So we tried to define SAML mapping for all the users except one, which is defined with X509 mapping. The problem is that it didn't work...

Former Member
0 Kudos

Hi Sergey,

you need to be authenticated for the mapping to work. So using the user ID of the user to select the scheme does not work.

The only option I see is creating a separate app with a different authentication stack, that after authentication of the user just does a redirect to the initial app.

The user requiring the 'non-standard' scheme would then need to call this URL instead. Based on your statements, I do not know whether this is feasible or makes sense, but ...

Regards,

Patrick

TomXing
Contributor
0 Kudos

Did you try to configure the login module stack in a way that X509 authentication comes before the SAML2 one (for sure it should finish with CreateTicket)?

Can you show how you configured the login module stack?

If this can work, you can assign a particular certificate for the VIP user.
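TomXing's suggestion (put X509 ahead of SAML2 and finish with CreateTicket) turns on how a login module stack evaluates its control flags. The following is an added Python model of that evaluation, not SAP's code and not a real NetWeaver login-module template: the module names, the flag arrangement (OPTIONAL certificate module, SUFFICIENT CreateTicket directly behind it, REQUISITE SAML2), the certificate subject and the user ids are constructed assumptions, and the REQUIRED flag is left out because neither stack here uses it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUISITE, SUFFICIENT, OPTIONAL = "REQUISITE", "SUFFICIENT", "OPTIONAL"
# Constructed "certificate subject -> user id" map, standing in for the X.509
# rows the thread keeps in VUSREXTID (the values are made up).
CERT_MAP = {"CN=vip.user,O=Example": "VIP"}

@dataclass
class Ctx:
    request: Dict[str, str]      # what the browser presented (cert subject / SAML subject)
    user: Optional[str] = None   # set by whichever module authenticates
    ticket: Optional[str] = None # set by CreateTicket
    trace: List[str] = field(default_factory=list)  # modules that ran, in order

def x509_module(ctx: Ctx) -> bool:
    ctx.trace.append("X509")
    ctx.user = CERT_MAP.get(ctx.request.get("cert_subject", ""))
    return ctx.user is not None

def saml2_module(ctx: Ctx) -> bool:
    ctx.trace.append("SAML2")
    # A real SAML2 module redirects to the IdP (here: ADFS) when no assertion is present.
    ctx.user = ctx.request.get("saml_subject")
    return "saml_subject" in ctx.request

def create_ticket_module(ctx: Ctx) -> bool:
    ctx.trace.append("CreateTicket")
    if ctx.user is None:
        return False             # nobody is authenticated yet, nothing to issue
    ctx.ticket = f"ticket-for-{ctx.user}"   # stands in for the SSO logon ticket
    return True

def run_stack(stack, request: Dict[str, str]) -> Ctx:
    """Evaluate (module, flag) pairs top to bottom using JAAS control-flag rules."""
    ctx = Ctx(request)
    for module, flag in stack:
        ok = module(ctx)
        if flag == SUFFICIENT and ok:
            return ctx           # authenticated: every later module is skipped
        if flag == REQUISITE and not ok:
            ctx.user = ctx.ticket = None
            return ctx           # hard stop: logon fails (or redirects) here
        # OPTIONAL: continue regardless of the outcome
    return ctx

# Certificate module first, a SUFFICIENT CreateTicket right behind it, SAML2 as the fallback.
CERT_FIRST = [(x509_module, OPTIONAL), (create_ticket_module, SUFFICIENT),
              (saml2_module, REQUISITE), (create_ticket_module, OPTIONAL)]
# The order the thread starts from: SAML2 is consulted before the certificate.
SAML_FIRST = [(saml2_module, REQUISITE), (x509_module, OPTIONAL), (create_ticket_module, OPTIONAL)]
```

Running CERT_FIRST for a request carrying the mapped certificate ends after X509 and CreateTicket without ever reaching SAML2, while the same request against SAML_FIRST stops at the REQUISITE SAML2 module, which is the ADFS screen Sergey describes.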