12-18-2014 8:43 AM
Dear experts,
We are using SAML 2 authentication in our system SAP CRM 7 EHP3.
We need to define X509 authentication just for one user while others should still use SAML 2 authentication.
How is it possible to perform it?
Thanks in advance,
Sergey
12-18-2014 9:33 PM
Hi,
the standard logon procedure tries multiple authentication methods. The cert-based authentication is the second option in the standard procedure. SAML usually comes after that. Hence you should just need to set up that user to use certs, and her browser needs to provide a cert when accessing the system.
Cheers
12-19-2014 7:13 AM
Hello Martin,
It seems that SAML comes before cert authentication.
Before SAML definition we used cert authentication and all the definitions are still applied.
But when users open the application via the browser, they see the ADFS screen for SAML instead of the cert popup. This behavior is fine for most of the users, but for one user we need to change the order.
Thanks in advance,
12-19-2014 7:58 AM
Hi Sergey,
how should the system determine, before authentication, which order to apply?
Regards, Patrick
12-19-2014 9:07 AM
A good question:)
We are using the definitions in the table VUSREXTID for authentication.
So we tried to define SAML mapping for all the users except one, who is defined with X509 mapping. The problem is that it didn't work...
12-19-2014 10:41 AM
Hi Sergey,
you need to be authenticated for the mapping to work. So using the user ID of the user to select the scheme does not work.
The only option I see is creating a separate app with a different authentication stack, which, after authenticating the user, just redirects to the initial app.
The user requiring the 'non-standard' scheme would then need to call this URL instead. Based on your statements, I do not know whether this is feasible or makes sense, but ...
Regards,
Patrick
12-24-2014 9:55 AM
Did you try to configure the login module stack in a way that X509 authentication comes before the SAML2 one (for sure it should finish with CreateTicket)?
Can you show how you configured the login module stack?
If this can work, you can assign a particular certificate for the VIP user.