Tenant administrators can configure X.509 client certificates for user authentication as an alternative to authenticating with a user name and a password.
You are assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
User authentication with a trusted X.509 certificate takes place using the underlying Secure Sockets Layer (SSL) protocol and users don’t need to enter a password for their logon.
Certificates for API Authentication cannot be used for user authentication.
Remember that it may take between two and four weeks to enable the certificate.
To configure a trusted X.509 certificate, proceed as follows:
- Access the tenant's administration console for Identity Authentication by using the console's URL.
  The URL has the following pattern: https://<tenant ID>.accounts.ondemand.com/admin
  The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID. For more information about your tenants, see Viewing Assigned Tenants and Administrators.
  If you have configured a custom domain, the URL has the following pattern: <your custom domain>/admin
- Under Applications and Resources, choose the Tenant Settings tile.
  At the top of the page you can view the administrative and license-relevant information of the tenant.
- Choose the Trusted Certificate Configuration list item.
- Choose the +Add button.
- Enter the name of the certificate.
  The name and the Subject DN must be unique.
- Choose one of the following certificate options:
  - Upload Certificate: The uploaded certificates must be in PEM format. Use .cer or .crt files.
  - Root Certificate: Insert the public key in the text field.
- Choose one of the following source options:
  - Distinguished Name: If Distinguished Name is selected as the source, the pattern must match the Subject DN of the user certificate. The CN attribute of the DN pattern must be in the format CN=${<logonIdentifier>} and must completely map to one of the supported logon identifiers: loginName, uid, and mail. For example: CN=${loginName},O=Management,C=US.
  - Subject Alternative Name - Other Name: If Subject Alternative Name - Other Name is selected, the pattern must match the subjectAltName extension entry of type otherName (Microsoft User Principal Name form) of the user certificate. The pattern for the SAN value must be in the format ${<logonIdentifier>} and must completely map to one of the supported logon identifiers: loginName, uid, and mail.
  - Subject Alternative Name - E-Mail (RFC822 Name): If Subject Alternative Name - E-Mail (RFC822 Name) is selected, the pattern must match the subjectAltName extension entry of type rfc822Name of the user certificate. The pattern for the SAN value must be in the format ${mail}.
  Two configurations with different source options in one Identity Authentication tenant are not supported.
- Enter the Pattern of the certificate.
  If you want to log on with a certificate where the common name contains the user ID (for example, Subject DN: CN=P000000,O=MyOrg,C=US), then the pattern value must be: CN=${uid},O=MyOrg,C=US.
  If you want to log on with a certificate where the common name contains the e-mail of the user (for example, Subject DN: CN=<e-mail address>,O=MyORG,C=US), then the pattern value must be: CN=${mail},O=M,C=US.
- Save your configuration.
- To add the certificate to your tenant, report an incident on SAP Support Portal Home with the component BC-IAM-IDS.
  - Attach the root and intermediate certificates to the incident.
  - Provide the Identity Authentication tenant host.
  The SAP Root CA, SAP Passport CA G2, DigiCert Global Root CA, and DigiCert TLS RSA SHA256 2020 CA1 certificates are trusted by default.
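As an added example (not code from the SAP documentation or product), the following Python functions show how the pattern rules above can be checked against a certificate's Subject DN or SAN value: the placeholder must name one of the logon identifiers loginName, uid or mail, every other attribute must match literally and completely, for the Distinguished Name source only the CN may carry the placeholder, and for the RFC822 Name source only ${mail} is accepted. The function names and the simplified DN splitting (no escaped commas) are assumptions made for this example.

```python
import re

# Logon identifiers a pattern placeholder may map to (from the documentation).
LOGON_IDENTIFIERS = {"loginName", "uid", "mail"}
PLACEHOLDER = re.compile(r"^\$\{(\w+)\}$")


def parse_dn(dn):
    """Split 'CN=x,O=y,C=z' into an ordered list of (attribute, value) pairs.
    Assumption: no escaped commas; real DNs need full RFC 4514 parsing."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def match_dn_pattern(pattern, subject_dn):
    """Match a Subject DN against a Distinguished Name pattern such as
    'CN=${uid},O=MyOrg,C=US'. Returns (identifier, value) only when every
    RDN matches and exactly one CN placeholder is present, else None."""
    pat, dn = parse_dn(pattern), parse_dn(subject_dn)
    if len(pat) != len(dn):          # extra or missing RDNs: no complete match
        return None
    result = None
    for (pa, pv), (da, dv) in zip(pat, dn):
        if pa != da:
            return None
        m = PLACEHOLDER.match(pv)
        if m:
            # Placeholder allowed only in CN, only once, only a known identifier.
            if pa != "CN" or m.group(1) not in LOGON_IDENTIFIERS or result:
                return None
            result = (m.group(1), dv)
        elif pv != dv:               # literal attributes must match exactly
            return None
    return result


def match_san_pattern(pattern, san_value, san_type):
    """Match a SAN entry (san_type 'otherName' for the UPN form, or
    'rfc822Name') against a pattern of the form '${<logonIdentifier>}'.
    For rfc822Name the only permitted pattern is '${mail}'."""
    m = PLACEHOLDER.match(pattern)
    if not m or m.group(1) not in LOGON_IDENTIFIERS:
        return None
    if san_type == "rfc822Name" and m.group(1) != "mail":
        return None
    return (m.group(1), san_value)
```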
Related Information
Tenant OpenID Connect Configurations
Change Tenant Texts Via Administration Console
Configure Master Data Texts Via Administration Console
Configure Links Section on Sign-In Screen
Add Instructions Section on Sign-In Screen
Configure Allowed Logon Identifiers
Configure User Identifier Attributes
Configure Trust this browser Option
Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices
Enable Users to Recover Password with Security Questions
Enable Users to Recover Password with PIN Code
Configure Initial Password and E-Mail Link Validity
Use Custom Domain in Identity Authentication
Change a Tenant's Display Name
Configure Default Risk-Based Authentication for All Applications in the Tenant
Configure Sinch Service in Administration Console
Configure RADIUS Server Settings (Beta)
Configure Mail Server for Application Processes
Send System Notifications via E-Mails
Configure Default Language for End User Screens
Reuse Identity Authentication Tenants for Different Customer IDs