Tenant administrators can configure X.509 client certificates for user authentication as an alternative to authenticating with a user name and a password.
You must be assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
User authentication with a trusted X.509 certificate takes place over the underlying Secure Sockets Layer (SSL) protocol, so users don't need to enter a password to log on.
Certificates for API Authentication cannot be used for user authentication.
Remember that it may take between two and four weeks to enable the certificate.
If you want to configure a certificate using your own trusted CA, for example for scenarios such as authentication of technical users or OAuth clients, skip the procedure in this document and report an incident on SAP Support Portal Home with the component BC-IAM-IDS. Attach the root and intermediate certificates to the incident and provide the Identity Authentication tenant host.
If users have generated their own certificates via the profile page, they won't be able to authenticate with the configured X.509 client certificate, and vice versa.
If you want to edit an already configured certificate, choose the certificate, choose the Edit button, make your changes, and save them.
If you have made changes to the root certificate, report an incident on SAP Support Portal Home with the component BC-IAM-IDS, attach the root and intermediate certificates to the incident, and provide the Identity Authentication tenant host.
If you want to delete an already configured certificate, choose the certificate, choose the Delete button, and report an incident on SAP Support Portal Home with the component BC-IAM-IDS, providing the Identity Authentication tenant host.
To configure a trusted X.509 certificate, proceed as follows:
- Sign in to the administration console for SAP Cloud Identity Services.
- Under Applications and Resources, choose the Tenant Settings tile.
  At the top of the page, you can view the administrative and license-relevant information of the tenant.
- Under Authentication, choose the Trusted Certificate Configuration list item.
- Choose the Create button.
- Enter the name of the certificate.
  The name and the Subject DN must be unique.
- Choose one of the following certificate options:
  - Upload Certificate: the uploaded certificate must be in PEM format. Use .cer or .crt files.
  - Root Certificate: insert the public key in the text field.
- Choose one of the following source options:
  - Distinguished Name: if Distinguished Name is selected as the source, the pattern must match the Subject DN of the user certificate. The CN attribute of the DN pattern must be in the format CN=${<logonIdentifier>} and must map completely to one of the supported logon identifiers: loginName, uid, or mail. For example: CN=${loginName},O=Management,C=US.
  - Subject Alternative Name - Other Name: if Subject Alternative Name - Other Name is selected, the pattern must match the subjectAltName extension entry of type otherName (Microsoft User Principal Name form) of the user certificate. The pattern for the SAN value must be in the format ${<logonIdentifier>} and must map completely to one of the supported logon identifiers: loginName, uid, or mail.
  - Subject Alternative Name - Email (RFC822 Name): if Subject Alternative Name - Email (RFC822 Name) is selected, the pattern must match the subjectAltName extension entry of type rfc822Name of the user certificate. The pattern for the SAN value must be ${mail}.
  Two configurations with different source options in one Identity Authentication tenant are not supported.
- Enter the Pattern of the certificate.
  If you want to log on with a certificate where the common name contains the user ID (for example, Subject DN: CN=P000000,O=MyOrg,C=US), the pattern value must be CN=${uid},O=MyOrg,C=US. If you want to log on with a certificate where the common name contains the email of the user (for example, Subject DN: CN=[email protected],O=MyORG,C=US), the pattern value must be CN=${mail},O=M,C=US.
- Save your configuration.
- To add the certificate to your tenant, report an incident on SAP Support Portal Home with the component BC-IAM-IDS.
  - Attach the root and intermediate certificates to the incident.
  - Provide the Identity Authentication tenant host.
  The SAP Cloud Root CA, DigiCert Global Root CA, DigiCert Global Root G2, DigiCert TLS RSA SHA256 2020 CA1, and Baltimore CyberTrust Root certificates are trusted by default.
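How the pattern is applied, as an added example that is not part of this SAP documentation or of the Identity Authentication product: the Python below implements the matching rules stated in the procedure (a ${<logonIdentifier>} placeholder that must be the whole CN value, restricted to loginName, uid and mail; literal attributes that must agree; ${mail} only for rfc822Name) and runs them over constructed sample DNs and SAN values. The function names, the simplified DN parser (no escaped commas), the requirement that attribute order match, and the case-sensitive comparison of literal values are assumptions; the service's actual implementation may differ.

```python
from __future__ import annotations

import re
from typing import Optional

# Logon identifiers the documentation lists as valid placeholder targets.
SUPPORTED_LOGON_IDENTIFIERS = ("loginName", "uid", "mail")

# A placeholder must be the entire attribute value: "${uid}" is valid,
# "user-${uid}" is not, because the rule is CN=${<logonIdentifier>}.
PLACEHOLDER_RE = re.compile(r"^\$\{(\w+)\}$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split "CN=P000000,O=MyOrg,C=US" into (attribute, value) pairs.

    Simplified parser (assumption): values contain no escaped commas, which
    holds for every pattern shown in the procedure above.
    """
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def validate_dn_pattern(pattern: str) -> str:
    """Return the logon identifier a Distinguished Name pattern maps to, or raise.

    Rules: exactly one placeholder, it is the whole value of the CN attribute,
    and it names one of loginName, uid or mail.
    """
    placeholders = []
    for attr, value in parse_dn(pattern):
        m = PLACEHOLDER_RE.match(value)
        if m:
            placeholders.append((attr.upper(), m.group(1)))
        elif "${" in value:
            raise ValueError(f"placeholder must be the whole value: {attr}={value}")
    if len(placeholders) != 1 or placeholders[0][0] != "CN":
        raise ValueError("pattern needs exactly one placeholder, in the CN attribute")
    ident = placeholders[0][1]
    if ident not in SUPPORTED_LOGON_IDENTIFIERS:
        raise ValueError(f"unsupported logon identifier: {ident}")
    return ident


def is_valid_dn_pattern(pattern: str) -> bool:
    """Boolean form of validate_dn_pattern for pre-save checks."""
    try:
        validate_dn_pattern(pattern)
        return True
    except ValueError:
        return False


def match_subject_dn(pattern: str, subject_dn: str) -> Optional[tuple[str, str]]:
    """Match a certificate Subject DN against the configured pattern.

    Returns (logon_identifier, value) when every literal attribute agrees and
    the CN yields a non-empty value; returns None otherwise. Attribute names are
    compared case-insensitively, literal values case-sensitively (assumption).
    """
    ident = validate_dn_pattern(pattern)
    pat_pairs = parse_dn(pattern)
    dn_pairs = parse_dn(subject_dn)
    if len(pat_pairs) != len(dn_pairs):
        return None
    extracted = ""
    for (p_attr, p_val), (d_attr, d_val) in zip(pat_pairs, dn_pairs):
        if p_attr.upper() != d_attr.upper():
            return None
        if PLACEHOLDER_RE.match(p_val):
            extracted = d_val
        elif p_val != d_val:
            return None
    return (ident, extracted) if extracted else None


def match_san_value(pattern: str, san_type: str, san_value: str) -> Optional[tuple[str, str]]:
    """Match a subjectAltName entry against a ${<logonIdentifier>} pattern.

    san_type is "otherName" (UPN form; any supported identifier) or
    "rfc822Name" (email; only ${mail} is permitted).
    """
    m = PLACEHOLDER_RE.match(pattern.strip())
    if not m or san_type not in ("otherName", "rfc822Name"):
        raise ValueError(f"invalid SAN pattern or type: {pattern!r}, {san_type!r}")
    ident = m.group(1)
    allowed = ("mail",) if san_type == "rfc822Name" else SUPPORTED_LOGON_IDENTIFIERS
    if ident not in allowed:
        raise ValueError(f"identifier {ident} not allowed for {san_type}")
    return (ident, san_value) if san_value else None


if __name__ == "__main__":
    # Constructed samples: the procedure's CN=${uid} example plus a mismatching DN.
    print(match_subject_dn("CN=${uid},O=MyOrg,C=US", "CN=P000000,O=MyOrg,C=US"))
    print(match_subject_dn("CN=${uid},O=MyOrg,C=US", "CN=P000000,O=Other,C=US"))
    print(match_san_value("${mail}", "rfc822Name", "alice@example.com"))
```

Running the block prints the extracted (identifier, value) pair for the CN=${uid} example and None for a certificate issued to a different organization. A pattern such as CN=user-${uid},O=MyOrg,C=US is rejected before any certificate is checked, which is the check worth making before saving the configuration, since a malformed pattern would otherwise fail at first logon rather than at configuration time.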
Related Information
Tenant SAML 2.0 Configurations
Get SAML 2.0 IdP Metadata via Parameter
Tenant OpenID Connect Configurations
Change Tenant Texts Via Administration Console
Configure Master Data Texts Via Administration Console
Configure Links Section on Sign-In Screen
Add Instructions Section on Sign-In Screen
Enable Users to Generate and Authenticate with Certificates
Configure Allowed Logon Identifiers
Configure User Identifier Attributes
Configure Trust this browser Option
Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices
Configure Initial Password and Email Link Validity
Use Custom Domain in Identity Authentication
Change a Tenant's Display Name
Configure Default Risk-Based Authentication for All Applications in the Tenant
Configure Sinch Service in Administration Console
Configure RADIUS Server Settings (Beta)
Configure Mail Server for Application Processes
Send System Notifications via Emails
Configure Customer Managed Keys in Administration Console (Restricted Availability)
Configure Default Language for End User Screens
Reuse SAP Cloud Identity Services Tenants for Different Customer IDs