I want to follow up on a sub-topic that came up in this thread:
mapping-x509-cert-info-to-j2ee-user
What concerns us is this:
In a J2EE X509 SSO scenario, we have a few choices to map user IDs to X509 certs. Our PKI is such that when a user logs into their PC, their roaming profile places their X509 certificate in their IE certificate store. This cert then gets used for a variety of enterprise apps, including SAP. It works as long as the user is at a PC they logged into. If they go to a public PC, like in a conference room, then they are aware that they have to log in manually since the conf. room uses a generic login.
For our environment of around 10,000 named users, we have them all mapped in our ABAP system table USREXTID. This is done automatically through a job that populates that table with data from our LDAP. The entry is simply CN=xxxxx and it's mapped to the SAP login ID.
This method is not possible with the J2EE side of things. Instead, the UME admin can manually import a client cert. We did that and it works.
Or, we can have the user map it themselves by clicking the "Certificate Login" link on the initial login screen and then authenticate themselves, which in turn populates their cert info into their UME record.
It is that method that concerns us. What's to stop user A from logging into his PC with his cert and then having user B come over, log into the app, and subsequently perform that automatic mapping? User A would have user B's authorizations in future sessions on his own computer. We tested this and it is a technical possibility. Also, if a cert is already mapped and a user clicks the "Certificate Login" button, then the new cert overwrites the old cert.
With our job that automatically maps CN=xxxxx info to SAP Logins in ABAP, this risk is completely eliminated. Only a user logged into their own PC, with their own Windows/XP credentials, can access the SAP app with their cert.
Please help me understand if I am missing something that eliminates the risk I've pointed out.
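The property the ABAP job gives the poster for free is that a certificate's CN can only ever be mapped to the login the directory says it belongs to. The self-service "Certificate Login" step lacks that check, which is exactly the gap described above. The following is an added example (not code from the original post, not SAP's UME, and not a real SAP API): it models that check as a guard in front of a self-service mapping request, refuses silent overwrites of an existing mapping, and adds an audit that compares an existing mapping table against the directory to find bindings where the mapped CN belongs to someone else. The directory, logins and subject DNs are constructed; in a real deployment the subject DN would come from the client certificate the server has already validated against the enterprise CA, not from user input.

```python
"""Checks for self-service client-certificate-to-user mapping (constructed example).

Models the control the poster's ABAP batch job already enforces: a certificate
CN may only be mapped to the login the directory associates with that CN.
"""
from dataclasses import dataclass


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514-style DN ("CN=x,OU=y,O=z") into {ATTR: value}.

    Handles backslash escapes and quoted values. The first occurrence of an
    attribute type wins; multi-valued RDNs ('+') are not special-cased.
    """
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char, e.g. "\,"
            buf.append(dn[i + 1]); i += 2; continue
        if c == '"':
            in_quotes = not in_quotes; i += 1; continue
        if c == "," and not in_quotes:         # RDN separator
            parts.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    parts.append("".join(buf))
    out = {}
    for rdn in parts:
        if not rdn.strip():
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, value = rdn.partition("=")
        out.setdefault(attr.strip().upper(), value.strip())
    return out


def cn_owners(directory: dict, cn: str) -> set:
    """Logins whose directory CN equals `cn` (case-insensitive)."""
    return {login for login, dcn in directory.items() if dcn.casefold() == cn.casefold()}


@dataclass(frozen=True)
class MappingRequest:
    authenticated_user: str   # login that just authenticated with a password on this session
    cert_subject_dn: str      # subject DN of the client cert presented on the same session


def enforce_mapping(req: MappingRequest, directory: dict, mapping_table: dict):
    """Accept the self-service mapping only if the cert CN belongs to the
    authenticated user; never silently overwrite a different existing mapping.
    Returns (accepted, reason) and records the mapping on acceptance."""
    cn = parse_dn(req.cert_subject_dn).get("CN")
    if not cn:
        return False, "certificate subject has no CN"
    expected = directory.get(req.authenticated_user)
    if expected is None:
        return False, "authenticated user not in directory"
    if cn.casefold() != expected.casefold():
        # The "user B logs in at user A's PC" case: B's password, A's certificate.
        return False, f"certificate CN {cn!r} does not belong to {req.authenticated_user}"
    existing = mapping_table.get(req.authenticated_user)
    if existing is not None and existing.casefold() != cn.casefold():
        return False, "a different certificate is already mapped; administrator re-mapping required"
    mapping_table[req.authenticated_user] = cn
    return True, "mapping recorded"


def audit_mappings(mapping_table: dict, directory: dict) -> list:
    """Compare login->CN mappings against the directory. Returns (login, code)
    findings: CN_UNKNOWN (no such CN in directory), CN_NOT_OWNED (CN belongs to
    another login), CN_SHARED (same CN mapped to more than one login)."""
    findings, by_cn = [], {}
    for login, cn in mapping_table.items():
        by_cn.setdefault(cn.casefold(), set()).add(login)
    for login, cn in sorted(mapping_table.items()):
        owners = cn_owners(directory, cn)
        if not owners:
            findings.append((login, "CN_UNKNOWN"))
        elif login not in owners:
            findings.append((login, "CN_NOT_OWNED"))
        if len(by_cn[cn.casefold()]) > 1:
            findings.append((login, "CN_SHARED"))
    return findings


# Constructed directory extract (login -> CN), standing in for the LDAP feed.
DIRECTORY = {"ASMITH": "Alice Smith", "BJONES": "Bob Jones", "CLEE": "Chen Lee"}


def demo():
    table = {}
    ok, _ = enforce_mapping(MappingRequest("ASMITH", "CN=Alice Smith,OU=Staff,O=Example Corp"), DIRECTORY, table)
    hijack, why = enforce_mapping(MappingRequest("BJONES", "CN=Alice Smith,OU=Staff,O=Example Corp"), DIRECTORY, table)
    # A table produced by an unchecked self-service step (constructed).
    unchecked = {"ASMITH": "Alice Smith", "BJONES": "Alice Smith", "CLEE": "Dana Old"}
    return ok, hijack, why, table, audit_mappings(unchecked, DIRECTORY)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The guard answers the scenario in the post directly: user B authenticating on user A's PC presents a certificate whose CN resolves to A, so the request is refused instead of binding A's cert to B's account. The audit is the detective counterpart for mappings created before such a guard existed, and the CN_SHARED finding catches the overwrite case where the same certificate ends up attached to two logins.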