
How to configure Agentry for 2 Factor authentication using Basic Authentication for work manager 6.4

Sep 19, 2017 at 06:31 PM

Former Member

Hi Experts,

We are following the options of Two factor authentication in SMP and for the application SAP work manager 6.4 by looking into the document

https://www.sap.com/documents/2015/08/ccac3421-5a7c-0010-82c7-eda71af511fa.html

We want to use the 2FA option below.

Two Factor authentication - User Authentication Agentry Client + built-in client certificate

On page 26 it is mentioned as:

Factor 1
• The Agentry client can be deployed with a certificate that the customer can define in the deployment process
• This certificate is the same for all deployed Agentry binary clients*

We are using iOS platform. We want to know how the client certificate can be deployed during the deployment process?

Any help is much appreciated.

agentry2fa.png (53.8 kB)

1 Answer

Bill Froelich
Sep 20, 2017 at 03:55 AM
0

The client certificate can be built into the ipa file that is created with the necessary Open Auth code to read and send it to the server. Alternatively you would have to look at a process to either

1) Copy the certificate to the client Documents folder via iTunes

2) Use some kind of open with handler to receive the file from another application (like email) so the client could copy to a known location

In either case the client would need to be configured with the Open Auth code to read the certificate and then pass it through to the SMP3 server.

--Bill

Former Member

Thanks a lot for the quick reply Bill. Are there any documents that provide the steps to configure the Agentry client with Open Auth code to read the certificate?

0

There is code provided in the samples of the Agentry Open UI Client Frameworks projects.

2
Former Member

Thanks a lot Bill. I will try to look at the sample code and the smpopenuicredentialprovider class information. I will try it and let you know if there are any issues or concerns.

Really Appreciate your inputs

0
Former Member

Hi Bill, As per suggestion we were able to build the client.

We can see the Open UI additional login screen, showing up during login.

We want to know what settings we need to make on the SMP server side in order for this certificate authentication to take place, like which security profile we need to select and what other server configurations we need to do.

As always appreciate your help.

0

I haven't set this up in quite a while. From what I remember you would typically define a new Security Configuration (for example named "ClientCert") and instead of selecting "No Authentication Provider", add the "X.509 User Certificate" option. You will also need to make sure the CA that generated the user certs is also imported so the SMP server can validate the certificate.

When the client connects, the SMP server will validate the user cert then pass through the connection to Agentry where the user name and password will be processed and authenticated for the backend connection.

1
Former Member

Hi Bill,

I have created a new certificate profile "Client_cert", choosing X.509 as auth provider, and imported the certificate as well in the SMP. But I am getting "The user and password is invalid" when trying to connect using the new Agentry client.

Is it because SMP is not able to validate?

0

The SMP server needs to have the CA imported that issued the certificate. It does not need the actual client certificate.

I would suggest you turn up the Security log settings and retry your connection to see what errors may be generated.

--Bill

0
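The point in the reply above, that the validating side needs the issuing CA rather than the client certificate itself, shown as an added example (not from the thread or from SAP). It uses OpenSSL's verifier as a stand-in for the server's check; all keys, certificates and names are constructed throwaways, and SMP's own validation code is not shown on this page.

```shell
#!/bin/sh
# Added example: every key and certificate here is a throwaway, constructed one.
set -eu

make_ca() {            # $1 = directory, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

issue_client() {       # $1 = issuing CA directory, $2 = output prefix, $3 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

check_chain() {        # $1 = trust anchor file, $2 = certificate to validate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

demo() {
  work=$(mktemp -d)
  mkdir "$work/issuer" "$work/other"
  make_ca "$work/issuer" "Constructed Issuing CA"
  make_ca "$work/other" "Constructed Unrelated CA"
  issue_client "$work/issuer" "$work/client" "constructed-agentry-client"
  a=$(check_chain "$work/issuer/ca.pem" "$work/client.pem")  # issuing CA imported
  b=$(check_chain "$work/other/ca.pem" "$work/client.pem")   # a different CA imported
  c=$(check_chain "$work/client.pem" "$work/client.pem")     # only the client cert imported
  rm -rf "$work"
  echo "$a $b $c"
}

demo
```

The third case is rejected because OpenSSL, by default, only accepts a chain that ends in a self-signed certificate from the trust store.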
Former Member
Bill Froelich

Hi Bill,

I bumped up the security log and found these in it.

"

- Authenticating request |

-CheckIfSessionExists returned false. Was logged out due to webapp switch false |

- authfilter-1: Security Configuration set to: 'Client_cert' |

Authentication Failed for: 'null' |

- No AuthenticationEntryPoint was set during login attempt. Falling back to HTTP 401 +

- Authenticating request |

- CheckIfSessionExists returned false. Was logged out due to webapp switch false |

- authfilter-1: Security Configuration set to: 'Client_cert' |

- Authentication Header indicates type is 'Basic' |

Authentication Failed for: 'test_smob1' |

- No AuthenticationEntryPoint was set during login attempt. Falling back to HTTP 401 + WWW-Authenticate|

"

Do you know why it is erroring out and saying "null"?

0
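An added example (not part of the original post) that collapses the security-log excerpt quoted above into one line per authentication attempt, so the header type and principal of each attempt can be compared side by side. The function names are hypothetical; `header=none` only means no "Authentication Header indicates type" line was logged for that attempt.

```shell
#!/bin/sh
# Added example: one summary line per "Authenticating request" block.

summarize_auth_attempts() {   # reads security-log lines on stdin
  awk -v sq="'" '
    /Authenticating request/                  { n++; cfg = "?"; hdr = "none" }
    /Security Configuration set to:/          { split($0, q, sq); cfg = q[2] }
    /Authentication Header indicates type is/ { split($0, q, sq); hdr = q[2] }
    /Authentication Failed for:/ {
      split($0, q, sq)   # q[2] is the text between the first pair of quotes
      printf "attempt=%d config=%s header=%s principal=%s result=failed\n", n, cfg, hdr, q[2]
    }'
}

sample_log() {   # the lines quoted in the post above
  cat <<'EOF'
- Authenticating request |
-CheckIfSessionExists returned false. Was logged out due to webapp switch false |
- authfilter-1: Security Configuration set to: 'Client_cert' |
Authentication Failed for: 'null' |
- No AuthenticationEntryPoint was set during login attempt. Falling back to HTTP 401 +
- Authenticating request |
- CheckIfSessionExists returned false. Was logged out due to webapp switch false |
- authfilter-1: Security Configuration set to: 'Client_cert' |
- Authentication Header indicates type is 'Basic' |
Authentication Failed for: 'test_smob1' |
- No AuthenticationEntryPoint was set during login attempt. Falling back to HTTP 401 + WWW-Authenticate|
EOF
}

sample_log | summarize_auth_attempts
```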
Former Member

Hi Bill,

We were able to configure the certificate. Thanks for all your help. The final change is to point the application to 8082 for HTTP authentication.

Appreciate all the help.

0

Glad you got everything working

0