
Use of SNC/SSO with certificates

Is it possible to configure the SNC matching of user IDs and SNC names to not use the full distinguished name?

We would like to enable SSO/SNC using certificates.

Please support here

Thanks in advance,


2 Answers

  • Best Answer
    Nov 14, 2008 at 02:10 PM

    > Is it possible to configure the SNC matching of user IDs and SNC names to not use the full distinguished name?
    >
    > We would like to enable SSO/SNC using certificates.
    >
    > Please support here
    >
    > Thanks in advance,

    I assume that you are referring to the SNC mappings defined in an ABAP stack (SU01: SNC tab -> table USRACL). This mapping is independent from the SNC product being used. The mapping is based on the so-called "canonical SNC name" - on the entire one, not on parts of it.

    So the answer is "no" (regarding SNC mappings).

    If you are referring to "X.509 client certificate mappings" (mutual SSL authentication) then there is some light at the end of the tunnel: with NWAS ABAP 7.1 Enhancement Pack 1 (7.11) a new feature is available: "rule-based certificate mapping". The rule engine allows you to configure that only certain parts of the subject name are relevant for the mapping.

    However, the "classic" certificate mapping (ABAP transaction EXTID_DN, table USREXTID) always takes the entire subject name (in the ABAP-specific printable notation).

    Regards, Wolfgang


    • Former Member

      @Wolfgang,

      Sorry to correct you but you're only referring to the SAP part of the system. SAP will take the complete name as supplied by the SNC library (per your description). The SNC library can choose to only deliver a part of the SNC name to SAP. SAP would never notice this.

      The maximum guaranteed SNC name can only be 85 (or so) characters (although there seems to be space for 255 characters in the database). This is too short for some organizations so we implemented a mechanism to shorten the SNC name. It is cumbersome, though.

  • Former Member
    Nov 14, 2008 at 12:52 PM

    Yes, but not with the SAP Crypto Library. Contact me directly for details as commercial postings (aside from SAP's own) are not allowed here.
