
Pass External Username from SCP IDP to On-Premise ABAP System

christoffer_fuss
Participant

Hello,

I am using the SAP Cloud Identity Service as my SAML IDP for authentication. I configured principal propagation in my Cloud Connector for authentication on my SAP system. This works fine if there is a one-to-one relationship of external cloud users to SAP users.

For example my external User 'P000001' of my IDP is mapped in transaction CERTRULE to my ABAP user 'TEST1'.

Now I have the problem that multiple external users are mapped to the same ABAP user 'TEST2'.

This leads to the problem that I don't know which external user is logged on to my ABAP system, because they are all logged in as 'TEST2' (in sy-uname).

How can I access the external username from the client certificate of the currently logged-in ABAP user?

Best Regards,

Chris

Accepted Solutions (0)

Answers (4)


Ivan-Mirisola
Product and Topic Expert

Hi Christopher,

Have you tried to configure your system for Principal Propagation as explained in this blog?

Regards,
Ivan

christoffer_fuss
Participant

Hi Ivan,

Yes, I followed this blog and, as I said, principal propagation is working fine. In transaction CERTRULE my external user is mapped to my SAP user and I am logged in with that user in my SAP system. I can see the user in the variable sy-uname. What I need is to access, in my ABAP code, the external user ID which was mapped to my user.

Is this possible? If not, how can I access my external user in my ABAP?

Best regards,

Chris

Ivan-Mirisola
Product and Topic Expert

Hi Chris,

You mean, you want to do a reverse lookup on the user. So let's say you have your sy-uname = TEST2 and you need to figure out the user name that is stored (mapped) in the CERTRULE transaction. And the expected result would be your P000001 user - the one you use to log on to SCP in the first place. Is my assumption correct?

If so, you could use the FM: CERTRULE_USER_TO_RULES to retrieve the rules that apply to an ABAP user id. And based on it, retrieve the mapped external user id.

The FM takes a structure named LOGONNAMES as input and you could enter it like so:

TYPE:A  <---- this is A for ALIAS
NAME:TEST2

The result would give you something like:

USRCERTRULES:
  SUBJECT: CN=P000001, O=Your Org, C=DE
  ISSUER: CN=Your CA, O=Your Org, C=DE
  SUBJECT_ALT_NAME:

Then, just parse the Subject field to extract the user id.

You might need to figure out which index to choose from if you have more than a single mapping for the same user - which doesn't make much sense as this should give you a 1:1 relationship.

Hope this helps,
Ivan

christoffer_fuss
Participant

Hi Ivan,

this is exactly what I want. Thank you so much. I will try it out and let you know if it works.

Best Regards,

Chris

christoffer_fuss
Participant

Hi Ivan thanks again for your help,

Can you show me how a rule must look to match all the different P-users like P000001, P000002 etc. to the same SAP user TEST2?

If I use a rule with CN=P000001, it just works when there is an SAP user with the same name, P000001.

If I use an "Explicit Mapping" of CN=P000001 to SAP user TEST2, the FM CERTRULE_USER_TO_RULES throws an exception.

Best regards,

Chris

Ivan-Mirisola
Product and Topic Expert

Hi Christoffer,

In that case you can check the certificate directly in table USRCERTMAP. I couldn't find any standard FM that takes the user ID and returns the certificate when "Explicit Mapping" is used. Still, you could develop your own FM to do that based on the mentioned table.

Regards,
Ivan

jfk
Explorer

Hi,

You can use this code snippet in the DPC_EXT class of your OData service to get the name used in the certificate:

READ TABLE mr_request_details->technical_request-request_header
     INTO DATA(ls_cert_str)
     WITH TABLE KEY name = 'ssl_client_cert'.   " client certificate forwarded with the request
IF sy-subrc = 0.
  " Parse the certificate and read its subject DN as a table of (oid, value) pairs
  DATA(lr_cert) = cl_abap_x509_certificate=>get_instance( if_certificate = ls_cert_str-value ).
  lr_cert->get_subject_dn(
    IMPORTING
      et_dn = DATA(lt_dn) ).
  " The CN attribute carries the external user name (e.g. P000001)
  READ TABLE lt_dn INTO DATA(ls_dn) WITH KEY oid = 'CN'.
  DATA(lv_dn_name) = ls_dn-value.
ENDIF.

I got this code snippet from here:
https://answers.sap.com/questions/12905835/scp-portal-open-an-app-with-user-name-as-parameter.html

Best regards
Jan
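Both Ivan's reverse-lookup advice (parse the SUBJECT of the matched rule to get the user ID) and Jan's snippet (read the CN from the logon certificate's subject DN) come down to the same step: taking a DN string apart reliably and trusting the CN only when the certificate comes from the issuer you expect. The following is an added Python example, not SAP code and not from anyone in this thread. It assumes constructed DN strings modelled on the USRCERTRULES output shown above, a constructed list of rule records (one ABAP user, several external subjects) and a TRUSTED_ISSUERS allowlist that you would fill with your own CA's DN.

```python
"""Parse X.509 distinguished names (RFC 4514 string form) and extract the
external user ID from the CN, checking the issuer first.

Constructed example; the DN strings and rule records below are made up
and modelled on the USRCERTRULES output quoted in the thread.
"""
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=P000001, O=Your Org, C=DE' into [('CN', 'P000001'), ...].

    Handles backslash escapes (e.g. 'CN=Doe\\, John'), trims whitespace
    around '=' and ',' and upper-cases attribute types so comparisons are
    case-insensitive on the type but exact on the value.
    """
    rdns: List[RDN] = []
    key: List[str] = []
    val: List[str] = []
    cur = key
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and cur is key:            # first '=' separates type from value
            cur = val
        elif ch == "," and cur is val:          # unescaped ',' ends this RDN
            rdns.append(("".join(key).strip().upper(), "".join(val).strip()))
            key, val = [], []
            cur = key
        else:
            cur.append(ch)
        i += 1
    if key or val:
        rdns.append(("".join(key).strip().upper(), "".join(val).strip()))
    return rdns


def dn_attribute(dn: str, attr_type: str) -> Optional[str]:
    """Return the value of the first RDN of the given type (e.g. 'CN'), or None."""
    for k, v in parse_dn(dn):
        if k == attr_type.upper():
            return v
    return None


# Constructed allowlist: the CA that actually signs the IdP-issued client
# certificates. A CN is only meaningful if the certificate chains to this CA.
TRUSTED_ISSUERS = {"CN=Your CA, O=Your Org, C=DE"}


def external_user_from_cert(subject: str, issuer: str,
                            trusted_issuers=TRUSTED_ISSUERS) -> Optional[str]:
    """Return the CN of `subject` only if `issuer` is a trusted CA, else None.

    Issuers are compared as parsed RDN sequences, so spacing differences in
    the string form do not matter but attribute order and values must match.
    """
    trusted = {tuple(parse_dn(t)) for t in trusted_issuers}
    if tuple(parse_dn(issuer)) not in trusted:
        return None
    return dn_attribute(subject, "CN")


# Constructed records shaped like the USRCERTRULES output quoted in the
# thread, extended with the ABAP user each rule maps to.
SAMPLE_RULES: List[Dict[str, str]] = [
    {"abap_user": "TEST1", "subject": "CN=P000010, O=Your Org, C=DE",
     "issuer": "CN=Your CA, O=Your Org, C=DE"},
    {"abap_user": "TEST2", "subject": "CN=P000001, O=Your Org, C=DE",
     "issuer": "CN=Your CA, O=Your Org, C=DE"},
    {"abap_user": "TEST2", "subject": "CN=P000002, O=Your Org, C=DE",
     "issuer": "CN=Your CA, O=Your Org, C=DE"},
]


def external_users_for_abap_user(rules: List[Dict[str, str]], uname: str) -> List[str]:
    """Reverse lookup: every trusted external CN mapped to `uname`.

    More than one result is exactly the ambiguity the thread describes: with
    an n:1 mapping, sy-uname alone cannot tell you which external user is
    logged on; you need the certificate of the current request for that.
    """
    found = []
    for rule in rules:
        if rule["abap_user"] != uname:
            continue
        cn = external_user_from_cert(rule["subject"], rule["issuer"])
        if cn is not None:
            found.append(cn)
    return found


if __name__ == "__main__":
    print(parse_dn("CN=P000001, O=Your Org, C=DE"))
    print(external_users_for_abap_user(SAMPLE_RULES, "TEST2"))
```

The issuer check is the part that matters for security: a CN is just a string inside a certificate, so an ABAP-side lookup that trusts it without confirming the signing CA (or, in the request-header variant, without the web server or Cloud Connector having verified the certificate before forwarding it) would accept any self-signed certificate that happens to carry CN=P000001.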

christoffer_fuss
Participant

I am still struggling with this problem. Is there really no way to pass the external username safely to the SAP system?

Best Regards,

Chris

christoffer_fuss
Participant

The above answer of Ivan, using the FM "CERTRULE_USER_TO_RULES", only works with transaction "CERTRULE" when rules are used (as the name suggests).

But this does not work with "Explicit Mappings" in CERTRULE or with transaction "EXTID_DN", because it returns only the matched rule and not the X.509 certificate.

So, is there a way to get the X.509 certificate which was used for the logon?

Best Regards,

Chris