
"Auto-register" user by SSO client certificate?


We are running an application in WebDynpro ABAP on NW 7.31.

The application shall be usable by everyone in the company with minimal effort. Everyone has a client certificate installed in their browsers and we want to do pretty much SSO using the X509 certificates.

But as far as I understand, this only works once a user account has been created with the correct information (OU, CN etc. specified). Is there any way we can get around this and avoid the manual user creation process? Ideally, we want every user to visit our site and be logged in already on the first visit.

Licensing is not an issue and security is also secondary... it is just essential to be as low effort as possible for the end-user to get into our application and to still be somehow "distinguishable" (not completely anonymous). It would also be sufficient if the application runs under a generic user account, but somehow we would need to understand the user ID from the certificate. In other programming languages / web servers this should not be very complex, but I just don't find a way in AS ABAP.




2 Answers

    Former Member
    Jan 11, 2012 at 12:24 PM


    Here is just an idea from what I did for a somewhat similar requirement.

    Hundreds of users had to call a BSP application in an R/3 4.7 system. It was not possible to create a SAP R/3 account for these people but we wanted to control who was allowed to access the BSP and we wanted to know who used the BSP.

    Here is my workaround.

    The SAP BSP application runs with a generic user configured in SICF.

    There is a SAP Web Dispatcher in front of SAP R/3 for HTTP load balancing.

    We installed IIS web servers doing NTLM authentication and we programmed a small ASP application.

    The URL for the application is answered by the IIS ASP application.

    The IIS servers use NTLM to authenticate the Windows user and check if this user is part of the Windows group authorised to run the application.

    The IIS application calls a special login BSP on R/3 which sends a specific unencrypted cookie.

    The IIS application sends a redirect to the user browser and the cookie.

    The URL from the redirect calls the BSP application with the Windows user as a parameter and sends the cookie to the BSP application.

    The BSP application checks the cookie and if it is OK, displays the application for the user.

    The SAP web dispatcher filters the access to the login BSP with the IP addresses of the IIS servers.

    The SAP web dispatcher creates a special HTTP log file which contains the Windows user of the BSP application.

    This workaround is kind of tricky but has been running successfully productively for 5 years with 500 users.

    Hope this helps.
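
The hand-off described in the answer above passes the Windows user as a URL parameter together with a cookie. The following is an added example (not code from the original post) of one way the back end can check that the user name really was set by the front end: the cookie carries an HMAC over the user name and an issue time. Python is used only for illustration; `SHARED_KEY`, `MAX_AGE_SECONDS`, `issue_token` and `verify_token` are hypothetical names, and the key and user names are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Assumptions: key known only to front end and back end (constructed value),
# and a hand-off that must complete within 60 seconds.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 60


def _mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(user, now=None, key=SHARED_KEY):
    """Front end: call only after the user has been authenticated."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}".encode("utf-8")
    encode = base64.urlsafe_b64encode
    return f"{encode(payload).decode()}.{encode(_mac(payload, key)).decode()}"


def verify_token(token, claimed_user, now=None, key=SHARED_KEY):
    """Back end: return the verified user name, or None on any failure."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        user, issued = payload.decode("utf-8").rsplit("|", 1)
        issued = int(issued)
    except ValueError:  # wrong shape, bad base64, bad UTF-8, bad timestamp
        return None
    # Check the MAC before trusting any field; constant-time comparison.
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued <= MAX_AGE_SECONDS:
        return None  # stale or post-dated token
    # The user name in the URL must match the one the front end signed.
    if user != claimed_user:
        return None
    return user
```
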



    • Former Member Bruno Haller

      Hi Bruno,

      I've never worked on the subject but I would try this way:

      Use a SAP Web Dispatcher in front of the ABAP system and use it to terminate the SSL connection.

      Use the web dispatcher parameter icm/HTTPS/client_certificate_header_name to send the client certificate in a header field.

      Then set an HTTP log file on the ABAP ICM using the LOGFORMAT option with the parameter

      %i Name of a request header field, e.g. %{user-agent}i

      Check [] for details.

      Good luck because I don't know if my idea is good...



    Former Member
    Jan 11, 2012 at 06:44 PM

    In this case all you want is authenticated access with generic authorizations. Why not use a self-registration scenario? (see the documentation on FM BAPI_USER_CREATE1).

    If the user does not exist, then the user ID is created and assigned a generic reference user with limited access to use the application, or sufficient to request more correct access.

    Licensing is not an issue and security is also secondary...

    Or make a public anonymous service out of it?




    • Potentially thousands... And some less, if it is complex to register 😀

      About SAML: No I didn't and actually I do not have any clue what exactly this is or does. But will read now about it 😊 Thanks