Creating and Configuring Security Profiles
Create and configure security profiles to control how the server authenticates users during onboarding, and to manage request-response interactions with the back end.
- For Agentry applications, which have an additional authentication layer that is configured elsewhere, a common scenario is to configure No Authentication Challenge as the security provider, so that only Agentry performs authentication.
- You can stack multiple security providers to combine security features in complex systems; place the providers in the order that takes advantage of the features you chose. Set the Control Flag for each enabled security provider in the stack.
- You must map logical roles to physical roles, as required by the application.
- When you create a new security profile, a corresponding XML file is created in the <SMP_HOME>\configuration\com.sap.mobile.platform.server.security\CSI\ directory. When a security profile is updated, a copy of the XML file is saved, which allows you to recover the previous version.
- For an example of how to configure a security profile with an X.509 User Certificate authentication provider, see Creating a Security Profile with X.509 Authentication.
- In Management Cockpit, select .
- Click the Create icon.
- Enter the following:
  - Security Profile Name: A unique name for the security profile.
  - Check Impersonation (Optional): In token-based authentication, whether to allow authentication to succeed when the user name presented cannot be matched against any of the user names validated in the login modules. By default, the property is enabled, which prevents user authentication in this scenario.
- Under List of Defined Authentication Providers, set up one or more providers for the
- Click .
- Select an authentication provider from the list.
  Authentication providers and their descriptions:
  - No Authentication Challenge: Always authenticates the supplied user. The provider offers pass-through security for SAP Mobile Platform Server, and should typically be reserved for development or testing. SAP strongly encourages you to avoid using this provider in production environments—either for administration or device user authentication.
  - System Login (Admin Only): Configured by the installer with the initial administrator credentials to give platform administrators access to Management Cockpit, so they can configure SAP Mobile Platform Server for production use. Administrators should replace this authentication provider immediately after logging in the first time. SAP encourages you to avoid using this provider after the production environment is configured.
  - Populate JAAS Subject From Client: Enables administrators to add client values as named credentials, name principals, and role principals to the authenticated subject. This provider copies values from the client's HTTP request into the JAAS subject as:
    - Principals – identifies the user.
    - Roles – grants access rights to resources that are protected by SAP Mobile Platform.
    - Credentials – provides single sign-on material to use when connecting to back-end systems. Adding client values as named credentials allows them to be used for single sign-on.
  - X.509 User Certificate: For users who are authenticated by certificates. You can use this provider with other authentication providers that support certificate authentication, for example, Directory Service (LDAP/AD), by configuring X.509 User Certificate before the authentication providers that support certificate authentication. You can use this provider to validate client certificates only when HTTPS listeners are configured to use mutual authentication.
    You can configure optional advanced properties, such as key-value pairs, for this provider by selecting Advanced in Management Cockpit.
  - SAML2: Provider that authenticates a user through a trusted identity provider.
    Use only a single SAML2 instance, by itself or in combination with other authentication providers, when you define a security profile.
  - Mobiliser Login (Basic Authentication): Authenticates users with basic authentication by passing their credentials to the Mobiliser system.
  - Principal Propagation: Provides clients with single sign-on access to back-end systems; does not authenticate a client that is opening a session with SAP Mobile Platform Server.
    To use the Principal Propagation provider:
    - Assign X.509 as the SSO mechanism for application back-end connections.
    - Specify one or more authentication providers in the security profile stack. Do not use X.509 User Certificate as one of the authentication providers.
  - HTTP/HTTPS Authentication: Authenticates a user with given credentials (user name and password, or SSO tokens from your SSO system) against a back end that is integrated into your management or SSO systems. Optionally, this provider may retrieve a cookie that represents additional SSO credentials to use for back-end systems that are also integrated with your SSO system.
    You can configure optional, advanced properties, such as Username HTTP Header, and Token Expiration Interval, by selecting Advanced in Management Cockpit.
  - Kerberos: Provider that has no part in authenticating the user based on credentials provided, but once another provider has authenticated the user, this module can provide Kerberos SSO credentials for that user to back-end systems. You cannot use Kerberos by itself when you define a security profile.
    - Kerberos does not authenticate a client that is opening a session with SAP Mobile Platform Server.
    - You must specify one or more other authentication providers in the security profile stack.
    - Kerberos can authenticate only between SAP Mobile Platform Server and a back end that is configured for Kerberos support, by passing on an authentication provided by an authentication provider specified in the security profile stack.
  - Directory Service (LDAP/AD): Integrates with your Active Directory or other Directory Server identity management system using LDAP. The provider first connects to your Directory Server using a technical user identity so it can perform an LDAP search to discover the fully qualified distinguished name (DN) of the current user in the directory. It then binds the DN to the provided password. When the bind succeeds, the user is considered authenticated. The provider then performs an LDAP search to see which groups the user is a member of. These group names are considered physical roles in the role mapping definitions that are used later for access controls.
    This provider is particularly useful in the Admin security profile to allow existing enterprise users to use Management Cockpit, and also any custom security profiles used for authenticating enterprise users for SAP Mobile Platform application usage.
    You can configure optional advanced properties, such as Certificate Authentication Filter and Certificate Attributes, for this provider by selecting Advanced in Management Cockpit.
  - SAPSSO2 Generator: Internal method of generating a token for SSO access to back-end systems.
    To use SAPSSO2 Generator, specify one or more authentication providers in the security profile stack.
- Enter values based on the selected authentication provider.
- (Optional) To validate your settings, click Test Settings.
- Click Save.
- (Optional) Click New to add additional security providers on the stack. Use the up and down arrows to move the security providers into the correct order.
- Map SAP Mobile Platform logical roles to predefined physical roles—see Mapping Logical Roles to Physical Roles.
- (Optional) If the server is running in a cluster, click Refresh to update the UI with changes made in other server nodes.
- Click Save, and confirm.
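The following added example (not SAP Mobile Platform code) simulates the Directory Service (LDAP/AD) flow described above and the final logical-to-physical role mapping step against a constructed in-memory directory: bind as the technical user, search for the user's DN, bind as that DN with the supplied password, read the user's groups, and resolve them to logical roles. The directory entries, technical user, and ROLE_MAPPING are all assumptions; the filter escaping shows why the user name must be treated as data, not filter syntax, when the DN search is built.

```python
import hmac
import re

# Constructed in-memory directory standing in for Active Directory: DN -> attributes.
DIRECTORY = {
    "cn=svc-smp,ou=service,dc=example,dc=com": {"userPassword": "tech-secret", "memberOf": []},
    "cn=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "alice-pw",
        "memberOf": ["cn=smp-admins,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "bob-pw",
        "memberOf": ["cn=smp-users,ou=groups,dc=example,dc=com"]},
}
TECHNICAL_USER = ("cn=svc-smp,ou=service,dc=example,dc=com", "tech-secret")
# Hypothetical mapping of logical roles to physical roles (the LDAP group names).
ROLE_MAPPING = {
    "Administrator": ["cn=smp-admins,ou=groups,dc=example,dc=com"],
    "AppUser": ["cn=smp-users,ou=groups,dc=example,dc=com",
                "cn=smp-admins,ou=groups,dc=example,dc=com"],
}

def escape_filter(value):
    """RFC 4515 escaping: a user-supplied name must not become LDAP filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def search_uids(raw_value):
    """Minimal '(uid=raw_value)' evaluator: an unescaped '*' is a wildcard, as in LDAP."""
    rx = re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in raw_value.split("*")) + "$")
    return [dn for dn, a in DIRECTORY.items() if "uid" in a and rx.match(a["uid"])]

def bind(dn, password):
    """Simulated simple bind; the constant-time compare stands in for the directory's check."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and hmac.compare_digest(entry["userPassword"], password)

def authenticate(username, password):
    """Technical bind -> DN search -> user bind -> groups -> logical roles, or None on failure."""
    if not bind(*TECHNICAL_USER):
        return None
    matches = search_uids(escape_filter(username))
    if len(matches) != 1:                 # unknown user, or a filter that matched several entries
        return None
    if not bind(matches[0], password):    # an empty password would be an anonymous bind in LDAP
        return None
    groups = set(DIRECTORY[matches[0]]["memberOf"])   # the physical roles
    return sorted(role for role, phys in ROLE_MAPPING.items() if groups & set(phys))
```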