HTTP/HTTPS Authentication Configuration Properties

The HTTP/HTTPS Authentication provider authenticates user credentials (user name and password) against a secured back end that performs basic authentication. To facilitate single sign-on (SSO), you can configure the provider to retrieve a cookie and add it to the JAAS subject.

Description

Configure this provider to authenticate users by:
  • Using only the specified user name and password.
  • Using only the specified client value or values.
  • Attempting token authentication. If that fails, revert to basic authentication using the supplied user name and password. You may find this helpful when using the same security configuration for authenticating users with a token, such as device users hitting the network edge, and when push-notification requests from within a firewall present a user name and password but no token.

If you configure the ClientHttpValuesToSend property, the provider uses that value when it attempts to authenticate the user. It does not set the user name and password credentials in the HTTP session with the Web server. If the specified client values are not found in the SAP Mobile Platform client session, or if the Web server cannot validate the specified token, authentication fails, unless the TryBasicAuthIfTokenAuthFails property is set to true, in which case, the provider tries basic authentication by passing the user name and password.

HTTP/HTTPS Authentication Properties

Table 63: HTTP/HTTPS Authentication General Properties

Control Flag (default: Optional)
Indicates how the security provider is used in the login sequence.
  • Optional – the authentication provider is not required, and authentication proceeds down the authentication provider list, regardless of success or failure.
  • Sufficient – the authentication provider is not required, and subsequent behavior depends on whether authentication succeeds or fails.
  • Required – the authentication provider is required, and authentication proceeds down the authentication provider list.
  • Requisite – the authentication provider is required, and subsequent behavior depends on whether authentication succeeds or fails.

Description (default: None)
Differentiates between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.

URL (default: None)
The HTTP or HTTPS URL that authenticates the user. For SSO, this is the server URL from which SAP Mobile Platform Server acquires the SSO cookie/token.

Disable Server Certificate Validation (default: False)
(Optional) Determines whether server certificate validation is disabled.

If true, this property disables certificate validation when establishing an HTTPS connection to the secured Web server (SWS) using the configured URL. Set to true only for configuration debugging.

HTTP Connection Timeout Interval (default: 60000)
Number of seconds before an HTTP connection request to the Web-based authentication service times out.

If the HTTP connection made in this provider (for either user authentication or configuration validation) does not have a timeout set, and attempts to connect to a Web-based authentication service that is unresponsive, the connection also becomes unresponsive, which might in turn cause SAP Mobile Platform Server to become unresponsive. Set the timeout interval to ensure that authentication failure is reported without waiting indefinitely for the server to respond.

Client HTTP Values To Send (default: None)
A comma-separated list of client HTTP values to be sent to the HTTP server.

For example:

ClientHttpValuesToSend=<client_personalization_key>, <client_cookie_name>

Set this property if you are using token authentication.

Setting this property triggers token authentication. Only token authentication is attempted, unless TryBasicAuthIfTokenAuthFails is configured to true in conjunction with ClientHttpValuesToSend.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Send Client HTTP Values As (default: None)
Comma-separated list of strings that indicate how to send ClientHttpValuesToSend to the HTTP server.

For example:

SendClientHttpValuesAs=header:<header_name>, cookie: <cookie_name>

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Try Basic Auth if Token Auth Fails (default: False)
Determines whether the provider should attempt basic authentication using the specified user name and password credentials if token authentication is configured and fails. This property is applicable only if token authentication is enabled.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Successful Connection Status Code (default: 200)
HTTP status code that is interpreted as successful when a connection is established to the secured Web server.

SSO Cookie Name (default: None)
(Optional) Name of the cookie that is set in the session between the authentication provider and the secured Web server; the cookie holds the SSO token for single sign-on. The provider looks for this cookie in the connection to the secured Web server. If the cookie is found, it is added to the authenticated subject as a named credential.

The authentication provider ignores the status code when an SSO cookie is found in the session; authentication succeeds regardless of the return status code.

Credential Name (default: None)
Name to set in the authentication credential that contains the token returned in SSOCookieName. If this property is not configured, the SSOCookieName property value is set as the name of the token credential.
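The decision flow that the general properties describe (token authentication triggered by ClientHttpValuesToSend, the fallback controlled by TryBasicAuthIfTokenAuthFails, acceptance by SuccessfulConnectionStatusCode or by the presence of the SSOCookieName cookie, and the credential named by CredentialName) is modelled below as an added Python example. This is not SAP Mobile Platform code: the secured Web server is a constructed in-process stub, and the header name X-SMP-Token, the cookie name sessionid, the token value, the user credentials and the MYSAPSSO2 cookie name are constructed sample values. The example also assumes that the entries of SendClientHttpValuesAs correspond positionally to the entries of ClientHttpValuesToSend, which the page does not state.

```python
import base64
from dataclasses import dataclass, field

# Constructed stand-in for the secured Web server (SWS); not a real endpoint.
VALID_TOKEN = "tok-123"            # constructed sample token value
VALID_USERS = {"alice": "s3cret"}  # constructed sample credential store
SSO_COOKIE = "MYSAPSSO2"           # constructed SSO cookie name


@dataclass
class Response:
    status: int
    cookies: dict = field(default_factory=dict)


def secured_web_server(headers, cookies):
    """Constructed back end: accepts the token as a header or cookie, or Basic credentials."""
    if headers.get("X-SMP-Token") == VALID_TOKEN or cookies.get("sessionid") == VALID_TOKEN:
        return Response(200, {SSO_COOKIE: "sso-" + VALID_TOKEN})
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if VALID_USERS.get(user) == pw:
            return Response(200)
    return Response(401)


def redirecting_backend(headers, cookies):
    """Constructed back end that answers 302 but still sets the SSO cookie."""
    return Response(302, {SSO_COOKIE: "sso-redirect"})


def silent_backend(headers, cookies):
    """Constructed back end that answers 302 without any SSO cookie."""
    return Response(302)


@dataclass
class ProviderConfig:
    # Fields mirror the documented property names; values are written as in a properties file.
    client_http_values_to_send: str = ""              # ClientHttpValuesToSend
    send_client_http_values_as: str = ""              # SendClientHttpValuesAs
    try_basic_auth_if_token_auth_fails: bool = False  # TryBasicAuthIfTokenAuthFails
    successful_connection_status_code: int = 200      # SuccessfulConnectionStatusCode
    sso_cookie_name: str = None                       # SSOCookieName
    credential_name: str = None                       # CredentialName


def parse_send_as(spec):
    """'header:<name>, cookie: <name>' -> [('header', name), ('cookie', name)]."""
    out = []
    for item in spec.split(","):
        kind, _, name = item.strip().partition(":")
        out.append((kind.strip().lower(), name.strip()))
    return out


def _accepted(cfg, resp):
    # Per the page: when the SSO cookie is present the status code is ignored.
    if cfg.sso_cookie_name and cfg.sso_cookie_name in resp.cookies:
        return True
    return resp.status == cfg.successful_connection_status_code


def _subject(cfg, username, resp):
    subject = {"principals": [username], "credentials": {}}
    if cfg.sso_cookie_name and cfg.sso_cookie_name in resp.cookies:
        # CredentialName, falling back to SSOCookieName, names the token credential.
        name = cfg.credential_name or cfg.sso_cookie_name
        subject["credentials"][name] = resp.cookies[cfg.sso_cookie_name]
    return subject


def authenticate(cfg, username, password, client_session, backend=secured_web_server):
    """Return the subject dict on success, None on failure."""
    if cfg.client_http_values_to_send:
        names = [n.strip() for n in cfg.client_http_values_to_send.split(",")]
        # Assumption: the i-th SendClientHttpValuesAs entry describes the i-th client value.
        send_as = parse_send_as(cfg.send_client_http_values_as)
        if all(n in client_session for n in names):
            headers, cookies = {}, {}
            for name, (kind, target) in zip(names, send_as):
                (headers if kind == "header" else cookies)[target] = client_session[name]
            resp = backend(headers, cookies)  # user name and password are NOT sent here
            if _accepted(cfg, resp):
                return _subject(cfg, username, resp)
        if not cfg.try_basic_auth_if_token_auth_fails:
            return None
    # Basic authentication with the supplied user name and password
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    resp = backend({"Authorization": "Basic " + basic}, {})
    return _subject(cfg, username, resp) if _accepted(cfg, resp) else None
```

The two alternate back ends exist only to exercise the status-code rule: a 302 response is rejected under the default SuccessfulConnectionStatusCode of 200 unless the configured SSO cookie is present, in which case the provider accepts it regardless of the status.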
Table 64: HTTP/HTTPS Authentication Advanced Properties

Send Password As Cookie (default: None)
(Deprecated) Sends the password to the URL as a cookie with this name. If not specified, the password is not sent in a cookie. This property is normally used when there is a cookie-based SSO mechanism in use (for example, SiteMinder), and the client has included an SSO token in the password.

Use only for backward compatibility. New configurations should use SendClientHttpValuesAs and ClientHttpValuesToSend to configure token authentication.

Username HTTP Header (default: None)
HTTP response header name returned by the HTTP server with the user name retrieved from the token. Upon successful authentication, the user name is added as a SecNamePrincipal.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Regex For User Name Match (default: None)
Regular expression used to match the supplied user name with the user name that is returned by the HTTP server in UsernameHttpHeader. The string "{username}" in the regex is replaced with the specified user name before the regex is used. If specified, the provider compares the user name retrieved from the Username HTTP Header with the user name specified in the callback handler.

If the user names match, both the specified user name and the retrieved user name are added as SecNamePrincipals to the authenticated subject. If the user names do not match, authentication fails.

This property does not apply if the user is to be authenticated with only a supplied user name and password.

Roles HTTP Header (default: None)
(Optional) Name of an HTTP header that the server may return. The header value contains a comma-separated list of roles to be granted.

Token Expiration Time HTTP Header (default: None)
HTTP response header name that is returned by the HTTP server with the validity period of the token, in milliseconds, since the start of January 1, 1970. If the header is returned in the HTTP response from the secured Web server, the token is cached for the duration it remains valid unless TokenExpirationInterval is also configured. If this response header is not returned with the token, the token attached to the authenticated context might be used unintentionally even after it has expired.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Token Expiration Interval (default: 0)
Number of milliseconds to deduct from the actual expiration time returned in TokenExpirationTimeHttpHeader. This ensures that the token credential retrieved from the authenticated session remains valid until it is passed on to the secure Web server for SSO.

This property does not apply if the user is to be authenticated with only a user name and password. If the configured TokenExpirationInterval value exceeds the amount of time the token is valid, authentication by HTTP/HTTPS Authentication fails even if the token is validated successfully by the secured Web server.

Use Legacy Charset (default: Off (false))
To encode HTTP header data using the legacy ISO-8859-1 character set, set to On (true). The default encoding character set is UTF-8.
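The post-authentication checks that the advanced properties describe (the UsernameHttpHeader and RegexForUserNameMatch comparison with "{username}" substitution, the RolesHttpHeader list, and the TokenExpirationTimeHttpHeader minus TokenExpirationInterval cache deadline, including the failure when the interval exceeds the token's validity) are modelled below as an added Python example. This is not SAP Mobile Platform code: the header names X-Auth-User, X-Roles and X-Token-Expires and all header values are constructed samples, and because the page does not say how the regex is applied, the example assumes a whole-string match and escapes the substituted user name so that a user name containing regex metacharacters cannot alter the pattern.

```python
import re
import time
from dataclasses import dataclass


@dataclass
class AdvancedConfig:
    # Fields mirror the documented property names; values are constructed samples.
    username_http_header: str = None               # UsernameHttpHeader
    regex_for_user_name_match: str = None          # RegexForUserNameMatch
    roles_http_header: str = None                  # RolesHttpHeader
    token_expiration_time_http_header: str = None  # TokenExpirationTimeHttpHeader
    token_expiration_interval: int = 0             # TokenExpirationInterval, milliseconds


def resolve_principals(cfg, supplied_user, headers):
    """Return the SecNamePrincipal names to add, or None when the regex check fails."""
    if not cfg.username_http_header or cfg.username_http_header not in headers:
        return [supplied_user]
    returned = headers[cfg.username_http_header]
    if cfg.regex_for_user_name_match:
        # "{username}" is replaced with the supplied name; escaping it is an assumption
        # of this example, so that metacharacters in a user name cannot widen the match.
        pattern = cfg.regex_for_user_name_match.replace("{username}", re.escape(supplied_user))
        if re.fullmatch(pattern, returned) is None:
            return None
        return [supplied_user, returned]
    return [returned]


def resolve_roles(cfg, headers):
    """RolesHttpHeader carries a comma-separated list of roles to grant."""
    if not cfg.roles_http_header or cfg.roles_http_header not in headers:
        return []
    return [r.strip() for r in headers[cfg.roles_http_header].split(",") if r.strip()]


def token_cache_deadline(cfg, headers, now_ms):
    """Milliseconds since the epoch until which the token may be cached.

    Returns None when no expiration header was returned (the page warns that the
    token may then be used after it has expired). Raises ValueError when
    TokenExpirationInterval exceeds the token's remaining validity, which the page
    says makes authentication fail even though the back end accepted the token.
    """
    hdr = cfg.token_expiration_time_http_header
    if not hdr or hdr not in headers:
        return None
    expires_ms = int(headers[hdr])
    deadline = expires_ms - cfg.token_expiration_interval
    if deadline <= now_ms:
        raise ValueError("TokenExpirationInterval exceeds the remaining token validity")
    return deadline


def finish_authentication(cfg, supplied_user, headers, now_ms=None):
    """Combine the checks into the subject that would be built, or None on failure."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    principals = resolve_principals(cfg, supplied_user, headers)
    if principals is None:
        return None
    try:
        deadline = token_cache_deadline(cfg, headers, now_ms)
    except ValueError:
        return None
    return {"principals": principals,
            "roles": resolve_roles(cfg, headers),
            "token_cache_until_ms": deadline}
```

A cache deadline of None is worth alerting on in a deployment: it means the back end returned a token without the expiration header, so nothing bounds how long the cached credential is reused.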

To validate your settings, click Test Settings. A message reports either success or failure; if validation fails, invalid settings are highlighted.