controlFlag Attribute Values
The SAP implementation uses the same controlFlag attribute values and definitions as those defined in the JAAS specification.
If you stack multiple providers, set the controlFlag attribute for each enabled provider.
Control Flag Value | Description |
---|---|
Required | The authentication provider is required. Authentication proceeds down the authentication provider list. |
Requisite | The authentication provider is required. Subsequent behavior depends on the authentication result: |
Sufficient | The authentication provider is not required. Subsequent behavior depends on the authentication result: |
Optional (default) | The authentication provider is not required to successfully authenticate the user. Regardless of success or failure, authentication proceeds down the authentication provider list. |
Example
Providers are listed in this order and with these controlFlag settings:
- X.509 User Certificate (Sufficient)
- Directory Service (LDAP/AD) (Optional)
- HTTP/HTTPS Authentication (Sufficient)
A client performing certificate authentication (for example, X.509 SSO to SAP) can authenticate immediately. Subsequent providers are not called, because they are not required. Regular user name and password credentials, if they exist, go to LDAP, which may authenticate the user and assign roles from the LDAP groups to which the user belongs. Then HTTP/HTTPS Authentication is invoked.
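The evaluation described above, as an added example that is not SAP code: a small Python model of the JAAS controlFlag rules, which the page says the SAP implementation follows, run over the three-provider stack from the example. The function name `evaluate` and the per-provider results are constructed for illustration; the flag rules are those of the JAAS `Configuration` specification.

```python
# Added example: models JAAS controlFlag rules; it is not SAP code.
# evaluate() and the result values below are hypothetical/constructed.

# Provider stack from the page's example, in configured order.
PAGE_STACK = [
    ("X.509 User Certificate", "Sufficient"),
    ("Directory Service (LDAP/AD)", "Optional"),
    ("HTTP/HTTPS Authentication", "Sufficient"),
]

def evaluate(stack, results):
    """Return (overall_success, providers_called).

    stack   -- list of (provider name, controlFlag) in configured order
    results -- dict: provider name -> True if that provider would authenticate
    """
    called = []
    must_failed = False  # a Required/Requisite provider has failed
    must_ok = False      # a Required/Requisite provider has succeeded
    other_ok = False     # a Sufficient/Optional provider has succeeded
    for name, flag in stack:
        ok = bool(results.get(name, False))
        called.append(name)
        flag = flag.lower()
        if flag in ("required", "requisite"):
            must_ok = must_ok or ok
            must_failed = must_failed or not ok
            if flag == "requisite" and not ok:
                break  # Requisite failure: return to the caller at once
        elif flag in ("sufficient", "optional"):
            other_ok = other_ok or ok
            if flag == "sufficient" and ok and not must_failed:
                break  # Sufficient success: later providers are skipped
        else:
            raise ValueError(f"unknown controlFlag: {flag!r}")
    if must_failed:
        return False, called
    # With no Required/Requisite result, one Sufficient/Optional success is enough.
    return (must_ok or other_ok), called

if __name__ == "__main__":
    cases = {  # constructed provider outcomes
        "certificate accepted": {"X.509 User Certificate": True},
        "password accepted by LDAP only": {"Directory Service (LDAP/AD)": True},
        "nothing accepted": {},
    }
    for label, results in cases.items():
        print(label, "->", evaluate(PAGE_STACK, results))
```

Under the JAAS rule, a stack with no Required or Requisite provider authenticates the user as soon as any one provider succeeds, so in this stack an LDAP success alone is enough even when HTTP/HTTPS Authentication then fails.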