Preparing Your Environment for Single Sign-On

Verify that the SAP back end is configured correctly to accept SSO connections from SAP Mobile Platform Server.

  1. Set all parameters for the type of credentials accepted by the server:
    • Technical User
    • Basic (user name and password)
    • X.509 certificate – set up, import, and verify certificates using the Trust Manager (transaction STRUST).
    • Kerberos
    • SSO2 token
    • Custom cookies/headers
    • Principal Propagation
  2. Use the ICM configuration utility to enable the ICM HTTPS port.
  3. Set the type of authentication to enable communication over HTTPS.
    • Server authentication only – the server expects the client to authenticate itself using basic authentication, not SSL
    • Client authentication only – the server requires the client to send authentication information using SSL certificates. The ABAP stack supports both options. Configure the server to use SSL with client authentication by setting the ICM/HTTPS/verify_client parameter:
      • 0 – do not use certificates.
      • 1 – allow certificates (default).
      • 2 – require certificates.
  4. Use the Trust Manager (transaction STRUST) for each PSE (SSL server PSE and SSL client PSE) to make the server's digitally signed public-key certificates available. Use a public key-infrastructure (PKI) to get the certificates signed and into the SAP system.

    For information, see SAP Trust Manager at .

  5. To enable secure communication, SAP Mobile Platform Server and the SAP server that it communicates with must exchange valid CA X.509 certificates. Deploy these certificates, which are used during the SSL handshake with the SAP server, into the SAP Mobile Platform Server keystore.
  6. The user identification (distinguished name), specified in the certificate must map to a valid user ID in the AS ABAP, which is maintained by the transaction SM30 using table view (VUSREXTID).

    See Configuring the AS ABAP for Supporting SSL at