
Stacking Authentication Providers and Combining Results

Implement multiple authentication providers to provide a security solution that meets complex security requirements.

Context

SAP recommends stacking providers to obtain more precise authentication results, especially in production environments that require different authentication schemes for administrators, push-notification senders, and so on. Stacking is implemented with the controlFlag attribute, which determines how the result of each provider contributes to the overall result when multiple providers are enabled. Set controlFlag on each provider to refine how its result is processed.

For example, if your administrative users (smpAdmin in a default installation) are not users in a back-end system such as SAP, and are authenticated with the default security configuration, they cannot also be authenticated by the HTTP/HTTPS Authentication provider, which is used for SSO2Token retrieval. In this case, stack a second authentication provider with controlFlag=sufficient for your administrative users, so that a successful login through that provider is enough on its own.

In a custom security profile (recommended), a technical user who is not an SAP user can send push notifications. Technical users do not need SSO, because they do not access back-end data; however, they must still be authenticated by SAP Mobile Platform Server. To enable a technical user to log in, add another authentication provider to the profile.

Procedure

  1. Use Management Cockpit to create a security profile and add multiple providers as required for authentication.
  2. Assign priority to multiple providers by selecting an authentication provider, and clicking the up or down arrows to position the provider correctly in the list.
    The order of the list determines the order in which the providers are invoked and their results evaluated.
  3. For each provider:
    1. Select the provider name.
    2. Set the controlFlag property to the appropriate value: Required, Requisite, Sufficient, or Optional.
      See controlFlag Attribute Values for descriptions of each value.
    3. Configure any other common security properties as required.
  4. Click Save.

Example

If you have sorted these authentication providers in the following order and used the corresponding controlFlag values, the results are processed as shown. Each of the eight result columns is one login attempt; a cell shows whether that provider succeeded or failed for the attempt.

Provider                     controlFlag   Authentication result
                                           1        2        3        4        5        6        7        8
Directory Service (LDAP/AD)  Required      succeed  succeed  succeed  succeed  fail     fail     fail     fail
HTTP/HTTPS Authentication    Sufficient    succeed  fail     fail     fail     succeed  fail     fail     fail
System Login (Admin Only)    Requisite     *        succeed  succeed  fail     *        succeed  succeed  fail
X.509 User Certificate       Optional      *        succeed  fail     *        *        succeed  fail     *
Overall result                             succeed  succeed  succeed  fail     fail     fail     fail     fail

An asterisk means the corresponding authentication provider is not called, because of a combination of the outcomes of the previous providers in the list and their controlFlag values. For example:
  • In result column 1, both Directory Service (LDAP/AD) and HTTP/HTTPS Authentication succeed. Because HTTP/HTTPS Authentication is Sufficient, processing stops there and System Login (Admin Only) and X.509 User Certificate are not invoked.
  • In result column 2, HTTP/HTTPS Authentication is Sufficient but fails, so processing continues down the list and the System Login (Admin Only) provider is invoked.
  • In result column 4, System Login (Admin Only) is Requisite and fails, so processing stops immediately: X.509 User Certificate is not invoked and the overall result is fail.
  • In result column 5, HTTP/HTTPS Authentication succeeds and, being Sufficient, stops further processing, but the overall result is still fail because the Required Directory Service (LDAP/AD) provider failed earlier in the list. A Sufficient success never overrides an earlier Required or Requisite failure.
  • If authentication succeeds and either the Kerberos or Principal Propagation provider is in the stack, it is always invoked to add SSO credentials.
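The following simulator, added here as an illustration and not part of SAP Mobile Platform or the Management Cockpit, implements the JAAS combination rules for Required, Requisite, Sufficient and Optional and replays the eight result columns of the table above, reproducing the asterisks (providers that are never called) and the overall result. It also evaluates a hypothetical two-provider stack for the administrator case from the Context section, where System Login is stacked as Sufficient behind the HTTP/HTTPS provider. Provider names are taken from the table; the stack layouts, the function names and the ADMIN_STACK scenario are assumptions for the example, and the SSO-credential step (Kerberos / Principal Propagation) that runs after a successful login is not modelled.

```python
"""Simulate JAAS-style controlFlag evaluation of a stacked provider list.

Added example, not SAP Mobile Platform code. The combination rules are the
standard JAAS LoginContext rules; the stacks and scenarios are constructed
here to mirror the documentation table.
"""
from enum import Enum
from typing import Dict, List, Optional, Sequence, Tuple


class Flag(Enum):
    REQUIRED = "Required"
    REQUISITE = "Requisite"
    SUFFICIENT = "Sufficient"
    OPTIONAL = "Optional"


# One entry per provider in stack order: True = succeed, False = fail,
# None = not called (an asterisk in the documentation table).
Trace = List[Optional[bool]]


def evaluate_stack(stack: Sequence[Tuple[str, Flag]],
                   outcomes: Dict[str, bool]) -> Tuple[bool, Trace]:
    """Walk the stack top to bottom the way a JAAS LoginContext does.

    `outcomes` says what each provider would return *if* it is called.
    Returns (overall result, per-provider trace).
    """
    trace: Trace = []
    mandatory_failed = False  # a Required/Requisite provider has failed
    has_mandatory = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f in stack)

    for i, (name, flag) in enumerate(stack):
        result = outcomes[name]
        trace.append(result)
        remaining = len(stack) - i - 1

        if flag is Flag.REQUIRED and not result:
            mandatory_failed = True        # keep going, but the login is already lost
        elif flag is Flag.REQUISITE and not result:
            trace.extend([None] * remaining)   # stop immediately
            return False, trace
        elif flag is Flag.SUFFICIENT and result:
            trace.extend([None] * remaining)   # stop immediately ...
            return not mandatory_failed, trace  # ... unless a mandatory provider already failed
        # Optional never changes the outcome; a failed Sufficient just continues

    if mandatory_failed:
        return False, trace
    if has_mandatory:
        return True, trace                 # every Required/Requisite provider succeeded
    # No mandatory providers at all: at least one Sufficient/Optional must succeed
    return any(r is True for r in trace), trace


# Provider order and controlFlag values from the documentation table.
DOC_STACK = [
    ("Directory Service (LDAP/AD)", Flag.REQUIRED),
    ("HTTP/HTTPS Authentication", Flag.SUFFICIENT),
    ("System Login (Admin Only)", Flag.REQUISITE),
    ("X.509 User Certificate", Flag.OPTIONAL),
]

# The eight result columns (LDAP, HTTP, System Login, X.509) as what each
# provider *would* return. Providers the table marks "*" are never reached,
# so their entries here are placeholders.
DOC_COLUMNS = [
    (True, True, False, False),
    (True, False, True, True),
    (True, False, True, False),
    (True, False, False, False),
    (False, True, False, False),
    (False, False, True, True),
    (False, False, True, False),
    (False, False, False, False),
]


def replay_table(stack=DOC_STACK, columns=DOC_COLUMNS) -> List[Tuple[bool, Trace]]:
    """Evaluate every column; returns [(overall, trace), ...] in column order."""
    names = [name for name, _ in stack]
    return [evaluate_stack(stack, dict(zip(names, col))) for col in columns]


def render(stack, results) -> str:
    """Lay the results out like the documentation table (succeed / fail / *)."""
    word = {True: "succeed", False: "fail", None: "*"}
    rows = []
    for i, (name, flag) in enumerate(stack):
        cells = " ".join(f"{word[trace[i]]:<8}" for _, trace in results)
        rows.append(f"{name:<28} {flag.value:<10} {cells}")
    rows.append(f"{'Overall result':<39} " + " ".join(f"{word[ok]:<8}" for ok, _ in results))
    return "\n".join(rows)


# Hypothetical stack for the administrator case: smpAdmin is not in the
# back-end, so HTTP/HTTPS fails for that account, and a Sufficient System
# Login provider behind it lets the administrator in on its own.
ADMIN_STACK = [
    ("HTTP/HTTPS Authentication", Flag.SUFFICIENT),
    ("System Login (Admin Only)", Flag.SUFFICIENT),
]


def admin_login(http_ok: bool, system_login_ok: bool) -> bool:
    overall, _ = evaluate_stack(ADMIN_STACK, {
        "HTTP/HTTPS Authentication": http_ok,
        "System Login (Admin Only)": system_login_ok,
    })
    return overall


if __name__ == "__main__":
    print(render(DOC_STACK, replay_table()))
    print("smpAdmin (fails HTTP, passes System Login):", admin_login(False, True))  # True
```

Result column 5 is the one worth checking by hand: the Sufficient provider stops processing, yet the login fails because the Required provider above it already failed. Moving a Sufficient provider above a Required one changes that outcome, which is why the position of each provider in the Management Cockpit list matters as much as its controlFlag value.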

For more detailed information on JAAS providers, see the Java Authentication and Authorization Service (JAAS) Reference Guide (information published on a non-SAP site).