Administrator

Planning Your Security Landscape

The security support matrices detail how SAP Mobile Platform supports various security configurations for client authentication and for using SSO to back-end systems. To correctly plan your security environment, you must understand the authentication types, and the corresponding authentication providers, client types, and applications.

Client Authentication

When administering client authentication in SAP Mobile Platform, ensure you use supported authentication providers for your authentication and client types. Use this matrix to understand the supported authentication scenarios for device (client) to SAP Mobile Platform Server connections, and the corresponding supported application types.

Table 51: SAP Mobile Platform Client Authentication Matrix
Columns: Authentication Type; Description; Authentication Providers; Supported Application Types

Anonymous
  Description: No user authentication; grants read-only access to application data by assigning the anonymous security profile to the application.
  Authentication Providers: No specific authentication provider is required.
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

Basic authentication
  Description: User name and password authentication.
  Authentication Providers:
  • HTTP/HTTPS Authentication
  • Directory Service (LDAP/AD)
  • System Login (Admin Only)
  • No Authentication Challenge
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

External token-based SSO
  Description: An application has custom code or logic to obtain a security token from a service that is external to SAP Mobile Platform. This token is added to the HTTP header, and SAP Mobile Platform uses it for authentication. CA Single Sign-On is an example of a token-based SSO implementation.
  Authentication Providers:
  • Populate JAAS Subject From Client
  • HTTP/HTTPS Authentication
  Supported Application Types:
  • native
  • Web

Network-edge token-based SSO
  Description: The user enters credentials (either user name and password or an X.509 certificate), and the credentials are checked at the network edge. When the credentials are validated, a security token (typically a cookie) is added to the proxied client request; SAP Mobile Platform validates the security token rather than the original user credentials. CA Single Sign-On is an example of a token-based SSO implementation.
  Authentication Providers:
  • Populate JAAS Subject From Client
  • HTTP/HTTPS Authentication
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

SAML2
  Description: Grants access to resources for which a trusted identity provider exists. Used with an SSO provider, such as Kerberos or Principal Propagation, SAML2 access can extend to all back-end resources that are configured for those providers, after a user logs in. SAP Mobile Platform Server must initiate the SAML authentication sequence; clients cannot authenticate to SAP Mobile Platform Server by presenting an existing SAML assertion.
  Authentication Providers:
  • SAML2
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

X.509 certificate
  Description: Mutual certificate authentication. (Agentry only) Supported for client platforms that have certificate-provisioning OS support, or if a custom OpenUI authentication module is provided that can retrieve a client-side certificate.
  Authentication Providers:
  • X.509 User Certificate
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

Single Sign-On to Back-End Systems

When you administer SSO to SAP Mobile Platform back-end systems, use supported authentication providers for your SSO mechanism and application types. Use this matrix to understand the supported authentication scenarios for SAP Mobile Platform Server to back-end connections, and the corresponding supported application types.

Table 52: SAP Mobile Platform SSO Authentication Matrix
Columns: SSO Mechanism; Description; Supported Authentication Providers; Supported Application Types

Basic authentication
  Description: Connects to the back end with a user name and password. The provider that is configured in the security profile must authenticate the end user with the user name and password.
  Supported Authentication Providers:
  • HTTP/HTTPS Authentication
  • Directory Service (LDAP/AD)
  • System Login (Admin Only)
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

SSO2 Token
  Description: Authenticates a user to the back end using a MYSAPSSO2 token. You can use this mechanism only if an HTTP/HTTPS Authentication provider is configured in the security profile and it authenticates the end user to SAP Mobile Platform Server against a Web server that returns a MYSAPSSO2 token.
  Supported Authentication Providers:
  • HTTP/HTTPS Authentication
  Supported Application Types:
  • hybrid
  • native
  • Web

Technical User Basic
  Description: Connects to the back end using the technical user's user name and password.
  Supported Authentication Providers: Any
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

Technical User X.509
  Description: Connects to the back end using the configured technical-user X.509 certificate.
  Supported Authentication Providers: Any
  Supported Application Types:
  • hybrid
  • native
  • Web

Kerberos
  Description: Kerberos can create its token after an authentication provider that you specify authenticates the user. The token then provides SSO access to all back-end resources that are grouped into the same realm in your Kerberos system. The server sets the Kerberos token value in the Authorization: Negotiate <Kerberos token ticket value> header. Configure the back end to authenticate users with Kerberos. You can use this mechanism only if the Kerberos provider is configured in the security profile. The server obtains a Kerberos access token for the specified realm and service name; the realm contains the back-end resources to which you want to provide SSO access.
  Supported Authentication Providers: Any authentication provider, plus the Kerberos provider
  Supported Application Types:
  • Agentry
  • hybrid
  • native
  • Web

Custom
  Description: Sends configured headers/cookies with values derived from regular expressions. This is a generic mechanism to pass SSO details that are not covered by other explicit mechanisms.
  Supported Authentication Providers: Any
  Supported Application Types:
  • native
  • hybrid
  • Web

X.509 single sign-on
  Description: Connects to the back end using the configured technical-user X.509 certificate. The end-user certificate is passed in the SSL_CLIENT_CERT HTTP header. Configure the back end to allow the technical user to impersonate the end user and execute the request in the context of the end user. The end-user certificate can be generated by the Principal Propagation provider that is configured in the security profile, or it can be supplied by the end user when he or she authenticates to the server over a mutually authenticated HTTPS connection. To use this mechanism, configure the security profile to include either the X.509 User Certificate authentication provider, or the Principal Propagation provider together with an authentication provider.
  Supported Authentication Providers:
  • X.509 User Certificate, or
  • Any authentication provider other than X.509 User Certificate, plus the Principal Propagation provider
  Supported Application Types:
  • native
  • hybrid
  • Web
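The X.509 single sign-on mechanism above depends on a back-end check the matrix only names: the SSL_CLIENT_CERT header may be honoured only when the request arrives from the configured technical user over a mutually authenticated connection, and from any other peer it is untrusted input. The following is an added example of that check in Python, not SAP's code; the technical-user CN, the fingerprint-to-user map and the placeholder certificate bytes are constructed for the example.

```python
import base64
import hashlib
import ssl

# Assumed: CN the back end expects in the technical user's mTLS client cert.
TECHNICAL_USER_CN = "smp-technical-user"

# Constructed placeholder bytes standing in for an end-user certificate's DER
# encoding (a real deployment carries a Principal Propagation or user mTLS cert).
_DEMO_END_USER_DER = b"constructed-end-user-certificate-bytes"
DEMO_END_USER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_DEMO_END_USER_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

def cert_fingerprint(pem):
    """SHA-256 over the DER form of a PEM certificate; ValueError if malformed."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def peer_common_name(peer_cert):
    """CN of the transport-level client certificate (ssl getpeercert() dict shape)."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def resolve_end_user(peer_cert, headers, user_by_fingerprint):
    """Return (accepted, user, reason). SSL_CLIENT_CERT is honoured only when the
    mTLS peer is the technical user; from any other peer it is an injected header."""
    header_cert = headers.get("SSL_CLIENT_CERT")
    cn = peer_common_name(peer_cert)
    if cn == TECHNICAL_USER_CN:
        if header_cert is None:
            return False, None, "technical user sent no SSL_CLIENT_CERT"
        try:
            user = user_by_fingerprint.get(cert_fingerprint(header_cert))
        except ValueError:
            return False, None, "SSL_CLIENT_CERT is not valid PEM"
        if user is None:
            return False, None, "end-user certificate not mapped to a user"
        return True, user, "impersonated by technical user"
    if header_cert is not None:
        return False, None, "SSL_CLIENT_CERT rejected from non-technical peer"
    if cn is None:
        return False, None, "no client certificate presented"
    return True, cn, "direct mTLS identity"
```

Mapping end-user certificates by fingerprint keeps the example free of ASN.1 parsing; a production back end would additionally verify the header certificate's chain against the Principal Propagation CA before consulting the map.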