Network-Edge Authentication

In network-edge authentication, the SSO system intercepts an unauthenticated client request, challenges the client to authenticate, and adds an SSO cookie to the request before forwarding it to SAP Mobile Platform Server. Network-edge authentication is the most common SAP Mobile Platform SSO scenario.

Network-edge authentication allows administrators to configure which client values can be used for authentication into SAP Mobile Platform Server.

Client applications can connect to reverse-proxy servers or agents at the network edge. These agents perform authentication and return authenticated tokens, delivered as HTTP cookies or HTTP headers. An example of an HTTP-based SSO provider is SiteMinder, running inside the enterprise, and its SiteMinder agent, running inside an Apache reverse-proxy server at the network edge.

SAP Mobile Platform uses the HTTP/HTTPS Authentication provider to reach out to a Web server that is integrated into the SSO system. Through that server, the provider validates the SSO cookie, learns how long the cookie is valid, and extracts information about the user identified by the cookie, such as her security roles.

To ensure that SAP Mobile Platform Server knows who a user is after a successful SSO-based login, in Management Cockpit, select Check Impersonation in the security profile settings. In network-edge authentication, the user identity (Principal) may be added as an additional header at the network edge.
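
The validation flow described above, modelled as an added example (not SAP code or SAP's API). The cookie name, the principal header name, the attribute keys and the `validate` callable that stands in for the HTTP call to the SSO-integrated Web server are all assumptions, as is reading the impersonation check as a comparison between the edge-supplied principal and the identity the SSO system returns for the cookie.

```python
import time
from dataclasses import dataclass

SSO_COOKIE = "SSOSESSION"         # assumed name of the cookie set by the edge agent
PRINCIPAL_HEADER = "X-Edge-User"  # assumed header carrying the user identity

@dataclass
class Session:
    user: str
    roles: frozenset
    expires_at: float

class AuthError(Exception):
    pass

def parse_cookies(header):
    """Parse a Cookie request header into a name -> value dict."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def authenticate(headers, validate, check_impersonation=True, now=None):
    """Validate the SSO cookie through `validate`, then compare the identity
    it returns with the principal header added at the network edge."""
    now = time.time() if now is None else now
    token = parse_cookies(headers.get("Cookie", "")).get(SSO_COOKIE)
    if not token:
        raise AuthError("no SSO cookie: request did not pass the edge agent")
    status, info = validate(token)
    if status != 200:
        raise AuthError("SSO system rejected the cookie")
    expires_at = now + int(info["max-age"])  # how long the cookie stays valid
    if expires_at <= now:
        raise AuthError("SSO cookie already expired")
    claimed = headers.get(PRINCIPAL_HEADER)
    if check_impersonation and claimed is not None and claimed != info["user"]:
        raise AuthError("principal header does not match cookie identity")
    roles = frozenset(r for r in info.get("roles", "").split(",") if r)
    return Session(info["user"], roles, expires_at)

# Constructed stub for the validation endpoint: token -> (status, attributes).
def stub_validate(token):
    known = {"tok-alice": {"user": "alice", "roles": "Sales,Manager",
                           "max-age": "900"}}
    return (200, known[token]) if token in known else (401, {})
```

A request that carries a valid cookie for one user but a principal header naming another is rejected unless `check_impersonation` is turned off, which is why the header must only ever be set by the edge agent and stripped from anything the client sends.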