Single Sign-On Mechanisms
The SAP Mobile Platform Server OData proxy service supports the use of one or more single sign-on (SSO) mechanisms.
In single sign-on implementations, clients log in to SAP Mobile Platform Server, and then the server uses the authentication providers that you configure in the security profile to authenticate the clients to back-end systems.
|Basic Authentication||Connects to the back end with the end user's user name and password. The provider that is configured in the security profile must authenticate the end user with a user name and password, for example, HTTP/HTTPS Authentication, Directory Service (LDAP/AD), or System Login (Admin Only).|
|SAPAssertionSSO||Authenticates the user to the back end with a MYSAPSSO2 token.
To use this mechanism, all of the following must be true:
|X.509 Authentication||Connects to the back end using the configured technical user's X.509 certificate. The end-user certificate is passed in the HTTP
Configure the back end:
Refer to your back-end system documentation for more information.
|Kerberos||Enter the Kerberos realm and the service name. Connects to the back end by setting the Kerberos token value in the Authorization: Negotiate <Kerberos token> header. Configure the back end to authenticate users with Kerberos.
You can use this mechanism only if the Kerberos provider is configured in the security profile. The server obtains a Kerberos access token for the specified realm and service name. The realm contains the back-end resources to which you want to provide SSO access.
|Technical User Basic (TechUserBasic)||Enter the user name and password for the technical user. Connects to the back end using these credentials.
You can use this SSO mechanism with any authentication-provider configuration in the security profile.
|Technical User X.509 (TechUserX509)||Connects to the back end using the configured technical-user X.509 certificate.
If selected, also choose a Certificate Alias. The list contains the alias values for certificates in the shared server keystore, smp_keystore.jks.
You can use this mechanism with any authentication-provider configuration in the security profile.
|Custom Authentication||Sends configured headers/cookies with values derived from a regular expression. This is a generic mechanism to pass SSO details that are not covered by other explicit mechanisms. Select Custom,
|No Authentication||Back ends require no credentials for authentication. Your destination is granted direct access to relevant on-premise services.|
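
The following is an added example, not taken from the SAP documentation: a back-end-side check that reports which of the header-based mechanisms above a proxied request carries, and flags Basic credentials that arrive without TLS. The function name `classify_sso`, the headers-as-dict input, and delivery of the MYSAPSSO2 token as a cookie of that name are assumptions; the sample requests are constructed.

```python
import base64

def _b64(value):
    """Strictly decode base64; return None when the value is malformed."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def classify_sso(headers, tls=True):
    """Return (mechanism, findings) for one request's headers (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    scheme, _, value = h.get("authorization", "").partition(" ")
    scheme, value = scheme.lower(), value.strip()
    # Minimal cookie parsing: "name=value; name2=value2"
    cookies = dict(p.strip().partition("=")[::2]
                   for p in h.get("cookie", "").split(";") if "=" in p)

    if scheme == "negotiate":
        # Kerberos row: Authorization: Negotiate <Kerberos token>
        if not _b64(value):
            findings.append("Negotiate token is empty or not valid base64")
        return "Kerberos", findings
    if scheme == "basic":
        # The header alone cannot tell an end user from a technical user.
        raw = _b64(value)
        try:
            _user, sep, _pw = (raw or b"").decode("utf-8").partition(":")
        except UnicodeDecodeError:
            sep = ""
        if not sep:
            findings.append("malformed Basic credentials")
        if not tls:
            # base64 is an encoding, not encryption
            findings.append("Basic credentials sent without TLS are recoverable")
        return "Basic Authentication", findings
    if cookies.get("MYSAPSSO2"):  # assumption: token arrives as this cookie
        return "SAPAssertionSSO", findings
    # X.509 and Custom are not covered: their header names are not given above.
    return "unrecognized", findings

if __name__ == "__main__":
    # Constructed sample requests
    basic = base64.b64encode(b"user:pass").decode()
    print(classify_sso({"Authorization": "Basic " + basic}, tls=False))
    print(classify_sso({"Cookie": "lang=en; MYSAPSSO2=CONSTRUCTEDTICKET"}))
```
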