Administrator

Single Sign-On Mechanisms

The SAP Mobile Platform Server OData proxy service supports the use of one or more single sign-on (SSO) mechanisms.

In single sign-on implementations, clients log in to SAP Mobile Platform Server, and then the server uses the authentication providers that you configure in the security profile to authenticate the clients to back-end systems.

SSO mechanisms and their descriptions:

Basic Authentication: Connects to the back end with the end user's user name and password. The provider that is configured in the security profile must authenticate the end user with a user name and password, for example, HTTP/HTTPS Authentication, Directory Service (LDAP/AD), or System Login (Admin Only).
SAPAssertionSSO: Authenticates the user to the back end with a MYSAPSSO2 token.
To use this mechanism, all of the following must be true:
  • The security profile includes either the HTTP/HTTPS Authentication or the SAPSSO2 Generator provider.

  • The provider authenticates end users to SAP Mobile Platform Server against a Web server that returns a MYSAPSSO2 token.

  • The back-end server is configured to trust the signer of the MYSAPSSO2 token.

X.509 Authentication: Connects to the back end using the configured technical user's X.509 certificate. The end-user certificate is passed in the HTTP ssl_client_certificate header.
Configure the back end:
  • Allow a technical user to impersonate an end user by passing the end user's certificate in the ssl_client_certificate header and executing the request in the context of the end user. The end-user certificate may be generated by the Principal Propagation provider that is configured in the security profile, or it may be supplied by the end user when he or she authenticates to the server over a mutually authenticated HTTPS connection. You can use this mechanism with either the X.509 User Certificate authentication provider or the Principal Propagation provider that is configured in the security profile.

  • Map the user certificate presented in the HTTP header to a user who is configured in the user store.

  • Verify that the back-end service can be accessed using SSL certificates.

Refer to your back-end system documentation for more information.
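As an added example (not from the SAP documentation or product), the following shows how a back end can enforce the trust boundary that the X.509 mechanism relies on: the ssl_client_certificate header is honoured only when the TLS peer is a known technical user, and the end-user certificate is then mapped to the user store; any other caller is mapped by its own client certificate and the header is ignored. Assumptions: the header carries the certificate as base64-encoded DER, the user store maps SHA-256 certificate fingerprints to user IDs, and all names and byte strings are constructed.

```python
import base64
import hashlib
from typing import Mapping, Optional

# Constructed stand-ins for DER certificate bytes (not real certificates):
# the OData proxy's technical-user client cert and two end-user certs.
TECH_USER_DER = b"constructed-der:technical-user-smp-proxy"
ALICE_DER = b"constructed-der:end-user-alice"
UNKNOWN_DER = b"constructed-der:certificate-not-in-user-store"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()

def encode_header(der: bytes) -> str:
    """Encode a certificate as the assumed base64-DER header value."""
    return base64.b64encode(der).decode("ascii")

# Assumed back-end trust configuration (constructed values): technical
# users allowed to impersonate, and the user-store mapping from end-user
# certificate fingerprint to user ID.
TRUSTED_TECHNICAL_USERS = {fingerprint(TECH_USER_DER): "SMP_PROXY"}
USER_STORE = {fingerprint(ALICE_DER): "alice"}

def resolve_effective_user(tls_peer_der: Optional[bytes],
                           headers: Mapping[str, str]) -> Optional[str]:
    """Return the user ID the request should run as, or None to reject it.

    tls_peer_der is the client cert from the mutually authenticated HTTPS
    connection (None if absent). The ssl_client_certificate header is
    honoured only when that peer is a trusted technical user.
    """
    if tls_peer_der is None:
        return None  # no client certificate: nothing to authenticate
    peer_fp = fingerprint(tls_peer_der)
    header = next((v for k, v in headers.items()
                   if k.lower() == "ssl_client_certificate"), None)
    if peer_fp not in TRUSTED_TECHNICAL_USERS:
        # Ignore the header from any other caller, so a direct client
        # cannot impersonate another user simply by setting it.
        return USER_STORE.get(peer_fp)
    if header is None:
        return None  # technical user must state whom it acts for
    try:
        end_user_der = base64.b64decode(header, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return USER_STORE.get(fingerprint(end_user_der))  # None if unmapped
```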

Kerberos: Enter the Kerberos realm and the service name. Connects to the back end by setting the Kerberos token value in the Authorization: Negotiate <Kerberos token> header. Configure the back end to authenticate users with Kerberos.

You can use this mechanism only if the Kerberos provider is configured in the security profile. The server obtains a Kerberos access token for the specified realm and service name. The realm contains the back-end resources to which you want to provide SSO access.

Technical User Basic (TechUserBasic): Enter the user name and password for the technical user. Connects to the back end using these credentials.

You can use this SSO mechanism with any authentication-provider configuration in the security profile.

Technical User X.509 (TechUserX509): Connects to the back end using the configured technical-user X.509 certificate.

If selected, also choose a Certificate Alias. The list contains the alias values for certificates in the shared server keystore, smp_keystore.jks.

You can use this mechanism with any authentication-provider configuration in the security profile.

Custom Authentication: Sends configured headers or cookies with values derived from a regular expression. This is a generic mechanism to pass SSO details that are not covered by other explicit mechanisms. Select Custom, and enter:
  • Name – name of the header or cookie.
  • Pattern – header or cookie value.
  • Type – header or cookie.
No Authentication: Back ends require no credentials for authentication. Your destination is granted direct access to relevant on-premise services.