Application and Device Security Overview
Developers and administrators can combine multiple mechanisms to fully secure applications and devices. SAP Mobile Platform security features for devices include data encryption, login screens, and data vaults for storing sensitive data.
Key SAP Mobile Platform security features for devices include the encryption of data, the implementation of login screens, and the use of DataVault to store sensitive data. Application security is based mainly on the mapping of roles within a security configuration. A security profile defines the authentication and authorization security provider for an application package's access control and activities. For example, for an application, an administrator may create a security profiles that points to the LDAP server for authentication and authorization, and does not associate any provider for attribution and auditing.
Single sign-on (SSO) enables mobile device application users to enter credentials only once to gain access to all resources, including servers, packages, and data sources related to that application. SAP Mobile Platform supports SSO authentication for mobile clients that access data from an SAP back end using either X.509 certificates or SSO logon tickets (SSO2). In addition, administrators can use their SSO system of choice with SAP Mobile Platform to achieve end-to-end integration across client applications and back-end resources. In addition to supporting X.509 certificate security, SAP Mobile Platform expands single sign-on support to third-party and standard single sign-on mechanisms. With expanded single sign-on support, SAP Mobile Platform enables the authentication framework to accept HTTP headers and cookies propagated by the client or a proxy server and then authenticate and propagate the user to the back end.
SAP Mobile Platform supports Afaria device management and security functionality. Developers may create client applications that can generate certificate requests which in turn are passed through Afaria to the corporate PKI system for CA signature. If Afaria is not deployed, the process for generating and provisioning client certificates follows the standard corporate certificate request and renewal process. Afaria device management and security functionality includes features such as remote device locking, remote data cleanup, data fading (a feature that enables the IT administrator to lock, wipe, or reset a device that has not communicated with the corporate network or Afaria server after a predetermined number of days), and password expiration management.