(Android, iOS, Windows 8.1, and Windows 10) Manage application registration and authentication processes either through SAP Mobile Platform Server, SAP Cloud Platform mobile service for development and operations or through SAP Gateway server.
Most of the Hybrid SDK (Kapsel) plugins rely upon the services provided by the Logon plugin. This plugin manages the process of onboarding applications with SAP Mobile Platform Server, and authenticating users. The Logon plugin, where available, interfaces with Client Hub and pulls certificates from Afaria.
The SAP Mobile Platform Server integrates with common security providers such as HTTP/HTTPS Authentication, Directory Service (LDAP), or X.509 user certificate. The Logon plugin provides a login screen where the user can enter the values needed to connect to SAP Mobile Platform server using one of these providers, and stores those values in its own secure datavault.
Datavault and Passcode Policy
The datavault provided with the Logon plugin is a separate datavault from the one provided with the EncryptedStorage plugin, and is used to store user names, password, and keys, while the EncryptedStorage plugin is suited to storing application data. The datavault stores the server connection details and, in basic authentication, the username and password. In certificate-based authentication, the certificate is not stored in the datavault.
You set a passcode policy on the SAP Mobile Platform Server. The client downloads this policy after a successful user login. To unlock a datavault, you provide a passcode if the policy requires one. If the policy does not require a passcode, you do not need to provide a passcode. However, a policy that does not require a passcode is unsecure and is not recommended.
When not using the datavault, it can timeout and the datavault locks itself upon the time expiration in the passcode policy. Note: even though you could be using an application actively, if you are not accessing the datavault, it can timeout. You can first notice the datavault lock, when you try to access the application.
The datavault is deleted if the user forgets their passcode while unlocking the application and expires the maximum number of attempts to login, or explictly deletes the registration. Data stored by the EncryptedStorage plugin is also deleted, because once the datavault is deleted this data would no longer be accessible. For security reasons, when the datavault is deleted, the Login plugin sends a notification to the other Kapsel plugins so they can clean up their data if required.
The initPasscodeManager method allows you to use datavault and passcode policy features of Logon plugin, without registering with an SAP Mobile Platform server.
- Use deletePasscodeManager method to delete datavault and all data stored.
Logon States During Application Onboarding
The following states occur in the Logon plugin during Hybrid SDK (Kapsel) application onboarding:
- Unregistered: this state occurs when you launch the application for the first time, and prior to registration with the server.
- Registered: this state occurs when you have successfully registered with SAP Mobile Platform or Netweaver Gateway. The registration information has not been persisted into the datavault.
Fully registered: this state occurs when the registration information has been persisted into the datavault. The datavault is protected by the user selected password, or by a system-generated default password. (If allowed by the application developer, and the user chooses to disable the password, then the datavault is still encrypted, but a system-generated default password is used to protect the datavault).
The Logon plugin lets the user lock and unlock the application, to protect sensitive data. If you call the unlock method with a system-generated password, you can call the method without need to provide the password. Using a default password is less secure as the datavault can be unlocked without the user providing a password. The datavault can be in the following states:
- Datavault locked: the datavault is locked and requires a passcode to unlock it before accessing the application data.
- Datavault unlocked: The passcode for the datavault has been verified, and the datavault is available for access.
Support for Online Applications
The Hybrid SDK (Kapsel) supports online applications that do not require onboarding by providing a passcode management API in the Logon plugin. This support allows you to use functionality such as passcode and encrypted storage in your online application, without requiring your application to onboard with SAP Mobile Platform Server.
The passcode management API in the Logon plugin allows you to create and delete a datavault without registering with SAP Mobile Platform. You can use the passcodePolicy parameters to set the passcode policy, and the context parameter to set the default passcode shown in the setting passcode screen, so the user does not need to type the passcode on the mobile device. You can return the passcode policy by calling the sap.Logon.core.getContext API.
After the datavault is created, you manage the datavault using the existing datavault management API in the Logon plugin, including the methods managePasscode, unlock, lock, set, and get.
Kapsel supports the following security configurations:
- Basic authentication (HTTP)
- Basic authentication (HTTPS)
- Basic authentication + OTP
- External token-based SSO
- Mutual certificate authentication between the client and SAP Mobile Platform Server
- Network-edge token-based SSO
- Non Network edge
- OAuth authentication
- SAML + OTP (One Time Pin)
- SSO over HTTP
- SSO over HTTPS
- SSO with certificate (X509) MCIM
- SSO with token - MCIM
- SSO with username password - MCIM
From the client perspective, the client authenticates either through basic authentication, or through mutual certificate authentication. In the basic authentication scenario, the client must provide a client certificate that is signed by a certificate authority trusted by the server.
For Android, if a system certificate is required for registration, the system certificate provider can be used. To use the system certificate provider, add “certificate”:”com.sap.SystemCertProvider” to the context given to the Logon plugin.
- SAP Mobile Platform supported authentication scenarios, see Planning Your Security Landscape in Administrator
- SAP Cloud Platform mobile service for development and operations supported authentication scenarios, see Application Authentication in Administrator > Security Landscape Design
The Hybrid SDK (Kapsel) plugins support Apache Cordova's domain whitelisting model. Whitelisting allows you to control access to external network resources. Apache Cordova whitelisting allows you to whitelist individual network resources (URLs), for example, http://www.google.com.
For information about the whitelist rules, see http://docs.phonegap.com/en/3.3.0/guide_appdev_whitelist_index.md.html.