
This section provides an overview of the supported authentication methods for mobile device application scenarios based on the SAP Mobile Platform (SMP) infrastructure.
For this scenario, SAP NetWeaver Gateway supports multiple authentication options, including the following:
X.509 client certificate
Requires a PKI for certificate distribution (Afaria is optional). SMP .1 terminates the SSL and TLS handshake and establishes a new HTTPS connection to SAP NetWeaver Gateway, forwarding the client certificate in the HTTP header.
Portal SSO
Leverages an external authentication provider, for example Enterprise Portal (EP). SAP NetWeaver Gateway trusts SAP Logon tickets issued by the portal, based on the user's credentials in the portal. Secure credentials caching on the device is required.
Basic (SAP NetWeaver Gateway user name and password)
Requires secure credentials caching on the device. The application should support changing initial and expired user passwords.
The password can be locked out as a result of a DDoS attack.
Summary:
Consumer:
Any mobile device supported by the consumer SDK.
Device registration on SMP is two-factor authenticated.
Afaria is used for initial provisioning, including X.509 client certificate distribution.
Connectivity Layer:
The relay server facilitates outside connections to the SAP Mobile Platform (SMP server).
SAP NetWeaver Gateway:
SMP terminates the client request and validates the device against the known device list.
Based on the authentication option:
Certificate forwarding between SMP and SAP NetWeaver Gateway. SMP requests an SAP Logon ticket from the portal (EP) and forwards it to SAP NetWeaver Gateway.
Business Layer
SAP NetWeaver Gateway uses a trusted RFC connection to access back-end services with a named user.
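
With certificate forwarding, the receiving system takes the user's identity from an HTTP header, so it should honor that header only on connections authenticated as coming from the intermediary. The following Python code is an added example, not SAP code; the header name, the distinguished names and the function name are assumptions chosen for illustration.

```python
# Added example: the header name and distinguished names are constructed
# placeholders, not values taken from SAP configuration.
FORWARD_HEADER = "x-client-cert"                       # hypothetical header name
TRUSTED_PROXY = ("CN=smp-server,O=Example",            # subject of the intermediary
                 "CN=Example Internal CA,O=Example")   # issuer that signed it


def resolve_identity(peer_subject, peer_issuer, headers):
    """Decide which client identity a back end should accept.

    peer_subject / peer_issuer: DN strings from the certificate verified on
    the inbound TLS connection (None if no client certificate was presented).
    headers: list of (name, value) pairs exactly as received.
    Returns (source, identity); source is one of
    "forwarded", "direct", "none" or "rejected".
    """
    forwarded = [v for n, v in headers if n.lower() == FORWARD_HEADER]
    from_proxy = (peer_subject, peer_issuer) == TRUSTED_PROXY

    if from_proxy:
        # Only the authenticated intermediary may assert a user certificate.
        if len(forwarded) > 1:
            return ("rejected", None)        # ambiguous: refuse, do not guess
        if len(forwarded) == 1 and forwarded[0].strip():
            return ("forwarded", forwarded[0].strip())
        # The intermediary's own certificate never stands in for a user.
        return ("none", None)

    # Any other peer: the forwarded header is ignored, whatever it contains.
    if peer_subject is not None:
        return ("direct", peer_subject)
    return ("none", None)


if __name__ == "__main__":
    samples = [  # constructed requests
        (TRUSTED_PROXY[0], TRUSTED_PROXY[1], [("X-Client-Cert", "PEM-OF-USER-A")]),
        ("CN=other-host,O=Example", TRUSTED_PROXY[1], [("X-Client-Cert", "PEM-OF-USER-A")]),
        (None, None, [("x-client-cert", "PEM-OF-USER-A")]),
    ]
    for subject, issuer, hdrs in samples:
        print(subject, "->", resolve_identity(subject, issuer, hdrs))
```

The comparison uses both subject and issuer of the intermediary's certificate, so a certificate with the same subject from a different CA is treated as an ordinary peer.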