This section provides an overview of the supported authentication methods for mobile device application scenarios based on the SAP Mobile Platform (SMP) infrastructure.
For this scenario, SAP Gateway supports multiple authentication options, including the following:
X.509 client certificate
Requires PKI infrastructure for certificate distribution (Afaria is optional). SMP.1 terminates SSL and TLS handshake and establishes new HTTPS connection to SAP Gateway with client certificate forwarding in the HTTP header.
Leveraging an external Authentication Provider, for example Enterprise Portal (EP). SAP Gateway trusts SAP Logon tickets issued by the portal, based on the user’s credentials in the portal. Secure credentials caching on the device is required.
Basic (SAP Gateway user name and password)
Secure credentials caching on the device. The application should support change of initial and expired user password.
Password can be locked out as result of DDoS attack.
Any mobile device supported by the consumer SDK.
Device registration on SMP is two-factor authenticated. Afaria is used for initial provisioning including X.509 client certificate distribution.
Relay server facilitates outside connection to the Mobile Platform (SMP).
SMP terminates client request, handles device validation against known device list.
Based on the authentication option:
Certificate forwarding between SMP and SAP Gateway.
SMP request for SAP Logon ticket from the portal (EP) and forwards it to SAP Gateway.
SAP Gateway uses Trusted RFC Connection to access backend services with a named user.