Stacking Providers and Combining Authentication Results

Optionally, implement multiple login modules to provide a security solution that meets complex security requirements. SAP recommends provider stacking as a means of eliciting more precise results, especially for production environments that require different authentication schemes for administrators, DCN, SSO, and so on.

Context

Stacking is implemented with a controlFlag attribute that controls overall behavior when you enable multiple providers. Set the controlFlag on a specific provider to refine how results are processed.

For example, say your administrative users (supAdmin in a default installation) are not also users in an EIS system like SAP. If they are authenticated with just the default security configuration, they cannot also authenticate to the HttpAuthenticationLoginModule used for SSO2Token retrieval. In this case, you would stack a second login module, with controlFlag=sufficient, for your administrative users.

Or, in a custom security configuration (recommended), you may also find that you are using a technical user for DCN who is also not an SAP user. This technical user does not need SSO because they will not need to access data. However, the technical user still needs to be authenticated by SAP Mobile Server. In this case, you can also stack another login module so this DCN user can log in.

Procedure

  1. Use SAP Control Center to create a security configuration and add multiple providers as required for authentication.
  2. Order multiple providers by selecting a login module and using the up or down arrows to place the provider correctly in the list.
    The order of the list determines the order in which authentication results are evaluated.
  3. For each provider:
    1. Select the provider name.
    2. Click Properties.
    3. Configure the controlFlag property with one of the available values: required, requisite, sufficient, optional.
      See controlFlag Attribute Values for descriptions of each available value.
    4. Configure any other common security properties as required.
  4. Click Save.
  5. Select the General tab, and click Apply.

Example

For example, say you have sorted these login modules in this order and used these controlFlag values:
  • LDAP (required)
  • NT Login (sufficient)
  • SSO Token (requisite)
  • Certificate (optional)
The results are processed as indicated in this table:

Provider        Authentication Status
LDAP            pass  pass  pass  pass  fail  fail  fail  fail
NT Login        pass  fail  fail  fail  pass  fail  fail  fail
SSO Token       *     pass  pass  fail  *     pass  pass  fail
Certificate     *     pass  fail  *     *     pass  fail  *
Overall result  pass  pass  pass  fail  fail  fail  fail  fail
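
The evaluation behind the table above can be reproduced in a few lines. This is an added example, not SAP code: it assumes the standard JAAS controlFlag semantics (this page defers the definitions to controlFlag Attribute Values) and reads "*" as "provider never consulted"; the function names are hypothetical.

```python
from itertools import product

# Added example, not SAP code. Assumes the standard JAAS controlFlag
# semantics; the page defers the definitions to "controlFlag Attribute Values".
STACK = [("LDAP", "required"), ("NT Login", "sufficient"),
         ("SSO Token", "requisite"), ("Certificate", "optional")]
FLAGS = {"required", "requisite", "sufficient", "optional"}

def evaluate(stack, outcomes):
    """Walk the stack in list order.

    outcomes maps provider name -> True (pass) / False (fail).
    Returns (overall, trace); trace holds 'pass', 'fail' or '*' per
    provider, where '*' means the provider was never consulted.
    """
    trace = []
    mandatory_seen = mandatory_failed = any_passed = stopped = False
    for name, flag in stack:
        if flag not in FLAGS:
            raise ValueError(f"unknown controlFlag {flag!r} on {name}")
        if stopped:
            trace.append("*")
            continue
        ok = outcomes[name]
        trace.append("pass" if ok else "fail")
        any_passed = any_passed or ok
        if flag in ("required", "requisite"):
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
        # requisite failure and sufficient success both end evaluation early
        if (flag == "requisite" and not ok) or (flag == "sufficient" and ok):
            stopped = True
    # With no required/requisite provider consulted, one success is enough.
    overall = (not mandatory_failed) if mandatory_seen else any_passed
    return overall, trace

def result_columns(stack):
    """Enumerate every pass/fail combination and collapse duplicates."""
    columns = []
    names = [name for name, _ in stack]
    for combo in product([True, False], repeat=len(names)):
        column = evaluate(stack, dict(zip(names, combo)))
        if column not in columns:
            columns.append(column)
    return columns

if __name__ == "__main__":
    for overall, trace in result_columns(STACK):
        print(f"{' / '.join(trace):<28} -> {'pass' if overall else 'fail'}")
```

Running it against a planned stack before saving the configuration shows which providers are skipped: in the first column, the NT Login success means the SSO Token provider is never consulted, and in the fifth a passing sufficient provider does not rescue the failed required one.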