Use SAP Control Center to create a security configuration for your single sign-on (SSO) applications.
Procedure
- In SAP Control Center, navigate to the SAP Mobile Platform Cluster pane and select Security.
- In the General tab, click New and name your security configuration.
- Open the Security folder and select your configuration. In the Authentication tab, click Add to add a LoginModule.
- Choose the ClientValuePropagatingLoginModule and add these properties:
  - Implementation Class – com.sybase.security.core.ClientValuePropagatingLoginModule
  - ClientHttpValuesAsPrincipals – sm_user
  - ClientHttpValuesAsNamedCredentials – smsession:SMSESSION2
  - Control Flag – optional
  Note: ClientHttpValuesAsNamedCredentials ensures that if the client application picked up an SMSESSION cookie, either through Network Edge authentication or from an external token, it is saved as a credential named SMSESSION2 on the subject so it can be used for SSO to a SiteMinder-protected EIS. Therefore, the credential.a.name property is SESSION2. ClientHttpValuesAsPrincipals uses the sm_user HTTP header if the client has used Network Edge authentication, which enables you to perform impersonation checking.
- Click OK.
- In the Authentication tab, select the default NoSecLoginModule and click Delete. NoSecLoginModule allows logins without credentials, so you must remove it to preserve the integrity of the configuration.
- In the Authentication tab, click New to add a provider.
- Select and configure the HttpAuthenticationLoginModule:
  - Select com.sybase.security.http.HttpAuthenticationLoginModule and click Yes in the Duplicate Authentication Provider warning.
  - Configure the module's properties so that the SiteMinder-protected URL is served by the same policy server that issued the SMSESSION cookie to the client:
    - ClientValuesToSend = SMSESSION
    - SendClientValuesAs = cookie:SMSESSION
  This causes SAP Mobile Platform to forward the cookie to the specified SiteMinder-protected URL. If the HTTP response status code is 200, the SMSESSION cookie is valid and the user is considered authenticated.
- In the Authorization tab, select the NoSecAuthorizer provider type and click Delete.
- In the Attribution tab, select the NoSecAttributer provider type and click Delete.
- In the Settings tab, adjust the properties as follows:
  - Authentication cache timeout (seconds) – 0
  - Maximum number of failed authentications – 5
  - Authentication lock duration (in seconds) – 600
- Click Apply.
- In the General tab, click Validate to check your configuration.
- After successful validation, click Apply to save all changes.
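The procedure above wires two login modules together (the optional ClientValuePropagatingLoginModule that copies sm_user and the SMSESSION cookie onto the subject, then the HttpAuthenticationLoginModule that replays the cookie to a SiteMinder-protected URL and accepts on HTTP 200) and sets a failed-login lockout policy. The following Python simulation is an added teaching example written for this page; it is not SAP Mobile Platform's or SiteMinder's code. The class and property names mirror the page, but the `transport` callable, `fake_policy_server`, the `.invalid` placeholder URL, the `required` control flag on the HTTP module, and the impersonation-check rule (client-supplied username must equal the sm_user principal) are all assumptions made here.

```python
"""Constructed simulation of the security configuration built above: client-value
propagation, SMSESSION validation against a SiteMinder-protected URL, JAAS-style
control flags and the Settings tab lockout values. Not SAP Mobile Platform code."""
import time
from dataclasses import dataclass, field


def client_values(request):
    # Values the client sent (headers and cookies), keyed case-insensitively.
    values = {k.lower(): v for k, v in request.get("headers", {}).items()}
    values.update({k.lower(): v for k, v in request.get("cookies", {}).items()})
    return values


@dataclass
class Subject:
    principals: set = field(default_factory=set)           # e.g. the sm_user value
    named_credentials: dict = field(default_factory=dict)  # e.g. SMSESSION2 for EIS SSO
    authenticated: bool = False


class ClientValuePropagatingLoginModule:
    """ClientHttpValuesAsPrincipals / ClientHttpValuesAsNamedCredentials behaviour."""
    def __init__(self, values_as_principals, values_as_named_credentials):
        self.principal_names = [n.strip().lower() for n in values_as_principals.split(",")]
        # "smsession:SMSESSION2" -> {"smsession": "SMSESSION2"}
        self.credential_map = {k.strip().lower(): v.strip() for k, v in
                               (p.split(":", 1) for p in values_as_named_credentials.split(","))}

    def login(self, request, subject):
        values, found = client_values(request), False
        for name in self.principal_names:
            if name in values:
                subject.principals.add(values[name]); found = True
        for client_name, credential_name in self.credential_map.items():
            if client_name in values:
                subject.named_credentials[credential_name] = values[client_name]; found = True
        return found  # False just means "nothing to propagate"; the module's flag is optional


class HttpAuthenticationLoginModule:
    """Replays a client value to the protected URL; HTTP 200 means the session is valid."""
    def __init__(self, url, client_values_to_send, send_client_values_as, transport):
        self.url, self.value_name = url, client_values_to_send.strip().lower()
        self.send_kind, self.send_name = send_client_values_as.split(":", 1)
        self.transport = transport  # injected callable(url, headers, cookies) -> HTTP status

    def login(self, request, subject):
        value = client_values(request).get(self.value_name)
        if value is None:
            return False
        headers, cookies = {}, {}
        (cookies if self.send_kind == "cookie" else headers)[self.send_name] = value
        subject.authenticated = self.transport(self.url, headers, cookies) == 200
        return subject.authenticated


class SecurityConfiguration:
    """Login-module stack with control flags, plus the Settings tab lockout values.
    Cache timeout 0 means every request runs the full stack; no result is reused."""
    def __init__(self, modules, max_failed=5, lock_duration=600, clock=time.time):
        self.modules, self.clock = modules, clock  # modules: [(module, "required"|"optional")]
        self.max_failed, self.lock_duration = max_failed, lock_duration
        self.failures = {}  # user -> (failure count, time of last failure)

    def locked(self, user):
        count, last = self.failures.get(user, (0, 0.0))
        return count >= self.max_failed and self.clock() - last < self.lock_duration

    def authenticate(self, request):
        user = request.get("username")
        if user and self.locked(user):
            return None
        subject, successes = Subject(), 0
        for module, flag in self.modules:
            ok = module.login(request, subject)
            successes += ok
            if not ok and flag == "required":
                successes = 0
                break
        # Impersonation check (assumed policy): a client-supplied username must match
        # the sm_user principal asserted by Network Edge authentication.
        if user and subject.principals and user not in subject.principals:
            successes = 0
        if successes and subject.authenticated:
            self.failures.pop(user, None)
            return subject
        if user:
            count, last = self.failures.get(user, (0, 0.0))
            if count >= self.max_failed:  # only reached once the lock has expired
                count = 0
            self.failures[user] = (count + 1, self.clock())
        return None


def build_configuration(transport, clock=time.time):
    """The stack the procedure produces. The URL is a placeholder; the 'required' flag
    on the HTTP module is an assumption, since the page does not state its flag."""
    propagate = ClientValuePropagatingLoginModule("sm_user", "smsession:SMSESSION2")
    validate = HttpAuthenticationLoginModule("https://siteminder.example.invalid/protected",
                                             "SMSESSION", "cookie:SMSESSION", transport)
    return SecurityConfiguration([(propagate, "optional"), (validate, "required")],
                                 max_failed=5, lock_duration=600, clock=clock)


def fake_policy_server(url, headers, cookies):
    """Constructed stand-in for the SiteMinder-protected URL: one token is valid."""
    return 200 if cookies.get("SMSESSION") == "constructed-valid-session" else 401
```

Call `build_configuration(fake_policy_server).authenticate(request)` with a request dict carrying `username`, `headers` and `cookies`. The simulation shows why the NoSec providers must be deleted: with only the optional propagating module succeeding, `subject.authenticated` stays false and the login fails, so the cookie replay is the only path to an authenticated subject. It also shows the lockout window: the sixth attempt within 600 seconds of five failures is refused before any module runs, and a correct cookie is accepted again once the lock has expired.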
Example
For detailed examples of SiteMinder-specific configurations for SAP Mobile Platform, see How-To: Set up SUP with SiteMinder at http://scn.sap.com/docs/DOC-29574.