Authentication Cache Timeout and Token Authentication

By default, the authentication cache holds a user’s subject, principals, and credentials used for single sign-on to an EIS for 3600 seconds (one hour). If the user name and password contained inside subsequent SAP Mobile Platform requests are unchanged, the request is considered authenticated and uses the cached security information for access control and single sign-on to EIS operations.

If you cache an SMSESSION for a user and the token expires before the cache entry, you get authentication failures during the single sign-on EIS operations. This leads to either synchronization errors or operation replay errors.

Configure the authentication cache to avoid errors and failures. If needed, you can disable the authentication cache entirely by setting the cache timeout to 0. Every SAP Mobile Platform request is reauthenticated. For non-Network Edge basic authentication, you can set the cache interval to slightly less than the Idle Timeout for your SiteMinder session policy.

For Network Edge authentication, you must set the authentication cache timeout to 0. If the URL configured to validate the SMSESSION token also returns an HTTP header with the expiration time for the token expressed in milliseconds since the epoch (1/1/1970), the HttpAuthenticationLoginModule can use that value to adjust the authentication cache expiration for this subject’s entry so it expires at an appropriate time. Use the TokenExpirationTimeHttpHeader to specify the name of the header containing this expiration value. Additionally, you can use TokenExpirationInterval property to reduce time from the expiration so it does not expire while SAP Mobile Platform is processing a request.

For detailed examples, including how to configure the timeout in the SiteMinder Admin, see How-To: Set up SUP with SiteMinder at http://scn.sap.com/docs/DOC-29574.