
Authentication Cache Timeout and Token Authentication

SAP Mobile Platform uses an authentication cache to reduce the load it places on your back-end identity management and security systems. Depending on your security configuration, you may need to adjust the authentication cache timeout to avoid authentication failures and errors.

By default, the authentication cache holds a user’s subject, principals, and credentials used for single sign-on to an EIS for 3600 seconds (one hour). If the user name and password contained inside subsequent SAP Mobile Platform requests are unchanged, the request is considered authenticated and uses the cached security information for access control and single sign-on to EIS operations.

Note: When using token-based authentication, clients should send a hash of the token as the password. Because the cache is keyed on the user name and password, a new token then changes the password, so SAP Mobile Platform runs the login modules again and replaces the cached token credential instead of reusing an expired token for single sign-on to an EIS.

If an SMSESSION token is cached for a user and the token expires before the cache entry does, single sign-on EIS operations fail authentication. This surfaces as either synchronization errors or operation replay errors.

Configure the authentication cache timeout to avoid these errors and failures. If needed, you can disable the authentication cache entirely by setting the cache timeout to 0; every SAP Mobile Platform request is then reauthenticated. For non-Network Edge basic authentication, set the cache interval to slightly less than the Idle Timeout of your SiteMinder session policy.

For Network Edge authentication, you must set the authentication cache timeout to 0. If the URL configured to validate the SMSESSION token also returns an HTTP header carrying the token's expiration time, expressed in milliseconds since the epoch (1/1/1970), the HttpAuthenticationLoginModule can use that value to set the cache expiration of this subject's entry so it expires when the token does. Use TokenExpirationTimeHttpHeader to specify the name of the header containing this expiration value. Additionally, use the TokenExpirationInterval property to subtract a margin from that expiration, so the cached entry stops being used before the token can expire while SAP Mobile Platform is still processing a request.
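The following Python model is an added illustration of the cache behaviour described above; it is not SAP Mobile Platform code. The names Request, AuthCache, FakeTokenService and the header name X-Token-Expiration-Ms are constructed stand-ins (the real header name is whatever TokenExpirationTimeHttpHeader is set to). It walks through the three situations the text describes: a fixed password with the default 3600 s cache replaying an expired token to the EIS, a hash of the token as the password forcing the login modules to run and replace the entry, and a Network Edge setup with timeout 0 where the entry expires at the header value minus a TokenExpirationInterval margin.

```python
"""Model of an authentication cache keyed on user name and password (constructed)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed header name standing in for the value of TokenExpirationTimeHttpHeader.
TOKEN_EXPIRATION_HEADER = "X-Token-Expiration-Ms"


def digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Request:
    user: str
    password: str  # whatever the client puts in the password field
    token: str     # SMSESSION-style token carried alongside the request


@dataclass
class CacheEntry:
    sso_credential: str     # token forwarded to the EIS on the user's behalf
    credential_digest: str  # fingerprint of the password the client presented
    expires_at: float       # epoch seconds after which the entry is not trusted


# A login module validates the request and returns (credential for EIS SSO,
# HTTP headers returned by the validation URL). Constructed signature.
LoginModule = Callable[[Request], Tuple[str, Dict[str, str]]]


class AuthCache:
    def __init__(self, timeout_s: int = 3600, token_expiration_interval_s: int = 0):
        self.timeout_s = timeout_s                     # 0 disables the cache
        self.interval_s = token_expiration_interval_s  # margin before token expiry
        self.entries: Dict[str, CacheEntry] = {}
        self.login_module_calls = 0

    def authenticate(self, req: Request, login_module: LoginModule, now: float) -> str:
        entry = self.entries.get(req.user)
        if entry and entry.credential_digest == digest(req.password) and now < entry.expires_at:
            return entry.sso_credential  # unchanged user/password: login modules skipped

        self.login_module_calls += 1
        sso_credential, headers = login_module(req)

        if TOKEN_EXPIRATION_HEADER in headers:
            # Header is milliseconds since the epoch; expire the entry a margin earlier.
            expires_at = int(headers[TOKEN_EXPIRATION_HEADER]) / 1000.0 - self.interval_s
        elif self.timeout_s > 0:
            expires_at = now + self.timeout_s
        else:
            self.entries.pop(req.user, None)  # timeout 0 and no header: never cache
            return sso_credential
        self.entries[req.user] = CacheEntry(sso_credential, digest(req.password), expires_at)
        return sso_credential


class FakeTokenService:
    """Constructed stand-in for a SiteMinder-style token issuer and validation URL."""

    def __init__(self, lifetime_s: int):
        self.lifetime_s = lifetime_s
        self.expiry: Dict[str, float] = {}

    def issue(self, user: str, now: float) -> str:
        token = f"SMSESSION-{user}-{int(now)}"
        self.expiry[token] = now + self.lifetime_s
        return token

    def is_valid(self, token: str, now: float) -> bool:
        return self.expiry.get(token, 0.0) > now

    def login_module(self, send_header: bool, now: Callable[[], float]) -> LoginModule:
        def validate(req: Request) -> Tuple[str, Dict[str, str]]:
            if not self.is_valid(req.token, now()):
                raise PermissionError("token rejected by validation URL")
            headers = {TOKEN_EXPIRATION_HEADER: str(int(self.expiry[req.token] * 1000))} if send_header else {}
            return req.token, headers
        return validate


def run_scenarios(t0: float = 1_700_000_000.0) -> Dict[str, object]:
    clock = {"now": t0}
    now = lambda: clock["now"]  # simulated clock so expiry is deterministic
    svc = FakeTokenService(lifetime_s=600)
    out: Dict[str, object] = {}

    # 1. Default 3600 s cache, fixed password: the rotated token is never picked up
    #    and the expired one is replayed to the EIS.
    cache = AuthCache()
    module = svc.login_module(send_header=False, now=now)
    tok1 = svc.issue("alice", now())
    cache.authenticate(Request("alice", "s3cret", tok1), module, now())
    clock["now"] = t0 + 700                     # tok1 expired; client renewed it
    tok2 = svc.issue("alice", now())
    used = cache.authenticate(Request("alice", "s3cret", tok2), module, now())
    out["fixed_password_sso_valid"] = svc.is_valid(used, now())    # False: stale tok1

    # 2. Same cache, password = hash of the token: a new token changes the password,
    #    the login modules run and the cached credential is replaced.
    cache = AuthCache()
    clock["now"] = t0
    tok1 = svc.issue("bob", now())
    cache.authenticate(Request("bob", digest(tok1), tok1), module, now())
    clock["now"] = t0 + 700
    tok2 = svc.issue("bob", now())
    used = cache.authenticate(Request("bob", digest(tok2), tok2), module, now())
    out["hashed_password_sso_valid"] = svc.is_valid(used, now())   # True: tok2
    out["hashed_password_login_calls"] = cache.login_module_calls  # 2

    # 3. Network Edge: timeout 0, expiry taken from the header minus a 30 s interval.
    cache = AuthCache(timeout_s=0, token_expiration_interval_s=30)
    module = svc.login_module(send_header=True, now=now)
    clock["now"] = t0
    tok1 = svc.issue("carol", now())
    cache.authenticate(Request("carol", digest(tok1), tok1), module, now())
    out["header_expires_at"] = cache.entries["carol"].expires_at    # t0 + 570
    clock["now"] = t0 + 300
    cache.authenticate(Request("carol", digest(tok1), tok1), module, now())
    out["header_calls_after_hit"] = cache.login_module_calls        # 1: served from cache
    clock["now"] = t0 + 580                     # inside the 30 s margin: revalidated
    cache.authenticate(Request("carol", digest(tok1), tok1), module, now())
    out["header_calls_after_margin"] = cache.login_module_calls     # 2
    return out
```

The third scenario is the one to watch in a real deployment: without the margin, an entry that expires at exactly the token's expiration can hand an about-to-expire token to an EIS call that is still in flight, which is the failure the TokenExpirationInterval property exists to prevent.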

For detailed examples, including how to configure the timeout in the SiteMinder Admin, see the How-To: Set up SUP with SiteMinder guide published on the SAP site.