SiteMinder provides various client authentication options for
SAP Mobile Platform, including single sign-on (SSO), tokens, and Network
SiteMinder client authentication includes:
- Network Edge – when a reverse proxy or Relay Server in the
DMZ is protected by SiteMinder, the SAP Mobile Platform client is challenged for basic authentication
credentials. If the credentials are valid, an SMSESSION cookie is issued and
the client is allowed through to the SAP Mobile Platform server. The client begins a session (RBS, MBS,
or OData) by sending an HTTP(S) request to the reverse proxy. The reverse
proxy detects the unauthenticated request, and challenges using basic
authentication. After the 401 challenge, the client may already have network
credentials configured, or executes a callback to prompt for
- Non-Network Edge – the Network Edge (reverse proxy or Relay
Server) is not protected. The client’s request is allowed to flow to
SAP Mobile Platform, where a LoginModule
presents the basic credentials to a SiteMinder-protected Web server on
behalf of the client. SAP Mobile Platform
server retains the SMSESSION cookie and credentials for the client.
- External tokens – the SAP Mobile Platform client application obtains an SMSESSION cookie
external to the SAP Mobile Platform libraries
using custom application processing. This SMSESSION token passes into the
SAP Mobile Platform libraries as a cookie.
SAP Mobile Platform libraries add the
cookie to subsequent HTTP requests to SAP Mobile Platform server. The cookie may or may not be checked at
the Network Edge.
- SAP SSO2 integration – the SAP Mobile Platform user is initially authenticated by SiteMinder,
resulting in an SMSESSION for the user. This SMSESSION is forwarded along
with the SAP user ID to a SiteMinder SAP agent running inside of NetWeaver
as a LoginModule. The SMSESSION is revalidated, and the
TokenIssuingLoginModule is allowed to issue an SSO2 ticket for the specified
SAP user ID. This ticket returns to SAP Mobile Platform as an MYSAPSSO2 cookie. SAP Mobile Platform now has both an SMSESSION and an
SSO2 ticket to use for SSO purposes with various EIS depending on which SSO
mechanism the EIS requires.
Note In any of these authentication patterns, you can add the SMSESSION token
as a credential to the authenticated SAP Mobile Platform subject
for use in single sign-on to SiteMinder-protected systems.