The Logon plugin manages the application registration and authentication processes either through SAP Mobile Platform Server, or through SAP Gateway server. The plugin is supported for use with applications on the Android, iOS, and Windows 8.1 platforms.
Most of the Hybrid SDK (Kapsel) plugins rely upon the services provided by the Logon plugin. This plugin manages the process of onboarding applications with SAP Mobile Platform Server, and authenticating users. The Logon plugin, where available, interfaces with Client Hub and pulls certificates from Afaria.
The SAP Mobile Platform Server integrates with common security providers such as HTTP/HTTPS Authentication, Directory Service (LDAP), or X.509 user certificate. The Logon plugin provides a login screen where the user can enter the values needed to connect to SAP Mobile Platform server using one of these providers, and stores those values in its own secure data vault.
The data vault provided with the Login plugin is a separate data vault from the one provided with the EncryptedStorage plugin, and is used to store user names, password, keys and certificates, while the EncryptedStorage plugin is suited to storing application data. The data vault stores the server connection details and, in basic authentication, the username and password. In certificate-based authentication, the certificate is not stored in the data vault.
You set a passcode policy on the SAP Mobile Platform Server. The client downloads this policy after a successful user login. To unlock a data vault, you provide a passcode if the policy requires one. If the policy does not require a passcode, you do not need to provide a passcode. However, a policy that does not require a passcode is unsecure and is not recommended.
When not using the data vault, it can timeout and the data vault locks itself upon the time expiration in the passcode policy. Note: even though you could be using an application actively, if you are not accessing the data vault, it can timeout. You can first notice the data vault lock, when you try to access the application.
The data vault is deleted if the user forgets their passcode while unlocking the application and expires the maximum number of attempts to login, or explictly deletes the registration. Data stored by the EncryptedStorage plugin is also deleted, because once the data vault is deleted this data would no longer be accessible. For security reasons, when the data vault is deleted, the Login plugin sends a notification to the other Kapsel plugins so they can clean up their data if required.
The following states occur in the Logon plugin during Hybrid SDK (Kapsel) application onboarding:
Fully registered: this state occurs when the registration information has been persisted into the data vault. The data vault is protected by the user selected password, or by a system-generated default password. (If allowed by the application developer, and the user chooses to disable the password, then the data vault is still encrypted, but a system-generated default password is used to protect the data vault).
The Logon plugin lets the user lock and unlock the application, to protect sensitive data. If you call the unlock method with a system-generated password, you can call the method without need to provide the password. Using a default password is less secure as the data vault can be unlocked without the user providing a password. The data vault can be in the following states:
The Hybrid SDK (Kapsel) supports online applications that do not require onboarding by providing a passcode management API in the Logon plugin. This support allows you to use functionality such as passcode and encrypted storage in your online application, without requiring your application to onboard with SAP Mobile Platform Server.
The passcode management API in the Logon plugin allows you to create and delete a data vault without registering with SAP Mobile Platform. You can use the passcodePolicy parameters to set the passcode policy, and the context parameter to set the default passcode shown in the setting passcode screen, so the user does not need to type the passcode on the mobile device. You can return the passcode policy by calling the sap.Logon.core.getContext API.
After the data vault is created, you manage the data vault using the existing data vault management API in the Logon plugin, including the methods managePasscode, unlock, lock, set, and get.
Kapsel supports the following security configurations:
From the client perspective, the client authenticates either through basic authentication, or through mutual certificate authentication. In the basic authentication scenario, tthe client must provide a client certificate that is signed by a certificate authority trusted by the server.
For more information on SAP Mobile Platform supported authentication scenarios, see Planning Your Security Landscape in Administrator.
The Hybrid SDK (Kapsel) plugins support Apache Cordova's domain whitelisting model. Whitelisting allows you to control access to external network resources. Apache Cordova whitelisting allows you to whitelist individual network resources (URLs), for example, http://www.google.com.
For information about the whitelist rules, see http://docs.phonegap.com/en/3.3.0/guide_appdev_whitelist_index.md.html.