Kerberos Single Sign-On Provider

After a client is authenticated by an authentication provider, Kerberos enables single sign-on (SSO) access to back-end resources.

Once a client has been authenticated, the Kerberos provider establishes a connection to the Kerberos Distribution Center (KDC) using the SAP Mobile Platform service user, realm, and key. It then creates a Kerberos credential with a reference to this connection, and adds the credential to the subject.

Note: SAP Mobile Platform uses the constrained-delegation feature of the Kerberos protocol.

SAP Mobile Platform Server uses the Kerberos credential to obtain a Kerberos access token, on behalf of the authenticated user, for the realm and service name specified in the back-end endpoint properties.

Note: When adding Kerberos to a security profile:
  • Another login module that precedes it in the security profile must succeed and set the subject principal name. The Kerberos provider inherits the name from that preceding module.
  • If you use Kerberos with an X.509 User Certificate, an administrator should define the X.509 User Certificate certificateAttrAsPrincipal property; otherwise, the KDC may not generate a Kerberos token.
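
The two ordering rules in the note above can be checked before a security profile is deployed. The following is an added example, not SAP Mobile Platform code: the profile layout (an ordered list of dictionaries with `provider` and `properties` keys), the function name, and the sample values are assumptions made for illustration; only the provider names and the `certificateAttrAsPrincipal` property come from this page.

```python
# Added example: the profile layout below is an assumption for illustration,
# not SAP Mobile Platform's own configuration format.
KERBEROS = "Kerberos"
X509 = "X.509 User Certificate"
PRINCIPAL_ATTR = "certificateAttrAsPrincipal"


def lint_security_profile(modules):
    """Return findings for an ordered list of login-module entries."""
    findings = []
    pos = next((i for i, m in enumerate(modules)
                if m["provider"] == KERBEROS), None)
    if pos is None:
        return findings  # No Kerberos provider, nothing to check.

    preceding = modules[:pos]
    # Rule 1: Kerberos inherits the subject principal name from a preceding
    # module. A static check can only confirm that one exists, not that it
    # succeeds at run time.
    if not preceding:
        findings.append("Kerberos has no preceding login module to set "
                        "the subject principal name")
    # Rule 2: an X.509 module ahead of Kerberos needs the principal
    # attribute defined, or the KDC may not generate a token.
    for idx, mod in enumerate(preceding):
        if mod["provider"] != X509:
            continue
        value = mod.get("properties", {}).get(PRINCIPAL_ATTR, "")
        if not str(value).strip():
            findings.append(f"module {idx}: {X509} precedes Kerberos but "
                            f"{PRINCIPAL_ATTR} is not defined")
    return findings


# Constructed sample profiles; the attribute value is a placeholder.
GOOD = [{"provider": X509, "properties": {PRINCIPAL_ATTR: "EXAMPLE_ATTR"}},
        {"provider": KERBEROS, "properties": {}}]
KERBEROS_FIRST = [{"provider": KERBEROS, "properties": {}},
                  {"provider": X509, "properties": {}}]
MISSING_ATTR = [{"provider": X509, "properties": {PRINCIPAL_ATTR: "  "}},
                {"provider": KERBEROS, "properties": {}}]

if __name__ == "__main__":
    for name, profile in [("good", GOOD), ("kerberos_first", KERBEROS_FIRST),
                          ("missing_attr", MISSING_ATTR)]:
        print(name, lint_security_profile(profile))
```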