No Authentication Challenge |
Always authenticates the supplied user. The provider offers
pass-through security for SAP Mobile Platform Server, and
should typically be reserved for development or testing.
SAP strongly encourages you to
avoid using this provider in production environments—either for
administration or device user authentication. |
System Login (Admin Only) |
Configured by the installer with the initial administrator
credentials to give platform administrators access to
Management Cockpit, so they can configure
SAP Mobile Platform Server for production use.
Administrators should replace this authentication provider
immediately after logging in the first time.
SAP encourages you to avoid using
this provider in production environments. |
Populate JAAS Subject From Client |
Enables administrators to add client values as named credentials,
name principals, and role principals to the authenticated subject.
This provider copies values from the client's HTTP request into the
JAAS subject as:
- Principals – identifies the user.
- Roles – grants access rights to
SAP Mobile Platform protected
resources.
- Credentials – provides single sign-on material to use when
connecting to back-end systems.
Adding client values as named credentials allows them to be
used for single sign-on. |
X.509 User Certificate |
For users who are authenticated by certificates. You can use this
provider with other authentication providers that support
certificate authentication, for example, Directory Service
(LDAP/AD), by configuring X.509 User Certificate before the authentication providers that support certificate
authentication. You can only use this provider to validate client
certificates when HTTPS listeners are configured to use mutual
authentication. You can configure optional advanced
properties, such as key-value pairs, for this provider by
selecting Advanced in
Management Cockpit.
Note: Agentry
clients on iOS and Android do not support client/user
certificates. Agentry clients on Windows and Windows CE support
client-side certificates, but Agentry cannot use these
certificates for user identification; Agentry requires separate
user name and password authentication as well.
|
SAML2 |
Provider that authenticates a user through a trusted identity
provider.
Use only a single SAML2 instance, by itself or in combination with other
authentication providers, when you define a security
profile.
|
Principal Propagation |
Provides clients with single sign-on access to back-end systems;
does not authenticate a client that is opening a session with
SAP Mobile Platform Server.
To use the Principal Propagation provider:
- Assign X.509 as the SSO mechanism for application back-end
connections.
- Specify one or more authentication providers in the security
profile stack. Do not use X.509 User Certificate as one of the authentication providers.
|
HTTP/HTTPS Authentication |
Authenticates a user with given credentials (user name and
password, or SSO tokens from your SSO system) against a back end
that is integrated into your management or SSO systems. Optionally,
this provider may retrieve a cookie that represents additional SSO
credentials to use for back-end systems that are also integrated
with your SSO system. You can configure optional, advanced
properties, such as Username HTTP Header, and Token Expiration
Interval, by selecting Advanced in
Management Cockpit.
|
Kerberos |
Provider that has no part in authenticating the user based on
credentials provided, but once another provider has
authenticated the user, this module can provide Kerberos SSO
credentials for that user to back-end
systems.
You cannot use Kerberos by itself when you define a security profile.
- Kerberos does not authenticate a client that is opening a
session with SAP Mobile Platform Server.
- You must specify one or more other authentication
providers in the security profile stack.
- Kerberos can authenticate only between
SAP Mobile Platform Server and a back end that
is configured for Kerberos support, by passing on an authentication provided by
an authentication provider specified in the security
profile stack.
|
Directory Service (LDAP/AD) |
Integrates with your Active Directory or other Directory Server
identity management system using LDAP. The provider first connects
to your Directory Server using a technical user identity so it can
perform an LDAP search to discover the fully qualified distinguished
name (DN) of the current user in the directory. It then attempts to bind
as that DN with the provided password. When the bind succeeds, the user is
considered authenticated. The provider then performs an LDAP search
to see which groups the user is a member of. These group names are
considered physical roles in the role mapping definitions that are
used later for access controls. This provider is particularly
useful in the Admin security profile to allow existing
enterprise users to use Management Cockpit,
and also any custom security profiles used for authenticating
enterprise users for SAP Mobile Platform
application usage.
You can configure optional advanced
properties, such as Certificate Authentication Filter and
Certificate Attributes, for this provider by selecting
Advanced in
Management Cockpit.
|
SAPSSO2 Generator |
Internal method of generating a token for SSO access to back-end
systems.
To use SAPSSO2 Generator:
- Specify one or more authentication providers in the security
profile stack.
|
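
The stacking rules stated in the table above (Kerberos, Principal Propagation and SAPSSO2 Generator need an authentication provider in the stack; only one SAML2 instance; X.509 User Certificate placed before Directory Service (LDAP/AD) and not combined with Principal Propagation) can be checked mechanically before a profile is deployed. This is an added example, not SAP code: modelling a security profile as an ordered list of provider names, the function `lint_stack` and the finding strings are assumptions; only the provider names and rules come from the table.

```python
# Added example, not SAP code. Provider names and rules come from the table;
# the list model of a stack and the finding strings are assumptions.
X509, LDAP = "X.509 User Certificate", "Directory Service (LDAP/AD)"
NOT_FOR_PRODUCTION = {"No Authentication Challenge", "System Login (Admin Only)"}
AUTHENTICATORS = NOT_FOR_PRODUCTION | {X509, LDAP, "SAML2", "HTTP/HTTPS Authentication"}
# Described as supplying SSO material only, never authenticating the client.
SSO_ONLY = {"Principal Propagation", "Kerberos", "SAPSSO2 Generator"}
# The table does not say this one authenticates, so it is not counted as doing so.
OTHER = {"Populate JAAS Subject From Client"}


def lint_stack(stack, production=True):
    """Return findings for an ordered list of provider names."""
    findings = [f"{p}: unknown provider" for p in stack
                if p not in AUTHENTICATORS | SSO_ONLY | OTHER]
    if not any(p in AUTHENTICATORS for p in stack):
        findings += [f"{p}: stack has no authentication provider"
                     for p in sorted(set(stack) & SSO_ONLY)]
    if stack.count("SAML2") > 1:
        findings.append("SAML2: more than one instance in the stack")
    if "Principal Propagation" in stack and X509 in stack:
        findings.append(f"Principal Propagation: remove {X509} from the stack")
    if X509 in stack and LDAP in stack and stack.index(X509) > stack.index(LDAP):
        findings.append(f"{X509}: must be configured before {LDAP}")
    if production:
        findings += [f"{p}: development/testing or initial setup only"
                     for p in sorted(set(stack) & NOT_FOR_PRODUCTION)]
    return findings


if __name__ == "__main__":
    # Constructed sample stacks.
    samples = {
        "sso-only": ["Kerberos"],
        "ldap+kerberos": [LDAP, "Kerberos"],
        "cert-order": [LDAP, X509, "SAML2", "SAML2"],
        "dev-leftover": ["No Authentication Challenge", "SAPSSO2 Generator"],
    }
    for name, stack in samples.items():
        print(name, lint_stack(stack) or "ok")
```

Pass `production=False` when linting a development profile so the pass-through and installer providers are not flagged.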