SiteMinder provides various client authentication options for
SAP Mobile Platform.
In SiteMinder client authentication:
- SAP Mobile Platform uses the SSO cookie name SMSESSION.
- When network edge authentication is used, SiteMinder adds an
SM_USER header to the client's request along with the SMSESSION cookie. Configure the
Populate JAAS Subject From Client provider to set SM_USER as a Subject Principal so
that Check Impersonation can be enabled.
Note: SAP Mobile Platform does
not support using SMSESSION as SSO credentials to any back-end systems.
SiteMinder client authentication includes:
- Network edge – when a reverse proxy in the DMZ is protected by SiteMinder,
the SAP Mobile Platform client is challenged for basic
authentication credentials. If the credentials are valid, an SMSESSION
cookie is issued and the client is allowed through to the
SAP Mobile Platform server. The client begins a session by
sending an HTTPS request to the reverse proxy. The reverse proxy detects the
unauthenticated request and challenges it using basic authentication. After
the 401 challenge, the client either already has network credentials
configured or executes a callback to prompt the user for credentials.
- Unprotected-network edge – the network edge (reverse proxy) is not
protected by SiteMinder. The client's request is allowed to flow to
SAP Mobile Platform, where an authentication provider
presents the basic credentials to a SiteMinder-protected Web server on
behalf of the client. The SAP Mobile Platform server retains the
SMSESSION cookie and the credentials for the client.
- External tokens – the SAP Mobile Platform client application
obtains an SMSESSION cookie outside the
SAP Mobile Platform libraries, using custom application
processing, and passes this SMSESSION token into the
SAP Mobile Platform libraries as a cookie.
The SAP Mobile Platform libraries then add the cookie to subsequent
HTTP requests to the SAP Mobile Platform server. The cookie may or
may not be checked at the network edge.
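The following simulation walks through the network-edge exchange described above: the unauthenticated request, the 401 basic-authentication challenge, the credential callback, issuance of SMSESSION, and the SM_USER header the edge adds before forwarding to the SAP Mobile Platform server. It also accepts a token minted outside the session, which mirrors the external-token case where the cookie is checked at the edge. This is an added example, not SAP Mobile Platform or SiteMinder code. Everything in it is constructed for the demonstration: the user store, the hostname, and the SMSESSION token format (an HMAC over user name and expiry; real SMSESSION cookies are opaque SiteMinder tokens). The proxy also discards any SM_USER header that arrives from the client side; that is a practitioner assumption about how an edge that asserts identity by header should be configured, not something the page states.

```python
"""Simulation of the SiteMinder network-edge flow (added example, not
SAP or SiteMinder code).  Constructed for the demo: the user store, the
SMSESSION token format (base64 of user|expiry|hmac) and the signing key.
Real SMSESSION cookies are opaque SiteMinder tokens; the HMAC only stands
in for "the edge can validate what it issued"."""
import base64
import hashlib
import hmac
import time

USERS = {"alice": "s3cret"}                 # constructed user store
EDGE_KEY = b"constructed-edge-signing-key"  # constructed demo key
COOKIE = "SMSESSION"
USER_HEADER = "SM_USER"


def _now(now):
    return int(time.time() if now is None else now)


def issue_smsession(user, ttl=3600, now=None):
    """Mint a demo SMSESSION token: base64(user|expiry|hmac)."""
    msg = f"{user}|{_now(now) + ttl}".encode()
    tag = hmac.new(EDGE_KEY, msg, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(msg + b"|" + tag).decode()


def validate_smsession(token, now=None):
    """Return the user carried by a valid, unexpired token, else None."""
    try:
        user, exp, tag = base64.urlsafe_b64decode(token).decode().rsplit("|", 2)
    except Exception:
        return None
    expected = hmac.new(EDGE_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or int(exp) < _now(now):
        return None
    return user


def parse_cookies(header):
    jar = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def check_basic(authz):
    """Decode 'Authorization: Basic ...'; return the user name if valid."""
    if not authz or not authz.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authz[6:]).decode().partition(":")
    except Exception:
        return None
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), pw.encode()):
        return user
    return None


def edge_proxy(request, now=None):
    """SiteMinder-protected reverse proxy.  Returns ('challenge', response)
    or ('forward', the request as it would reach the SMP server)."""
    headers = dict(request["headers"])
    # Identity is asserted by the edge only: drop any SM_USER the client sent.
    headers.pop(USER_HEADER, None)
    jar = parse_cookies(headers.get("Cookie"))
    user = validate_smsession(jar[COOKIE], now) if COOKIE in jar else None
    set_cookie = None
    if user is None:  # no, invalid or expired cookie: fall back to basic auth
        user = check_basic(headers.get("Authorization"))
        if user is None:
            return "challenge", {"status": 401,
                                 "headers": {"WWW-Authenticate": 'Basic realm="SiteMinder"'}}
        set_cookie = issue_smsession(user, now=now)
        jar[COOKIE] = set_cookie
    headers[USER_HEADER] = user
    headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
    return "forward", {"headers": headers, "set_cookie": set_cookie}


def run_network_edge_flow(user, password, now=None):
    """The three steps from the text: 401 challenge, credential callback,
    then cookie reuse.  Returns the SM_USER value SMP sees on the follow-up."""
    kind, _ = edge_proxy({"headers": {"Host": "smp.example.test"}}, now)
    if kind != "challenge":
        return None
    authz = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    kind, fwd = edge_proxy({"headers": {"Host": "smp.example.test",
                                        "Authorization": authz}}, now)
    if kind != "forward":
        return None
    # The SMP client library stores SMSESSION and attaches it from now on.
    later = {"headers": {"Host": "smp.example.test",
                         "Cookie": f"{COOKIE}={fwd['set_cookie']}"}}
    kind, fwd = edge_proxy(later, now)
    return fwd["headers"].get(USER_HEADER) if kind == "forward" else None


if __name__ == "__main__":
    print(run_network_edge_flow("alice", "s3cret"))  # alice
    print(run_network_edge_flow("alice", "wrong"))   # None
```

Two things the walk-through makes visible that the prose does not: the SMP server only ever sees an SM_USER value the edge wrote, so a client-supplied SM_USER is overwritten rather than trusted, and an expired or tampered SMSESSION falls back to the 401 challenge instead of being forwarded.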