The Check Impersonation attribute, enabled by default, ensures that SAP Mobile Platform verifies who the user is after successful SSO-based login. Check Impersonation determines whether to allow SSO authentication to succeed when the user name cannot be matched against any of the user names validated in the authentication providers. Disabling Check Impersonation in Management Cockpit allows authentication to proceed without verifying that the presented token is associated with the user.
The Check Impersonation attribute allows authentication to succeed when, in token-based authentication, the presented user name cannot be matched against any of the user names validated in the authentication providers. In token-based authentication, even though a valid token may be presented to SAP Mobile Platform, the token may not be associated with the user indicated by the user name. To prevent the user authentication from succeeding in this scenario, the Check Impersonation attribute is enabled by default. When an unauthenticated request is received by SAP Mobile Platform (for example, from a device or Push Notification request), it may contain a token (in an HTTP header or cookie) that should be validated to authenticate the user. In some cases, a user name can be extracted from the token. In SAP Mobile Platform, the specified user name is matched to the name of at least one of the public principals added by the authentication providers. If the user name cannot be extracted from the token as part of the validation, then the specified user name is not added as a principal.
In certain situations, it may not be possible for the token validation server to return the user name embedded in the token. If no such custom authentication provider is available, then the administrator can allow authentication to succeed even when the user name presented cannot be matched against any of the user names validated by the configured authentication providers. In these situations, a custom authentication provider that maps the token to a user name and adds a principal with that user name may be used. To allow this authentication, uncheck the Check Impersonation check box in Management Cockpit for the associated security profile.