Implement multiple authentication providers to provide a security solution that meets complex security requirements.
SAP recommends stacking providers to gain finer-grained control over the overall authentication decision, especially in production environments that require different authentication schemes for administrators, push notifications, and so on. Stacking is implemented with a controlFlag attribute on each provider: when several providers are enabled, the controlFlag value of each one (Required, Requisite, Sufficient, or Optional, the standard JAAS control flags) determines how that provider's individual result contributes to the overall result. Set the controlFlag on a specific provider to refine how its result is processed.
For example, if your administrative users (smpAdmin in a default installation) are not users in a back-end system like SAP, and they are authenticated with the default security configuration, they cannot also authenticate with the HTTP/HTTPS Authentication provider, which is used for SSO2Token retrieval. In this case, you would stack a second authentication provider with controlFlag=sufficient for your administrative users, so that they are accepted by that provider even though the HTTP/HTTPS Authentication provider does not know them.
In a custom security profile (recommended), you can use a technical user, who is not an SAP user, for push notifications. Technical users do not need SSO, because they do not access data; however, they must still be authenticated by SAP Mobile Platform Server. To enable a technical user to log in, add another authentication provider for that user.
The flags follow JAAS semantics. Required: the provider must succeed; if it fails, the overall result is fail, but evaluation continues down the stack. Requisite: the provider must succeed; if it fails, evaluation stops immediately with fail. Sufficient: if the provider succeeds, evaluation stops immediately and the overall result is succeed, provided no earlier Required or Requisite provider has failed; if it fails, evaluation continues. Optional: the result does not affect the overall outcome, unless no Required or Requisite provider is configured at all, in which case at least one Sufficient or Optional provider must succeed.

The following table shows every evaluation path for a four-provider stack in the order listed. Each numbered column is one path; an asterisk (*) marks a provider that is never consulted because an earlier provider ended the evaluation. Note column 5: a Sufficient provider that succeeds does not rescue a login once a Required provider has failed.

Provider | controlFlag | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
---|---|---|---|---|---|---|---|---|---
Directory Service (LDAP/AD) | Required | succeed | succeed | succeed | succeed | fail | fail | fail | fail
HTTP/HTTPS Authentication | Sufficient | succeed | fail | fail | fail | succeed | fail | fail | fail
System Login (Admin Only) | Requisite | * | succeed | succeed | fail | * | succeed | succeed | fail
X.509 User Certificate | Optional | * | succeed | fail | * | * | succeed | fail | *
Overall result | | succeed | succeed | succeed | fail | fail | fail | fail | fail
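To make the control-flag rules concrete, the following Python simulation (added here as an example; it is not SAP Mobile Platform code and not taken from the JAAS reference) evaluates a provider stack with the standard JAAS semantics and regenerates the eight evaluation paths of the table above. It also goes one step beyond the table: the two-provider stacks ADMIN_STACK and LOCKED_OUT_STACK are assumed illustrations of the administrator scenario described earlier (they are not configurations shown on this page) and demonstrate why the second provider for administrators is added as Sufficient rather than behind a Required provider.

```python
"""Simulation of JAAS control-flag evaluation for a stack of authentication providers.

Added example: models the algorithm the provider-stacking table illustrates.
Provider names follow the table; the flags are the standard JAAS control flags.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"

# The four-provider stack from the table, in evaluation order.
SMP_STACK: List[Tuple[str, str]] = [
    ("Directory Service (LDAP/AD)", REQUIRED),
    ("HTTP/HTTPS Authentication", SUFFICIENT),
    ("System Login (Admin Only)", REQUISITE),
    ("X.509 User Certificate", OPTIONAL),
]

# Assumed illustration of the administrator case: SAP users are accepted by the
# HTTP/HTTPS provider, administrators (not SAP users) by System Login.
ADMIN_STACK: List[Tuple[str, str]] = [
    ("HTTP/HTTPS Authentication", SUFFICIENT),
    ("System Login (Admin Only)", SUFFICIENT),
]

# Assumed counter-example: with the first provider Required, an administrator who
# is unknown to it can never log in, whatever the second provider decides.
LOCKED_OUT_STACK: List[Tuple[str, str]] = [
    ("HTTP/HTTPS Authentication", REQUIRED),
    ("System Login (Admin Only)", SUFFICIENT),
]


def evaluate_stack(stack: List[Tuple[str, str]],
                   outcomes: List[bool]) -> Tuple[bool, List[Optional[bool]]]:
    """Walk the stack in order and apply the JAAS control-flag rules.

    outcomes[i] is whether provider i would authenticate the user if consulted.
    Returns (overall result, per-provider result); None means the provider was
    never consulted because an earlier provider ended the evaluation.
    """
    consulted: List[Optional[bool]] = [None] * len(stack)
    mandatory_configured = any(flag in (REQUIRED, REQUISITE) for _, flag in stack)
    mandatory_failed = False
    any_success = False

    for i, ((_, flag), ok) in enumerate(zip(stack, outcomes)):
        consulted[i] = ok
        any_success = any_success or ok
        if flag == REQUISITE and not ok:
            return False, consulted                  # stop immediately, login fails
        if flag == REQUIRED and not ok:
            mandatory_failed = True                  # keep going, but login will fail
        if flag == SUFFICIENT and ok:
            return not mandatory_failed, consulted   # stop; earlier mandatory ones must have passed

    if mandatory_configured:
        return not mandatory_failed, consulted       # every Required/Requisite passed?
    return any_success, consulted                    # only Sufficient/Optional: one must succeed


def distinct_paths(stack: List[Tuple[str, str]]) -> List[Tuple[Tuple[Optional[bool], ...], bool]]:
    """Every distinct evaluation path, as (per-provider results, overall), succeed-first order."""
    seen: Dict[Tuple[Optional[bool], ...], bool] = {}
    for outcomes in product([True, False], repeat=len(stack)):
        overall, consulted = evaluate_stack(stack, list(outcomes))
        seen.setdefault(tuple(consulted), overall)
    rank = {True: 2, False: 1, None: 0}
    return sorted(seen.items(), key=lambda kv: tuple(rank[x] for x in kv[0]), reverse=True)


def render_table(stack: List[Tuple[str, str]]) -> str:
    """Render the evaluation paths as a pipe table like the one in the documentation."""
    paths = distinct_paths(stack)

    def cell(r: Optional[bool]) -> str:
        return "*" if r is None else ("succeed" if r else "fail")

    rows = ["Provider | controlFlag | " + " | ".join(str(i + 1) for i in range(len(paths)))]
    rows.append("---|---|" + "|".join("---" for _ in paths))
    for i, (name, flag) in enumerate(stack):
        rows.append(f"{name} | {flag} | " + " | ".join(cell(p[i]) for p, _ in paths))
    rows.append("Overall result | | " + " | ".join(cell(o) for _, o in paths))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(SMP_STACK))
    admin_ok, _ = evaluate_stack(ADMIN_STACK, [False, True])
    locked, _ = evaluate_stack(LOCKED_OUT_STACK, [False, True])
    print(f"admin via Sufficient second provider: {admin_ok}; behind a Required provider: {locked}")
```

Running the script prints the same eight columns as the table, with the same overall results. The per-provider list returned by evaluate_stack is what to look at when a stacked profile behaves unexpectedly: a None entry tells you the provider was never asked, which is usually the sign of a Requisite failure or a Sufficient success earlier in the list.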
For more detailed information on JAAS providers, see the Java Authentication and Authorization Service (JAAS) Reference Guide.