
Network-Edge Authentication

In network-edge authentication, the SSO system intercepts an unauthenticated client request, challenges the client to authenticate, and adds an SSO cookie to the request before forwarding it to SAP Mobile Platform Server. Network-edge authentication is the most common SAP Mobile Platform SSO scenario.

Network-edge authentication allows administrators to configure which client values can be used for authentication into SAP Mobile Platform Server.

Client applications can connect to reverse-proxy servers or agents at the network edge. These agents perform authentication, and return authenticated tokens, delivered as HTTP cookies or HTTP headers. An example of an HTTP-based SSO provider is SiteMinder, running inside the enterprise, and its SiteMinder agent, running inside an Apache reverse-proxy server at the network edge.

SAP Mobile Platform uses the HTTP/HTTPS Authentication provider to contact a Web server that is integrated into the SSO system, in order to validate an SSO cookie, learn how long the cookie remains valid, and extract information about the user identified by the cookie, such as the user's security roles.

Note: If a network edge forces basic authentication, the Authorization header that the client uses to respond to the challenge is typically forwarded to SAP Mobile Platform Server. Even though the server may not process the header for login purposes, the user's name and password may be leaked in it. If this happens, an attacker who is able to exploit the leak can compromise all of the systems that accept those credentials.

To ensure that SAP Mobile Platform Server knows who a user is after a successful SSO-based login, in Management Cockpit, select Check Impersonation in the security profile settings. In network-edge authentication, the user identity (Principal) may be added as an additional header at the network edge.
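The following is an added example, not code from the SAP documentation or from SAP Mobile Platform itself. It models two points made above: what a network-edge agent should forward (the SSO cookie and a Principal header, never the client's Authorization header) and a simplified impersonation check on the server side that rejects a Principal header that disagrees with the identity the SSO system reports for the cookie. The cookie and header names (SMSESSION, SM_USER), the in-memory SSO directory and the exact semantics of the check are assumptions.

```python
# Added example (not SAP's code): a simplified model of what a network-edge
# reverse proxy forwards to SAP Mobile Platform Server, and of an
# impersonation check on the server side. SMSESSION / SM_USER are assumed
# (SiteMinder's conventional names); the validation back end is constructed.
from http.cookies import SimpleCookie

SSO_COOKIE = "SMSESSION"          # assumed SSO session cookie name
PRINCIPAL_HEADER = "SM_USER"      # assumed header carrying the Principal
# Headers that must never cross the network edge: the client's response to a
# Basic challenge carries the user name and password (see the Note above).
STRIP_HEADERS = {"authorization", "proxy-authorization"}

def edge_forward_headers(client_headers: dict, principal: str) -> dict:
    """Build the headers the edge agent forwards after authenticating."""
    fwd = {}
    for name, value in client_headers.items():
        if name.lower() in STRIP_HEADERS:
            continue                      # drop credentials at the edge
        if name.lower() == "cookie":
            jar = SimpleCookie(value)
            keep = [f"{k}={v.value}" for k, v in jar.items() if k == SSO_COOKIE]
            if keep:
                fwd["Cookie"] = "; ".join(keep)   # forward only the SSO cookie
            continue
        fwd[name] = value
    fwd[PRINCIPAL_HEADER] = principal     # identity added at the network edge
    return fwd

# Constructed stand-in for the SSO validation Web server:
# cookie value -> (user, remaining validity in seconds, security roles)
SSO_DIRECTORY = {
    "abc123": ("alice", 3600, ["SMP_USER"]),
}

def validate_sso_cookie(cookie_value: str):
    """What the HTTP/HTTPS Authentication provider learns from the SSO system."""
    return SSO_DIRECTORY.get(cookie_value)

def server_login(fwd_headers: dict, check_impersonation: bool = True):
    """Return (user, roles) on success, or None when the login must fail."""
    jar = SimpleCookie(fwd_headers.get("Cookie", ""))
    if SSO_COOKIE not in jar:
        return None                       # no SSO cookie: nothing to validate
    result = validate_sso_cookie(jar[SSO_COOKIE].value)
    if result is None:
        return None                       # cookie unknown or expired
    user, _ttl, roles = result
    claimed = fwd_headers.get(PRINCIPAL_HEADER)
    if check_impersonation and claimed is not None and claimed != user:
        return None                       # Principal header disagrees with SSO
    return user, roles
```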