Show TOC

Principal Propagation Configuration PropertiesLocate this document in the navigation structure

The Principal Propagation (X.509) provider enables single sign-on (SSO) access to back-end resources. To use this provider, an authentication provider must first authenticate clients, and you must select X.509 as the SSO mechanism.

Configure a Principal Propagation provider by:
  • Generating a certificate and private key to use in the public key infrastructure (PKI) system
  • Importing to a back-end system, a public version of the CA signing key, as a trusted CA for the temporary user certificates that this login module will generate and sign
  • Importing the certificate and the private key to the SAP Mobile Platform keystore, and configuring the alias, using the keytool utility
  • Configuring the Principal Propagation provider with the alias of the imported certificate and private key
  • Configuring an authentication provider, in the same security profile
  • Entering appropriate values for the properties below
Table 1: Principal Propagation Configuration Properties
Property Name Default Value Description

Provider Description


Differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.

CA Signing Certificate Alias


An alias in the system keystore that corresponds to the CA signing certificate and private key to sign the dynamically generated certificate for the authenticated user.

Subject Pattern


Pattern for the generated subject distinguished name. If you specify the variable ${name}, the authenticated principal name is substituted for it.

Certificate Validity Period


The number of minutes the generated certificate is valid. After the validity period, a new certificate is generated for SSO to the back end. Performance declines if you set this value too low.

Clock Skew Tolerance


Number of additional minutes a certificate remains valid. Compensates for differences in time between the machine on which SAP Mobile Platform Server is running and the back-end machine that receives the certificate generated by the Principal Propagation credential.

By default, a generated certificate is valid for 10 minutes. If the clock skew tolerance is 10, a generated certificate is valid for an additional 10 minutes in both directions. For example, if the time on the server clock is 12:00, the certificate is valid between 11:50 and 12:20. If the time on the receiving server is within 10 minutes of the time on the sending server, it receives a valid certificate; if the time on the receiving server is more than 10 minutes behind, or more than 20 minutes ahead of, the time on the sending server, it receives an invalid certificate.

To validate your settings, click Test Settings. A message reports either success or failure; if validation fails, invalid settings are highlighted.