
Single Sign-On Mechanisms

The SAP Mobile Platform Server OData Proxy service supports the use of one or more single sign-on (SSO) mechanisms.

In a single sign-on setup, clients authenticate to SAP Mobile Platform Server with the authentication providers that you configure in the security profile; the server then uses the SSO mechanism selected for the back-end connection to authenticate to the back-end system on the client's behalf. Which mechanisms you can select depends on which providers the security profile contains, as described below.

The available SSO mechanisms are:

Basic
Connects to the back end with the end user's user name and password. The provider configured in the security profile must authenticate the end user with a user name and password, for example HTTP/HTTPS Authentication, Directory Service (LDAP/AD), or System Login (Admin Only). Because the server replays the end user's password to the back end, use HTTPS for the back-end connection.

Kerberos
Enter the Kerberos realm and the service name. Connects to the back end by sending the Kerberos token in the Authorization: Negotiate <Kerberos token value> header; configure the back end to authenticate users with Kerberos.

You can use this mechanism only if the Kerberos provider is configured in the security profile. The server obtains a Kerberos service ticket for the specified realm and service name and sends it as the token in the Negotiate header. The realm contains the back-end resources to which you want to provide SSO access.

Note: The service user configured in the security profile must also be configured in Active Directory with permission to delegate to the application-endpoint service (Kerberos constrained delegation).

SSO2
Authenticates the user to the back end with a MYSAPSSO2 token.

You can use this mechanism only if an HTTP/HTTPS Authentication provider is configured in the security profile and it authenticates the end user to SAP Mobile Platform Server against a Web server that returns a MYSAPSSO2 token; the server forwards that token to the back end.

Technical User Basic (TechUserBasic)
Enter the user name and password for the technical user. Connects to the back end with these credentials.

You can use this mechanism with any authentication-provider configuration in the security profile. The back end sees every request as the technical user rather than as the end user, so back-end authorization checks and audit logs cannot distinguish end users; any per-user authorization must be enforced on the server side.

Technical User X.509 (TechUserX509)
Connects to the back end with the configured technical user's X.509 certificate over a mutually authenticated HTTPS connection.

You can use this mechanism with any authentication-provider configuration in the security profile. As with TechUserBasic, the back end sees only the technical user's identity.

X.509
Connects to the back end with the configured technical user's X.509 certificate and passes the end user's certificate in the SSL_CLIENT_CERT HTTP header. The end-user certificate is either generated by the Principal Propagation provider configured in the security profile or supplied by the end user when he or she authenticates to the server over a mutually authenticated HTTPS connection; accordingly, you can use this mechanism with either the X.509 User Certificate authentication provider or the Principal Propagation provider. Configure the back end to:
  • Allow the technical user to impersonate an end user by passing the end user's certificate in the SSL_CLIENT_CERT header and executing the request in the context of that end user. Accept the header only on connections authenticated with the technical user's certificate: any other caller that can set the header could otherwise impersonate arbitrary users.
  • Map the user certificate presented in the header to a user who is configured in the user store.
  • Verify that the back-end service accepts client-certificate (mutually authenticated HTTPS) connections.

Refer to your back-end system documentation for more information.

Custom
Sends configured headers or cookies whose values are derived from a regular expression. This is a generic mechanism for passing SSO details that the other mechanisms do not cover. Select Custom, and enter:
  • Name – name of the header or cookie.
  • Pattern – regular expression that produces the header or cookie value.
  • Type – header or cookie.