Create and configure security profiles to define parameters that control how the server authenticates the user during onboarding and during request-response interactions with the back end. You can also define additional SAP Mobile Platform administrator users by creating a new security profile and configuring the required authentication provider.
|Name||A unique name for the application authentication profile.|
|Check Impersonation||(Optional) In token-based authentication, whether to allow authentication to succeed when the user name presented cannot be matched against any of the user names validated in the login modules. By default the property is enabled, which prevents the user authentication from succeeding in this scenario.|
|No Authentication Challenge||Always authenticates the supplied user. The provider offers pass-through security for SAP Mobile Platform Server, and should typically be reserved for development or testing. SAP strongly encourages you to avoid using this provider in production environments—either for administration or device user authentication.|
|System Login (Admin Only)||Configured by the installer with the initial administrator credentials to give platform administrators access to Management Cockpit, so they can configure SAP Mobile Platform Server for production use. Administrators are expected to replace this authentication provider immediately upon logging in for the first time. SAP encourages you to avoid using this provider in production environments.|
|Populate JAAS Subject From Client||Enables administrators to add client values as named credentials, name principals, and role principals to the authenticated subject. This provider copies values from the client's HTTP request into the JAAS subject as:
|X.509 User Certificate||For users who are authenticated by certificates. You can use this provider with other authentication providers that support certificate authentication, for example, Directory Service (LDAP/AD), by configuring X.509 User Certificate before the authentication providers that support certificate authentication. You can only use this provider to validate client certificates when HTTPS listeners are configured to use mutual
You can configure optional advanced properties, such as key-value pairs, for this provider by selecting Advanced in Management Cockpit.
Note: Agentry clients on iOS and Android do not support client/user certificates. Agentry clients on Windows and Windows CE support client-side certificates, but Agentry cannot use these certificates for user identification; Agentry requires separate user name and password authentication as well.
Provider that authenticates a user through a trusted identity provider.
Use only a single SAML2 instance, by itself or in combination with other authentication providers, when you define a security profile.
|Principal Propagation||Provides clients with single sign-on access to back-end systems; does not authenticate a client that is opening a session with SAP Mobile Platform Server.
To use the Principal Propagation provider:
|HTTP/HTTPS Authentication||Authenticates a user with given credentials (user name and password, or SSO tokens from your SSO system) against a back end that is integrated into your management or SSO systems. Optionally, this provider may retrieve a cookie that represents additional SSO credentials to use for back-end systems that are also integrated with your SSO
You can configure optional advanced properties, such as Username HTTP Header and Token Expiration Interval, by selecting Advanced in Management Cockpit.
Provider that has no part in authenticating the user based on credentials provided, but once another provider has authenticated the user, this module can provide Kerberos SSO credentials for that user to back-end systems.
You cannot use Kerberos by itself when you define a security profile.
|Directory Service (LDAP/AD)||Integrates with your Active Directory or other Directory Server identity management system using LDAP. The provider first connects to your Directory Server using a technical user identity so it can perform an LDAP search to discover the fully qualified distinguished name (DN) of the current user in the directory. It then binds the DN to the provided password. When the bind succeeds, the user is considered authenticated. The provider then performs an LDAP search to see which groups the user is a member of. These group names are considered physical roles in the role mapping definitions that are used later for access controls.
This provider is particularly useful in the Admin security profile to allow existing enterprise users to use Management Cockpit, and also any custom security profiles used for authenticating enterprise users for SAP Mobile Platform application usage.
You can configure optional advanced properties, such as Certificate Authentication Filter and Certificate Attributes, for this provider by selecting Advanced in Management Cockpit.
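The search-then-bind flow described for Directory Service (LDAP/AD), as an added Python example that is not SAP Mobile Platform code. It goes slightly beyond the description by showing two checks the flow depends on: escaping the user name before it enters the search filter, and refusing empty passwords before the bind. The in-memory directory, the role map, and all function names are constructed for illustration.

```python
import hmac
import re

# Constructed sample data standing in for a directory server (not real entries).
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "uid": "jdoe", "password": "s3cret!",
        "groups": ["cn=mobile-users,ou=groups,dc=example,dc=com"]},
    "uid=admin1,ou=people,dc=example,dc=com": {
        "uid": "admin1", "password": "Adm1n-pass",
        "groups": ["cn=smp-admins,ou=groups,dc=example,dc=com"]},
}
# Hypothetical role mapping: physical role (group DN) -> logical role.
ROLE_MAP = {"cn=smp-admins,ou=groups,dc=example,dc=com": "Administrator",
            "cn=mobile-users,ou=groups,dc=example,dc=com": "User"}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so user input stays a literal."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def search(ldap_filter):
    """Stub search run as the technical user; handles (uid=<value>) only."""
    value = re.fullmatch(r"\(uid=(.*)\)", ldap_filter).group(1)
    # An unescaped '*' is a wildcard; a \XX hex escape is a literal character.
    pattern = "".join(
        ".*" if tok == "*" else
        re.escape(chr(int(tok[1:], 16)) if len(tok) == 3 else tok)
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", value))
    return [dn for dn, e in DIRECTORY.items() if re.fullmatch(pattern, e["uid"])]

def bind(dn, password):
    """Stub bind; like some servers, accepts an empty password (RFC 4513)."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["password"].encode(), password.encode())

def authenticate(username, password):
    """Search, bind, then group lookup; returns logical roles or None."""
    if not username or not password:       # never send an empty-password bind
        return None
    matches = search("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:                  # no match or ambiguous: fail closed
        return None
    if not bind(matches[0], password):
        return None
    groups = DIRECTORY[matches[0]]["groups"]   # group names = physical roles
    return {ROLE_MAP[g] for g in groups if g in ROLE_MAP}
```

The stub `bind` deliberately accepts an empty password to mirror an unauthenticated bind, which is why `authenticate` rejects empty input before any bind is attempted.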
Internal method of generating a token for SSO access to back-end systems.
To use :