SAP SSO Token Authentication Properties

Add and configure authentication provider properties for SAPSSOTokenLoginModule, or accept the default values.

SAPSSOTokenLoginModule properties
Property Description
Implementation class (Required) – the fully qualified class that implements the login module. com.sybase.security.sap.SAPSSOTokenLoginModule is the default class.
Provider type (Required and read-only) – LoginModule is the only supported value.
Control flag (Required) – optional is the default value. Determines how success or failure of this module affects the overall authentication decision.
SAP server URL (Required) – the SAP server URL that authenticates the user and from which Unwired Server gets the SSO2 token.
Clear password (Optional) – if set to True, the login module clears the username and password in the shared context.
Disable server certificate validation (Optional) – the default is False. If set to True, disables certificate validation when establishing an HTTPS connection to the SAP server using the configured URL. Set to True only for configuration debugging.
SAP server certificate (Optional) – name of the file containing the SAP certificate's public key in .pse format. This is required only when token caching is enabled by setting a SAP SSO token persistence data store value.
SAP server certificate password (Optional) – password used to access the SAP server certificate.
SAP SSO token persistence data store (Optional) – JNDI name used to look up the data source in which the retrieved SSO2 tokens are persisted.

Set to "jdbc/default" to store tokens in the Unwired Server CDB. If unconfigured, some caching is still done based on the "Authentication cache timeout interval" property associated with the security configuration setting.

If you use the default setting, you do not need to set SAP SSO token persistence data store, SAP server certificate, SAP server certificate password, or Token expiration interval properties.
To enable token caching through the SAPSSOTokenLoginModule:
  1. Set the SAP SSO token persistence data store value to "jdbc/default".
  2. Download and install the SAP SSO2 token files. See Installing the SAP SSO2Token Files on Unwired Server Hosts.
  3. Specify the correct values for the SAP server certificate, SAP server certificate password and Token expiration interval properties.
Store password (Optional) – if set to True, the login module stores the username/password in the shared context after successfully authenticating the user.
Token expiration interval (Optional) – this property is ignored when the SAP SSO token persistence data store property is not configured. It specifies the token validity period, after which time a new token is retrieved from the SAP EIS. The default value is 120 seconds.

Keep in mind that:

  • The "Token expiration interval" cannot exceed the "Token validity period", which is the amount of time defined in the back-end SAP server for which the token is valid.
  • The "Authentication cache timeout" property must be less than the "Token expiration interval" property value.
Try first password (Optional) – if set to True, the login module attempts to retrieve the username/password from the shared context, before calling the callback handler.
Use first password (Optional) – if set to True, the login module attempts to retrieve the username/password only from the shared context, and never calls the callback handler.
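
The rules in this table (certificate validation, the token-caching steps, and the two interval constraints) can be checked mechanically before a configuration is deployed. The following Python script is an added example, not Sybase or SAP code; it assumes the settings are available as a dictionary keyed by the display names used on this page, and the function name and finding codes are hypothetical.

```python
# Added example, not vendor code. Keys are the display names from the property
# table on this page (assumption), not the module's internal property keys.
DEFAULT_TOKEN_EXPIRATION = 120  # seconds, the documented default

def is_true(value):
    return str(value).strip().lower() == "true"

def audit_sso_config(props, auth_cache_timeout, backend_token_validity):
    """Return (code, message) findings. Both interval arguments are in seconds:
    the security configuration's authentication cache timeout and the token
    validity period defined on the back-end SAP server."""
    findings = []
    if not props.get("SAP server URL"):
        findings.append(("URL_MISSING", "SAP server URL is required"))
    if is_true(props.get("Disable server certificate validation", "False")):
        findings.append(("CERT_VALIDATION_DISABLED",
                         "HTTPS certificate validation is off; debugging only"))
    store = props.get("SAP SSO token persistence data store")
    if not store:
        if "Token expiration interval" in props:
            findings.append(("EXPIRATION_IGNORED",
                             "Token expiration interval is ignored without a data store"))
        return findings
    # Token caching is enabled: step 3 of the procedure applies.
    for name in ("SAP server certificate", "SAP server certificate password"):
        if not props.get(name):
            findings.append(("CACHE_PROP_MISSING", name + " is not set"))
    expiration = int(props.get("Token expiration interval", DEFAULT_TOKEN_EXPIRATION))
    if expiration > backend_token_validity:
        findings.append(("EXPIRATION_TOO_LONG",
                         "Token expiration interval exceeds the back-end validity period"))
    if auth_cache_timeout >= expiration:
        findings.append(("CACHE_TIMEOUT_TOO_LONG",
                         "Authentication cache timeout must be less than the expiration interval"))
    return findings

# Constructed sample configuration (all values are made up for the example).
SAMPLE = {
    "SAP server URL": "https://sap.example.test/sso",
    "Disable server certificate validation": "True",
    "SAP SSO token persistence data store": "jdbc/default",
    "SAP server certificate": "sap_server.pse",
    "Token expiration interval": "3600",
}

if __name__ == "__main__":
    for code, message in audit_sso_config(SAMPLE, auth_cache_timeout=3600,
                                          backend_token_validity=1800):
        print(code + ": " + message)
```
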
Related concepts
SAPSSOTokenLoginModule Authentication Provider
Preparing Your SAP Environment for SSO
Related tasks
Installing the SAP SSO2Token Files on Unwired Server Hosts