Single Sign-on

Android, BlackBerry, and iOS Workflow applications can provide a single sign-on (SSO) token.

Cookie-based Network Edge Authentication

Unlike standard credential cache authentication, network edge authentication is global to the Hybrid Web Container, not specific to each workflow application. Each Hybrid Web Container has a dialog that prompts for HTTP basic authentication credentials when challenged, and a session header or cookie is returned if the system is configured for SSO. See Security > Server Security > Enabling Authentication and RBAC for User Logins > Authentication in Unwired Platform > Built-in Security Providers for User Authentication and Authorization > HTTP Authentication Security Provider for more information.

The sequence of authentication is as follows:
  1. Client Network Edge authentication – The client begins a session by sending an HTTP(S) request to the Reverse Proxy. The Reverse Proxy detects the unauthenticated request and challenges for Basic authentication. After the 401 challenge, the client may already have network credentials configured, or a callback may prompt for credentials.
  2. The client sends another HTTP request with the credentials, which the Reverse Proxy validates. If they are valid, the Reverse Proxy issues a Cookie with an SSO token value. The HTTP headers are added to the request that is created and sent to Sybase Unwired Platform.
  3. Sybase Unwired Platform receives the request and uses an enhanced CSI LoginModule to authenticate. This login module is configured to extract HTTP Headers from the request (Cookie values are a subset).
  4. Sybase Unwired Platform processes the request and a response is sent back to the client. The client is still waiting for the Reverse Proxy's response to its HTTP request. When the response comes back, the Reverse Proxy typically adds the Set-Cookie response header at this time to pass the SSO data back to the client to use in subsequent HTTP requests.
    • If the SSO token is valid, everything proceeds.
    • If the SSO token is invalid, a server to device method instructs the Hybrid Web Container to prompt for credentials again.
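
The sequence above, modeled in-process as an added example (not Sybase Unwired Platform or Reverse Proxy code). The cookie name, shared key, user store and HMAC token format are assumptions made for the illustration; a 401 from `backend_login` stands in for the server instructing the container to prompt again.

```python
import base64, hashlib, hmac, time
from http.cookies import SimpleCookie

KEY = b"constructed-demo-key"   # assumption: proxy and validator share this key
USERS = {"alice": "s3cret"}     # constructed credential store
COOKIE = "SSO_TOKEN"            # hypothetical cookie name
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="edge"'}, None)

def _mac(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, ttl=300, now=None):
    body = f"{user}.{int((now or time.time()) + ttl)}"
    return f"{body}.{_mac(body)}"

def validate_token(token, now=None):
    """Return the user for an authentic, unexpired token, else None."""
    try:
        user, exp, mac = token.rsplit(".", 2)
        fresh = int(exp) > (now or time.time())
    except ValueError:
        return None
    good = hmac.compare_digest(mac.encode(), _mac(f"{user}.{exp}").encode())
    return user if good and fresh else None

def backend_login(headers):
    """Step 3: the login module reads the token out of the forwarded headers."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    user = validate_token(jar[COOKIE].value) if COOKIE in jar else None
    return (200, user) if user else (401, None)  # 401: container must re-prompt

def edge_proxy(headers):
    """Steps 1, 2 and 4: challenge, check Basic credentials, forward, set cookie."""
    if "Cookie" in headers:                      # later request: pass the token on
        status, user = backend_login({"Cookie": headers["Cookie"]})
        return status, {}, user
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return CHALLENGE
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return CHALLENGE
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
        return CHALLENGE
    cookie = f"{COOKIE}={issue_token(user)}"
    status, user = backend_login({"Cookie": cookie})
    return status, {"Set-Cookie": f"{cookie}; Secure; HttpOnly"}, user

def basic(user, pw):
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}
```

Because the token is global to the container rather than to one workflow application, the sketch gives it an expiry and an integrity check so that a tampered or stale cookie falls back to the credential prompt.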