Android, BlackBerry, and iOS Workflow applications can provide a single sign-on (SSO)
token.
Cookie-based Network Edge Authentication
Unlike standard credential cache authentication, network edge authentication is
global to the Hybrid Web Container, not specific to each workflow application. Each
Hybrid Web Container has a dialog to prompt for HTTP basic authentication
credentials when challenged, and a session header or cookie is returned if the
system is so configured for SSO. See Security > Server Security > Enabling
Authentication and RBAC for User Logins > Authentication in Unwired Platform >
Built-in Security Providers for User Authentication and Authorization > HTTP
Authentication Security Provider for more information.
The sequence of authentication is as follows:
- Client Network Edge authentication – The client begins a session by sending
an HTTP(S) request to the Reverse Proxy. The Reverse Proxy detects the
unauthenticated request and challenges for Basic authentication. After the
401 challenge, the client may already have network credentials configured,
or perhaps there is a callback to prompt for credentials.
- The client sends another HTTP request with the credentials, which the
Reverse Proxy validates and, if they are valid, issues a cookie with an SSO
token value. The HTTP headers will be added to the request that is created
and sent to Sybase Unwired Platform.
- Sybase Unwired Platform receives the request and uses an enhanced CSI
LoginModule to authenticate. This login module is
configured to extract HTTP Headers from the request (Cookie values are a
subset).
- Sybase Unwired Platform processes the request and a response is sent back to
the client. The client is still waiting on the original HTTP request from
the Reverse Proxy. When the response comes back, the Reverse Proxy typically
adds the Set-Cookie response header at this time to pass the SSO data back to
the client to use in subsequent HTTP requests.
- If the SSO token is valid, everything proceeds.
- If the SSO token is invalid, a server-to-device method instructs the Hybrid
Web Container to prompt for credentials again.
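The sequence above as a runnable sketch. This is an added example, not Sybase Unwired Platform code: the cookie name SSO_TOKEN, the HMAC-signed token format, the key, and the sample user are all assumptions made for illustration, and the token carries no expiry.

```python
import base64, hashlib, hmac

# Constructed values for illustration; none come from Sybase Unwired Platform.
KEY, USERS, COOKIE = b"constructed-demo-key", {"alice": "s3cret"}, "SSO_TOKEN"
CHALLENGE = {"WWW-Authenticate": 'Basic realm="edge"'}

def _mac(user):
    return hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()

def basic(user, password):
    """Client side: build the Authorization header value sent after the 401."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def token_user(token):
    """Return the user named in the token if its MAC verifies, else None."""
    user, _, mac = token.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if user and ok else None

def cookies(headers):
    parts = (c.strip().partition("=") for c in headers.get("Cookie", "").split(";"))
    return {k: v for k, _, v in parts if k}

def backend(headers):
    """Stand-in for the login module: reads the SSO token from request headers."""
    user = token_user(cookies(headers).get(COOKIE, ""))
    if user is None:
        return 401, {}, "reprompt"  # invalid token: container must prompt again
    return 200, {}, f"hello {user}"

def reverse_proxy(headers):
    """Stand-in for the network edge: challenge, validate, forward, set cookie."""
    if COOKIE in cookies(headers):  # later requests already carry the SSO cookie
        return backend(headers)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, dict(CHALLENGE), ""  # unauthenticated: Basic challenge
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return 401, dict(CHALLENGE), ""
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
        return 401, dict(CHALLENGE), ""
    token = f"{user}.{_mac(user)}"
    forwarded = dict(headers, Cookie=f"{COOKIE}={token}")  # header added for backend
    status, resp, body = backend(forwarded)
    resp["Set-Cookie"] = f"{COOKIE}={token}; Secure; HttpOnly"  # SSO data to client
    return status, resp, body
```

Because the backend stand-in verifies the token's MAC instead of trusting the forwarded header as-is, an altered or forged cookie value takes the invalid-token branch and triggers the credential prompt.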