Authentication

Set up your HTTP client to use one of four types of authentication.

Basic authentication – Provide a username and password to login. This method is available when connecting through HTTP and one-way HTTPS.
SSO token – Provide an SSO token to login. This method is available when connecting through HTTP and HTTPS and a token validation service is available and configured.
X.509 Mutual authentication – Provide a client certificate to login. This method is available only through HTTPS port configured with enabling mutual authentication. For more information on mutual authentication, see Single Sign-on for SAP in Security.
X.509 Mutual authentication through intermediary – Provide a forwarded client certificate to login; the forwarded certificate is provided by the SSL_CLIENT_CERT header. The SSL_CLIENT_CERT header contains a forwarded PEN-encoded client certificate. This method is available only through an appropriately configured HTTPS listener. The certificate forwarder must have the "SUP Impersonator" role to be authorized for this type of login. The certificate of the actual "SUP Impersonator" user cannot be used as a regular user certificate.
Intermediary refers to the relay server or an apache reverse proxy. The requests are sent on mutual SSL connection from client to intermediary and then intermediary to SUP. From client to intermediary, client certificate is used on transport level. From intermediary to SUP, the impersonator certificate is used on transport level. The client certificate is forwarded as SSL_CLIENT_CERT HTTP request header.

A request targeting a resource that requires authentication fails with error code 401 unless X.509 mutual authentication is used to establish a valid authenticated request context (The certificate validation login module must exist in the security configuration used to authenticate the request and the certificate validation must be successful and sufficient. If that is not the case, regular username/password or token authentication is attempted and the request is authenticated equal to a non X.509 authenticated connection). After three subsequent failed authentication attempts using the same X-SUP-SESSID, the fourth attempt fails with a 403 error code.