Single Sign-on Authentication

Understand the role of user credentials and X.509 certificates in single sign-on authentication.

Single sign-on authentication comprises three main areas:

Connecting SAP Mobile Platform to the back end requires an encrypted channel with mutual authentication. For security reasons, encrypt the communication channel between SAP Mobile Server and the SAP EIS. For Web services, DOE, and Gateway interactions, encryption requires an HTTPS communication path with mutual certificate authentication. In SAP Control Center, navigate to the corresponding connection pool, edit its properties, and add the "Certificate Alias" property, giving the name of a certificate alias in keystore.jks. See Creating Connections and Connection Templates in SAP Control Center for SAP Mobile Platform.

During mutual certificate authentication between the client and SAP Mobile Platform, the client presents a certificate to SAP Mobile Server. For authentication to succeed, the client's certificate, or more typically the certificate authority (CA) that signed the client certificate, must be present in the SAP Mobile Server truststore.

Typical non-SSO setups use a technical user. Unlike SSO, in a normal JCo connection the user name is a technical user, and all RFCs are executed in the SAP EIS as that user rather than as the end user. The technical user is granted all rights and roles within SAP needed to execute the range of RFCs behind the MBOs. In an SSO connection, this technical user cannot authenticate against the back end with regular credentials and instead typically uses a certificate. For SSO to SAP, the technical user certificate is added to the SAP Mobile Server certificate truststore as part of the secure network communications (SNC) setup. The technical user certificate is issued by the SAP server and is trusted by the SAP server to impersonate other users. So, once the technical user certificate has been authenticated when the SNC connection is established, the SAP server further trusts that the credentials (SSO2 or X.509 values) identifying the end user have been validated by SAP Mobile Server, and it executes the EIS operations as that asserted end user.

Note: In SAP Mobile Platform, the password for the CA must match the keystore password (the default is changeit). When administrators import a certificate into the keystore, they must use the same password for the key alias entry as for the keystore, and thus the same value for the Certificate Alias.
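As an added example, not part of this documentation or of SAP Mobile Platform itself, the following Java program checks the two conditions described above against a local keystore.jks: that the CA that signed a given client certificate is present in the truststore, and that the key alias entry opens with the keystore password (the rule in the Note). The file name keystore.jks, the default password changeit, the alias and the client certificate path are assumptions passed in or hard-coded for illustration.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;   // explicit: avoids a clash with deprecated java.security.Certificate
import java.util.Collections;

/** Added example: sanity checks for a SAP Mobile Server keystore.jks (file name, alias and password are assumptions). */
public class SmpKeystoreCheck {
    /** True only if alias is a key entry that opens with the keystore password itself (the rule in the Note). */
    static boolean keyEntryUsesKeystorePassword(KeyStore ks, String alias, char[] storePass)
            throws KeyStoreException, NoSuchAlgorithmException {
        if (!ks.isKeyEntry(alias)) return false;   // alias missing, or a trusted-cert entry with no private key
        try {
            ks.getKey(alias, storePass);           // throws when the entry's own password differs
            return true;
        } catch (UnrecoverableKeyException wrongPassword) {
            return false;
        }
    }
    /** Alias of the truststore entry whose public key verifies clientCert's signature, or null if none does. */
    static String findIssuerAlias(KeyStore truststore, X509Certificate clientCert) throws KeyStoreException {
        for (String alias : Collections.list(truststore.aliases())) {
            Certificate candidate = truststore.getCertificate(alias);
            if (candidate == null) continue;       // key entry without a certificate chain
            try {
                clientCert.verify(candidate.getPublicKey());   // signature check against this entry
                return alias;
            } catch (GeneralSecurityException notTheIssuer) {
                // this entry did not sign the client certificate; keep looking
            }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        // Usage: java SmpKeystoreCheck <alias> [client-cert.pem]; the password is the documented default.
        char[] storePass = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("keystore.jks")) {
            ks.load(in, storePass);
        }
        System.out.println("key entry opens with keystore password: " + keyEntryUsesKeystorePassword(ks, args[0], storePass));
        if (args.length > 1) {
            try (FileInputStream in = new FileInputStream(args[1])) {
                X509Certificate client = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println("issuer found in truststore under alias: " + findIssuerAlias(ks, client));
            }
        }
    }
}
```

A null issuer alias means the signing CA is missing from the truststore, which is the mutual-authentication failure described above; a false result for the alias means the Certificate Alias property would point at an entry the server cannot open.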