Security Profile for a SiteMinder-Protected Back End

With SAP Mobile Platform, SiteMinder authentication is used in protected and unprotected network-edge configurations.

Network-edge and Token-based Authentication

With network-edge and token-based authentication, a security profile that integrates with applications using a SiteMinder-protected back end must use a Populate JAAS Subject From Client provider. The SiteMinder agent adds an sm_user header to client requests, and the Populate JAAS Subject From Client provider reads that header to set the user Principal.
Note: If the SiteMinder agent does not add an sm_user header, disable impersonation checking.

You should also have an HTTP/HTTPS Authentication provider configured for a SiteMinder-protected URL where SAP Mobile Platform can verify the validity of the user's SMSESSION cookie.

SAP Mobile Platform must send the SMSESSION cookie to that URL. If the URL is a SiteMinder agent in front of an SAP-protected back end, set the SSOCookie value to MYSAPSSO2, the SSO token used against other back-end SAP systems.

When integrating with a back-end system that is not SAP protected, SAP Mobile Platform simply requires a 200 status in the response to indicate the SMSESSION was valid.
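The two steps described above (taking the user Principal from the sm_user header, then replaying the SMSESSION cookie to a SiteMinder-protected URL and accepting only a 200) as an added Python example; this is illustrative code, not part of SAP Mobile Platform. The transport hook, the stub agent and all token values are constructed for the example.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Mapping, Optional, Tuple

# Hypothetical transport hook: (url, request headers) -> (status, response headers).
# A real provider would issue an HTTP/HTTPS request; the stub below stands in for it.
Transport = Callable[[str, Mapping[str, str]], Tuple[int, Mapping[str, str]]]

@dataclass
class AuthResult:
    principal: Optional[str]   # user Principal taken from the sm_user header
    sso_cookie: Optional[str]  # value of the configured SSOCookie, if one was returned
    session_valid: bool        # True only when the protected URL answered 200

def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return one cookie's value from a Cookie or Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None

def authenticate(client_headers: Mapping[str, str], protected_url: str,
                 sso_cookie_name: str, transport: Transport) -> AuthResult:
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in client_headers.items()}
    # Populate JAAS Subject From Client: the sm_user header becomes the Principal.
    principal = headers.get("sm_user")
    smsession = cookie_value(headers.get("cookie", ""), "SMSESSION")
    if not smsession:
        return AuthResult(principal, None, False)
    # HTTP/HTTPS Authentication provider: replay SMSESSION to the protected URL.
    status, resp_headers = transport(protected_url, {"Cookie": f"SMSESSION={smsession}"})
    if status != 200:
        return AuthResult(principal, None, False)
    # An SAP-protected back end returns MYSAPSSO2 for downstream SSO; a back end
    # that is not SAP protected only needs the 200, so the cookie may be absent.
    resp = {k.lower(): v for k, v in resp_headers.items()}
    sso = cookie_value(resp.get("set-cookie", ""), sso_cookie_name)
    return AuthResult(principal, sso, True)

# Constructed stub for a SiteMinder agent in front of an SAP-protected back end.
VALID_SMSESSION = "constructed-session-token"

def sap_agent_stub(url: str, request_headers: Mapping[str, str]):
    if cookie_value(request_headers.get("Cookie", ""), "SMSESSION") == VALID_SMSESSION:
        return 200, {"Set-Cookie": "MYSAPSSO2=constructed-sap-token; Path=/; Secure"}
    return 401, {}
```

Swapping `sap_agent_stub` for a transport that answers 200 with no Set-Cookie models the non-SAP back end: the session is accepted and no SSO cookie is captured.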

Basic Authentication

With basic authentication, the SSOCookie is set to SMSESSION, which is returned upon successful authentication. SAP Mobile Platform has no further use for the SSOCookie in this case; therefore, this is not a commonly used scenario.