The SAP implementation uses the same control flag (controlFlag) attribute values and definitions as those defined in the JAAS specification.
If you stack multiple providers, you must set the control flag attribute for each enabled provider.
Providers are listed in this order and with these controlFlag settings:
A client performing certificate authentication (for example, X.509 SSO to SAP) can authenticate immediately. Subsequent providers are not called, because they are not required. Regular user name and password credentials, if they exist, go to LDAP, which may authenticate them, and set them up with roles from the LDAP groups they belong to. Then NativeOS is invoked, and if that succeeds, SAP Mobile Platform picks up roles based on the Windows groups they belong to.