SiteMinder client authentication includes:
- Network Edge – when a reverse proxy or Relay Server in the
DMZ is protected by SiteMinder, the Sybase Unwired Platform client is challenged for basic authentication
credentials. If the credentials are valid, an SMSESSION cookie is issued and
the client is allowed through to the Sybase Unwired Platform server. The client begins a session (RBS, MBS,
or OData) by sending an HTTP(S) request to the reverse proxy. The reverse
proxy detects the unauthenticated request and challenges using basic
authentication. After the 401 challenge, the client either uses network
credentials that are already configured or executes a callback to prompt
for credentials.
- Non-Network Edge – the Network Edge (reverse proxy or Relay
Server) is not protected. The client’s request is allowed to flow to
Sybase Unwired Platform, where a LoginModule
presents the basic credentials to a SiteMinder-protected Web server on
behalf of the client. Sybase Unwired Platform
server retains the SMSESSION cookie and credentials for the client.
- External tokens – the Sybase Unwired Platform client application obtains an SMSESSION cookie
external to the Sybase Unwired Platform libraries
using custom application processing. This SMSESSION token passes into the
Sybase Unwired Platform libraries as a cookie.
Sybase Unwired Platform libraries add the
cookie to subsequent HTTP requests to Sybase Unwired Platform server. The cookie may or may not be checked at
the Network Edge.
- SAP SSO2 integration – the Sybase Unwired Platform user is initially authenticated by SiteMinder,
resulting in an SMSESSION for the user. This SMSESSION is forwarded along
with the SAP user ID to a SiteMinder SAP agent running inside of NetWeaver
as a LoginModule. The SMSESSION is revalidated, and the
TokenIssuingLoginModule is allowed to issue an SSO2 ticket for the specified
SAP user ID. This ticket returns to Sybase Unwired Platform as a MYSAPSSO2 cookie.
Sybase Unwired Platform now has both an SMSESSION and an
SSO2 ticket to use for SSO purposes with various EIS depending on which SSO
mechanism the EIS requires.
Note: In any of these authentication patterns, you can add the SMSESSION token
as a credential to the authenticated Sybase Unwired Platform subject
for use in single sign-on to SiteMinder-protected systems.
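
The Network Edge exchange described above, traced end to end as an added Python simulation (not Sybase Unwired Platform or SiteMinder code). The names `edge_proxy`, `Client`, `USERS` and `SESSIONS`, the realm string and the random token standing in for the SMSESSION value are all assumptions made for illustration.

```python
import base64
import hmac
import secrets

# Constructed test data: one user known to the simulated policy server.
USERS = {"alice": "correct-horse"}
SESSIONS = {}  # opaque token -> user; stands in for SiteMinder session validation


def edge_proxy(headers):
    """Simulated SiteMinder-protected reverse proxy. Returns (status, response_headers)."""
    cookie = headers.get("Cookie", "")
    if cookie.startswith("SMSESSION=") and cookie[len("SMSESSION="):] in SESSIONS:
        return 200, {}  # valid session: request is allowed through to the server
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            user, password = "", ""
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            token = secrets.token_urlsafe(32)  # placeholder; a real SMSESSION is opaque to the client
            SESSIONS[token] = user
            return 200, {"Set-Cookie": "SMSESSION=" + token}
    return 401, {"WWW-Authenticate": 'Basic realm="edge"'}  # constructed realm


class Client:
    """Hypothetical client: after a 401, uses configured credentials or a prompt callback."""

    def __init__(self, configured=None, prompt=None):
        self.configured, self.prompt, self.cookie = configured, prompt, None
        self.trace = []  # status codes seen, in order

    def request(self):
        headers = {"Cookie": self.cookie} if self.cookie else {}
        status, resp = edge_proxy(headers)
        self.trace.append(status)
        if status == 401 and "WWW-Authenticate" in resp:
            creds = self.configured or (self.prompt() if self.prompt else None)
            if creds is None:
                return status  # nothing to answer the challenge with
            basic = base64.b64encode(":".join(creds).encode()).decode()
            status, resp = edge_proxy({"Authorization": "Basic " + basic})
            self.trace.append(status)
        if "Set-Cookie" in resp:
            self.cookie = resp["Set-Cookie"].split(";")[0]  # keep SMSESSION for later requests
        return status
```

The first request from a client with valid credentials produces the status trace 401 then 200, and later requests carry only the cookie, so the password crosses the edge once per session.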