SiteMinder Client Authentication

SiteMinder provides various client authentication options for Sybase Unwired Platform, including single sign-on (SSO), tokens, and Network Edge.

SiteMinder client authentication includes:
  • Network Edge – when a reverse proxy or Relay Server in the DMZ is protected by SiteMinder, the Sybase Unwired Platform client is challenged for basic authentication credentials. If the credentials are valid, an SMSESSION cookie is issued and the client is allowed through to the Sybase Unwired Platform server. The client begins a session (RBS, MBS, or OData) by sending an HTTP(S) request to the reverse proxy. The reverse proxy detects the unauthenticated request, and challenges using basic authentication. After the 401 challenge, the client may already have network credentials configured, or executes a callback to prompt for credentials.
  • Non-Network Edge – the Network Edge (reverse proxy or Relay Server) is not protected. The client’s request is allowed to flow to Sybase Unwired Platform, where a LoginModule presents the basic credentials to a SiteMinder-protected Web server on behalf of the client. Sybase Unwired Platform server retains the SMSESSION cookie and credentials for the client.
  • External tokens – the Sybase Unwired Platform client application obtains an SMSESSION cookie external to the Sybase Unwired Platform libraries using custom application processing. This SMSESSION token passes into the Sybase Unwired Platform libraries as a cookie. Sybase Unwired Platform libraries add the cookie to subsequent HTTP requests to Sybase Unwired Platform server. The cookie may or may not be checked at the Network Edge.
  • SAP SSO2 integration – the Sybase Unwired Platform user is initially authenticated by SiteMinder, resulting in an SMSESSION for the user. This SMSESSION is forwarded along with the SAP user ID to a SiteMinder SAP agent running inside of NetWeaver as a LoginModule. The SMSESSION is revalidated, and the TokenIssuingLoginModule is allowed to issue an SSO2 ticket for the specified SAP user ID. This ticket returns to Sybase Unwired Platform as an MYSAPSSO2 cookie. Sybase Unwired Platform now has both an SMSESSION and an SSO2 ticket to use for SSO purposes with various EIS depending on which SSO mechanism the EIS requires.
Note: In any of these authentication patterns, you can add the SMSESSION token as a credential to the authenticated Sybase Unwired Platform subject for use in single sign-on to SiteMinder-protected systems.