Single Sign-on

Android, BlackBerry, and iOS Hybrid Apps can provide a single sign-on (SSO) token.

Cookie-based Network Edge Authentication

Unlike standard credential cache authentication, network edge authentication is global to the Hybrid Web Container, not specific to each Hybrid App. Each Hybrid Web Container has a dialog to prompt for HTTP basic authentication credentials when challenged, and a session header or cookie is returned if the system is so configured for SSO. See HTTP Authentication Security Provider in Security for more information.

The sequence of authentication is as follows:
  1. Client Network Edge authentication – The client begins a session by sending an HTTP(S) request to the Reverse Proxy. The Reverse Proxy detects the unauthenticated request and challenges for Basic authentication. After the 401 challenge, the client may already have network credentials configured, or perhaps there is a callback to prompt for credentials.
  2. The client sends another HTTP request with the credentials, which the Reverse Proxy validates; if they are valid, it issues a cookie with an SSO token value. The HTTP headers are added to the request that is created and sent to SAP Mobile Platform.
  3. SAP Mobile Platform receives the request and uses an enhanced CSI LoginModule to authenticate. This login module is configured to extract HTTP Headers from the request (Cookie values are a subset).
  4. SAP Mobile Platform processes the request and a response is sent back to the client. The client is still waiting for the response to its original HTTP request from the Reverse Proxy. When the response comes back, the Reverse Proxy typically adds the Set-Cookie response header at this time to pass the SSO data back to the client to use in subsequent HTTP requests.
    • If the SSO token is valid, everything proceeds.
    • If the SSO token is invalid, a server-to-device method instructs the Hybrid Web Container to prompt for credentials again.
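
The four steps above can be traced in a small in-process simulation. This is an added example, not SAP Mobile Platform or Reverse Proxy code. The HMAC-signed token format, the shared key, the cookie name SSOTOKEN, the user store, and the use of a fresh 401 challenge to stand in for the server-to-device re-prompt are all assumptions made for illustration.

```python
import base64, hashlib, hmac, time

KEY = b"constructed-demo-key"      # assumption: secret shared by proxy and backend
USERS = {"alice": "s3cret"}        # constructed credential store
COOKIE = "SSOTOKEN"                # hypothetical cookie name
CHALLENGE = {"WWW-Authenticate": 'Basic realm="edge"'}

def _sign(body):
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def mint_token(user, now, ttl=300):
    body = f"{user}|{int(now) + ttl}".encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def backend_login(headers, now):
    """Step 3: extract the token from the Cookie header and verify it."""
    cookies = dict(p.strip().split("=", 1)
                   for p in headers.get("Cookie", "").split(";") if "=" in p)
    try:
        b64, sig = cookies[COOKIE].rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
        user, expiry = body.decode().split("|")
    except (KeyError, ValueError):
        return None                 # missing or malformed token
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None                 # forged or tampered token
    return user if int(expiry) >= now else None

def reverse_proxy(headers, now=None):
    """Steps 1, 2 and 4. Returns (status, response_headers, authenticated_user)."""
    now = time.time() if now is None else now
    fwd, out = dict(headers), {}
    if "Cookie" not in headers:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, CHALLENGE, None            # step 1: challenge
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return 401, CHALLENGE, None
        if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return 401, CHALLENGE, None
        token = mint_token(user, now)               # step 2: issue the SSO token
        fwd = {"Cookie": f"{COOKIE}={token}"}
        out = {"Set-Cookie": f"{COOKIE}={token}; Secure; HttpOnly; Path=/"}
    user = backend_login(fwd, now)                  # step 3: backend checks the header
    if user is None:                                # invalid token: prompt again
        return 401, CHALLENGE, None
    return 200, out, user                           # step 4: Set-Cookie goes back
```

Because the backend login step trusts whatever arrives in the Cookie header, the simulation only holds if the token is integrity-protected and the backend accepts requests solely from the Reverse Proxy.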