Stacking Providers and Combining Authentication Results

Optionally, implement multiple login modules to provide a security solution that meets complex security requirements. SAP recommends provider stacking as a means of eliciting more precise results, especially for production environment that require different authentications schemes for administrators, DCN, SSO, and so on.

Stacking is implemented with a controlFlag attribute that controls overall behavior when you enable multiple providers. Set the controlFlag on a specific provider to refine how results are processed.

For example, say your administrative users (supAdmin in a default installation) are not also users in an EIS system like SAP. However, if they are authenticated with just the default security configuration, they cannot also authenticate to the HttpAuthenticationLoginModule used for SSO2Token retrieval. In this case, you would stack a second login modules with a controlFlag=sufficient login module for your administrative users.

Or, in a custom security configuration (recommended), you may also find that you are using a technical user for DCN who is also not an SAP user. This technical user does not need SSO because they will not need to access data. However, the technical user still needs to be authenticated by SAP Mobile Server. In this case, you can also stack another login module so this DCN user can login.

Use SAP Control Center to create a security configuration and add multiple providers as required for authentication.
Order multiple providers by selecting a login module and using the up or down arrows at to place the provider correctly in the list.
The order of the list determines the order in which authentication results are evaluated.
For each provider:
1. Select the provider name.
2. Click Properties.
3. Configure the controlFlag property with one of the available values: required, requisite, sufficient, optional.
  See controlFlag Attribute Values for descriptions of each available value.
4. Configure any other common security properties as required.
Click Save.
Select the General tab, and click Apply.

For example, say you have sorted these login modules in this order and used these controlFlag values:

LDAP (required)
NT Login (sufficient)
SSO Token (requisite)
Certificate (optional)

The results are processed as indicated in this table:

Provider	Authentication Status
LDAP	pass	pass	pass	pass	fail	fail	fail	fail
NT Login	pass	fail	fail	fail	pass	fail	fail	fail
SSO Token	*	pass	pass	fail	*	pass	pass	fail
Certificate	*	pass	fail	*	*	pass	fail	*
Overall result	pass	pass	pass	fail	fail	fail	fail	fail

Stacking LoginModules in SSO Configurations
(Not applicable to Online Data Proxy) Use LoginModule stacking to enable role-based authorization for MBOs and data change notifications (DCNs).
controlFlag Attribute Values
(Not applicable to Online Data Proxy) The SAP implementation uses the same control flag (controlFlag) attribute values and definitions as those defined in the JAAS specification.
LDAP Provider Stacking and Configuration Sharing
LDAP login and attribution modules can sometimes share a common configuration. LDAPAttributer can share the configuration properties from the configured LDAP login modules only if no configuration properties are explicitly configured for LDAPAttributer.
Configuring an LDAP Provider to use SSL
If your LDAP server uses a secure connection, and its SSL certificate is signed by a nonstandard certificate authority, for example it is self-signed, use the keytool utility (keytool.exe) to import the certificate into the truststore.

Parent topic: Security Providers