Configuring Security for SiteMinder Token and Basic Authentication

Use SAP Control Center to create a security configuration for your single sign-on (SSO) applications.

  1. In SAP Control Center, navigate to the SAP Mobile Platform Cluster pane and select Security.
  2. In the General tab, click New and name your security configuration.
  3. Open the Security folder and select your configuration. In the Authentication tab, click Add to add a LoginModule.
  4. Choose the ClientValuePropagatingLoginModule and add these properties:
    • Implementation Class – com.sybase.security.core.ClientValuePropagatingLoginModule
    • ClientHttpValuesAsPrincipals – sm_user
    • ClientHttpValuesAsNamedCredentials – smsession:SMSESSION2
    • Control Flag: optional
    Note: ClientHttpValuesAsNamedCredentials ensures that if the client application picked up an SMSESSION cookie, either through Network Edge authentication or from an external token, the cookie is saved on the subject as a named credential called SMSESSION2, so it can be used for SSO to a SiteMinder-protected EIS. The credential.a.name property on the EIS connection must therefore be SMSESSION2 (the name chosen here, not SMSESSION). ClientHttpValuesAsPrincipals adds the value of the sm_user HTTP header as a principal when the client has used Network Edge authentication, which lets you perform impersonation checking (the user the cookie was issued to must match the user the request claims to be).
  5. Click OK.
  6. In the Authentication tab, select the default NoSecLoginModule and click Delete. NoSecLoginModule allows logins without any credentials, so leaving it in place would let any client authenticate regardless of the SiteMinder check; you must remove it for security integrity.
  7. In the Authentication tab, click New to add a provider.
  8. Select and configure the HttpAuthenticationLoginModule:
    1. Select com.sybase.security.http.HttpAuthenticationLoginModule and click Yes in the Duplicate Authentication Provider warning.
    2. Configure the module's properties so that the SiteMinder-protected URL the module calls is protected by the same policy server that issued the SMSESSION cookie to the client (a cookie from one policy server is not valid against another):
      • ClientValuesToSend = SMSESSION
      • SendClientValuesAs = cookie:SMSESSION
      This causes SAP Mobile Platform to forward the client's SMSESSION cookie to the specified SiteMinder-protected URL. If the HTTP status response code is 200, the SMSESSION cookie is considered valid and the user is considered authenticated. Because a 200 response is the only evidence used, verify that the URL really is enforced by the SiteMinder agent: a request to it without a valid SMSESSION cookie must not return 200, otherwise every client would be authenticated.
  9. In the Authorization tab, select the NoSecAuthorizer provider type and click Delete.
  10. In the Attribution tab, select the NoSecAttributer provider type and click Delete.
  11. In the Settings tab, adjust the properties as follows:
    • Authentication cache timeout (seconds) – 0. With a value of 0 the result is not cached, so the SMSESSION cookie is revalidated against the SiteMinder-protected URL on each authentication rather than being trusted from an earlier one.
    • Maximum number of failed authentications – 5
    • Authentication lock duration (in seconds) – 600
  12. Click Apply.
  13. In the General tab, click Validate to check your configuration.
  14. With successful validation, click Apply to save all changes.
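The cookie-forwarding check that step 8 relies on, shown as an added Python example; this is not code from SAP Mobile Platform or from the original page. It assumes a stand-in for a SiteMinder-protected URL (constructed here with the standard library; a real policy server agent usually redirects to a login form rather than answering 401), a second constructed server that mistakenly answers 200 to everything, and a hypothetical validate_smsession function that does what HttpAuthenticationLoginModule is configured to do in step 8: send the client's SMSESSION value as a cookie and treat HTTP 200 as "authenticated". The check_url_is_protected probe is the sanity check a practitioner should run before trusting that configuration.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: one SMSESSION value the "policy server" currently accepts.
VALID_SMSESSION = "AbCdEf0123456789+/AbCdEf=="
VALID_SESSIONS = {VALID_SMSESSION}


def _cookie_value(handler, name):
    """Return the named cookie from the request, or None. partition() keeps '=' inside values."""
    for part in handler.headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class ProtectedHandler(BaseHTTPRequestHandler):
    """Stand-in for a URL behind a SiteMinder agent: 200 only with a valid SMSESSION cookie."""

    def do_GET(self):
        if _cookie_value(self, "SMSESSION") in VALID_SESSIONS:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)  # a real agent typically 302-redirects to the login form
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class AlwaysOkHandler(ProtectedHandler):
    """Misconfigured target: not actually protected, answers 200 to any request."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")


def start_server(handler_class):
    """Start a loopback HTTP server on an ephemeral port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_class)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_smsession(host, port, path, smsession):
    """Mimic ClientValuesToSend=SMSESSION / SendClientValuesAs=cookie:SMSESSION: forward the
    cookie and accept the user only on HTTP 200 (hypothetical helper, not the SMP API)."""
    headers = {"Cookie": "SMSESSION=" + smsession} if smsession is not None else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        response = conn.getresponse()
        response.read()
        return response.status == 200
    finally:
        conn.close()


def check_url_is_protected(host, port, path):
    """Negative probe: a request WITHOUT any cookie must not yield 200, or the 200 check is meaningless."""
    return not validate_smsession(host, port, path, None)


def demo():
    """Run the validation against both targets and return the outcomes."""
    protected = start_server(ProtectedHandler)
    unprotected = start_server(AlwaysOkHandler)
    try:
        p_host, p_port = protected.server_address
        u_host, u_port = unprotected.server_address
        return {
            "valid_cookie_accepted": validate_smsession(p_host, p_port, "/protected/ping", VALID_SMSESSION),
            "bogus_cookie_rejected": not validate_smsession(p_host, p_port, "/protected/ping", "bogus"),
            "protected_url_passes_probe": check_url_is_protected(p_host, p_port, "/protected/ping"),
            "unprotected_url_fails_probe": not check_url_is_protected(u_host, u_port, "/ping"),
        }
    finally:
        for server in (protected, unprotected):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last two entries of the result are the point: the correctly protected URL rejects a cookieless request and so is a usable validation target, while the unprotected one would have authenticated any client that reached the platform, which is exactly the failure the caveat in step 8 warns about.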
For detailed examples focusing on SiteMinder specific configurations for SAP Mobile Platform, see How-To: Set up SUP with SiteMinder at http://scn.sap.com/docs/DOC-29574.