SiteMinder Client Authentication

SiteMinder provides various client authentication options for SAP Mobile Platform, including single sign-on (SSO), tokens, and Network Edge.

SiteMinder client authentication includes:
  • Network Edge – when a reverse proxy or Relay Server in the DMZ is protected by SiteMinder, the SAP Mobile Platform client is challenged for basic authentication credentials. If the credentials are valid, an SMSESSION cookie is issued and the client is allowed through to the SAP Mobile Platform server. The client begins a session (RBS, MBS, or OData) by sending an HTTP(S) request to the reverse proxy. The reverse proxy detects the unauthenticated request and challenges it using basic authentication. After the 401 challenge, the client either already has network credentials configured or executes a callback to prompt for them.
  • Non-Network Edge – the Network Edge (reverse proxy or Relay Server) is not protected. The client’s request is allowed to flow to SAP Mobile Platform, where a LoginModule presents the basic credentials to a SiteMinder-protected Web server on behalf of the client. SAP Mobile Platform server retains the SMSESSION cookie and credentials for the client.
  • External tokens – the SAP Mobile Platform client application obtains an SMSESSION cookie external to the SAP Mobile Platform libraries using custom application processing. This SMSESSION token passes into the SAP Mobile Platform libraries as a cookie. SAP Mobile Platform libraries add the cookie to subsequent HTTP requests to SAP Mobile Platform server. The cookie may or may not be checked at the Network Edge.
  • SAP SSO2 integration – the SAP Mobile Platform user is initially authenticated by SiteMinder, resulting in an SMSESSION for the user. This SMSESSION is forwarded along with the SAP user ID to a SiteMinder SAP agent running inside of NetWeaver as a LoginModule. The SMSESSION is revalidated, and the TokenIssuingLoginModule is allowed to issue an SSO2 ticket for the specified SAP user ID. This ticket returns to SAP Mobile Platform as an MYSAPSSO2 cookie. SAP Mobile Platform now has both an SMSESSION and an SSO2 ticket to use for SSO purposes with various EIS depending on which SSO mechanism the EIS requires.

Note: In any of these authentication patterns, you can add the SMSESSION token as a credential to the authenticated SAP Mobile Platform subject for use in single sign-on to SiteMinder-protected systems.
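The Network Edge exchange described in the first bullet, as an added example that is not part of the SAP documentation or of SiteMinder: a constructed Python model in which a simulated SiteMinder-protected reverse proxy answers the first request with a 401 basic-authentication challenge, validates the credentials, issues an SMSESSION cookie, and the client (using a credential callback, as the text describes) retains that cookie for later requests. The class names, the credential store and the token format are assumptions made for the model.

```python
import base64
import secrets

# Constructed model of the Network Edge pattern: a SiteMinder-protected reverse
# proxy challenges for basic credentials, issues an SMSESSION cookie, and the
# client retains it for later requests. Made-up users/tokens; not SiteMinder code.
VALID_USERS = {"mobileuser": "s3cret"}  # constructed credential store
CHALLENGE = {"WWW-Authenticate": 'Basic realm="SiteMinder"'}


class NetworkEdgeProxy:
    """Reverse proxy in the DMZ, protected by SiteMinder (simulated)."""
    def __init__(self):
        self.sessions = set()  # SMSESSION tokens this proxy has issued

    def handle(self, headers):  # returns (status, response headers)
        cookie = headers.get("Cookie", "")
        if cookie.startswith("SMSESSION=") and cookie[10:] in self.sessions:
            return 200, {}  # valid session: pass through to the SMP server
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, CHALLENGE  # unauthenticated request: challenge it
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return 401, CHALLENGE  # malformed credentials
        if VALID_USERS.get(user) != pwd:
            return 401, CHALLENGE  # wrong credentials: challenge again
        token = secrets.token_urlsafe(16)
        self.sessions.add(token)
        return 200, {"Set-Cookie": f"SMSESSION={token}"}


class SmpClient:
    """SAP Mobile Platform client: the first request goes out unauthenticated."""
    def __init__(self, proxy, credential_callback):
        self.proxy = proxy
        self.credential_callback = credential_callback  # prompts for user/password
        self.smsession = None

    def request(self):
        headers = {"Cookie": f"SMSESSION={self.smsession}"} if self.smsession else {}
        status, resp_headers = self.proxy.handle(headers)
        if status != 401:
            return status
        # Challenged: only now are basic credentials sent, and only to the challenger.
        user, pwd = self.credential_callback()
        basic = base64.b64encode(f"{user}:{pwd}".encode()).decode()
        status, resp_headers = self.proxy.handle({"Authorization": "Basic " + basic})
        if status == 200:
            self.smsession = resp_headers["Set-Cookie"].split("=", 1)[1]
        return status
```

A forged or expired SMSESSION value is simply treated as an unauthenticated request and re-challenged, and the callback runs only once per session because later requests ride on the cookie.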