Understand how OData applications fit in the SAP Mobile Platform landscape, and learn how to secure communication paths
and enable single sign-on (SSO) for these applications.
The proxy connector is the Online Data Proxy (ODP) connector between OData
applications and the SAP Gateway, and uses an HTTP or HTTPS connection from SAP Mobile Server to the SAP Gateway. A separate HTTP or HTTPS
port is used by the SAP Gateway to push changes through SAP Mobile Server to the OData application. SAP Mobile WorkSpace is not used to create MBOs, generate code, create
applications, or for deployment. Instead, in OData-based mobile applications that run in
SAP Mobile Server:
- Applications are developed using the OData SDK.
- The SAP Gateway/enterprise information system (EIS) is
responsible for data federation and content management.
- OData applications are message based – the SAP Gateway performs
queue handling, data caching, and is push enabled to push data changes out to
SAP Mobile Server, which in turn pushes these
changes to the physical devices.
- The connection between OData applications and the SAP Gateway does not support
SSL.
SAP Mobile Server acts as a pass-through server for
OData-based applications.
ODP Data Flow
- The OData clients have two protocol choices: MBS and pure HTTP. With pure HTTP,
clients can perform mutual certificate authentication as well as authentication
for the X.509 certificate validated at the Network Edge used for SSO to the
OData gateway.
An OData client application registers with
SAP Mobile Server and subscribes to push notifications
from the SAP Gateway. SAP Mobile Server forwards the
subscription request to the SAP Gateway. The SAP Gateway stores the
subscription request for the collection with the push delivery address
(HTTPS SSL port).
In an SSO configuration, the client
provides credentials to SAP Mobile Server
(user name and password, or X.509 user certificate) that are authenticated
by the security configuration's authentication module
(CertificateAuthenticationLoginModule for X.509 or
HttpAuthenticationLoginModule for SSO2). Once authenticated by SAP Mobile Server, and assuming that SAP Mobile Server and the SAP Gateway have a secure
communication path, SSO is enabled.
- When application data changes in SAP and determines that a particular client has
a subscription to that change, the Gateway connects to the
SAP Mobile Server HTTP(S) port and sends a message
identifying the client, along with the message payload.
SAP Mobile Server looks up the client and queues the message.
If the client is connected, the message is delivered immediately. If the client
is offline, then SAP Mobile Server attempts to send a push
notification to the client (BES HTTP Push for Blackberry, APNS notification for
iOS) to attempt to wake up the client and have it retrieve the messages.