Creating and Configuring Security Profiles

Create and configure security profiles to define parameters that control how the server authenticates the user during onboarding, and request-response interactions with the back end. You can also define additional SAP Mobile Platform administrator users by creating a new security profile and configuring the required authentication provider.

Guidelines:
  • Agentry applications have an additional authentication layer that is configured elsewhere; for Agentry applications, a common scenario is to configure No Authentication Challenge as the security provider, so that only Agentry performs authentication.
  • You can stack multiple security providers to leverage security features in complex systems. You can order stacked security providers to take advantage of their features in the order you choose. The Control Flag must be set for each enabled security provider in the stack.
  • You must map logical roles to physical roles, as required by the application.
  • When you create a new security profile, a corresponding XML file is created in the SMP_HOME\configuration\com.sap.mobile.platform.server.security\CSI\ directory. When the security profile is updated, a copy of the XML file is saved to allow you to recover the security profile.
  1. From Management Cockpit, select the Settings tab, and select Security Profiles.
  2. Click New.
  3. Under Security Profile Properties, enter values for the following fields:
    • Name: A unique name for the application authentication profile.
    • Check Impersonation (Optional): In token-based authentication, whether to allow authentication to succeed when the user name presented cannot be matched against any of the user names validated by the login modules. By default the property is enabled, which prevents authentication from succeeding in that case.
  4. Under Authentication Providers, set up one or more providers for the application.
    1. Click New.
    2. In the Add Authentication Provider dialog, select a provider from the list, and click Create.
      The available authentication providers are:
      • No Authentication Challenge: Provider that always authenticates the supplied user. The provider offers pass-through security for SAP Mobile Platform Server, and should typically be reserved for development or testing. SAP strongly encourages you to avoid using this provider in production environments, whether for administration or device user authentication.
      • System Login (Admin Only): Provider that is configured by the installer with the initial administrator credentials, solely to give the platform administrator access to Management Cockpit so that SAP Mobile Platform Server can be configured for production use. Administrators are expected to replace this authentication provider immediately upon logging in for the first time. SAP encourages you to avoid using this provider in production environments.
      • Populate JAAS Subject From Client: Provider that enables administrators to add client values as named credentials, name principals, and role principals to the authenticated subject. This provider copies values from the client's HTTP request into the JAAS subject as:
        • Principals - identify the user
        • Roles - grant access rights to SAP Mobile Platform protected resources
        • Credentials - provide single sign-on material to use when connecting to back-end systems
        Adding client values as named credentials allows them to be used for single sign-on.
      • X.509 User Certificate: Provider to use when the user is authenticated by certificates. This provider can be used in conjunction with other authentication providers that support certificate authentication [for example, Directory Service (LDAP/AD)], by placing X.509 User Certificate in the stack before the authentication providers that support certificate authentication. You can only use this provider to validate client certificates when HTTPS listeners are configured to use mutual authentication.
        Note: Agentry clients on iOS and Android do not support client/user certificates. Agentry clients on Windows and Windows CE support client-side certificates, but Agentry cannot use these certificates for user identification; Agentry requires separate user name and password authentication as well.
      • HTTP/HTTPS Authentication: Provider that authenticates the user with the given credentials (user name and password, or SSO tokens from your SSO system) against a back end that is integrated with your identity management or SSO systems. Optionally, this provider can retrieve a cookie that represents additional SSO credentials to use for back-end systems that are also integrated with your SSO system.
      • Directory Service (LDAP/AD): Provider that integrates with your Active Directory or other directory server identity management system using LDAP. It first connects to your directory server using a technical user identity so it can perform an LDAP search to discover the fully qualified distinguished name (DN) of the current user in the directory. It then performs a bind to that DN with the provided password. When the bind succeeds, the user is considered authenticated. The provider then performs an LDAP search to find which groups the user is a member of. These group names are then treated as physical roles in the role mapping definitions that are used later for access control.
        This provider is particularly useful in the Admin security profile to grant existing enterprise users access to the Management Cockpit, and also in any custom security profiles used for authenticating enterprise users for SAP Mobile Platform application usage.

    3. Enter values based on the selected authentication provider.
    4. (Optional) Click New to add additional security providers on the stack. Use the up and down arrow icons to move the security providers into the desired order.
  5. Click Save, and confirm.
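The guidelines above state that stacked providers are evaluated in the order you choose and that each one needs a Control Flag, and step 4 lets you reorder the stack. The following added example (not SAP code, and not part of this documentation page) shows why order and flag matter: it simulates evaluating a provider stack under the standard JAAS control-flag semantics (required, requisite, sufficient, optional), which this example assumes SAP Mobile Platform's Control Flag follows. The provider functions are constructed stand-ins for No Authentication Challenge and Directory Service (LDAP/AD), with a constructed in-memory directory instead of a real LDAP server.

```python
# Added example: evaluates a stack of authentication providers under JAAS
# control-flag semantics. Assumption: SMP's Control Flag follows these rules.
# The providers below are constructed stand-ins, not SAP's implementations.
from dataclasses import dataclass
from typing import Callable, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class Provider:
    name: str
    flag: str
    authenticate: Callable[[str, str], bool]  # (user, password) -> accepted?


def evaluate_stack(stack: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Run one login attempt through the stack; return (success, trace).

    JAAS rules: required/requisite providers must all succeed (a requisite
    failure stops evaluation at once); a sufficient success stops evaluation
    and grants access unless an earlier required/requisite provider failed;
    optional providers never decide the outcome on their own.
    """
    trace: List[str] = []
    mandatory_failed = False  # a required or requisite provider rejected the user
    any_success = False       # at least one provider accepted the user
    for p in stack:
        ok = p.authenticate(user, password)
        trace.append(f"{p.name} [{p.flag}]: {'success' if ok else 'failure'}")
        any_success = any_success or ok
        if p.flag in (REQUIRED, REQUISITE) and not ok:
            mandatory_failed = True
            if p.flag == REQUISITE:
                trace.append("requisite failure: stop evaluating")
                break
        elif p.flag == SUFFICIENT and ok and not mandatory_failed:
            trace.append("sufficient success: stop evaluating")
            break
    return any_success and not mandatory_failed, trace


# Constructed stand-in for "No Authentication Challenge": accepts everyone.
def no_auth_challenge(user: str, password: str) -> bool:
    return True


# Constructed stand-in for Directory Service (LDAP/AD) backed by a tiny
# in-memory directory (constructed sample data, not a real bind).
_DIRECTORY = {"alice": "s3cret"}


def directory_service(user: str, password: str) -> bool:
    return _DIRECTORY.get(user) == password


def risky_stack() -> List[Provider]:
    # Pass-through provider placed first and flagged sufficient: every login
    # succeeds before the directory is ever consulted.
    return [
        Provider("No Authentication Challenge", SUFFICIENT, no_auth_challenge),
        Provider("Directory Service (LDAP/AD)", REQUIRED, directory_service),
    ]


def hardened_stack() -> List[Provider]:
    # Directory is requisite and first: a rejected user stops the stack, and
    # the pass-through provider can no longer decide the outcome.
    return [
        Provider("Directory Service (LDAP/AD)", REQUISITE, directory_service),
        Provider("No Authentication Challenge", OPTIONAL, no_auth_challenge),
    ]


if __name__ == "__main__":
    for label, stack in (("risky", risky_stack()), ("hardened", hardened_stack())):
        ok, trace = evaluate_stack(stack, "mallory", "wrong-password")
        print(f"{label}: success={ok}")
        for line in trace:
            print("  " + line)
```

Running the block shows the risky stack accepting an unknown user with a wrong password, which is the production misconfiguration the No Authentication Challenge description warns about; reordering and reflagging the stack closes it without removing any provider.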
Next
You must configure role mapping (map logical roles to physical roles) as required by the application.