HTTP/HTTPS Authentication Configuration Properties

The HTTP/HTTPS Authentication provider authenticates the user with given credentials (user name and password) against the secured back end that requires basic authentication. To facilitate single sign-on (SSO), you can configure it to retrieve a cookie with the configured name and add it to the JAAS subject.

Description

Configure this provider to authenticate the user by:
  • Using only the specified user name and password.
  • Using only the specified client value or values.
  • Attempting token authentication. If that fails, revert to basic authentication using the supplied user name and password. You may find this helpful when using the same security configuration for authenticating users with a token, such as device users hitting the network edge, and when Push Notification requests from within a firewall present a user name and password but no token.
Note: The HTTP/HTTPS Authentication provider allows token validation by connecting to an HTTP server capable of validating the token specified in the HTTP header and cookie set in the session.
Note: This provider can be used either for SSO tokens or for HTTP basic authentication without SSO. The sole condition is that the back end supports HTTP basic authentication.
Note: If the ClientHttpValuesToSend property is configured, the provider only attempts to authenticate the user using those values. It does not set the user name and password credentials in the HTTP session to the Web server. If the specified client values are not found in the client session to SAP Mobile Platform, or if the Web server fails to validate the specified token, this provider fails the authentication unless the TryBasicAuthIfTokenAuthFails property is set to true, which enables it to revert to passing the user name and password credentials for basic authentication.

Properties

HTTP/HTTPS Authentication Properties
Control Flag (default: Optional)
Indicates how the security provider is used in the login sequence.
  • Optional – the authentication provider is not required, and authentication proceeds down the authentication provider list, regardless of success or failure.
  • Sufficient – the authentication provider is not required, and subsequent behavior depends on whether authentication succeeds or fails.
  • Required – the authentication provider is required, and authentication proceeds down the authentication provider list.
  • Requisite – the authentication provider is required, and subsequent behavior depends on whether authentication succeeds or fails.

Description (default: none)
(Optional) A meaningful string that describes the provider's usage. A description makes it easier to differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, each targeting a different repository.

URL (default: none)
Required. The HTTP or HTTPS URL that authenticates the user. For SSO, this is the server URL from which SAP Mobile Platform Server acquires the SSO cookie/token.

Disable Server Certificate Validation (default: False)
(Optional) If true, disables certificate validation when establishing an HTTPS connection to the secured Web server (SWS) using the configured URL. Set to true only for configuration debugging.

HTTP Connection Timeout Interval (default: 60000)
The value, in seconds, after which an HTTP connection request to the Web-based authentication service times out. If the HTTP connection made by this provider (for either user authentication or configuration validation) has no timeout set and the Web-based authentication service is unresponsive, the connection also becomes unresponsive, which might in turn cause SAP Mobile Platform Server to become unresponsive. Set the timeout interval to ensure that authentication failure is reported without waiting indefinitely for the server to respond.

Send Password As Cookie (default: none)
(Deprecated) Use only for backward compatibility. New configurations should use SendClientHttpValuesAs and ClientHttpValuesToSend to configure token authentication.

Sends the password to the URL as a cookie with this name. If not specified, the password is not sent in a cookie. This property is normally used when a cookie-based SSO mechanism (for example, SiteMinder) is in use and the client has placed an SSO token in the password.

Client HTTP Values To Send (default: none)
A comma-separated list of client HTTP values to be sent to the HTTP server. For example:

ClientHttpValuesToSend=client_personalization_key, client_cookie_name

Set this property if you are using token authentication. Setting it triggers token authentication: only token authentication is attempted, unless TryBasicAuthIfTokenAuthFails is also set to true.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Send Client HTTP Values As (default: none)
Comma-separated list of strings that indicate how to send each ClientHttpValuesToSend entry to the HTTP server, as a header or as a cookie with the given name. For example:

SendClientHttpValuesAs=header:header_name, cookie: cookie_name

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Try Basic Auth if Token Auth Fails (default: False)
Whether the provider should attempt basic authentication with the specified user name and password credentials if token authentication is configured and fails. Applicable only if token authentication is enabled.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Successful Connection Status Code (default: 200)
HTTP status code that is interpreted as success when a connection is established to the secured Web server.

SSO Cookie Name (default: none)
(Optional) Name of the cookie that is set in the session between the authentication provider and the secured Web server, which holds the SSO token for single sign-on. The provider looks for this cookie in the connection to the secured Web server. If the cookie is found, it is added to the authenticated subject as a named credential.

The authentication provider ignores the status code when an SSO cookie is found in the session; authentication succeeds regardless of the returned status code.

Credential Name (default: none)
Name to set in the authentication credential that contains the token returned in SSOCookieName. If this property is not configured, the SSOCookieName property value is used as the name of the token credential.

Username HTTP Header (default: none)
HTTP response header name returned by the HTTP server with the user name retrieved from the token. Upon successful authentication, the retrieved user name is added as a SecNamePrincipal.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Regex For User Name Match (default: none)
Regular expression used to match the supplied user name against the user name returned by the HTTP server in UsernameHttpHeader. The string "{username}" in the regex is replaced with the supplied user name before the regex is used. If specified, the provider compares the user name retrieved from the Username HTTP Header with the user name specified in the callback handler. If the user names do not match, authentication fails. If they match, both the specified user name and the retrieved user name are added as SecNamePrincipals to the authenticated subject.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Roles HTTP Header (default: none)
(Optional) Name of an HTTP header that the server may return. The header value contains a comma-separated list of roles to be granted.

Token Expiration Time HTTP Header (default: none)
HTTP response header name returned by the HTTP server with the time until which the token is valid, in milliseconds since the start of January 1, 1970. If the header is returned in the HTTP response from the secured Web server, the token is cached for as long as it remains valid, unless TokenExpirationInterval is also configured. If this response header is not returned with the token, the token attached to the authenticated context might be used unintentionally even after it has expired.

This property does not apply if the user is to be authenticated using only the supplied user name and password.

Token Expiration Interval (default: 0)
Interval, in milliseconds, deducted from the actual expiration time returned in TokenExpirationTimeHttpHeader. This ensures that the token credential retrieved from the authenticated session remains valid until it is passed on to the secured Web server for SSO. If the configured TokenExpirationInterval exceeds the remaining validity of the token, authentication by HTTP/HTTPS Authentication fails even if the token is validated successfully by the secured Web server.

This property does not apply if the user is to be authenticated using only the supplied user name and password.
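The token-authentication properties above combine into a small decision procedure: which client values go out as headers or cookies, and whether a reply counts as success. The following Python is an added illustration, not SAP Mobile Platform code; it models the documented rules for ClientHttpValuesToSend, SendClientHttpValuesAs, SSOCookieName, CredentialName, UsernameHttpHeader, RegexForUserNameMatch, TokenExpirationTimeHttpHeader and TokenExpirationInterval on constructed sample values. The function and field names are assumptions, and the TryBasicAuthIfTokenAuthFails fallback is not modelled.

```python
import re
from dataclasses import dataclass, field
@dataclass
class Config:  # field names mirror the page's properties; defaults are the documented ones
    client_http_values_to_send: list = field(default_factory=list)  # ClientHttpValuesToSend
    send_client_http_values_as: list = field(default_factory=list)  # "header:name" / "cookie:name"
    successful_connection_status_code: int = 200
    sso_cookie_name: str = ""
    credential_name: str = ""
    username_http_header: str = ""
    regex_for_user_name_match: str = ""
    token_expiration_time_http_header: str = ""
    token_expiration_interval: int = 0  # milliseconds

def build_token_request(cfg, client_values):
    """Map each ClientHttpValuesToSend entry to a header or cookie as SendClientHttpValuesAs directs.
    Returns None if a configured client value is absent: token auth cannot be attempted."""
    headers, cookies = {}, {}
    for key, target in zip(cfg.client_http_values_to_send, cfg.send_client_http_values_as):
        if key not in client_values:
            return None
        kind, name = (s.strip() for s in target.split(":", 1))
        (headers if kind == "header" else cookies)[name] = client_values[key]
    return {"headers": headers, "cookies": cookies}

def evaluate_response(cfg, username, status, resp_headers, resp_cookies, now_ms):
    """Apply the documented acceptance rules to one reply from the secured Web server."""
    result = {"ok": False, "principals": [username], "credentials": {}}
    sso = resp_cookies.get(cfg.sso_cookie_name) if cfg.sso_cookie_name else None
    if sso is None and status != cfg.successful_connection_status_code:
        return result  # no SSO cookie: the status code decides
    if sso is not None:  # an SSO cookie in the session wins regardless of the status code
        result["credentials"][cfg.credential_name or cfg.sso_cookie_name] = sso
    if cfg.username_http_header:
        returned = resp_headers.get(cfg.username_http_header, "")
        if cfg.regex_for_user_name_match:
            # "{username}" is substituted before use; escaping it is a precaution, not page-mandated
            pattern = cfg.regex_for_user_name_match.replace("{username}", re.escape(username))
            if not re.fullmatch(pattern, returned):
                return result  # supplied and returned names differ: authentication fails
        if returned and returned not in result["principals"]:
            result["principals"].append(returned)  # both names become SecNamePrincipals
    exp = resp_headers.get(cfg.token_expiration_time_http_header) if cfg.token_expiration_time_http_header else None
    if exp is not None:
        valid_until = int(exp) - cfg.token_expiration_interval
        if valid_until <= now_ms:
            return result  # interval exceeds remaining validity: fail even though the token validated
        result["token_valid_until_ms"] = valid_until
    result["ok"] = True
    return result
```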
Related concepts
HTTP/HTTPS Authentication Provider
Basic Authentication
Related tasks
Creating and Configuring Security Profiles
Mapping a Logical Role to a Physical Role