SiteMinder Client Authentication

SiteMinder provides various client authentication options for SAP Mobile Platform.

In SiteMinder client authentication:
  • SAP Mobile Platform uses the SSO cookie name SMSESSION.
  • When network edge authentication is used, SiteMinder adds an SM_USER header to the client's request along with the SMSESSION cookie. The Populate JAAS Subject From Client provider should set SM_USER as a Subject Principal so that check impersonation can be enabled.
Note: SAP Mobile Platform does not support using SMSESSION as SSO credentials to any back-end systems.
SiteMinder client authentication includes:
  • Network edge – when a reverse proxy in the DMZ is protected by SiteMinder, the SAP Mobile Platform client is challenged for basic authentication credentials. If the credentials are valid, an SMSESSION cookie is issued and the client is allowed through to the SAP Mobile Platform server. The client begins a session by sending an HTTPS request to the reverse proxy. The reverse proxy detects the unauthenticated request and challenges it using basic authentication. After the 401 challenge, the client either already has network credentials configured or executes a callback to prompt the user for credentials.
  • Unprotected-network edge – the network edge (reverse proxy) is not protected. The client’s request is allowed to flow to SAP Mobile Platform, where an authentication provider presents the basic credentials to a SiteMinder-protected Web server on behalf of the client. The SAP Mobile Platform server retains the SMSESSION cookie and credentials for the client.
  • External tokens – the SAP Mobile Platform client application obtains an SMSESSION cookie outside the SAP Mobile Platform libraries, using custom application processing. This SMSESSION token is passed into the SAP Mobile Platform libraries as a cookie, and the libraries add the cookie to subsequent HTTP requests to the SAP Mobile Platform server. The cookie may or may not be checked at the network edge.
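The network edge exchange described above, modeled end to end as an added example (not SAP or SiteMinder code): the client's first request gets a 401 Basic challenge, the retry carries credentials, the edge issues an SMSESSION cookie, and the request forwarded to the SAP Mobile Platform server carries an SM_USER header that the edge sets itself from the validated session. The user store, token format and class names are constructed stand-ins for the SiteMinder policy server.

```python
import base64
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

USERS = {"alice": "s3cret"}          # constructed user store (policy server stand-in)
SESSIONS: Dict[str, str] = {}        # issued SMSESSION token -> user name

@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    set_cookie: Dict[str, str] = field(default_factory=dict)
    forwarded: Optional[Request] = None   # request as the SMP server would see it

def reverse_proxy(req: Request) -> Response:
    """SiteMinder-protected reverse proxy at the network edge (model)."""
    session = req.cookies.get("SMSESSION")
    if session in SESSIONS:
        user = SESSIONS[session]                      # existing SMSESSION is honoured
    else:
        auth = req.headers.get("Authorization", "")
        challenge = {"WWW-Authenticate": 'Basic realm="SiteMinder"'}
        if not auth.startswith("Basic "):
            return Response(401, challenge)           # unauthenticated: challenge
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if not secrets.compare_digest(USERS.get(user, ""), pw):
            return Response(401, challenge)           # bad credentials: challenge again
        session = secrets.token_urlsafe(16)           # constructed SMSESSION value
        SESSIONS[session] = user
    # The edge sets SM_USER from the validated session; any inbound SM_USER is dropped,
    # so the SMP provider can treat the header as authoritative.
    fwd = Request(headers={k: v for k, v in req.headers.items() if k != "SM_USER"},
                  cookies=dict(req.cookies))
    fwd.headers["SM_USER"] = user
    fwd.cookies["SMSESSION"] = session
    return Response(200, forwarded=fwd, set_cookie={"SMSESSION": session})

def client_session(user: str, pw: str) -> Response:
    """Client side: anonymous request, then retry with Basic credentials on 401."""
    first = reverse_proxy(Request())
    if first.status != 401 or "WWW-Authenticate" not in first.headers:
        return first
    creds = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return reverse_proxy(Request(headers={"Authorization": f"Basic {creds}"}))
```

Once the client holds the cookie, a follow-up request carrying only SMSESSION is forwarded without a new challenge, which is the behaviour the SMP libraries rely on when they replay the cookie.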