Stacking Providers and Combining Authentication Results

Implement multiple authentication providers to provide a security solution that meets complex security requirements. SAP recommends provider stacking as a means of eliciting more precise results, especially for production environments that require different authentication schemes for administrators, Push Notification, SSO, and so on.

Stacking is implemented with a controlFlag attribute that controls overall behavior when you enable multiple providers. Set the controlFlag on a specific provider to refine how results are processed.

For example, say your administrative users (smpAdmin in a default installation) are not also users in a back-end system like SAP. However, if they are authenticated with just the default security configuration, they cannot also authenticate to the HTTP/HTTPS Authentication provider used for SSO2Token retrieval. In this case, you would stack a second authentication provider, with controlFlag=sufficient, for your administrative users.

Or, in a custom security profile (recommended), you may also find that you are using a technical user for Push Notification who is also not an SAP user. This technical user does not need SSO because they will not need to access data. However, the technical user still needs to be authenticated by SAP Mobile Platform Server. In this case, you can also stack another authentication provider so this Notification user can log in.

  1. Use Management Cockpit to create a security profile and add multiple providers as required for authentication.
  2. Order multiple providers by selecting an authentication provider, and using the up or down arrows to place the provider correctly in the list.
    The order of the list determines the order in which authentication results are evaluated.
  3. For each provider:
    1. Select the provider name.
    2. Configure the controlFlag property with one of the available values: required, requisite, sufficient, optional.
      See controlFlag Attribute Values for descriptions of each available value.
    3. Configure any other common security properties as required.
  4. Click Save.
For example, if you have sorted these authentication providers in the following order, and used these controlFlag values:
The results are processed as indicated in this table:

| Provider | Authentication Status | | | | | | | |
|---|---|---|---|---|---|---|---|---|
| Directory Service (LDAP/AD) | pass | pass | pass | pass | fail | fail | fail | fail |
| NT Login | pass | fail | fail | fail | pass | fail | fail | fail |
| SSO Token | * | pass | pass | fail | * | pass | pass | fail |
| Certificate | * | pass | fail | * | * | pass | fail | * |
| Overall result | pass | pass | pass | fail | fail | fail | fail | fail |

Note: The * means the corresponding authentication provider is not called because of the outcomes of previous providers in the list and the controlFlag settings. For example, in the first column of the table, since both LDAP and NT Login succeeded, the controlFlag settings for SSO Token and Certificate are such that they need not be invoked at all. In the 3rd column, because the "sufficient" NT Login has failed, the SSO Token module is invoked.
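
The evaluation behind the table can be reproduced with a short model. This is an added example, not SAP code: it assumes JAAS-style controlFlag semantics, and the flag assignment in `STACK` (required, sufficient, requisite, optional) is an assumption inferred from the table and the Note, because the page's own list of values is missing. The names `STACK`, `evaluate` and `truth_table` are hypothetical.

```python
# Added illustration of JAAS-style controlFlag stacking; not SAP's implementation.
from itertools import product

MANDATORY = ("required", "requisite")

# Assumed flags (the page's own list is missing); order is the table's row order.
STACK = [
    ("Directory Service (LDAP/AD)", "required"),
    ("NT Login", "sufficient"),
    ("SSO Token", "requisite"),
    ("Certificate", "optional"),
]

def evaluate(stack, outcomes):
    """Return (overall_pass, statuses); outcomes[i] is what provider i answers
    if invoked, statuses[i] is "pass", "fail", or "*" (never called)."""
    statuses = ["*"] * len(stack)
    mandatory_failed = False
    any_success = False
    for i, ((_name, flag), ok) in enumerate(zip(stack, outcomes)):
        if flag not in MANDATORY + ("sufficient", "optional"):
            raise ValueError(f"unknown controlFlag: {flag!r}")
        statuses[i] = "pass" if ok else "fail"
        any_success = any_success or ok
        if flag in MANDATORY and not ok:
            mandatory_failed = True
            if flag == "requisite":
                break  # requisite failure ends the chain immediately
        elif flag == "sufficient" and ok:
            break      # sufficient success ends the chain; earlier failures still count
    if any(flag in MANDATORY for _, flag in stack):
        return (not mandatory_failed, statuses)
    # No required/requisite provider configured: one success anywhere is needed.
    return (any_success, statuses)

def truth_table(stack):
    """Evaluate every pass/fail combination and return the distinct columns."""
    columns = []
    for outcomes in product((True, False), repeat=len(stack)):
        overall, statuses = evaluate(stack, outcomes)
        column = tuple(statuses) + ("pass" if overall else "fail",)
        if column not in columns:
            columns.append(column)
    return columns

if __name__ == "__main__":
    for column in truth_table(STACK):
        print(" | ".join(column))
```

Running the same function over a proposed provider order before saving a security profile shows which providers are skipped and whether a "sufficient" provider placed early can let a login succeed without the later checks.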
Related tasks
Defining Application Authentication
Related reference
controlFlag Attribute Values