The security support matrices detail how SAP Mobile Platform supports various security configurations for client authentication and when using SSO to your back-end system. To properly plan your security environment in SAP Mobile Platform, understand authentication types, and the corresponding supported authentication providers, client types, and applications.
When administering client authentication in SAP Mobile Platform, ensure you use supported authentication providers for your authentication and client types. Use this matrix to understand SAP Mobile Platform supported authentication scenarios for device (client) to SAP Mobile Platform Server connections, and the corresponding supported application types.
Authentication Type | Description | Authentication Provider(s) | Native Application Support | Hybrid Application Support | Agentry Application Support |
---|---|---|---|---|---|
Anonymous | Does not authenticate users, and grants read-only access to application data by assigning the anonymous security profile to the application. Note: Read-only access depends on how the application is configured. If the back-end connection has been configured to connect to a technical user, it is possible for clients to perform write operations. | Note: Do not use the No Authentication Challenge provider if you use back-end SSO. | Yes | Yes | Yes |
Basic authentication | User name and password authentication |  | Yes | Yes | Yes |
External token-based SSO | The application has custom code or logic to obtain a security token from a service external to SAP Mobile Platform. This token is added into the HTTP header and SAP Mobile Platform uses it for authentication. SiteMinder is an example of a token-based SSO implementation. |  | Yes | No | No |
Network-edge token-based SSO | The user enters credentials (either user name and password or X.509 certificate), and the credentials are checked at the network edge. When the network edge determines the credentials are valid, it may introduce a security token into the proxied client request (typically a cookie), and SAP Mobile Platform validates the security token rather than the original user credentials. SiteMinder is an example of a token-based SSO implementation. |  | Yes | Yes | Yes |
X.509 certificate | Mutual certificate authentication |  | Yes | Yes | No |

When administering SSO to your back-end system with SAP Mobile Platform, make sure you use supported authentication providers for your SSO mechanism and application types. Use this matrix to understand SAP Mobile Platform supported authentication scenarios for SAP Mobile Platform Server to back-end connections, and the corresponding supported application types.
SSO Mechanism | Description | Authentication Provider(s) | Native Application Support | Hybrid Application Support | Agentry Application Support |
---|---|---|---|---|---|
Basic authentication | User name and password authentication |  | Yes | Yes | Yes |
SSO2 Token | HTTP headers or cookies that have an SSO value integrated with the customer's SSO systems. Use the HTTP/HTTPS Authentication provider to retrieve a MYSAPSSO2 cookie from a NetWeaver token-issuing service. Note: SiteMinder SSO tokens can be used against NetWeaver to retrieve the MYSAPSSO2 cookie. |  | Yes | No | No |
X.509 single sign-on | Mutual certificate authentication | Note: You must configure the application connection to use the certificate alias in the server keystore that should be used to make the HTTPS connection to the back end. The specified technical user certificate (configured using the certificate alias in the application definition) should be capable of impersonating the end user. The back end should be configured to trust the technical user to have validated the end user certificate. Configure this according to the specific back end in use. The CA certificate that signed the back-end server certificate should be imported into the SAP Mobile Platform keystore/truststore. | Yes | Yes | No |