Configuring Component Systems for SSO with SAP Logon Tickets (SAP Library

Configuring Component Systems for SSO with SAP Logon Tickets

When a user calls an external application, his or her logon ticket is passed on to the appropriate application or information system where it is checked to see if it is valid. In order to work with SAP logon tickets, the external application has to perform three tasks as follows:

The external system has to make sure that a trusted Portal Server has issued the ticket.
The digital signature in the ticket of the Portal Server needs to be verified. The first two steps require the digital certificate of the issuing Portal Server.
If the ticket is valid, the appropriate user ID contained in it has to be extracted.

This verification procedure is standard in SAP systems. For information on how to configure SAP Systems, see Configuring SAP Systems to Accept and Verify SAP Logon Tickets.

For non-SAP systems two tools are provided that enable these systems to verify and work with SAP logon tickets.

A Web server filter can be deployed that performs the necessary verification steps and writes the application user IDs into the HTTP header.

An application programming interface (API) and corresponding verification library are provided that allow for verification of the logon ticket and extraction of the application user IDs. The software vendor of the component system can use these to enable the system to accept and verify SAP logon tickets.