Single Sign-On with SAP Logon Tickets 

Purpose

SAP logon tickets represent the user credentials. The Portal Server issues a logon ticket to a user after successful initial authentication. The logon ticket itself is stored as a cookie on the client and is sent with each request of that client. It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required.

SAP logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:

Technically, SSO with SAP logon tickets works as follows:

  1. The first time the Portal Server is started, it generates a cryptographic key pair. The private part of this key is used for ticket generation (for the digital signature).
  2. Once the user has been successfully authenticated in the portal, the Portal Server issues a logon ticket to the user. This logon ticket is stored as a non-persistent cookie in the browser on the client.
  3. Each time the user tries to access an external system from the portal, the Portal Server sends the logon ticket with the request to the external system.
  4. The external system checks that the logon ticket is valid by verifying the digital signature of the Portal Server. It uses the public key contained in the digital certificate of the Portal Server to verify this.
  5. If the logon ticket is valid, the external system extracts the user ID for that system from the logon ticket.
  6. The user is logged on to the external system without having to enter his or her user ID and password.

Normally, the Portal Server issues a SAP logon ticket for the Internet domain of the Portal Server only. However, it is possible to configure the Portal Server to issue logon tickets for more than one domain, if required. For more information, see Issuing SAP Logon Tickets for Multiple Domains.
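The ticket flow in steps 1 to 5 above, as an added illustration that is not SAP's code: a constructed ticket format (user ID plus expiry, signed with Ed25519) stands in for the real SAP logon ticket encoding, `Issuer` plays the Portal Server and `Verifier` a component system that holds only the portal's public key. The names `Issuer`, `Verifier`, `Issue` and `Verify` are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// Issuer models the Portal Server; Verifier models a component system that holds
// only the portal's public key (taken from the portal's certificate in practice).
type Issuer struct{ priv ed25519.PrivateKey }
type Verifier struct{ pub ed25519.PublicKey }

// NewIssuer generates the key pair at first start and hands out the public half.
func NewIssuer() (*Issuer, *Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv}, &Verifier{pub}, nil
}

// Issue signs the constructed payload "user|expiry" (no password) and returns
// base64url(payload).base64url(signature); the real SAP encoding differs. The
// caller stores the result in a session cookie with no Expires or Max-Age.
func (i *Issuer) Issue(user string, now time.Time, ttl time.Duration) string {
	payload := []byte(user + "|" + strconv.FormatInt(now.Add(ttl).Unix(), 10))
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(i.priv, payload))
}

// Verify checks the portal's signature first, then the expiry, and only then
// extracts the user ID; anything else is rejected.
func (v *Verifier) Verify(ticket string, now time.Time) (string, error) {
	p, s, ok := strings.Cut(ticket, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(v.pub, payload, sig) {
		return "", errors.New("signature check failed")
	}
	user, expStr, ok := strings.Cut(string(payload), "|")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if !ok || err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("ticket expired or malformed")
	}
	return user, nil
}
```

A component system that has only the public key can accept a genuine ticket, and rejects one that was altered, expired, or signed by some other key pair.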


Process Flow

To allow Single Sign-On using SAP logon tickets between the portal and its component systems you must perform the following steps:

  1. Configure the Portal Server to allow Single Sign-On with SAP logon tickets.
  2. Configure the component systems to accept and verify SAP logon tickets.