Integration into Single Sign-On

The application is capable of operating in any single sign-on environment supported by SAP BW/4 HANA out of the box, meaning there are no limitations imposed by the application on the possible single sign-on configurations within an SAP landscape. Refer to the Authentication and Single Sign-On section in the Security Guide for SAP BW/4 HANA.

The supported mechanisms are as follows:

  • Secure Network Communications (SNC)

  • SAP Logon Tickets

  • Client Certificates

  • SAML 2.0

    Note
    SAML support is only available on SAP NetWeaver ABAP or Java 7.02 or higher.

  • SPNego with Kerberos

For more information about the supported mechanisms, search using the corresponding keywords on the SAP Help Portal at http://help.sap.com.

SSO Ticket Validity and Web Session Expiration

When a user connects to the Planning and Consolidation web client, SAP NetWeaver not only creates a web session but also generates an SSO (single sign-on) ticket (in the MYSAPSSO2 cookie). This ticket has a default validity of 8 hours.

After the session timeout, the web session correctly expires but the SSO ticket remains valid. If the user sends a new request after the session has expired, the system authenticates the user through SSO and creates a new session. From the user's perspective, it appears that the session has not expired.

In order to have correct session expiration, the administrator must limit the validity period of the SSO ticket (for example, to two minutes, which is the validity period of reentrance tickets). You set this using the kernel parameter login/ticket_expiration_time in the SAP NetWeaver default.pfl configuration file, for example, login/ticket_expiration_time=0:02.

For more information about how to set this parameter, see the SAP NetWeaver help at http://help.sap.com/saphelp_nw74/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm.
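
One way to audit this setting, as an added example that is not SAP code: the script parses profile text in `name = value` form and reports whether login/ticket_expiration_time stays within a chosen limit, treating a missing parameter as the 8-hour default described above. The function names, the 2-minute limit, the `h[:mm]` value parsing and the sample profiles are assumptions constructed for illustration.

```python
import re

PARAM = "login/ticket_expiration_time"
DEFAULT_MINUTES = 8 * 60  # default ticket validity stated on this page: 8 hours

def parse_profile(text):
    """Collect 'name = value' lines; blank lines and '#' comment lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # in this sketch a later line overrides an earlier one
    return params

def to_minutes(value):
    """Convert 'h' or 'h:mm' (assumed value format, e.g. 0:02) to minutes."""
    m = re.fullmatch(r"(\d+)(?::([0-5]?\d))?", value)
    if m is None:
        raise ValueError(f"unrecognised {PARAM} value: {value!r}")
    return int(m.group(1)) * 60 + int(m.group(2) or 0)

def audit_ticket_validity(profile_text, max_minutes=2):
    """Return (ok, effective_minutes, reason) for the SSO ticket lifetime."""
    value = parse_profile(profile_text).get(PARAM)
    if value is None:
        # An absent parameter is the risky case: the long default applies silently.
        return (False, DEFAULT_MINUTES, "parameter not set, default validity applies")
    minutes = to_minutes(value)
    if minutes > max_minutes:
        return (False, minutes, f"ticket outlives the {max_minutes}-minute limit")
    return (True, minutes, "ticket validity within limit")

# Constructed sample profiles (not taken from a real system).
HARDENED = """\
# constructed sample
SAPSYSTEMNAME = XYZ
login/ticket_expiration_time = 0:02
"""
UNSET = "SAPSYSTEMNAME = XYZ\n"
LONG = "login/ticket_expiration_time=8:00\n"

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("unset", UNSET), ("long", LONG)):
        print(label, audit_ticket_validity(text))
```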