Configuring the AS ABAP for Issuing Tickets for Logon

Use

Use this procedure to enable SAP NetWeaver Application Server (AS) ABAP to issue tickets for authentication. There are two types of tickets:

  • Logon tickets

    These tickets enable SSO for Web-based access.

    Recommendation

    For cross-system SSO, especially across domains, we recommend using SAML 2 and HTTP security session management to implement SSO in your SAP landscape. This requires the use of an identity provider.

    For more information, see Configuring AS ABAP as a Service Provider.

  • Authentication assertion tickets

    These tickets enable system-to-system communication on behalf of a given user or service.

Prerequisites
  • You have configured the ticket-accepting system to trust the ticket-issuing system.

  • You have ensured the system clocks remain synchronized.

  • Users in the issuing and accepting systems have the same user IDs.

Procedure
  1. Set the profile parameters on AS ABAP according to the table below.

| Parameter | Value | Comment |
|---|---|---|
| login/accept_sso2_ticket | 1 | Set this parameter to enable the server to accept an existing logon or assertion ticket. |
| login/create_sso2_ticket | 2 or 3 | Enter the value 3 to enable the AS ABAP to issue authentication assertion tickets and no logon tickets. We recommend you use this value. Enter the value 2 to enable the AS ABAP to issue logon and assertion tickets. Use this value if you use legacy systems that require you to use logon tickets. |
| login/ticket_expiration_time | Required value | Default = 8 hours (logon tickets only) |

For more information, see the documentation provided for the profile parameters in transaction RZ11.
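
The following is an added example, not part of the SAP documentation or an SAP tool: a small check that reads profile text and reports how the three ticket parameters compare with the table above. It assumes the profile uses "name = value" lines with "#" comment lines and that the last assignment of a parameter wins; the sample profile is constructed.

```python
# Added example: audit profile text for the ticket parameters in the table above.
# Assumptions: "name = value" lines, "#" comment lines, last assignment wins.

SAMPLE_PROFILE = """\
# constructed sample, not from a real system
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
"""

ACCEPT = "login/accept_sso2_ticket"
CREATE = "login/create_sso2_ticket"
EXPIRY = "login/ticket_expiration_time"


def parse_profile(text):
    """Collect parameter assignments from profile text into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_ticket_settings(params):
    """Return (parameter, status, message) tuples for the three parameters."""
    unset = "not set in this profile; check the effective value in RZ11"
    accept, create, expiry = (params.get(k) for k in (ACCEPT, CREATE, EXPIRY))
    findings = []
    if accept == "1":
        findings.append((ACCEPT, "OK", "accepts existing logon or assertion tickets"))
    else:
        findings.append((ACCEPT, "FAIL", unset if accept is None else f"expected 1, found {accept}"))
    if create == "3":
        findings.append((CREATE, "OK", "issues assertion tickets only (recommended)"))
    elif create == "2":
        findings.append((CREATE, "WARN", "also issues logon tickets; keep only for legacy systems"))
    else:
        findings.append((CREATE, "FAIL", unset if create is None else f"expected 2 or 3, found {create}"))
    if expiry is None:
        findings.append((EXPIRY, "INFO", "not set; default of 8 hours applies (logon tickets only)"))
    else:
        findings.append((EXPIRY, "INFO", f"set to {expiry}; confirm it is the required value"))
    return findings


if __name__ == "__main__":
    for name, status, message in audit_ticket_settings(parse_profile(SAMPLE_PROFILE)):
        print(f"{status:5} {name}: {message}")
```

A WARN on login/create_sso2_ticket means the system still issues logon tickets, which the table reserves for landscapes with legacy systems that require them.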

Note

Use the SSO administration wizard to view the SSO configuration of the current server. Execute the tool without specifying an RFC destination.

Result
Caution

Be sure to replace the SSO PSE of the server before the public-key certificate expires. Otherwise, users cannot receive logon tickets and cannot use SSO.

For more information, see Creating or Replacing a PSE.