Authentication assertion tickets are a form of bearer token used by SAP NetWeaver Application Server (AS) to identify a user to another SAP NetWeaver AS. SAP NetWeaver AS issues the assertion ticket on the behalf of the current user. SAP NetWeaver AS issues assertion tickets for all user types.
A batch job triggers a Web service that calls another SAP NetWeaver AS. SAP NetWeaver AS issues an assertion ticket on the behalf of a user, Giovanni Ricci, and logs on to the second SAP NetWeaver AS in Giovannis name.
The figure below illustrates two systems, System A and System B, in a use case for assertion tickets. System A requests a resource from System B and issues an assertion ticket for the current user. System B reads the assertion ticket from the HTTP header to log the current user on. It does this assuming the assertion ticket is still valid and assuming System B trusts System A.
Assertion tickets are carried in the HTTP header. They differ from logon tickets in the following ways:
Logon tickets are used for user-to-system communication, whereas assertion tickets are used for system-to-system communication.
Logon tickets are transmitted as cookies, whereas assertion tickets are transported as HTTP headers.
Validity of logon tickets is configurable, whereas the validity of assertion tickets is hard-coded (2 minutes).
Logon tickets never identify a recipient, as they target multiple systems. Assertion tickets are always issued for a single recipient.
SAP NetWeaver AS issues a authentication assertion ticket for itself to enable users logged on with one front end to call the same application server in another front end, albeit with a new session. In this scenario, you do not need to configure trust as SAP NetWeaver AS trusts itself implicitly.
Giovanni Ricci is using SAP GUI to access an AS ABAP. The application calls an interactive Web application. Rather than force Giovanni to log on again, the AS ABAP issues an assertion ticket with the AS ABAP as the issuer and recipient, enabling Giovanni to log on with Single Sign-On.
This ticket contains the public information necessary to authenticate the user to additional systems without the need to interactively provide a password. The information contained in the assertion ticket includes:
The UTC creation date
Issuing system, identified by SID and client ID
Receiving system, identified by SID and client ID
To guarantee the integrity and authenticity of the assertion ticket, the SAP system that issues the ticket signs the ticket with its own digital signature.
AS ABAP systems that issue assertion tickets must be release 6.40.
For more information, see SAP Note 612670 .
The system accepting the assertion ticket trusts the system issuing the assertion ticket.
The clocks are synched.
The hard-coded 2 minute validity period leaves little room for tolerance.
The user ID of the current user is identical in the accepting and issuing systems.