Maintaining SSO with Logon Tickets for SAP HANA XS Applications


SAP HANA applications can use single sign-on (SSO) authentication with logon tickets to confirm the logon credentials of the user calling an application service.

To enable SAP HANA applications to use single sign-on (SSO) authentication with logon tickets to confirm the logon credentials of a user requesting an application service, you must ensure that an SAP server is available that can issue logon tickets. You also need to maintain the trust store saplogon.pse, which holds the logon tickets that are presented when a user logs on to the SAP HANA XS application.


To configure SAP HANA to use logon tickets to authenticate users who log on with SSO, note the following prerequisites:

  • You need administrator access to the SAP HANA system hosting the applications to which you want to enable access with logon tickets.

    Note: To maintain security and authentication settings for SAP HANA XS applications, the user also needs the privileges granted by the SAP HANA XS role RuntimeConfAdministrator.

  • You need administrator access to an ABAP system where you maintain the trust store used for the logon tickets.

  • The SAP encryption library is installed and available.

  • The SAP logon trust store (saplogon.pse) is available on the SAP HANA system.


  1. Maintain the trust store that contains the logon tickets.

    The trust store saplogon.pse is used to hold the logon tickets. You maintain this trust store with the ABAP transaction STRUST, rename it, and copy the resulting saplogon.pse file to the SAP HANA directory /usr/sap/<SAPHANAInstance>/HDB<InstNo>/<Hostname>/sec/.

    1. Log on to the ABAP system as <SID>adm and start the Trust Manager with the transaction STRUST.

    2. Create a trust store.

      Choose System PSE → Veri.PSE.

    3. Add your own certificate to the new trust store.

      In the Trust Manager dialog, choose Yes.

    4. Name the new trust store for the logon tickets.

      In the Personal Security Environment dialog, enter saplogon in the File name field and choose Save.

      Note: Make sure you save the saplogon trust store as file type PSE (.pse).

    5. Save the new trust store to a location of your choice.

  2. In SAP HANA, maintain details of the server that issues logon tickets.

    1. Start SAP HANA studio and open the Administration perspective.

    2. In the Configuration tab, expand (or add) the section xsengine.ini → authentication.

    3. Set (or add) the parameter: logonticket_redirect_url. Enter the following URL: https://<SAPHANAhostname>:44333/sap/bc/zredirectwlogon?sap-client=<SAPClientNr>.

  3. Maintain the runtime configuration for the application that you want to use logon tickets to authenticate users.

    You can use the Web-based SAP HANA XS Administration Tool to complete this step. The tool is available on the SAP HANA XS Web server at the following URL: http://<WebServerHost>:80<SAPHANAInstance>/sap/hana/xs/admin/.
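
For step 1 above, one way to script the copy of saplogon.pse into the SAP HANA sec directory and check the result. This is an added example, not SAP-provided code; the function names, the 0600 file mode and the .bak backup are assumptions of the example.

```shell
#!/bin/sh
# Added example, not SAP-provided code. Mode 0600 and the .bak backup name
# are assumptions; run it as the OS user that owns the sec directory.

# install_logon_pse <exported-pse-file> <sec-dir>
# <sec-dir> is /usr/sap/<SAPHANAInstance>/HDB<InstNo>/<Hostname>/sec
install_logon_pse() {
    src=$1
    secdir=$2
    dst="$secdir/saplogon.pse"

    [ -f "$src" ] && [ -s "$src" ] || { echo "missing or empty PSE: $src" >&2; return 1; }
    case "$src" in
        *.pse) ;;
        *) echo "not saved as file type PSE (.pse): $src" >&2; return 1 ;;
    esac
    [ -d "$secdir" ] || { echo "sec directory not found: $secdir" >&2; return 1; }

    # Keep the previous trust store so the change can be rolled back.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak" || return 1
    fi

    # Copy to a private temp file first, then rename it into place.
    tmp="$dst.tmp.$$"
    ( umask 077 && cp "$src" "$tmp" ) || return 1
    chmod 600 "$tmp" && mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 1; }

    check_logon_pse "$secdir"
}

# check_logon_pse <sec-dir>: succeeds only if saplogon.pse exists, is
# non-empty, and grants no permissions to group or others.
check_logon_pse() {
    f="$1/saplogon.pse"
    [ -s "$f" ] || { echo "saplogon.pse missing or empty in $1" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "saplogon.pse is accessible to group/others" >&2; return 1; }
}

# Stand-alone use: sh install_pse.sh <exported-pse-file> <sec-dir>
if [ "$#" -eq 2 ]; then
    install_logon_pse "$1" "$2"
fi
```

Running check_logon_pse on its own after later maintenance confirms the trust store is still in place and has not been opened up to other users.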