Show TOC

Configuring the AS Java to Accept Logon TicketsLocate this document in the navigation structure


The AS Java uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user's Web browser, the AS Java verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the AS Java authenticates the user.


If you are using authentication assertion tickets for SSO between the AS ABAP and the AS Java, the corresponding module is EvaluateAssertionTicketLoginModule .


To check the validity of a user's logon ticket, the AS Java must be able to verify the issuing server's digital signature.

  • If the AS Java is both the ticket-issuing server and the accepting server, it can automatically verify its own digital signature.

  • If the ticket-issuing server is a different server, that server's public-key certificate must be available in the keystore view that the AS Java uses for verifying logon tickets.


The Start of the navigation path Trusted Systems Next navigation step SSO Wizard End of the navigation path configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the AS Java.

Open the SSO Wizard.

Note the following:

  • If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by choosing Start of the navigation path Configuration Management Next navigation step  Security  Next navigation step  Trusted Systems End of the navigation path.

  • If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, you must first deploy the SSO Wizard. For more information, see SAP Note 1083421.

    The system which you configure is displayed in the Selected Accepting System section.

    There are two ways to add a trusted system:

  • By connecting to the system and requesting its certificate.


    If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. For more information, see SAP Note 1083421.

  • By manually uploading the certificate of the system.

Adding a Trusted System by Connecting to It

  1. In the Trusted Systems section, choose Start of the navigation path Add Trusted System Next navigation step  By Querying Trusted System End of the navigation path.

  2. The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK . The connection details for the selected system are displayed automatically.


    If you cannot find the system you want to add, choose Cancel and provide the connection details:

    1. Select the type of the system from the System Type dropdown list.

    2. Enter the necessary connection details.


    If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system using its license key, which you received from SAP.

  3. Enter your user name and password in the provided fields and choose Next .

  4. The details about the selected system's certificate appear. To add the system, choose Finish . If you want to make changes, choose Back .

Adding a Trusted System by Manually Uploading its Certificate

Before you start the following procedure, you must export the trusted system's public-key certificate.

  1. In the Trusted Systems section choose Start of the navigation path Add Trusted System Next navigation step By Uploading Certificate Manually End of the navigation path.

  2. Enter the System ID and Client in the relevant fields.

  3. Browse to the location of the system's certificate. Select the certificate and choose Open .

  4. Choose Next . The information about the system and the certificate is displayed. To add the system as trusted, choose Finish . If you want to make changes, choose Back .

Configuring the Login Module Stack

Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule ) to the login module stacks for the AS Java policy configurations of the application components that accept login tickets for SSO.

  1. In the SAP NetWeaver Administrator go to Start of the navigation path Configuration Management  Next navigation step Security  Next navigation step  Authentication and Single Sign-On Next navigation step Authentication End of the navigation path.

  2. Select the policy configuration for the application component to accept logon tickets from the Policy Configuration Name table.

  3. In the Details of policy configuration <name> section, choose the Edit pushbutton.

  4. Choose the Add pushbutton with the quick info text Add login module to the policy configuration .

  5. Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule ) from the Login Module Name list and choose the Add pushbutton. Choose the Save pushbutton.


    If you change the options of a login module in the user store, the changes are inherited by all policy configurations that use this login module.

    If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case, the login module will no longer inherit its options from the user store. To restore the inheritance, change the options in the policy configuration or in the user store so that they are identical.


After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The AS Java accepts logon tickets that have been issued by the corresponding server.