The AS Java uses JAAS login modules to support the use of logon tickets for SSO. For this scenario, the user authenticates with a supported mechanism against a ticket-issuing system in your landscape. After successful authentication, the system issues the user a logon ticket, which he or she can use for SSO access to other systems in the SSO environment.
When using logon tickets for Single Sign-On, you must set up one system as the ticket-issuing system. This may be the AS Java, or it may be a different SAP application server or a portal system. You can then configure the AS Java as well as other systems in your landscape to accept logon tickets.
On the AS Java, you enable the use of logon tickets for SSO by configuring the login module stacks for the corresponding applications.
Special Case: Authentication Assertion Ticket
For system connections between the AS ABAP and an AS Java using jRFC or HTTP, you can use a logon ticket called an authentication assertion ticket. It is used similarly to logon tickets, with the following restrictions:
Used for connections between systems where no user interaction is necessary.
Can only be used once for SSO. Once the ticket has been verified, it is deleted.
Has a very limited validity period (a few seconds).
The configuration is the same as with the standard logon ticket with the exception that specific login modules exist to enable the use of authentication assertion tickets.
The Web browsers of the users are configured to accept cookies.
The ticket-accepting systems, including the AS Java and AS ABAP, must be located in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
The clocks for the accepting systems are synchronized with the ticket-issuing system. If you do not synchronize the clocks, then the accepting system may receive a logon ticket that is not yet valid, which can result in authentication errors.
The issuing server must possess a public and private key pair and a public-key certificate to use for digitally signing the logon ticket. Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.
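The restrictions on authentication assertion tickets listed above (one-time use, validity of a few seconds) and the prerequisites for accepting systems (synchronized clocks, verification of the issuer's signature) can be modelled as the checks an accepting system runs before it trusts a ticket. The following is an added illustration, not SAP code and not the real logon ticket format: the ticket fields are assumptions, and an HMAC with a constructed key stands in for the issuer's private-key signature and public-key certificate so that the example runs without extra libraries.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the issuer's signing key. A real logon ticket is
# signed with the issuing server's private key and verified with its
# public-key certificate; an HMAC is used here only to keep the example
# dependency-free. The ticket fields below are assumptions, not SAP's format.
ISSUER_KEY = b"constructed-issuer-key"


@dataclass
class Ticket:
    ticket_id: str
    user: str
    issuer: str
    issued_at: int        # seconds since epoch, on the issuer's clock
    validity: int         # seconds the ticket stays valid after issued_at
    one_time: bool        # True for an authentication assertion ticket
    signature: bytes = b""

    def payload(self) -> bytes:
        fields = (self.ticket_id, self.user, self.issuer,
                  self.issued_at, self.validity, self.one_time)
        return "|".join(str(f) for f in fields).encode()


def issue(ticket_id, user, issuer, issued_at, validity, one_time=False):
    """Ticket-issuing system: build the ticket and sign its payload."""
    t = Ticket(ticket_id, user, issuer, issued_at, validity, one_time)
    t.signature = hmac.new(ISSUER_KEY, t.payload(), hashlib.sha256).digest()
    return t


class AcceptingSystem:
    """Models the checks a ticket-accepting system performs."""

    def __init__(self, clock_offset=0, max_skew=0):
        self.clock_offset = clock_offset  # how far this system's clock is off
        self.max_skew = max_skew          # tolerated skew before "not yet valid"
        self.used = set()                 # ids of consumed one-time tickets

    def evaluate(self, t: Ticket, true_now: int) -> str:
        now = true_now + self.clock_offset   # what this system's clock shows
        expected = hmac.new(ISSUER_KEY, t.payload(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, t.signature):
            return "rejected: signature does not verify"
        if now < t.issued_at - self.max_skew:
            return "rejected: not yet valid (accepting clock behind issuer)"
        if now > t.issued_at + t.validity:
            return "rejected: expired"
        if t.one_time:
            if t.ticket_id in self.used:
                return "rejected: assertion ticket already consumed"
            self.used.add(t.ticket_id)   # verified once, then never again
        return "accepted"
```

An accepting system whose clock runs 30 seconds behind the issuer rejects a freshly issued ticket as not yet valid unless it tolerates that skew, which is the authentication error the clock-synchronization prerequisite warns about.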
When a user is authenticated on the AS Java, the server processes the stack of login modules that apply to the application that the user accesses. To use logon tickets for SSO, you adjust the applications' login module stack to include the login modules enabling SSO with logon tickets.
The AS Java is delivered with the following JAAS login modules for creating and verifying logon tickets.
CreateTicketLoginModule for creating logon tickets.
EvaluateTicketLoginModule for verifying logon tickets.
To configure the use of SSO with logon tickets, you can also use the authentication stack of the template policy configuration ticket, which contains these modules in the correct order for using logon tickets.
When using authentication assertion tickets for system connections between the AS ABAP and an AS Java, the corresponding login modules you use are called CreateAssertionTicketLoginModule and EvaluateAssertionTicketLoginModule. The corresponding template is evaluate_assertion_ticket.
You can adjust either individual login module stacks or any of the corresponding policy configuration templates. If you change the templates, then the changes will be replicated to all applications that use the templates for their authentication needs. For more information, see Managing Login Modules and Managing Authentication Policy.
For more information about configuring the use of logon tickets for the AS Java, see the following sections:
For an example of the login module stack configurations to enable the use of logon tickets for SSO on the AS Java, see Sample Login Module Stacks for Using Logon Tickets.