Show TOC

Using Logon Tickets with AS ABAPLocate this document in the navigation structure


SAP NetWeaver Application Server (AS) ABAP enables you to use Single Sign-On (SSO) with logon tickets both in the role of a logon ticket-issuing and logon ticket-accepting system. After receiving a logon ticket, AS ABAP users can access other systems in the SSO environment using the logon ticket for authentication instead of having to repeatedly enter their user ID and password.

  • Users must have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems. If users have different user IDs, you also have to use a reference system for user mapping.

    For more information, see the portal documentation.

  • The users are dialog users. AS ABAP does not issue logon tickets for system or service users.


    For system to system communication, the AS ABAP issues an authentication assertion ticket. The assertion ticket is structured the same as the logon ticket, but has a limited validity period (2 minutes). The configuration for issuing and accepting logon tickets also applies to the issuing and accepting of authentication assertion tickets.

  • Business users must configure their Web browsers to accept cookies.

  • Any systems that accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.

  • The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket. The AS ABAP receives a key pair and a self-signed public-key certificate during the installation process.

    By default, the AS ABAP uses the system Personal Security Environment (PSE) for storing these keys; however, you may need to use a different PSE in the following cases:

    • If the system has been upgraded from a release less than or equal to 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.

    • If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.

  • Systems that accept logon tickets must have access to the public-key certificate of the issuing server so that they can verify the digital signature provided with the ticket. Therefore, the public-key certificate of the issuing server must be added to the certificate list of the accepting system.

    • For landscapes that include only AS ABAP systems, you can use the SSO administration wizard (transaction SSO2) to automatically establish the configuration for the accepting system.

    • For system landscapes with AS Java and AS ABAP systems you can use the Start of the navigation path Trusted Systems Next navigation step Single Sign-On with SAP Logon Tickets End of the navigation path configuration functions of the SAP NetWeaver Administrator to establish trust between a ticket-issuing and a ticket-accepting system, registered in a system landscape directory.


You can configure the AS ABAP to act as a ticket-issuing and a ticket-accepting system in your landscape. For more information about the authentication flow, see the following sections.

Issuing Logon Tickets

  1. The user authenticates him or herself on the AS ABAP (for example, using user ID and password).

  2. The AS ABAP verifies the information from the user. If the authentication was successful, then the user is logged on to the server and a ticket is issued to him or her.

  3. The Web browser of the user stores the logon ticket and uses it for authentication on to ticket-accepting systems.

Accepting Logon Tickets

  1. The Web browser sends the logon ticket of the user logon ticket with the access request.

  2. The AS ABAP verifies the information contained in the ticket, as follows:

    1. Verifies the digital signature of the issuing server based on an established trust relationship with the ticket-issuing system.

    2. Makes sure the ticket has been issued by a trusted server (either itself or a server listed in the corresponding access control list).

    3. Checks the expiration time.

If the ticket is valid and has been issued by a trusted server, then the AS ABAP grants the user access to the system.


For more information about configuring the AS ABAP to issue and accept logon tickets, see the following: