Using Logon Tickets

You can use logon tickets to integrate applications running on SAP and non-SAP systems into single sign-on (SSO) environments based on cookie technology.

For this SSO scenario, you configure a system such as a portal in your landscape to issue digitally signed logon tickets. Users authenticate initially to this system to obtain a logon ticket. After being issued, the logon ticket is stored as a digitally signed cookie in the user's Web browser and enables the user to log on transparently to trusting systems in the SSO environment.

  • Users must have the same user ID in all of the systems they access using the logon ticket. If you have a portal, you can use an intermediary mapping system for the user IDs in different systems.

    For more information, see the portal documentation.

  • The Web clients of the application server users must be configured to accept cookies.

  • Systems that accept logon tickets access the issuing server's public-key certificate to verify the digital signature provided with the ticket. SAP NetWeaver Application Server (SAP NetWeaver AS) receives a key pair and a self-signed public-key certificate during the installation process.

  • The clocks for the accepting systems are synchronized with the ticket-issuing system. If you do not synchronize the clocks, then the accepting system may receive a logon ticket with an invalid time stamp, which causes an error.


To ensure data integrity and non-repudiation, logon tickets are digitally signed by the issuing system. Therefore, to enable SSO, you must establish a trust relationship to the issuing system on the accepting system. SAP NetWeaver AS systems are shipped with the necessary functions and a Personal Storage Environment (PSE) to enable logon ticket verification.
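The checks an accepting system performs (trusted issuer key, signature, time stamp against its own clock, matching user ID) can be sketched as follows. This is an added example, not SAP code or the SAP logon ticket format: the JSON ticket layout, the toy-sized RSA key, the function names and the sample issuer and user names are all assumptions made for illustration.

```python
import hashlib, json

# Toy RSA key pair for the issuing system (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537        # two Mersenne primes
N = P * Q                                     # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))             # private exponent, known to the issuer only

def _digest(payload, n):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def issue_ticket(user, issuer, now, lifetime=8 * 3600):
    """Issuing system: sign the user ID, issuer name and validity window."""
    claims = {"user": user, "issuer": issuer, "iat": now, "exp": now + lifetime}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload, pow(_digest(payload, N), D, N)

def accept_ticket(payload, signature, trusted, local_users, now):
    """Accepting system: returns (True, user) or (False, reason)."""
    try:
        claims = json.loads(payload)
        issuer, user, iat, exp = (claims[k] for k in ("issuer", "user", "iat", "exp"))
    except (ValueError, KeyError, TypeError):
        return False, "malformed ticket"
    key = trusted.get(issuer) if isinstance(issuer, str) else None  # imported public keys only
    if key is None:
        return False, "issuer not trusted"
    n, e = key
    if pow(signature, e, n) != _digest(payload, n):
        return False, "bad signature"
    if now < iat:                             # compared against the acceptor's own clock
        return False, "ticket not yet valid"
    if now > exp:
        return False, "ticket expired"
    if user not in local_users:               # the same user ID must exist locally
        return False, "unknown user ID"
    return True, user

TRUSTED, USERS, T0 = {"PORTAL": (N, E)}, {"JDOE"}, 1_700_000_000  # constructed sample data
TICKET, SIG = issue_ticket("JDOE", "PORTAL", T0)

def demo():
    bad = TICKET.replace(b"JDOE", b"ADMIN")   # payload changed after signing
    return {
        "in sync": accept_ticket(TICKET, SIG, TRUSTED, USERS, T0 + 60),
        "clock 5 min behind": accept_ticket(TICKET, SIG, TRUSTED, USERS, T0 - 300),
        "tampered": accept_ticket(bad, SIG, TRUSTED, USERS, T0 + 60),
        "no trust": accept_ticket(TICKET, SIG, {}, USERS, T0 + 60),
    }
```

Calling `demo()` shows that a correctly signed ticket from a trusted issuer is still rejected when the accepting system's clock runs behind the issuer's, which is the time stamp error described in the prerequisites.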

The trusted systems management functions of the SAP NetWeaver Administrator enable you to manage the necessary trust relationships for integrating ABAP and Java systems in logon ticket-based SSO environments. You can use these functions to facilitate the remote configuration of trust relationships between SAP NetWeaver systems that are registered in System Landscape Directory (SLD) environments.


Logon tickets use cookie technology to store persistent information about the authenticated user on the client. Therefore, for additional security we recommend that you protect the Web client's cookie cache and employ transport layer security mechanisms such as SSL.


Logon tickets enable you to integrate SAP NetWeaver and non-SAP systems in an SSO environment. To use SSO with logon tickets, you configure a system in your landscape to authenticate users and issue a logon ticket upon successful authentication. Subsequently, users can transparently access systems that accept logon tickets for SSO.


You use the Trusted Systems → Single Sign-On with SAP Logon Tickets configuration functions in the SAP NetWeaver Administrator to configure logon ticket-based SSO in landscapes with systems supported by the ABAP or Java technology stacks of SAP NetWeaver.

  1. Configure SAP NetWeaver server system to authenticate users and issue logon tickets

  2. Configure SAP NetWeaver server system to accept logon tickets