
How it Works

Use

To enable Single Sign-On (SSO) to servers in other domains, logon tickets must be issued for the other domains. To this end, the Web browser sends the logon ticket issued by the portal to the servers in the other domains. These servers must be able to react to this information and issue the mysapsso2 cookie that contains the logon ticket for a new domain. The information in the tickets stays the same; in particular, the tickets are all digitally signed with the portal certificate.

For this, the following components are required:

      A portal to which users log on first

This portal contains a component that sends the logon ticket to the servers in the other domains. This is a hidden iView integrated in the initial portal page that sends a request to a server in each domain.

      A server with ‘receiver software’ in each of the required domains

To be able to react to the requests, the server must have ‘receiver software’ that is able to receive a logon ticket and issue the same ticket for the server’s domain. Receiver software can be, for example, a portal or custom Java Server Pages or Active Server Pages.

Prerequisites

      To issue multiple logon tickets, you need at least one server with receiver software in each domain to which you require SSO. A receiver server must be one of the following:

       A portal server

       A Web server with the Web server filter for logon tickets installed. For more information about where to get the Web server filter and how to install it, see SAP Notes 442401 and 723896.

       A server that has custom software to issue logon tickets for its domain.

      On the portal on which users log on first, you have configured the names of the servers with receiver software in the UME property ume.login.mdc.hosts as described in Configuring Logon Tickets for Multiple Domains.

Features

The following diagram describes how the process works for an example scenario with a portal in the domain mycompany.com where SSO is required for the domains mycompany.ie and mycompany.de.

This graphic is explained in the accompanying text

       1.      The user sends a request to the portal.

       2.      The portal authenticates the user and issues a logon ticket for the domain mycompany.com.

       3.      A hidden iView in the initial portal page sends a request including the logon ticket to each of the servers defined in the UME property ume.login.mdc.hosts.

       4.      Each of the servers issues the same logon ticket for its domain.

These tickets are all digitally signed with the public key of the portal. The only difference is the content of the domain field in the ticket.

The tickets are stored as cookies in the user’s browser and are sent with each request to the corresponding domain.
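Step 4 from the receiver's side, as an added example that is not SAP's code or part of the original page: the receiver refuses to re-issue a ticket unless the responding host lies inside its own domain, the value is header-safe, and the signature check passes. The function names, the injected `verify` callable (a stand-in for the real check against the portal certificate), the `Secure`/`HttpOnly` attributes and the sample ticket are assumptions; the cookie name is written `MYSAPSSO2`, as SAP systems send it.

```python
COOKIE_NAME = "MYSAPSSO2"                   # the page's mysapsso2 cookie
SAMPLE_TICKET = "constructed-ticket-value"  # constructed, not a real ticket
UNSAFE = set(' ;,"\\\r\n\t')                # would break the Set-Cookie header


def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def reissue_ticket(ticket, request_host, receiver_domain, verify):
    """Return the Set-Cookie value for receiver_domain, or None to refuse.

    verify is a hypothetical callable standing in for the signature check
    of the ticket against the portal certificate.
    """
    host = request_host.split(":")[0]       # drop an optional port
    # A browser discards a cookie whose Domain does not cover the responding
    # host, so a receiver can only issue the ticket for its own domain.
    if not host_in_domain(host, receiver_domain):
        return None
    # Refuse values that could inject attributes or extra headers.
    if not ticket or UNSAFE & set(ticket):
        return None
    # Never re-issue a ticket that the portal did not sign.
    if not verify(ticket):
        return None
    # Secure and HttpOnly are hardening assumptions of this example.
    return (f"{COOKIE_NAME}={ticket}; Domain={receiver_domain}; "
            "Path=/; Secure; HttpOnly")


if __name__ == "__main__":
    def only_sample(t):                     # constructed stand-in verifier
        return t == SAMPLE_TICKET
    for host in ("sso.mycompany.de:443", "sso.mycompany.ie"):
        print(host, "->",
              reissue_ticket(SAMPLE_TICKET, host, "mycompany.de", only_sample))
```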

 
