
Configuring Logon Tickets for Multiple Domains

Use

To configure the portal to issue logon tickets for multiple domains, you must define the servers with receiver software in the User Management Engine (UME) property ume.login.mdc.hosts. This solution is only available with the portal. You cannot use it with an SAP NetWeaver Application Server Java (AS Java) without an SAP NetWeaver Portal installation.

Recommendation

We strongly recommend that you use the Secure Sockets Layer protocol (SSL) for all communication between Web browsers and servers to ensure data is exchanged securely.

Prerequisites

      The portal on which users log on first must be one of the following:

       SAP Enterprise Portal 6.0 SP6 (SAP NetWeaver SP Stack 04) or higher

       SAP NetWeaver Portal 7.0 or higher

      To issue multiple logon tickets, you need at least one server with receiver software in each domain to which you require SSO. A receiver server must be one of the following:

       SAP Enterprise Portal 6.0 SP6 and higher

       SAP NetWeaver Portal 7.0 and higher

       A Web server with the Web server filter for logon tickets installed. For more information about where to get the Web server filter and how to install it, see SAP Notes 442401 and 723896.

       A server that has custom software to issue logon tickets. This software should read the POST parameter with the value <ticket> (the logon ticket). It should set a new cookie for the server’s domain where the cookie’s name is mysapsso2 and its value is <ticket>.

Procedure

On the portal server where users log on first, do the following:


       1.      Edit the UME property ume.login.mdc.hosts.

For more information about editing UME properties, see Editing UME Properties. Enter a comma-separated list of host URLs for the servers with receiver software in the additional domains. You do not need to enter the host URL for the portal that the user accesses initially.

Each item in the list has the following syntax:

[protocol://]host[:port][path]

-        The protocol is optional. If you do not specify it, the system uses the protocol of the current connection, and the receiving system must listen for both HTTP and HTTPS, and only on the default ports.

-        You must specify the port if it is not the default port: 80 for HTTP or 443 for HTTPS.

-        Set the path as follows:

| Ticket-issuing server | Path to use |
|---|---|
| Portal server | Do not specify a path. If the path is not specified, the default path is /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.mdc |
| A Web server with the Web server filter for logon tickets installed | /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.mdc |
| A server with custom receiver software | Path to the custom receiver software, for example /sendSSO2Cookie.asp |

       2.      Restart the nodes in the AS Java cluster for the changes to take effect.

Result

The user receives an additional logon ticket for each of the domains of the servers listed in ume.login.mdc.hosts. These logon tickets are all digitally signed with the public key of the portal server on which you set the property. The tickets are stored as cookies in the user’s browser and are sent with each request to the corresponding domain.

As a next step, all systems that are to be accessed using Single Sign-On (SSO) with logon tickets must be configured to accept logon tickets issued by the portal on which you set the property ume.login.mdc.hosts. For more information about setting up SSO between systems, see User Authentication and Single Sign-On.

Example

You want the logon ticket to be issued for three additional domains:


       1.      A portal server and you want to use HTTP as the protocol

       2.      A Web server filter and you want to use the protocol that the user uses to log on

       3.      A server with custom receiver software

The value of the UME property is as follows:

ume.login.mdc.hosts=http://host1.domain1.net,host2.domain2.net/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.mdc,host3.domain3.net/sendSSO2Cookie.asp
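The following Python sketch is an added example, not SAP code. It applies the syntax and default rules described above to this property value and reports which entries conflict with the SSL recommendation or the default-port rule. The function names, the finding texts and the always-explicit port in the resolved URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Default path the page gives for portal servers when no path is specified.
DEFAULT_PATH = "/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.mdc"
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_entry(entry, current_scheme):
    """Resolve one [protocol://]host[:port][path] item and collect findings."""
    entry = entry.strip()
    explicit = "://" in entry
    # A leading "//" makes urlsplit read a protocol-less item as host[:port][path].
    parts = urlsplit(entry if explicit else "//" + entry)
    scheme = parts.scheme.lower() if explicit else current_scheme
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not a valid host entry: {entry!r}")
    findings = []
    if explicit and scheme == "http":
        findings.append("ticket is always sent over plain HTTP")
    if not explicit:
        if current_scheme == "http":
            findings.append("ticket follows an HTTP logon in clear text")
        if parts.port is not None:
            findings.append("port set without protocol; receiver must use default ports")
    return {
        "url": f"{scheme}://{parts.hostname}:{parts.port or DEFAULT_PORTS[scheme]}"
               f"{parts.path or DEFAULT_PATH}",
        "findings": findings,
    }


def audit_hosts(value, current_scheme="https"):
    """Audit a full ume.login.mdc.hosts value for the given logon protocol."""
    return [resolve_entry(item, current_scheme) for item in value.split(",") if item.strip()]


# Property value from the page's example.
EXAMPLE = ("http://host1.domain1.net,"
           "host2.domain2.net/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.mdc,"
           "host3.domain3.net/sendSSO2Cookie.asp")

if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(f"user logs on with {scheme}:")
        for result in audit_hosts(EXAMPLE, scheme):
            print(" ", result["url"], result["findings"])
```

With the example value, the first entry is reported for both logon protocols because its protocol is fixed to HTTP, while the second and third are reported only when the user's own logon uses HTTP.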

 

 
