Show TOC

7.3 Logon Tickets and Assertion TicketsLocate this document in the navigation structure


Using Single Sign-On (SSO), users can authenticate themselves once and then log on to all of those systems that operate in the Single Sign-On environment without further intervention. This is based on the use of an HTTP cookie ( MYSAPSSO2 cookie or logon ticket) that stores the user's identity.

Once the user has been authenticated, and if the server is appropriately configured, a logon ticket that is typically valid for the complete domain is set. The server can also be configured to set the cookie to be returned only to the specific server. Now, on all subsequent HTTP requests, the browser sends the cookie with the HTTP request. The targeted server can use the information within the cookie as credentials to authenticate the user.

SAP NetWeaver Business Client (NWBC) is a shell that can start different content areas, based on different UI technologies, for example, SAP GUI or HTML. Each of these content types has its own communication channel to the underlying server and needs authentication information to access the server. To pass authentication information securely from the shell to the different content types, you must configure the server to use logon tickets (MYSAPSSO2 cookies) or assertion tickets. Logon tickets also enable NWBC to start applications against multiple systems and multiple clients.


The activation and correct configuration of logon tickets is a prerequisite for using NWBC with any server.

It is important for NWBC that all users must be dialog users, which can be configured in transaction User Maintenance ( SU01). This is a prerequisite for NWBC to enable the HTTP framework to issue a logon ticket and to enable NWBC to display transactions based on SAP GUI.

Testing Logon Tickets with a Browser

Log on to a test system with a browser. If logon tickets are configured incorrectly, the following error message appears, which means that there is still a configuration error:

SSO logon not possible; browser logon ticket cannot be accepted

To log on, choose Log On and enter your user name and password in the usual logon screen that appears.

Testing Logon Tickets with NWBC

Log on to a test system with NWBC. In the usual logon screen , enter your user name and password and choose Log On. If logon tickets are configured incorrectly, an error message appears indicating that you need to check your SSO2 configuration settings.

Assertion Tickets

Assertion tickets are carried in the HTTP header. They differ from logon tickets in the following ways:
  • Logon tickets are used for user-to-system communication, whereas assertion tickets are used for system-to-system communication.
  • Logon tickets are transmitted as cookies, whereas assertion tickets are transported as HTTP headers.
  • Validity of logon tickets is configurable, whereas the validity of assertion tickets is hard-coded (2 minutes).
  • Logon tickets never identify a recipient, as they target multiple systems. Assertion tickets are always issued for a single recipient.

These restrictions show that in a scenario without a logon ticket one authentication is needed per system and per client. For more information about how to avoid manual logon steps, see 7.2 Use of Digital Certificates. You need to test a certificate-based logon against each system and client in the browser first. It works for NWBC only if it works in Microsoft Internet Explorer.

More Information

For more information, see SAP Library for SAP NetWeaver on SAP Help Portal at Under Security Information, open Security Guide and choose Start of the navigation path User Administration and Authentication Next navigation step User Authentication and Single Sign-On Next navigation step SAP NetWeaver Single Sign-On Next navigation step Authentication Concepts Next navigation step Authentication for Communication between Systems Next navigation step Authentication Assertion Tickets End of the navigation path.