Logon Tickets

Use

To provide Single Sign-On (SSO) to multiple systems, a user can be issued a logon ticket after being authenticated on an SAP NetWeaver Application Server (AS) ABAP system. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password, the user is granted access once the receiving system has verified the logon ticket.

Prerequisites

The system that issues the logon tickets must be release 4.6C or higher. SAP systems that are to accept the ticket must meet the following release requirements:

  • Release 4.6A/B: 4.6D kernel as of patch level 74

  • Release 4.5: 4.5B kernel as of patch level 459

  • Release 4.0: 4.0B kernel as of patch level 758

For more information, see SAP Note 177895.

Security Measures When Using Logon Tickets

When using logon tickets for authentication, take the following precautions:

  • When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the information necessary to log the user on to additional systems without an explicit password. Therefore, you should protect the logon ticket from being compromised or manipulated in transit by using HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) between Internet-enabled components.

    For more information, see Configuring the AS ABAP for Supporting SSL.

  • Due to the nature of cookie technology, the logon ticket is sent to all servers within the DNS domain where the ticket-issuing server is located (for example, example.com). Therefore, to protect the logon ticket from being sent to servers that should not receive it, we recommend using a separate domain for your productive systems and restricting who can register new servers in that domain.

  • To guarantee the integrity and authenticity of the user's logon ticket, the SAP system that issues the ticket signs the ticket with its own digital signature. Therefore, when using logon tickets for authentication, you should protect the application server's private key as described in Secure Store & Forward Mechanisms (SSF) and Digital Signatures in the topic Protecting the Application Servers' Private Keys.
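The following is an added example, not part of the SAP documentation: a small audit of Set-Cookie headers returned by a ticket-issuing server, checking the points above (Secure attribute for HTTPS-only transfer, Domain scope no broader than the productive domain, and no Expires/Max-Age so the cookie stays non-persistent). The cookie name MYSAPSSO2 is assumed to be the logon-ticket cookie, and the sample headers are constructed, not captured from a real system.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class CookieFinding:
    name: str
    domain: str | None
    issues: list[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for p in parts[1:]:
        k, sep, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if sep else None  # flags like Secure have no value
    return name.strip(), value, attrs

def audit_ticket_cookie(header: str, productive_domain: str,
                        cookie_name: str = "MYSAPSSO2") -> CookieFinding | None:
    """Return findings for the logon-ticket cookie, or None if the header sets another cookie."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return None
    domain = attrs.get("domain")
    finding = CookieFinding(name=name, domain=domain)
    # Precaution 1: the ticket must only travel over HTTPS.
    if "secure" not in attrs:
        finding.issues.append("missing Secure attribute: ticket may be sent over plain HTTP")
    # Precaution 2: a cookie goes to every host under its Domain; keep it inside the productive domain.
    # A host-only cookie (no Domain attribute) is the narrowest scope and passes.
    if domain is not None:
        d, prod = domain.lstrip(".").lower(), productive_domain.lower()
        if d != prod and not d.endswith("." + prod):
            finding.issues.append(f"Domain={domain} is broader than productive domain {productive_domain}")
    # Precaution 3: the ticket is meant to be a non-persistent (session) cookie.
    if "expires" in attrs or "max-age" in attrs:
        finding.issues.append("Expires/Max-Age set: ticket would persist after the browser closes")
    return finding

# Constructed sample headers (not from a real system); "TICKETVALUE" stands in for the ticket.
SAMPLE_HEADERS = [
    "MYSAPSSO2=TICKETVALUE; Domain=.example.com; Path=/",
    "MYSAPSSO2=TICKETVALUE; Domain=prod.example.com; Path=/; Secure",
    "sap-usercontext=sap-client=100; Path=/",
]

def audit_all(headers: list[str], productive_domain: str) -> list[CookieFinding]:
    """Audit every header; only logon-ticket cookies produce a finding."""
    return [f for h in headers if (f := audit_ticket_cookie(h, productive_domain)) is not None]
```

Run `audit_all(SAMPLE_HEADERS, "prod.example.com")`: the first header is flagged twice (no Secure, Domain covers all of example.com), the second passes cleanly.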