To provide Single Sign-On (SSO) to multiple systems, a user who has authenticated on an SAP NetWeaver Application Server (AS) ABAP system can be issued a logon ticket. The user's browser then presents this ticket to other systems (SAP or non-SAP) as an authentication token. Instead of asking for a user ID and password, the receiving system verifies the logon ticket and, if it is valid, grants the user access. Anyone who obtains a valid ticket can therefore log on as that user until the ticket expires, which is what the security measures below address.
The system that issues the logon tickets must be release 4.6C or higher. SAP systems that are to accept the ticket must meet the following release requirements:
Release 4.6A/B: 4.6D kernel as of patch level 74
Release 4.5: 4.5B kernel as of patch level 459
Release 4.0: 4.0B kernel as of patch level 758
For more information, see SAP Note 177895.
Security Measures When Using Logon Tickets
When using logon tickets for authentication, take the following precautions:
When logon tickets are used for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains everything needed to log the user on to additional systems without an explicit password, so anyone who reads it in transit can use it exactly as the legitimate user would. Therefore, protect the logon ticket from being read or manipulated during transfer by using HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) between all Internet-enabled components, and make sure the browser sends the ticket cookie only over HTTPS (the Secure cookie attribute; on AS ABAP this is controlled by the profile parameter login/ticket_only_by_https).
For more information, see Configuring the AS ABAP for Supporting SSL.
Because of how cookies work, the logon ticket cookie is scoped to the DNS domain of the issuing server (for example, example.com), so the browser sends it to every server in that domain, not only to the systems that are meant to accept it. Any host in that domain, including test systems or a host an attacker manages to register there, can collect the ticket and replay it against your productive systems. Therefore, to keep the logon ticket from reaching servers that should not receive it, we recommend using a separate DNS domain for your productive systems and restricting who can register new host names in that domain.
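The following Go program is added here as an illustration of the two precautions above; it is not part of SAP's documentation or code. It uses Go's standard, browser-like cookie jar to show that a logon ticket cookie scoped to the issuing server's domain is handed to every host in that domain (and, without the Secure flag, over plain HTTP as well), whereas a cookie scoped to a dedicated productive domain never leaves it. The host names, the cookie value and the productive domain sap-prod.example are constructed for the example; MYSAPSSO2 is the name SAP uses for the logon ticket cookie.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// NewTicketJar builds a browser-like cookie jar and stores a MYSAPSSO2 cookie the
// way a browser would after the issuing server at issuerURL set it with the given
// Domain attribute and Secure flag. No Expires/Max-Age is set, so the cookie is a
// non-persistent session cookie, as the text describes.
func NewTicketJar(issuerURL, domain string, secure bool) (*cookiejar.Jar, error) {
	// A nil public-suffix list is fine for an offline demo with private host names.
	jar, err := cookiejar.New(nil)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(issuerURL)
	if err != nil {
		return nil, err
	}
	jar.SetCookies(u, []*http.Cookie{{
		Name:   "MYSAPSSO2",
		Value:  "constructed-placeholder-not-a-real-ticket", // constructed value
		Domain: domain,
		Path:   "/",
		Secure: secure,
	}})
	return jar, nil
}

// TicketSentTo reports whether the jar would attach the MYSAPSSO2 cookie to a
// request for targetURL, i.e. whether that host would receive the user's ticket.
func TicketSentTo(jar *cookiejar.Jar, targetURL string) bool {
	u, err := url.Parse(targetURL)
	if err != nil {
		return false
	}
	for _, c := range jar.Cookies(u) {
		if c.Name == "MYSAPSSO2" {
			return true
		}
	}
	return false
}

func main() {
	// Issuer in the shared corporate domain, cookie scoped to example.com:
	// every host in that domain gets the ticket.
	shared, _ := NewTicketJar("https://portal.example.com/", "example.com", true)
	fmt.Println("ERP in the same domain  :", TicketSentTo(shared, "https://erp.example.com/sap/bc/gui/"))
	fmt.Println("unrelated intranet host :", TicketSentTo(shared, "https://wiki.example.com/"))
	fmt.Println("same ERP over plain HTTP:", TicketSentTo(shared, "http://erp.example.com/"))

	// Issuer in a dedicated productive domain: hosts outside it never see the ticket.
	prod, _ := NewTicketJar("https://portal.sap-prod.example/", "sap-prod.example", true)
	fmt.Println("ERP in productive domain:", TicketSentTo(prod, "https://erp.sap-prod.example/"))
	fmt.Println("host outside it         :", TicketSentTo(prod, "https://wiki.example.com/"))
}
```

The jar applies the same domain-matching rule a browser does: a cookie with Domain=example.com goes to erp.example.com and wiki.example.com alike, so the only way to keep the ticket away from wiki.example.com is to not share a domain with it. The Secure flag is the second half of the first precaution: without it, the same jar would hand the ticket to http://erp.example.com/ in clear text.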
To guarantee the integrity and authenticity of the user's logon ticket, the issuing SAP system signs the ticket with its own digital signature, and an accepting system verifies this signature against the issuing system's certificate before it trusts the user ID in the ticket. Anyone who obtains the issuing server's private key can therefore create valid tickets for any user. When using logon tickets for authentication, you should protect the application server's private key as described in Secure Store & Forward Mechanisms (SSF) and Digital Signatures in the topic Protecting the Application Servers' Private Keys.
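As an added illustration (not SAP's code, and not the real MYSAPSSO2 ticket format), the following Go program models what the signature buys you: the issuing system signs a small ticket payload with its private key, and an accepting system refuses the ticket unless the signature verifies against the public key it holds for that issuer and the ticket is inside its validity window. The ticket layout, the field names, the system ID PRD, the user names and the choice of ECDSA P-256 are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket is a simplified stand-in for a logon ticket (not the MYSAPSSO2 wire format).
type Ticket struct {
	User, IssuerSID string // IssuerSID: system ID of the issuing AS ABAP
	IssuedAt        time.Time
	ValidFor        time.Duration
}

// TrustedIssuers maps an issuing system's ID to the public key from its certificate.
type TrustedIssuers map[string]*ecdsa.PublicKey
var enc = base64.RawURLEncoding

// NewIssuerKey generates the issuing system's signing key pair (ECDSA P-256).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// payload is the canonical byte string that is signed and verified.
func (t Ticket) payload() []byte {
	return []byte(strings.Join([]string{t.User, t.IssuerSID, t.IssuedAt.UTC().Format(time.RFC3339), t.ValidFor.String()}, "|"))
}

func parseTicket(payload []byte) (Ticket, error) {
	f := strings.Split(string(payload), "|")
	if len(f) != 4 {
		return Ticket{}, errors.New("malformed ticket payload")
	}
	issued, err1 := time.Parse(time.RFC3339, f[2])
	valid, err2 := time.ParseDuration(f[3])
	if err1 != nil || err2 != nil {
		return Ticket{}, errors.New("malformed ticket payload")
	}
	return Ticket{User: f[0], IssuerSID: f[1], IssuedAt: issued, ValidFor: valid}, nil
}

// Issue signs the ticket with the issuing system's private key. Whoever holds that
// key can mint a ticket for any user, which is why the text says to protect it.
func Issue(t Ticket, issuerKey *ecdsa.PrivateKey) (string, error) {
	digest := sha256.Sum256(t.payload())
	sig, err := ecdsa.SignASN1(rand.Reader, issuerKey, digest[:])
	if err != nil {
		return "", err
	}
	return enc.EncodeToString(t.payload()) + "." + enc.EncodeToString(sig), nil
}

// Accept is what a receiving system must do before trusting the user ID in a ticket:
// find the issuer in its trusted list, verify the signature, then check the validity window.
func Accept(encoded string, trusted TrustedIssuers, now time.Time) (Ticket, error) {
	parts := strings.Split(encoded, ".")
	if len(parts) != 2 {
		return Ticket{}, errors.New("malformed ticket")
	}
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	t, err3 := parseTicket(payload)
	if err1 != nil || err2 != nil || err3 != nil {
		return Ticket{}, errors.New("malformed ticket")
	}
	pub, ok := trusted[t.IssuerSID]
	if !ok {
		return Ticket{}, fmt.Errorf("issuer %q is not a trusted ticket issuer", t.IssuerSID)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Ticket{}, errors.New("signature verification failed")
	}
	if now.Before(t.IssuedAt) || now.After(t.IssuedAt.Add(t.ValidFor)) {
		return Ticket{}, errors.New("ticket outside its validity window")
	}
	return t, nil
}

// ForgeUser re-encodes ticket t with a different user but keeps the original signature.
func ForgeUser(encoded string, t Ticket, newUser string) string {
	t.User = newUser
	return enc.EncodeToString(t.payload()) + "." + strings.Split(encoded, ".")[1]
}

func main() {
	key, _ := NewIssuerKey()
	orig := Ticket{User: "JDOE", IssuerSID: "PRD", IssuedAt: time.Now(), ValidFor: 8 * time.Hour}
	ticket, _ := Issue(orig, key)
	_, err := Accept(ForgeUser(ticket, orig, "DDIC"), TrustedIssuers{"PRD": &key.PublicKey}, time.Now())
	fmt.Println("forged ticket rejected:", err)
}
```

The point of the example is the order of checks in Accept: nothing in the ticket is acted on until the signature has verified against a key the accepting system already trusts for that issuer, and a ticket whose user field was rewritten after signing fails that check. It also shows why the private key is the asset to protect: a second key pair that is not in TrustedIssuers cannot produce an acceptable ticket, but the real issuer key can produce one for any user. On a real AS ABAP the equivalent of TrustedIssuers is the list of accepted ticket-issuing systems and their certificates that you maintain in the accepting system (transaction STRUSTSSO2).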