Configuring the Use of Logon Tickets
Use
The system’s ticket-issuing application server(s) and corresponding ITS server(s) must be configured to create and accept logon tickets. Systems that should be accessible using Single Sign-On based on the logon ticket must also be configured to accept tickets. See the procedure below for an overview of the configuration.
Procedure
Use the SSO administration wizard (transaction SSO2) to view and maintain the application server’s logon ticket configuration as described in the tables below. Note the following:
) to correct any errors.Configuration on the Ticket-Issuing System’s Application Server
|
Profile Parameter |
Value |
Comment |
|
login/create_sso2_ |
1 or 2 |
Use the value 1 if the server possesses a public-key certificate signed by the SAP CA. Use the value 2 if the certificate is self-signed. If you are not sure, then use the value 2. |
|
login/accept_sso2_ |
1 |
Use the value 1 so that the system will also accept logon tickets. |
|
login/ticket_ |
Desired value |
Default = 60 hours |
Configuration on the Ticket-Issuing System’s ITS
|
Service File Parameter |
Value |
Comment |
|
~login |
(space) |
User information contained in these parameters will override the use of logon tickets for the logon. |
|
~password |
(space) |
|
|
~cookies |
1 |
Enables the storage of cookies. |
|
~mysapcomgetsso2cookie |
1 |
Use the value 1 so that the ITS will request the ticket creation from the application server. |
|
~mysapcomusesso2cookie |
1 |
Use the value 1 so that the ITS will pass an existing logon ticket to the application server. |
|
~mysapcomnosso1cookie |
0 or 1 |
Use the value 0 if you have to use SSO cookies in addition to logon tickets for Single Sign-On (for example, to SAP systems with Release 3.1). Otherwise, use the value 1. |
|
~mysapcomssonoits |
1 |
Use the value 1 if the logon ticket will be used across different SAP system clients. Otherwise, the ticket contains the SAP system client and cannot be used to access a system with a different client. |
Configuration on the Accepting System’s Application Server
|
Profile Parameter |
Value |
Comment |
|
login/accept_sso2_ |
1 |
Use the value 1 so that the server will accept logon tickets. |
|
Access Control List |
Entry |
Comment |
|
Table TWPSSO2ACL |
Issuing system’s ID and client |
The system accepts logon tickets that have been issued by the systems entered in this table. |
|
Certificate List |
Entry |
Comment |
|
Certificate list in server’s system PSE (Personal Security Environment) |
Issuing system’s public-key certificate |
The system can verify logon tickets that have been issued by the system with this public-key certificate. An entry is only necessary if the parameter login/create_sso2_ticket = 2 on the ticket-issuing system. (If login/create_sso2_ ticket = 1 on the ticket-issuing system, then the issuing system’s public-key certificate is sent with the logon ticket.) |
Configuration on the Accepting System’s ITS
|
Service File Parameter |
Value |
Comment |
|
~login |
(space) |
User information contained in these parameters will override the use of logon tickets for the logon. |
|
~password |
(space) |
|
|
~mysapcomusesso2cookie |
1 |
When set to 1, the ITS will pass an existing logon ticket to the application server. |
See also:
Using Logon Tickets in the documentation for SAP Web Application Server Security.
The logon ticket configuration described in the Single Sign-On in the mySAP Workplace document also applies to application servers that are not integrated into the mySAP Workplace.
These documents are available on the SAP Service Marketplace at http://service.sap.com/security.