
Logon Tickets

To provide for Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on the SAP System. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the system has verified the logon ticket.

Prerequisites for Using Logon Tickets

The system that issues the logon tickets must be Release 4.6C or higher. SAP systems that are to accept the ticket need to meet the following release requirements:

      Release 4.6A/B: 4.6D kernel as of patch level 74

      Release 4.5: 4.5B kernel as of patch level 459

      Release 4.0: 4.0B kernel as of patch level 758

For more information, see SAP Note 177895.

Security Measures When Using Logon Tickets

When using logon tickets for authentication, you should take the following precautions:

      When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the information necessary to log the user on to additional systems without the user having to authenticate again with a password. Therefore, you should protect the logon ticket from being compromised or manipulated during transfer by using HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) between Internet-enabled components. See also Transport Layer Security.

      Due to the nature of cookie technology, the logon ticket is sent to all servers within the DNS domain where the ticket-issuing server is located (for example, mycompany.com). Therefore, to protect the logon ticket from being sent to servers that should not receive it, we recommend using a separate domain for your productive systems and restricting the ability to register new servers in this domain.

      To guarantee the integrity and authenticity of the user's logon ticket, the SAP system that issues the ticket signs the ticket with its own digital signature. Therefore, when using logon tickets for authentication, you should protect the application server's private key as described in Secure Store & Forward Mechanisms (SSF) and Digital Signatures in the topic Protecting the Application Servers' Private Keys.

 

See also:

Using Logon Tickets
