Single Sign-On With Logon Tickets 
After users have successfully authenticated to the portal, the portal issues them an SAP logon ticket. These logon tickets can also be used to allow users to access backend systems without having to re-enter their credentials.
The backend systems must be able to distinguish between logon tickets from the various tenants. For this reason, you must specify a client for the logon ticket in the Logon Ticket for Client property when you create a new tenant (see Creating a Portal Tenant). This client is unique for each tenant and is written as the client of the issuing system in SAP logon tickets issued to users of that tenant. In the ABAP system in the backend, the access control list (ACL) contains the system IDs and clients of the systems from which the ABAP system accepts logon tickets. In this way, the ABAP system can be set up to accept logon tickets from one tenant, but not from another, even when both tickets are issued by the same portal.
In addition, there is a default value for the client of the portal. Users who do not belong to a specific tenant have this client in their logon tickets. This default client is defined in the UME property login.ticket_client.

We recommend that you use the same client for the logon ticket as the client of the ABAP system that the tenant uses for its user information.
The following tables show the information contained in logon tickets issued by a multitenant portal:
Logon tickets of global users (not belonging to a specific tenant):
Field | Value |
Portal user | <user ID> For example: Administrator |
Client | Same value defined in the UME property login.ticket_client |
SID | <portal SID> |
User name in ABAP system | If the user is not mapped to a user in the SAP reference system, then this field contains the user ID of the portal user converted to uppercase letters. If the portal user ID is longer than 12 characters, this field does not contain a user ID. If the user is mapped to a user in the SAP reference system, then this field contains the mapped user. |
Logon tickets of tenant users:
Field | Value |
Portal user | <tenant_name>\<user ID> For example: TenantA\smith |
Client | Client defined for the tenant. This is defined in the field Logon Ticket for Client when you create a new tenant (see Creating a Portal Tenant). |
SID | <portal SID> |
User name in ABAP system | <user ID> |
As a super administrator, you can configure single sign-on (SSO) with logon tickets between the portal and the ABAP system as described in Single Sign-On with SAP Logon Tickets. In the step where you add the portal to the ACL of the ABAP system, define the client as the client of the tenant for which you want to define SSO.
For additional tenant-specific information, see Setting Up Trust Between SAP Systems.

Do not define an SAP reference system or use user mapping in conjunction with logon tickets in a multitenant portal. Since the multitenant portal gets its user data from an ABAP system, user IDs should be the same in the portal and the backend systems.
For example, you want to configure SSO for all users in the tenant TenantA to the SAP system ABC client 100. In the portal, the tenant TenantA is defined as having the logon ticket client 100. In the system ABC client 100, you enter your portal system ID and client 100 in the ACL.
Although we recommend using the same client for the logon ticket as the client of the user data store in the backend, it is also possible to use different clients. For example, you want to configure SSO for all users in the tenant TenantB to the SAP system ABC client 500. In the portal, the tenant TenantB is defined as having the logon ticket client 800. In the system ABC client 500, you enter your portal system ID and client 800 in the ACL.
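The ticket fields from the two tables and the ACL check from the TenantA and TenantB scenarios, modelled as an added example (it is not SAP code and calls no SAP API). The function names, the portal SID "EPX" and the default client "000" are constructed for illustration; the tenant clients and backend ACL entries are the ones used in the scenarios above.

```python
from dataclasses import dataclass

PORTAL_SID = "EPX"             # constructed placeholder for <portal SID>
DEFAULT_TICKET_CLIENT = "000"  # constructed value for UME property login.ticket_client
TENANT_TICKET_CLIENT = {"TenantA": "100", "TenantB": "800"}  # from the scenarios above

@dataclass(frozen=True)
class Ticket:
    portal_user: str
    client: str
    sid: str
    abap_user: str

def issue_ticket(user_id, tenant=None):
    """Fill the ticket fields as the two tables describe (no user mapping)."""
    if tenant is None:
        # Global user: uppercased ID, left empty when longer than 12 characters.
        abap_user = user_id.upper() if len(user_id) <= 12 else ""
        return Ticket(user_id, DEFAULT_TICKET_CLIENT, PORTAL_SID, abap_user)
    # Tenant user: portal user is <tenant_name>\<user ID>, client is the tenant's.
    return Ticket(f"{tenant}\\{user_id}", TENANT_TICKET_CLIENT[tenant],
                  PORTAL_SID, user_id)

def backend_accepts(acl, ticket):
    """acl: set of (issuing SID, client) pairs that one ABAP client trusts."""
    return (ticket.sid, ticket.client) in acl

def sources_trusted_by(acl):
    """Review helper: list which ticket sources a backend ACL admits."""
    admitted = sorted(t for t, c in TENANT_TICKET_CLIENT.items()
                      if (PORTAL_SID, c) in acl)
    if (PORTAL_SID, DEFAULT_TICKET_CLIENT) in acl:
        admitted.append("<global users>")
    return admitted

# ACLs as entered in the two scenarios: ABC client 100 trusts ticket client 100,
# ABC client 500 trusts ticket client 800.
ACL_ABC_100 = {(PORTAL_SID, "100")}
ACL_ABC_500 = {(PORTAL_SID, "800")}

if __name__ == "__main__":
    smith = issue_ticket("smith", "TenantA")
    print(smith, backend_accepts(ACL_ABC_100, smith), backend_accepts(ACL_ABC_500, smith))
    print(sources_trusted_by(ACL_ABC_500))
    print(issue_ticket("Administrator"))  # 13 characters, so no ABAP user name
```

Running `sources_trusted_by` over each backend's ACL entries is a quick way to confirm that a backend admits only the tenants it is meant to, since every tenant's tickets carry the same portal SID.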