Single Sign-On in a Complex System Landscape (SAP Library - User Authentication and Single Sign-On)

Single Sign-On in a Complex System Landscape

Setting up Single Sign-On (SSO) between two components is relatively straightforward, but how do you go about setting up SSO in a large system landscape with many different types of systems? This section provides an overview of the documentation from various areas and gives you guidelines on how to set up SSO across several systems. It takes a look at a typical scenario and guides you through the process of setting up SSO with SAP logon tickets for that scenario.

Authentication

There are many different authentication methods with which users can log on to a system. These depend on the type of system and include user ID and password, client certificates, SAML, and so on. For more information on the types of authentication supported by different systems, see:

· SAP Web AS ABAP: Authentication on the SAP Web Application Server ABAP.

· SAP Web AS Java: Authentication on J2EE Engine.

· SAP Enterprise Portal: Structure link Authentication.

Single Sign-On

In a complex system landscape with several components, the only way of guaranteeing SSO between all the components is to use the SAP logon ticket.

When setting up SSO with logon tickets, you need to identify one system as the ticket issuer. After a user logs on to a system using a supported authentication mechanism, the system issues the user a SAP logon ticket. We recommend that you identify one system in your system landscape as the ticket-issuing system and configure all other systems to accept tickets from this system. For example, if you have a portal in your system landscape, you could define this system to be the ticket-issuing system and, as a result, users would have to access all applications and services through the portal to ensure Single Sign-On.

Once you have defined one system to be the ticket-issuing system, you can configure all other components in the system landscape to accept tickets from this system. The following table provides an overview of where you can find documentation on setting up systems as ticket-issuing and ticket-accepting systems.

System	To configure the system as ticket issuer	To configure the system as ticket acceptor
SAP Web AS ABAP	Configuring the System for Issuing Logon Tickets	If the ticket-issuing system is an ABAP system: Configuring SAP Web AS ABAP to Accept Logon Tickets from SAP Web AS ABAP If the ticket-issuing system is a Web AS Java: Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine
SAP Web AS Java	Adjusting the Login Module Stacks for Using Logon Tickets	Configuring the J2EE Engine to Accept Logon Tickets
SAP Enterprise Portal	Configuring Portal Server for SSO with SAP Logon Tickets	Configuring the J2EE Engine to Accept Logon Tickets

Example

For a typical scenario involving several systems in which one system is identified as a ticket-issuing system and all other systems accept tickets from this system, see Scenario: SSO Between Portal, Web Dynpro, and ABAP Systems.