Using Logon Tickets for Single Sign-On
The J2EE Engine supports the use of logon tickets for Single Sign-On in an SAP system environment. In this case, the user authenticates him or herself using any of the supported authentication mechanisms. After successful authentication, the system issues the user a logon ticket, which he or she can use for access to successive systems.
The characteristics of a logon ticket include:
· The logon ticket is stored as a non-persistent cookie in the user’s Web browser with the name MYSAPSSO2. It is deleted when the user logs off or closes his or her Web browser.
· The maximum life span of the logon ticket is specified in the ticket-issuing system’s parameters.
· It contains the user’s ID, but not the user’s password. Instead, it is digitally signed by the ticket-issuing server. This digital signature is verified by the accepting systems before they allow user access.
When using logon tickets for Single Sign-On, you must set up one system as the ticket-issuing system. This may be the J2EE Engine, or it may be a different SAP system application server. You can then set up your J2EE Engine as well as other systems in your landscape to accept logon tickets.
On the J2EE Engine, you specify the use of logon tickets in the login module stacks for the corresponding applications.

Special Case: Authentication Assertion Ticket
For system connections between the SAP Web AS ABAP and a J2EE Engine using jRFC or HTTP, there is an additional ticket type called the authentication assertion ticket. This ticket is structured the same as the standard logon ticket and is used in a similar manner with the following restrictions:
· It is to be used for connections between systems where no user interaction is necessary.
· It is limited to one-time use. Once the ticket has been verified, it is deleted.
· It has a very limited validity period (a few seconds).
The configuration is the same as with the standard logon ticket with the exception that a specific login module exists for the assertion ticket.
· Users have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.
· The user has an account in the active user store on the SAP J2EE Engine.
· The end users’ Web browsers accept cookies.
In Internet Explorer 5.0, accept session cookies for the local intranet zone.
· Any Web servers or SAP Web AS servers (to include the SAP J2EE Engine) that are to accept the logon ticket as the authentication mechanism are located in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
· The clocks for the accepting systems are synchronized with the ticket-issuing system.
If you do not synchronize the clocks, then the accepting system may receive a logon ticket that is not yet valid, which causes an error.
· The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket.
· Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.
In the following, we describe the processes when the issuing or accepting server is the SAP J2EE Engine. Note, however, that depending on the scenario you use, other server components may act as the issuer or acceptor.
1. The user authenticates him or herself on the SAP J2EE Engine (for example, using user ID and password).
2. The SAP J2EE Engine verifies the user's information. If the authentication was successful, then the user is logged on to the server and the server issues him or her a ticket. The ticket is stored in the user's Web browser and used for access to successive systems.
When the user accesses the SAP J2EE Engine as an accepting system:
1. The Web browser sends the user's logon ticket with the access request.
2. The SAP J2EE Engine verifies the information contained in the ticket. This includes:
¡ Verifying the issuing server's digital signature.
¡ Making sure the ticket has been issued by a trusted server (either itself or a server listed in the corresponding access control list).
¡ Checking the expiration time.
If the ticket is valid and has been issued by a trusted server, then the user is granted access to the system.
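The accepting-system checks listed above (trusted issuer from the access control list, the issuer's digital signature, and the expiration time, plus the not-yet-valid case that arises from unsynchronized clocks), as an added Python illustration that is not SAP code: it uses a constructed ticket layout rather than the real MYSAPSSO2 encoding, an Ed25519 key pair from the `cryptography` package (assumed installed) standing in for the issuer's key pair and certificate, and constructed issuer IDs, user names and clock values; the `skew_s` tolerance is an assumption beyond what the page states.

```python
import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def issue_ticket(issuer_key, issuer_id, user_id, lifetime_s, now):
    """Issuing system: sign the user ID and validity window (no password is included)."""
    body = json.dumps({"iss": issuer_id, "user": user_id, "iat": now,
                       "exp": now + lifetime_s}, sort_keys=True).encode()
    return b".".join(base64.b64encode(p) for p in (body, issuer_key.sign(body))).decode()

def verify_ticket(ticket, acl, now, skew_s=0):
    """Accepting system. acl: trusted issuer ID -> public key from its certificate.
    skew_s is an assumed tolerance for clock drift. Returns (accepted, reason, user_id)."""
    try:
        body_b64, sig_b64 = ticket.split(".")
        body, sig = base64.b64decode(body_b64), base64.b64decode(sig_b64)
        c = json.loads(body)
        issuer, user, iat, exp = c["iss"], c["user"], int(c["iat"]), int(c["exp"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed ticket", None
    pub = acl.get(issuer)                  # trusted-server check against the ACL
    if pub is None:
        return False, "issuer not in ACL", None
    try:
        pub.verify(sig, body)              # issuer's digital signature over the body
    except InvalidSignature:
        return False, "signature invalid", None
    if iat > now + skew_s:                 # issuer clock ahead of ours: not yet valid
        return False, "not yet valid (clock skew)", None
    if exp < now - skew_s:                 # maximum life span reached
        return False, "expired", None
    return True, "ok", user

def demo():
    """Constructed scenario: one trusted issuer, one rogue key, fixed clock in epoch seconds."""
    now = 1_700_000_000
    trusted, rogue = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    acl = {"J2EE-A": trusted.public_key()}
    good = issue_ticket(trusted, "J2EE-A", "alice", 8 * 3600, now)
    early = issue_ticket(trusted, "J2EE-A", "alice", 3600, now + 600)  # issuer clock 10 min ahead
    return {
        "good": verify_ticket(good, acl, now),
        "expired": verify_ticket(good, acl, now + 9 * 3600),
        # rogue key signs a body naming the trusted issuer: ACL hit, but signature fails
        "forged": verify_ticket(issue_ticket(rogue, "J2EE-A", "alice", 3600, now), acl, now),
        "untrusted": verify_ticket(issue_ticket(rogue, "J2EE-B", "alice", 3600, now), acl, now),
        "early": verify_ticket(early, acl, now),             # rejected: clocks not synchronized
        "early_skew": verify_ticket(early, acl, now, 900),   # accepted only with tolerance
    }
```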
For information about the configuration of logon tickets, see Configuring the Use of Logon Tickets.