Appendix: SSO Starting an HTTP-Based Session (such as Web Dynpro, SAPGUI for HTML)

 

When you start a new browser session from within NWBC, whether SSO works depends on the combination of server and client configurations, as explained in the following. Some of these combinations require an additional logon, while for others SSO is sufficient. For example, no additional logon to a remote system is required when the logon system creates logon tickets that are trusted by the remote system. However, an additional logon is required when a user starts a session in a remote system while the logon system uses assertion tickets.

The table gives an overview of the possible server and client configurations that have an effect on SSO when you start a new browser session from within NWBC:

| Logon System / Remote System | Logon Ticket (MYSAPSSO2) | Assertion Ticket |
|---|---|---|
| Logon Ticket (MYSAPSSO2) | Session started in logon system: SSO; Session started in remote system: SSO[TRUST] | Session started in logon system: SSO[DOMCOOK]; Session started in remote system: Logon |
| Assertion Ticket | Session started in logon system: SSO; Session started in remote system: Logon[DOMCOOK] | Session started in logon system: SSO; Session started in remote system: Logon |

Note

The entry “SSO” in a table cell means that no additional logon is required. The entry “Logon” means that an additional logon is required unless a client certificate automates the logon process.

[TRUST]: A trusted relationship between the two systems must be configured correctly. The remote system must accept the MYSAPSSO2 ticket issued by the logon system.

[DOMCOOK]: If the MYSAPSSO2 cookie is issued for the domain rather than for the server only, and both systems are in the same domain, the cookie is sent to both systems. This might lead to the error “The system is unable to interpret the SSO2 ticket received” or to a similar error after the cookie has been issued. Therefore, in such hybrid scenarios you should configure the logon ticket to be issued for the server only. To do this, configure the parameter login/ticket_only_to_host in transaction RZ11.
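The [DOMCOOK] effect can be checked against captured Set-Cookie headers. The following is an added example, not SAP code: it models browser cookie scoping (RFC 6265) to show which systems receive a domain-wide MYSAPSSO2 cookie compared with a host-only one. The host names, header values and function names are constructed assumptions.

```python
# Added example: models browser cookie scoping (RFC 6265) for the logon ticket.
# Host names and Set-Cookie headers are constructed for illustration.
from http.cookies import SimpleCookie

LOGON = "erp.corp.example"    # constructed: logon system
REMOTE = "crm.corp.example"   # constructed: remote system, same DNS domain
HOSTS = [LOGON, REMOTE]

DOMAIN_WIDE = "MYSAPSSO2=CONSTRUCTED_TICKET; Domain=.corp.example; Path=/; Secure"
HOST_ONLY = "MYSAPSSO2=CONSTRUCTED_TICKET; Path=/; Secure"


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host is the cookie domain or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def ticket_recipients(set_cookie, issuing_host, hosts):
    """Hosts to which a browser would return the MYSAPSSO2 cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get("MYSAPSSO2")
    if morsel is None:
        return []
    domain = morsel["domain"]
    if not domain:
        # No Domain attribute: host-only cookie, returned to the issuer alone.
        return [h for h in hosts if h.lower() == issuing_host.lower()]
    if not domain_match(issuing_host, domain):
        return []  # browsers reject a Domain the issuing host does not belong to
    return [h for h in hosts if domain_match(h, domain)]


def unintended_recipients(set_cookie, issuing_host, hosts):
    """Systems other than the issuer that would also receive the ticket."""
    return [h for h in ticket_recipients(set_cookie, issuing_host, hosts)
            if h.lower() != issuing_host.lower()]


if __name__ == "__main__":
    for label, header in (("domain-wide", DOMAIN_WIDE), ("host-only", HOST_ONLY)):
        print(label, "->", unintended_recipients(header, LOGON, HOSTS))
```

A non-empty result for a system that uses assertion tickets, or that does not trust the issuer, marks the hybrid scenario in which the ticket should be issued for the server only.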