
Logon Tickets

For user authentication to multiple systems, SAP NetWeaver enables you to configure the use of logon tickets. Logon tickets let you provide and administer cookie-based user authentication for complex system landscapes.

For an overview of the authentication process when using logon tickets, see the figure below.

(Figure: Authentication with Logon Tickets)

When using logon tickets, one system in your landscape is set up to issue logon tickets to users. Users log on initially to this system to obtain the logon ticket. The issuing system uses cryptographic functions to digitally sign the logon ticket, thus certifying its authenticity. Users can then use the logon ticket to access other systems (SAP or non-SAP) that have an established trust relationship with the issuing system.

Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the accepting system has verified the logon ticket based on its trust relationship with the issuing system.

Prerequisites

AS ABAP systems that issue the logon tickets must be Release 4.6C or higher. SAP systems that are to accept the ticket have to meet the following release requirements:

  • Release 4.6A/B: 4.6D kernel as of patch level 74
  • Release 4.5: 4.5B kernel as of patch level 459
  • Release 4.0: 4.0B kernel as of patch level 758

For more information, see SAP Note 177895.

Security Considerations

When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the public information necessary to authenticate the user to additional systems without the need to interactively provide a password. The information contained in the logon ticket includes:

  • User ID - if the user has different user IDs in different systems, you can use a mapping system to map the user IDs across those systems. For more information, see Accessing Back-End Systems with a Different User ID.
  • Validity period
  • Issuing system
  • Digital signature - to guarantee the integrity and authenticity of the user's logon ticket, the SAP system that issues the ticket signs the ticket with its own digital signature.
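The following is an added example, not SAP code and not the actual SAP logon ticket format: it models the issuing and accepting sides with exactly the fields listed above (user ID, validity period, issuing system, digital signature). Ed25519 as the signature scheme, JSON as the ticket encoding and the `json:"..."` field names are assumptions chosen so the example runs with the Go standard library; in the deployment the signed ticket would travel in the non-persistent cookie.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Ticket carries what the page lists: user ID, validity period and issuing system.
// The digital signature is computed over the encoded ticket and travels with it.
type Ticket struct {
	UserID    string `json:"user"`
	Issuer    string `json:"issuer"`
	NotBefore int64  `json:"nbf"` // Unix seconds
	NotAfter  int64  `json:"exp"` // Unix seconds
}

// Issue is the issuing system's side: encode the ticket and sign it with the issuer's
// private key. Only the issuing system holds this key, which is why the page says to protect it.
func Issue(t Ticket, priv ed25519.PrivateKey) (body, sig []byte, err error) {
	if body, err = json.Marshal(t); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// Verify is the accepting system's side. It holds only the public keys of issuers it
// trusts and returns the user ID only if the issuer is trusted, the signature verifies
// over the exact bytes received, and now lies inside the validity period.
func Verify(body, sig []byte, trusted map[string]ed25519.PublicKey, now time.Time) (string, error) {
	var t Ticket
	if err := json.Unmarshal(body, &t); err != nil {
		return "", errors.New("malformed ticket")
	}
	pub, ok := trusted[t.Issuer] // trust relationship: unknown issuer means no key, no access
	if !ok {
		return "", errors.New("issuer not trusted: " + t.Issuer)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, body, sig) {
		return "", errors.New("signature invalid") // manipulated or forged ticket
	}
	if n := now.Unix(); n < t.NotBefore || n > t.NotAfter {
		return "", errors.New("ticket outside validity period")
	}
	return t.UserID, nil
}
```

Note that the accepting system never needs a password or the private key; an expired, altered or foreign ticket is rejected before any user ID is returned.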

Due to the nature of cookie technology, the logon ticket is sent by the user's Web browser to accessed servers within the DNS domain where the ticket issuing server is located, for example to all servers registered in the domain mycompany.com.

Caution

To protect the logon ticket from being sent to servers that should not receive it, we recommend using a separate domain for your ticket accepting systems (SAP and non-SAP) and restricting who can register new servers in that domain.

Because the ticket's authenticity rests on the issuing system's digital signature, when using logon tickets for authentication we recommend that you protect the application server's private key.

For more information, see Digital Signatures and Encryption.

In addition, we recommend that you also protect the logon ticket from being compromised or manipulated during transfer by using transport layer security solutions.

For more information, see Network and Transport Layer Security.

Configuration

For more information about configuring SAP NetWeaver systems to use logon tickets for authentication, see Using Logon Tickets.