
Using Logon Tickets

Use

You can use logon tickets to integrate applications running on SAP and non-SAP systems in SSO environments that are based on cookie technology.

For this SSO scenario, you configure a system such as a portal in your landscape to issue digitally signed logon tickets. Users authenticate initially to this system to obtain a logon ticket. After being issued, the logon ticket is stored as a digitally signed cookie in the user's Web browser and enables the user to log on transparently to trusting systems in the SSO environment.

Prerequisites
  • Users must have the same user ID in all of the systems they access using the logon ticket. If you have a portal, you can use an intermediary mapping system for the user IDs in different systems.

    For more information, see the portal documentation.

  • The Web clients of the application server users must be configured to accept cookies.

  • Systems that accept logon tickets access the issuing server's public-key certificate to verify the digital signature provided with the ticket. SAP NetWeaver Application Servers (AS ABAP and AS Java) receive a key pair and a self-signed public-key certificate during the installation process.

  • The clocks for the accepting systems are synchronized with the ticket-issuing system. If you do not synchronize the clocks, then the accepting system may receive a logon ticket with an invalid time stamp, which causes an error.

Integration

To ensure data integrity and non-repudiation, logon tickets are digitally signed by the issuing system. Therefore, to enable SSO, you must establish a trust relationship to the issuing system on the accepting system. SAP NetWeaver Application Server (AS) systems are shipped with the necessary functions and a Personal Storage Environment (PSE) to enable logon ticket verification.
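
The following added example (not SAP code and not the real logon ticket format) models the checks an accepting system makes according to the prerequisites and the paragraph above: a trust relationship to the issuer, signature verification with the issuer's public key, and a time stamp check that fails when clocks are not synchronized. The field layout, the function names, the validity period and the toy RSA key are assumptions made for illustration.

```python
import hashlib

# Toy textbook-RSA key standing in for the issuing system's key pair. Constructed
# for this example and far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the issuer

def _digest(payload: str, n: int) -> int:
    return int.from_bytes(hashlib.sha256(payload.encode()).digest(), "big") % n

def issue_ticket(user: str, issuer: str, issued_at: int, validity_s: int) -> str:
    """Issuing system: sign the user ID, issuer name and validity window."""
    payload = f"{user}|{issuer}|{issued_at}|{validity_s}"
    return f"{payload}|{pow(_digest(payload, N), D, N):x}"

def accept_ticket(ticket: str, trusted: dict, now: int) -> str:
    """Accepting system: uses only the issuer's public key and its own clock."""
    payload, _, sig = ticket.rpartition("|")
    try:
        user, issuer, issued_at, validity_s = payload.split("|")
        issued_at, validity_s, sig_int = int(issued_at), int(validity_s), int(sig, 16)
    except ValueError:
        return "reject: malformed ticket"
    if issuer not in trusted:
        return "reject: no trust relationship with issuer"
    n, e = trusted[issuer]
    if pow(sig_int, e, n) != _digest(payload, n):
        return "reject: signature check failed"
    if now < issued_at:
        return "reject: time stamp in the future (clock behind issuer?)"
    if now > issued_at + validity_s:
        return "reject: ticket expired"
    return f"accept: {user}"

# Constructed sample data: the issuer's clock reads T0 when the ticket is created.
T0 = 1_700_000_000
TRUSTED = {"PORTAL": (N, E)}  # public key as taken from the issuer's certificate
TICKET = issue_ticket("JDOE", "PORTAL", T0, 8 * 3600)

if __name__ == "__main__":
    print(accept_ticket(TICKET, TRUSTED, T0 + 60))    # synchronized clocks
    print(accept_ticket(TICKET, TRUSTED, T0 - 300))   # acceptor 5 minutes behind
    print(accept_ticket(TICKET.replace("JDOE", "ADMIN"), TRUSTED, T0 + 60))
    print(accept_ticket(TICKET, {}, T0 + 60))         # issuer not trusted
```

The second call shows the failure described in the prerequisites: the signature is valid, but the accepting system's clock makes the time stamp look invalid.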

The trusted systems management functions of the SAP NetWeaver Administrator enable you to manage the necessary trust relationships for integrating AS ABAP and AS Java systems in logon ticket-based SSO environments. You can use these functions to facilitate the remote configuration of trust relationships between SAP NetWeaver systems that are registered in System Landscape Directory (SLD) environments.

Note

Logon tickets use cookie technology to store persistent information about the authenticated user on the client. Therefore, for additional security we recommend that you protect the Web client's cookie cache and employ transport layer security mechanisms such as SSL.

Features

Logon tickets enable you to integrate SAP NetWeaver and non-SAP systems in an SSO environment. To use SSO with logon tickets, you configure a system in your landscape to authenticate users and issue a logon ticket upon successful authentication. Subsequently, users can transparently access systems that accept logon tickets for SSO.

For more information about logon tickets depending on the underlying technology of SAP NetWeaver, see the following topics:

Activities

You use the Trusted Systems > Single Sign-On with SAP Logon Tickets configuration functions in the SAP NetWeaver Administrator to configure logon ticket-based SSO in landscapes with systems supported by the AS ABAP or AS Java technology stacks of SAP NetWeaver.

For more information, see the following sections:

  1. Configure SAP NetWeaver server system to authenticate users and issue logon tickets

    1. Configure AS ABAP for issuing logon tickets

    2. Configure AS Java for issuing logon tickets

  2. Configure SAP NetWeaver server system to accept logon tickets

    1. Configure AS ABAP to accept logon tickets

    2. Configure AS Java to accept logon tickets