Authentication Assertion Tickets

Use

Authentication assertion tickets are a form of bearer token used by SAP NetWeaver Application Server (AS) to identify a user to another SAP NetWeaver AS. SAP NetWeaver AS issues the assertion ticket on behalf of the current user. SAP NetWeaver AS issues assertion tickets for all user types.

Example

A batch job triggers a Web service that calls another SAP NetWeaver AS. SAP NetWeaver AS issues an assertion ticket on behalf of a user, Giovanni Ricci, and logs on to the second SAP NetWeaver AS in Giovanni's name.

The figure below illustrates two systems, System A and System B, in a use case for assertion tickets. System A requests a resource from System B and issues an assertion ticket for the current user. System B reads the assertion ticket from the HTTP header and logs the current user on, provided the assertion ticket is still valid and System B trusts System A.

Figure 1: Architecture of Assertion Ticket Usage Scenario

Assertion tickets are carried in the HTTP header. They differ from logon tickets in the following ways:

  • Logon tickets are used for user-to-system communication, whereas assertion tickets are used for system-to-system communication.

  • Logon tickets are transmitted as cookies, whereas assertion tickets are transported as HTTP headers.

  • Validity of logon tickets is configurable, whereas the validity of assertion tickets is hard-coded (2 minutes).

  • Logon tickets never identify a recipient, as they target multiple systems. Assertion tickets are always issued for a single recipient.

Re-Entry Scenario

SAP NetWeaver AS issues an authentication assertion ticket for itself to enable users logged on with one front end to call the same application server in another front end, albeit with a new session. In this scenario, you do not need to configure trust, as SAP NetWeaver AS trusts itself implicitly.

Example

Giovanni Ricci is using SAP GUI to access an AS ABAP. The application calls an interactive Web application. Rather than force Giovanni to log on again, the AS ABAP issues an assertion ticket with the AS ABAP as the issuer and recipient, enabling Giovanni to log on with Single Sign-On.

Security Considerations

This ticket contains the public information necessary to authenticate the user to additional systems without the need to interactively provide a password. The information contained in the assertion ticket includes:

  • User ID

  • The UTC creation date

  • Issuing system, identified by SID and client ID

  • Receiving system, identified by SID and client ID

  • Digital signature

    To guarantee the integrity and authenticity of the assertion ticket, the SAP system that issues the ticket signs the ticket with its own digital signature.

    For more information, see Digital Signatures and Encryption and Network and Transport Layer Security .

Prerequisites
  • AS ABAP systems that issue assertion tickets must be release 6.40.

    For more information, see SAP Note 612670.

  • The system accepting the assertion ticket trusts the system issuing the assertion ticket.

  • The clocks are synchronized.

    The hard-coded 2 minute validity period leaves little room for tolerance.

  • The user ID of the current user is identical in the accepting and issuing systems.
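The checks an accepting system applies to the fields listed above, modelled as an added example (not SAP code): the ticket names a single recipient, the issuer must be trusted, the signature must verify, the creation time must lie within the 2-minute validity, and the user ID must exist locally. The field layout, the HMAC-SHA256 stand-in for the issuer's digital signature, the 5-second clock-skew allowance and all sample values are assumptions, not the real SAP ticket format.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

TICKET_VALIDITY = timedelta(minutes=2)   # hard-coded validity stated on the page
CLOCK_SKEW = timedelta(seconds=5)        # assumption: allowance for slightly unsynchronized clocks


@dataclass(frozen=True)
class AssertionTicket:
    # The fields the page lists; the real SAP wire format is not modelled here.
    user_id: str
    created_utc: datetime
    issuer: tuple          # (SID, client) of the issuing system
    recipient: tuple       # (SID, client) of the single intended recipient
    signature: bytes

    def payload(self) -> bytes:
        return "|".join([self.user_id, self.created_utc.isoformat(),
                         *self.issuer, *self.recipient]).encode()


def sign(key: bytes, payload: bytes) -> bytes:
    # HMAC-SHA256 stands in for the issuing system's digital signature (assumption).
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(key, user_id, now, issuer, recipient):
    unsigned = AssertionTicket(user_id, now, issuer, recipient, b"")
    return replace(unsigned, signature=sign(key, unsigned.payload()))


def accept_ticket(ticket, local_system, trusted_issuers, local_users, now):
    """Return 'ok' or the first failed check the accepting system applies."""
    if ticket.recipient != local_system:              # issued for a single recipient
        return "wrong recipient"
    key = trusted_issuers.get(ticket.issuer)          # trust must be configured
    if key is None:
        return "untrusted issuer"
    if not hmac.compare_digest(sign(key, ticket.payload()), ticket.signature):
        return "bad signature"
    age = now - ticket.created_utc                    # relies on synchronized clocks
    if age < -CLOCK_SKEW or age > TICKET_VALIDITY + CLOCK_SKEW:
        return "expired"
    if ticket.user_id not in local_users:             # same user ID in both systems
        return "unknown user"
    return "ok"
```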

Activities

To configure authentication assertion tickets, you follow the same procedures for configuring the issuing and acceptance of logon tickets.

For more information, see: