Logon Tickets

For user authentication to multiple systems, SAP NetWeaver enables you to configure the use of logon tickets. You can use logon tickets to provide and administer user authentication based on cookie technology for complex system landscapes.

For an overview of the authentication process when using logon tickets, see the figure below.

When using logon tickets, one system in your landscape is set up to issue logon tickets to users. Users log on initially to this system to obtain the logon ticket. The issuing system uses cryptographic functions to digitally sign the logon ticket, thus certifying its authenticity. Users can then use the logon ticket to access other systems (SAP or non-SAP) that have an established trust relationship with the issuing system.

Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the accepting system has verified the logon ticket based on its trust relationship with the issuing system.

Security Considerations

When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the public information necessary to authenticate the user to additional systems without the need to interactively provide a password. The information contained in the logon ticket includes:

  • User ID

    If the user has different user IDs in different systems, you can use a mapping system to map the user IDs across the various systems.

  • Validity period

  • Issuing system

  • Digital signature

    Digital signatures guarantee the integrity and authenticity of the user's logon ticket: the SAP system that issues the ticket signs it with its own digital signature.

Due to the nature of cookie technology, the logon ticket is sent by the user's Web browser to accessed servers within the DNS domain where the ticket issuing server is located, for example to all servers registered in the domain example.com.

Caution

To protect the logon ticket from being sent to servers that should not receive it, we recommend using a separate domain for your ticket accepting systems (SAP and non-SAP) and restricting the possibility to register new servers in this domain.

Because accepting systems rely on the issuing system's digital signature, we recommend that you protect the application server's private key when using logon tickets for authentication.

In addition, we recommend that you also protect the logon ticket from being compromised or manipulated during transfer by using transport layer security solutions.