
Authentication Assertion Tickets

Authentication assertion tickets are a form of bearer token used by SAP NetWeaver Application Server to identify a user to another SAP NetWeaver Application Server. SAP NetWeaver Application Server issues the assertion ticket on behalf of the current user, and it does so for all user types.

Example

A batch job triggers a web service that calls another SAP NetWeaver Application Server. SAP NetWeaver Application Server issues an assertion ticket on behalf of a user, Giovanni Ricci, and logs on to the second SAP NetWeaver Application Server in Giovanni's name.

The figure below illustrates two systems, System A and System B, in a use case for assertion tickets. System A requests a resource from System B and issues an assertion ticket for the current user. System B reads the assertion ticket from the HTTP header and logs the current user on, provided that the assertion ticket is still valid and that System B trusts System A.

Figure 1: Architecture of Assertion Ticket Usage Scenario

Assertion tickets are carried in the HTTP header. They differ from logon tickets in the following ways:

  • Logon tickets are used for user-to-system communication, whereas assertion tickets are used for system-to-system communication.

  • Logon tickets are transmitted as cookies, whereas assertion tickets are transported as HTTP headers.

  • The validity period of logon tickets is configurable, whereas the validity period of assertion tickets is hard-coded (2 minutes).

  • Logon tickets never identify a recipient, as they target multiple systems. Assertion tickets are always issued for a single recipient.

Re-Entry Scenario

SAP NetWeaver Application Server issues an authentication assertion ticket for itself to enable users logged on with one front end to call the same application server from another front end, albeit with a new session. In this scenario, you do not need to configure trust, as SAP NetWeaver Application Server trusts itself implicitly.

Example

Giovanni Ricci is using SAP GUI to access SAP NetWeaver Application Server for ABAP. The application calls an interactive Web application. Rather than force Giovanni to log on again, SAP NetWeaver Application Server for ABAP issues an assertion ticket with the SAP NetWeaver Application Server for ABAP as the issuer and recipient, enabling Giovanni to log on with single sign-on.

Security Considerations

This ticket contains the public information necessary to authenticate the user to additional systems without the need to interactively provide a password. The information contained in the assertion ticket includes:

  • User ID

  • The UTC creation date

  • Issuing system, identified by SID and client ID

  • Receiving system, identified by SID and client ID

  • Digital signature

    To guarantee the integrity and authenticity of the assertion ticket, the SAP system that issues the ticket signs the ticket with its own digital signature.

    For more information, see Digital Signatures and Encryption and Network and Transport Layer Security.

Prerequisites

  • SAP NetWeaver Application Server for ABAP systems that issue assertion tickets must be release 6.40.

    For more information, see SAP Note 612670.

  • The system accepting the assertion ticket trusts the system issuing the assertion ticket.

  • The system clocks of the issuing and accepting systems are synchronized.

    The hard-coded, 2-minute validity period leaves little tolerance for clock skew.

  • The user ID of the current user is identical in the accepting and issuing systems.
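The acceptance checks above (trusted issuer, valid signature, single named recipient, 2-minute window, identical user ID) as an added example, not SAP code and not SAP's ticket format: the ticket is modelled as a JSON object, and HMAC-SHA256 stands in for the issuing system's digital signature. The SIDs, clients, key and user ID are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Validity period stated on the page: hard-coded to 2 minutes.
ASSERTION_TICKET_VALIDITY = timedelta(minutes=2)

def issue_ticket(user_id, issuer, recipient, issuer_key, now):
    """Issuing system (System A): build the ticket fields and sign them.
    HMAC-SHA256 over canonical JSON is a stand-in for the real signature."""
    fields = {
        "user_id": user_id,
        "created_utc": now.isoformat(),
        "issuer_sid": issuer[0], "issuer_client": issuer[1],
        "recipient_sid": recipient[0], "recipient_client": recipient[1],
    }
    payload = json.dumps(fields, sort_keys=True).encode()
    fields["signature"] = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    return fields

def accept_ticket(ticket, me, trusted_issuers, local_users, now):
    """Receiving system (System B): apply the page's checks in order.
    Returns (accepted, reason)."""
    issuer = (ticket.get("issuer_sid"), ticket.get("issuer_client"))
    key = trusted_issuers.get(issuer)          # trust is configured per issuer
    if key is None:
        return False, "issuer not trusted"
    fields = {k: v for k, v in ticket.items() if k != "signature"}
    payload = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket.get("signature", "")):
        return False, "signature invalid"      # tampered or forged ticket
    if (ticket["recipient_sid"], ticket["recipient_client"]) != me:
        return False, "issued for another recipient"   # single-recipient rule
    age = now - datetime.fromisoformat(ticket["created_utc"])
    if age < timedelta(0) or age > ASSERTION_TICKET_VALIDITY:
        return False, "outside 2-minute validity window"  # clocks must agree
    if ticket["user_id"] not in local_users:
        return False, "user ID unknown in accepting system"  # same ID required
    return True, "accepted"

# Constructed sample data: System A (SID A01, client 100) issues for System B.
SYSTEM_A, SYSTEM_B = ("A01", "100"), ("B02", "200")
A_KEY = b"constructed-demo-key"
B_TRUSTED = {SYSTEM_A: A_KEY}
B_USERS = {"RICCIG"}
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
```

Calling `accept_ticket` with a `now` three minutes after `T0`, or with a ticket whose fields were altered after signing, returns a rejection with the reason that failed first.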

Activities

To configure authentication assertion tickets, you follow the same procedures as for configuring the issuing and acceptance of logon tickets.