Using Logon Tickets with the Portal

Use

Logon tickets represent the user's credentials. The portal server issues a logon ticket to a user after successful initial authentication. The ticket itself is stored as a cookie on the client and is sent with each request from that client. External applications that trust the issuing server can then use it to authenticate the portal user without any further user logon.

This section describes the portal-specific configuration needed to enable SSO with logon tickets.

Integration

Logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:

Portal user ID and one mapped user ID for SSO access with user mapping

Authentication scheme

Validity period

Information identifying the issuing system

Digital signature

When using logon tickets, one system must be the ticket-issuing system. This can either be the portal or another system. We recommend using the portal as the ticket-issuing system, since the portal can be a user's single point of access to all applications.

Features

Technically, Single Sign-On (SSO) with logon tickets works as follows:

If the portal is the ticket-issuing system:

  1. The first time the portal server starts, it generates a cryptographic key pair. The private part of this key is used for ticket generation (for the digital signature).
  2. Once the user has been successfully authenticated in the portal, the underlying AS Java of the portal issues a logon ticket to the user. This logon ticket is stored as a non-persistent cookie in the browser on the client.
  3. Each time the user tries to access an external system from the portal, the portal sends the logon ticket with the request to the external system.
  4. The external system checks that the logon ticket is valid by verifying the digital signature of the portal server. It uses the public key contained in the digital certificate of the portal server to verify this.
  5. If the logon ticket is valid, the external system extracts the user ID for that system from the logon ticket.
  6. The user is logged on to the external system without having to enter his or her user ID and password.

If another system is the ticket-issuing system:

  1. The Web browser sends the user's logon ticket with the access request.
  2. The underlying AS Java of the portal verifies the information contained in the ticket.
  3. If the ticket is valid and has been issued by a trusted server, then the user is granted SSO access to the portal.

The portal AS issues a logon ticket for the Internet domain or a subdomain of the portal only.
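The two flows above can be traced in code. The following Go program is an added illustration, not SAP's ticket format or portal code: it uses an Ed25519 key pair as a stand-in for the portal server's signing key and certificate, and a JSON payload as a stand-in for the proprietary ticket encoding. The system IDs, user names and authentication-scheme string are constructed. The issuer side carries the items the page lists (portal user ID, mapped user ID, authentication scheme, validity period, issuing system, signature, and no password); the component-system side performs steps 4 and 5 of the first list and the trust check of the second list, rejecting a ticket whose signature does not verify, whose issuer is not configured as trusted, or whose validity period does not cover the current time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Ticket carries the items the page lists as ticket content and, by design, no
// password. The field names and JSON layout are constructed for this example.
type Ticket struct {
	PortalUser string `json:"portal_user"` // portal user ID
	MappedUser string `json:"mapped_user"` // user ID in the component system (user mapping)
	AuthScheme string `json:"auth_scheme"` // authentication scheme
	NotBefore  int64  `json:"nbf"`         // validity period as Unix seconds
	NotAfter   int64  `json:"naf"`
	Issuer     string `json:"issuer"` // identifies the issuing system
}

// Issuer models the ticket-issuing system (here the portal). The key pair is
// generated once at start-up (step 1); only the private half ever signs.
type Issuer struct {
	ID      string
	private ed25519.PrivateKey
	Public  ed25519.PublicKey // given to component systems, in practice via the server certificate
}

func NewIssuer(id string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{ID: id, private: priv, Public: pub}, nil
}

// Issue produces the cookie value for an authenticated user (step 2):
// base64url(JSON ticket) "." base64url(signature over those JSON bytes).
func (is *Issuer) Issue(portalUser, mappedUser, scheme string, now time.Time, ttl time.Duration) (string, error) {
	t := Ticket{PortalUser: portalUser, MappedUser: mappedUser, AuthScheme: scheme,
		NotBefore: now.Unix(), NotAfter: now.Add(ttl).Unix(), Issuer: is.ID}
	payload, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(is.private, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verifier models a component system; it trusts only the issuer keys it was configured with.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey // issuer ID -> public key
}

func NewVerifier(trusted ...*Issuer) Verifier {
	v := Verifier{Trusted: map[string]ed25519.PublicKey{}}
	for _, is := range trusted {
		v.Trusted[is.ID] = is.Public
	}
	return v
}

var (
	ErrMalformed       = errors.New("ticket: malformed cookie value")
	ErrUntrustedIssuer = errors.New("ticket: issuer not trusted")
	ErrBadSignature    = errors.New("ticket: signature verification failed")
	ErrOutsideValidity = errors.New("ticket: outside validity period")
)

// Verify implements steps 4 and 5: check the signature under the trusted issuer's
// key, then the validity period, and only then release the mapped user ID. The
// issuer field is read before verification solely to select the key.
func (v Verifier) Verify(cookie string, now time.Time) (string, error) {
	parts := strings.Split(cookie, ".")
	if len(parts) != 2 {
		return "", ErrMalformed
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrMalformed
	}
	var t Ticket
	if err := json.Unmarshal(payload, &t); err != nil {
		return "", ErrMalformed
	}
	pub, ok := v.Trusted[t.Issuer]
	if !ok {
		return "", ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, payload, sig) {
		return "", ErrBadSignature
	}
	if now.Unix() < t.NotBefore || now.Unix() > t.NotAfter {
		return "", ErrOutsideValidity
	}
	return t.MappedUser, nil
}
```

The order of checks in Verify matters: the issuer name taken from the payload is only used to look up a key, and nothing else in the payload (user IDs, validity window) is acted on until the signature has verified under that key. A component system that trusts several issuing systems would hold one public key per issuer in the same map, which is what the portal-side trust configuration in the "Activities" section sets up.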

Activities

To allow SSO using logon tickets between the portal and its component systems, you perform the following steps:

  1. Configure the portal server to allow SSO with logon tickets. See Configuring Portal Server for SSO with Logon Tickets.
  2. Configure the component systems to accept and verify logon tickets. See Configuring Component Systems to Accept Portal Logon Tickets.