How it Works

Use

To enable Single Sign-On (SSO) to servers in other domains, logon tickets must be issued for the other domains. To this end, the Web browser sends the logon ticket issued by the portal to the servers in the other domains. These servers must be able to react to this information and issue the mysapsso2 cookie that contains the logon ticket for a new domain. The information in the tickets stays the same; in particular, the tickets are all digitally signed with the portal certificate.

For this, the following components are required:

  • A portal to which users log on first

    This portal contains a component that sends the logon ticket to the servers in the other domains. This is a hidden iView integrated in the initial portal page that sends a request to a server in each domain.

  • A server with 'receiver software' in each of the required domains

    To be able to react to the requests, the server must have 'receiver software' that is able to receive a logon ticket and issue the same ticket for the server's domain. Receiver software can be, for example, a portal or custom Java Server Pages or Active Server Pages.

Prerequisites

  • To issue multiple logon tickets, you need at least one server with receiver software in each domain to which you require SSO. A receiver server must be one of the following:
    • A portal server
    • A Web server with the Web server filter for logon tickets installed. For more information about where to get the Web server filter and how to install it, see SAP Notes 442401 and 723896.
    • A server that has custom software to issue logon tickets for its domain.
  • On the portal on which users log on first, you have configured the names of the servers with receiver software in the UME property ume.login.mdc.hosts as described in Configuring Logon Tickets for Multiple Domains.

Features

The following diagram describes how the process works for an example scenario with a portal in the domain mycompany.com where SSO is required for the domains mycompany.ie and mycompany.de.

  1. The user sends a request to the portal.
  2. The portal authenticates the user and issues a logon ticket for the domain mycompany.com.
  3. A hidden iView in the initial portal page sends a request including the logon ticket to each of the servers defined in the UME property ume.login.mdc.hosts.
  4. Each of the servers issues the same logon ticket for its domain.

    These tickets are all digitally signed with the public key of the portal. The only difference is the content of the domain field in the ticket.

    The tickets are stored as cookies in the user's browser and are sent with each request to the corresponding domain.
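
The cookie scoping behind steps 1 to 4, modelled as an added example (not SAP code and not code from this page): a browser cookie jar using RFC 6265 domain matching shows why the portal's ticket never reaches mycompany.de until a receiver there reissues it. The hostnames, the ticket value and the way the ticket is handed to the receiver are assumptions, and signature checking is outside what the model covers.

```javascript
// Constructed model: hostnames, ticket value and hand-off to the receiver are assumptions.
const TICKET = "constructed-ticket-value"; // placeholder, not a real logon ticket
const COOKIE = "mysapsso2";                // cookie name as written on this page

// RFC 6265 section 5.1.3 domain-match: the exact host, or a subdomain of the cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // A browser ignores a Set-Cookie whose Domain does not domain-match the responding
  // host, so the portal cannot set the ticket cookie for another domain itself.
  set(responseHost, name, value, domain) {
    if (!domainMatch(responseHost, domain)) return false;
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain });
    return true;
  }
  // Cookies the browser attaches to a request for `host`.
  sentTo(host) {
    return this.cookies.filter(c => domainMatch(host, c.domain)).map(c => c.name + "=" + c.value);
  }
}

// Receiver software: issues the same ticket value as a cookie for its own domain.
function receiverReissue(jar, receiverHost, receiverDomain, ticket) {
  return jar.set(receiverHost, COOKIE, ticket, receiverDomain);
}

function simulate() {
  const jar = new CookieJar();
  // Steps 1-2: the portal authenticates the user and issues the ticket for mycompany.com.
  jar.set("portal.mycompany.com", COOKIE, TICKET, "mycompany.com");
  const before = jar.sentTo("app.mycompany.de").length;
  // The portal trying to set the cookie for mycompany.de directly is refused.
  const crossSet = jar.set("portal.mycompany.com", COOKIE, TICKET, "mycompany.de");
  // Steps 3-4: the hidden iView calls each host in ume.login.mdc.hosts (assumed values).
  const mdcHosts = [["sso.mycompany.ie", "mycompany.ie"], ["sso.mycompany.de", "mycompany.de"]];
  for (const [host, domain] of mdcHosts) receiverReissue(jar, host, domain, TICKET);
  return { before, crossSet, total: jar.cookies.length,
           afterDe: jar.sentTo("app.mycompany.de"), afterIe: jar.sentTo("app.mycompany.ie") };
}
```

Because every receiver in the list ends up issuing a valid session cookie for its own domain, the contents of ume.login.mdc.hosts define how far one portal logon reaches and are worth reviewing as part of the trust boundary.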