To enable Single Sign-On (SSO) to servers in other domains, logon tickets must also be issued for those other domains. To do this, the Web browser sends the logon ticket issued by the portal to a server in each of the other domains. These servers must be able to react to this request and issue the mysapsso2 cookie containing the logon ticket for their own domain. The information in the tickets stays the same; in particular, all of the tickets carry the portal's digital signature, so every receiving server verifies them against the portal certificate rather than signing anything itself.
For this, the following components are required:
The portal contains a component that sends the logon ticket to the servers in the other domains. This is a hidden iView integrated in the initial portal page that sends one request to a server in each domain.
To be able to react to these requests, each such server needs 'receiver software' that can receive a logon ticket and issue the same ticket as a cookie for the server's own domain. Receiver software can be another portal, or custom Java Server Pages or Active Server Pages, for example. Because the request is nothing more than an HTTP request carrying a ticket, the receiver must verify the ticket's signature against the portal certificate before it issues the cookie; otherwise any client could obtain a cookie for that domain by presenting a forged ticket.
The following diagram describes how the process works for an example scenario with a portal in the domain mycompany.com, where SSO is also required for the domains mycompany.ie and mycompany.de.
These tickets are all digitally signed with the portal's private key, and the receiving servers verify the signature with the portal's public key (the portal certificate). The ticket content is identical in every domain; the only difference is the domain for which the cookie carrying it is set.
The tickets are stored as cookies in the user's browser, and the browser sends each cookie with every request to the domain for which it was issued, so a server in mycompany.de never sees the cookie issued for mycompany.ie.