Using Logon Tickets
You can use logon tickets to integrate applications running on SAP and non-SAP systems in single sign-on (SSO) environments based on cookie technology.
For this SSO scenario, you configure a system in your landscape to issue digitally signed logon tickets. Users authenticate initially to this system to obtain a logon ticket. After being issued, the logon ticket is stored as a digitally signed cookie in the user’s Web browser and enables the user to log on transparently to trusting systems in the SSO environment.
To ensure data integrity and non-repudiation, logon tickets are digitally signed by the issuing system. Therefore, to enable SSO, on the accepting system you must establish a trust relationship to the issuing system. SAP NetWeaver application server systems are shipped with the necessary functions and a Personal Storage Environment (PSE) to enable logon ticket verification.
The Trusted Systems management functions of the SAP NetWeaver Administrator enable you to manage the necessary trust relationships for integrating AS ABAP and AS Java systems in logon ticket-based SSO environments. You can use these functions to facilitate the remote configuration of trust relationships between SAP NetWeaver systems that are registered in System Landscape Directory (SLD) environments.

Logon tickets use cookie technology to save persistency information about the authenticated user on the client. Therefore, for additional security we recommend that you protect the Web client’s cookie cache and employ transport layer security mechanisms such as SSL.
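As an added example (not part of the SAP documentation), the following Python check audits how a ticket-issuing system sets the logon ticket cookie, in line with the recommendation above. It assumes the cookie name MYSAPSSO2, which this page does not state; the sample headers and the example.com domain are constructed.

```python
# Added example: audit the Set-Cookie header that carries the logon ticket.
# Assumption: the ticket cookie is named MYSAPSSO2 (name not given on this page).
TICKET_COOKIE = "MYSAPSSO2"

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_ticket_cookie(set_cookie_headers, request_scheme):
    """Return {'issues': [...], 'domain': str} for the ticket cookie, or None if absent."""
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != TICKET_COOKIE:
            continue
        issues = []
        if request_scheme != "https":
            issues.append("ticket issued over an unencrypted connection")
        if "secure" not in attrs:
            issues.append("missing Secure attribute")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly attribute")
        # A cookie with a lifetime is persisted in the browser's cookie cache.
        if "expires" in attrs or "max-age" in attrs:
            issues.append("persistent cookie stored in the client cache")
        # The Domain attribute decides which hosts receive the ticket; report it for review.
        return {"issues": issues, "domain": attrs.get("domain", "").lstrip(".")}
    return None

# Constructed sample responses (not captured from a real system).
WEAK = [
    "JSESSIONID=abc; Path=/; HttpOnly",
    "MYSAPSSO2=CONSTRUCTED_TICKET; Path=/; Domain=.example.com; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
HARDENED = ["MYSAPSSO2=CONSTRUCTED_TICKET; Path=/; Domain=.example.com; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers, scheme in (("weak", WEAK, "http"), ("hardened", HARDENED, "https")):
        print(label, audit_ticket_cookie(headers, scheme))
```

Every host under the reported domain receives the ticket, so each of them needs TLS and should be a system you intend to trust.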
● Users must have the same user ID in all of the systems they access using the logon ticket. In the case where users have different user IDs, you have to use an intermediary mapping system for the user IDs in different systems.
For more information, see Configuring User Mapping with Tickets for SSO.
● The Web clients of the application server users must be configured to accept cookies.
● Systems that accept logon tickets access the issuing server's public-key certificate to verify the digital signature provided with the ticket. SAP NetWeaver application servers (AS ABAP and AS Java) receive a key pair and a self-signed public-key certificate during the installation process.
● The clocks for the accepting systems are synchronized with the ticket-issuing system. If you do not synchronize the clocks, then the accepting system may receive a logon ticket with an invalid timestamp, which causes an error.
Logon tickets enable you to integrate SAP NetWeaver and non-SAP systems in an SSO environment. To use SSO with logon tickets, you configure a system in your landscape to authenticate users and issue a logon ticket upon successful authentication. Subsequently, users can transparently access systems that accept logon tickets for SSO.
For more information about logon tickets depending on the underlying technology of SAP NetWeaver, see Using Logon Tickets with AS Java.
For information about configuring a portal system to issue and accept logon tickets, see Configuring the Portal for SSO with Logon Tickets.
The portal primarily uses the supporting functions of the AS Java for SSO purposes with additional configurations to correspond to its role in your system landscape.
You use the Trusted Systems → Single Sign-On with SAP Logon Tickets configuration functions in the SAP NetWeaver Administrator to configure logon ticket-based SSO in landscapes with systems supported by the AS ABAP or AS Java technology stacks of SAP NetWeaver.
For more information, see the following sections:
● Configuring the AS Java to Issue Logon Tickets
● Configuring the AS Java to Accept Logon Tickets