
Configuring the AS Java to Accept Logon Tickets

Use

The AS Java uses the EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the AS Java verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the AS Java authenticates the user.

Note

When you use authentication assertion tickets for SSO between the AS ABAP and the AS Java, the corresponding module is EvaluateAssertionTicketLoginModule.

Prerequisites

      To use the wizard-based management for configuring logon tickets, the ticket-issuing server must be maintained in a System Landscape Directory (SLD).

      To check the validity of a user’s logon ticket, the AS Java must be able to verify the issuing server’s digital signature.

       If the AS Java is both the ticket-issuing server and the accepting server, then it can automatically verify its own digital signature.

       If the ticket-issuing server is a different one, then this server’s public-key certificate must be available in the keystore view that the AS Java uses for verifying logon tickets.

Note 

If the wizard-based configuration cannot meet your requirements, for example, if you need a configuration for logon tickets that differs from the SSO configuration for assertion tickets, see Manual AS Java Configuration for Accepting Logon Tickets.

Procedure

The Trusted Systems Single Sign-On with SAP Logon Ticket configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the AS Java.

       1.      Open the Single Sign-On with Logon Tickets configuration wizard by navigating to Configuration Management → Security Management → Trusted Systems.

       2.      From the Trusted Systems tab, switch to Edit mode.

       3.      Choose Add Trusted System to launch the SSO2 Wizard. For each of the wizard screens, proceed as shown below:

Select Ticket Issuing System

                            a.      Select the Landscape Type from the dropdown list and choose Go to show the available systems. You can optionally filter displayed results with the provided text input box.

                            b.      Select the ticket-issuing system from the displayed results and choose Ok to proceed to the next step of the wizard.

Provide Connection Data

                            a.      For AS ABAP systems, choose the Client to connect to.

                            b.      Provide the Username and Password to use for the connection to the selected system.

The remaining Connection Properties for the selected system are automatically displayed.

                            c.      Choose Next to proceed with the wizard.

Upload Certificate

This step is executed if the AS Java cannot retrieve the certificate for the ticket-issuing system from the SLD.

                            a.      Using the provided dialog box, upload the X.509 certificate for the ticket-issuing system.

Review and Add Issuing System

                            a.      Review the configuration details for the ticket-issuing system and choose Next to proceed or Back to make additional changes.

Final

The final result from adding the system is displayed. Choose Close to complete the wizard.

       4.      Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the AS Java policy configurations of the application components that accept logon tickets for SSO.

                            a.      From the authentication configuration functions of the NWA, choose the Components tab. For more information, see Managing Authentication Policy.

                            b.      Choose the policy configuration for the application component to accept logon tickets from the Component Policy Configurations table.

                            c.      From the Authentication Stack tab, add the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stack for the policy configuration.

Caution

Global changes to login module options that you make from the Login Module tab of the authentication management functions in NWA are inherited by the login module stacks where the login module is used.

Alternatively, you can change the options for the login module stacks in each of the policy configurations. However, if you do make changes to the policy configurations, then changes in the login module in the user store are no longer inherited by the policy configurations for the applications. In this case, the fully qualified name of the login module is displayed in the login module stack.

Result

After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems List table. The AS Java accepts logon tickets that have been issued by the corresponding server.
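
The certificate uploaded in the Upload Certificate step is what the AS Java uses to verify ticket signatures, so it is worth confirming the file before uploading it. The shell script below is an added example, not part of the SAP documentation. It assumes the OpenSSL command-line tool is available; the function names, the sample certificate and the fingerprint value are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks to run on a ticket issuer's certificate before upload.
# Function names and the sample certificate are constructed for illustration.

# Run "openssl x509 -noout ..." on file $1, trying PEM first, then DER.
x509() {
    x509_file=$1; shift
    openssl x509 -in "$x509_file" -noout "$@" 2>/dev/null ||
        openssl x509 -in "$x509_file" -inform DER -noout "$@" 2>/dev/null
}

# Print the SHA-256 fingerprint as lowercase hex without separators.
cert_fingerprint() {
    fp_out=$(x509 "$1" -fingerprint -sha256) || return 1
    printf '%s\n' "${fp_out#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# check_issuer_cert FILE EXPECTED_SHA256 [MIN_DAYS]
# Returns 0 only if FILE is a certificate whose fingerprint equals the value
# obtained out of band from the issuing system's administrator and which
# remains valid for at least MIN_DAYS (default 30) more days.
check_issuer_cert() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(cert_fingerprint "$1") || { echo "not an X.509 certificate" >&2; return 2; }
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 3; }
    x509 "$1" -checkend $(( ${3:-30} * 86400 )) >/dev/null ||
        { echo "expires within ${3:-30} days" >&2; return 4; }
    x509 "$1" -subject -enddate
}

# Constructed sample: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-ticket-issuer" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo; the expected value is read from the sample itself here, in practice
# it is communicated separately by the issuing system's administrator.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/issuer.pem" 90
check_issuer_cert "$demo_dir/issuer.pem" "$(cert_fingerprint "$demo_dir/issuer.pem")"
rm -rf "$demo_dir"
```

A non-zero return code identifies the failed check: 2 for an unparseable file, 3 for a fingerprint mismatch, 4 for a certificate that expires too soon.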

 

See also:

Testing the Use of Logon Tickets

Sample Login Module Stacks for Using Logon Tickets

 

 
