Using Logon Tickets with AS ABAP
The AS ABAP enables you to use SSO with logon tickets, either as the ticket-issuing system or as a ticket-accepting system. After receiving a logon ticket, AS ABAP users can access other systems in the SSO environment using the logon ticket for authentication instead of repeatedly entering their user ID and password.
· Users need to have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.
· End users need to configure their Web browsers to accept cookies.
· Any systems that accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server. The ticket is stored in a browser cookie scoped to that domain, so the browser sends it only to servers in the domain; it cannot be used for authentication to servers outside of this domain. Because the ticket is a bearer credential, all systems in the domain should be reached over HTTPS so that the cookie is never sent in clear text.
· The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket. The AS Java and AS ABAP receive a key pair and a self-signed public-key certificate during the installation process.
By default, the AS ABAP uses the system Personal Security Environment (system PSE) for storing these keys, however, you may need to use a different PSE in the following cases:
○ If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.
○ If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.
· Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket. Therefore, the issuing server’s public-key certificate needs to be added to the accepting system's certificate list.
○ For landscapes that include only AS ABAP systems you can use the SSO administration wizard (transaction SSO2) to automatically establish the configuration for the accepting system.
○ For system landscapes with AS Java and AS ABAP systems you can use the Trusted Systems → Single Sign-On with SAP Logon Tickets configuration functions of the Web-based SAP NetWeaver Administrator (NWA) to establish trust between a ticket-issuing and a ticket-accepting system registered in a System Landscape Directory.
You can configure the AS ABAP to act as a ticket-issuing and a ticket-accepting system in your landscape. For more information about the authentication flow, see the following sections:
...
1. The user authenticates on the AS ABAP (for example, with user ID and password).
2. The AS ABAP verifies the user's information. If the authentication was successful, the user is logged on to the server and a logon ticket is issued to the user.
3. The user's Web browser stores the logon ticket and uses it for authentication to ticket-accepting systems.
...
1. The Web browser sends the user's logon ticket with the access request.
2. The AS ABAP verifies the information contained in the ticket, as follows:
a. Verifies the issuing server's digital signature using the issuer's public-key certificate from the certificate list, that is, based on the established trust relationship with the ticket-issuing system.
b. Makes sure the ticket has been issued by a trusted server (either itself or a server listed in the corresponding access control list).
c. Checks the expiration time.
If the ticket is valid and has been issued by a trusted server, the user is granted access to the system under the user ID contained in the ticket, which must exist on the accepting system.
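The issuing flow (authenticate, sign, hand the ticket to the browser) and the accepting flow (verify signature against the certificate list, check the issuer against the ACL, check expiry, map to a local user) as one runnable Go program. This is an added example, not SAP code, and it does not reproduce the real MYSAPSSO2 cookie layout: the ticket here is a constructed "payload.signature" string with user, issuer and expiry separated by "|", and the issuer identifiers (ABC/100, XYZ/100, QQQ/100), user IDs and RSA/SHA-256 signing are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket is a simplified stand-in for an SAP logon ticket (assumed layout, not MYSAPSSO2).
type Ticket struct {
	User    string    // user ID; must exist with the same name on the accepting system
	Issuer  string    // identifier of the issuing server, e.g. SID/client (assumed format)
	Expires time.Time // ticket validity end
}

// payload serialises the signed part; fields may not contain "|".
func (t Ticket) payload() string {
	return strings.Join([]string{t.User, t.Issuer, t.Expires.UTC().Format(time.RFC3339)}, "|")
}

// Issue is the issuing side: after a successful logon the server signs the ticket
// with its private key and returns the cookie value handed to the browser.
func Issue(t Ticket, issuerKey *rsa.PrivateKey) (string, error) {
	payload := []byte(t.payload())
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, issuerKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(payload) + "." + base64.StdEncoding.EncodeToString(sig), nil
}

// Acceptor models the accepting system's trust configuration.
type Acceptor struct {
	Certs map[string]*rsa.PublicKey // certificate list: issuer -> public key
	ACL   map[string]bool           // issuers allowed to log users on here
	Users map[string]bool           // local user IDs
	Now   func() time.Time          // injectable clock for the expiry check
}

var (
	ErrMalformed     = errors.New("malformed ticket")
	ErrUnknownIssuer = errors.New("issuer certificate not in certificate list")
	ErrBadSignature  = errors.New("signature verification failed")
	ErrNotTrusted    = errors.New("issuer not in access control list")
	ErrExpired       = errors.New("ticket expired")
	ErrNoSuchUser    = errors.New("no local user with this ID")
)

// Accept runs checks a, b and c from the text and returns the local user ID on success.
func (a Acceptor) Accept(cookie string) (string, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return "", ErrMalformed
	}
	payload, err1 := base64.StdEncoding.DecodeString(parts[0])
	sig, err2 := base64.StdEncoding.DecodeString(parts[1])
	fields := strings.Split(string(payload), "|")
	if err1 != nil || err2 != nil || len(fields) != 3 {
		return "", ErrMalformed
	}
	user, issuer, expStr := fields[0], fields[1], fields[2]
	pub, ok := a.Certs[issuer] // a. signature with the issuer's certificate from the list
	if !ok {
		return "", ErrUnknownIssuer
	}
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", ErrBadSignature
	}
	if !a.ACL[issuer] { // b. issuer must be a trusted server (ACL)
		return "", ErrNotTrusted
	}
	exp, err := time.Parse(time.RFC3339, expStr) // c. expiration time
	if err != nil {
		return "", ErrMalformed
	}
	if !a.Now().Before(exp) {
		return "", ErrExpired
	}
	if !a.Users[user] { // same user ID requirement from the prerequisites
		return "", ErrNoSuchUser
	}
	return user, nil
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo builds a trusted issuer, one issuer that is in the certificate list but not
// the ACL, and an unknown issuer, then runs Accept over constructed tickets.
func Demo() map[string]error {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	trusted, listedOnly, rogue := mustKey(), mustKey(), mustKey()
	acc := Acceptor{
		Certs: map[string]*rsa.PublicKey{"ABC/100": &trusted.PublicKey, "XYZ/100": &listedOnly.PublicKey},
		ACL:   map[string]bool{"ABC/100": true},
		Users: map[string]bool{"ALICE": true},
		Now:   func() time.Time { return now },
	}
	mk := func(user, issuer string, ttl time.Duration, key *rsa.PrivateKey) string {
		c, err := Issue(Ticket{User: user, Issuer: issuer, Expires: now.Add(ttl)}, key)
		if err != nil {
			panic(err)
		}
		return c
	}
	good := mk("ALICE", "ABC/100", 8*time.Hour, trusted)
	r := map[string]error{}
	_, r["valid"] = acc.Accept(good)
	_, r["expired"] = acc.Accept(mk("ALICE", "ABC/100", -time.Minute, trusted))
	_, r["not in ACL"] = acc.Accept(mk("ALICE", "XYZ/100", 8*time.Hour, listedOnly))
	_, r["unknown issuer"] = acc.Accept(mk("ALICE", "QQQ/100", 8*time.Hour, rogue))
	_, r["forged issuer"] = acc.Accept(mk("ALICE", "ABC/100", 8*time.Hour, rogue)) // rogue key, trusted name
	_, r["no local user"] = acc.Accept(mk("BOB", "ABC/100", 8*time.Hour, trusted))
	p := strings.SplitN(good, ".", 2) // tamper: change the user, keep the old signature
	payload, _ := base64.StdEncoding.DecodeString(p[0])
	forged := base64.StdEncoding.EncodeToString([]byte(strings.Replace(string(payload), "ALICE", "ADMIN", 1)))
	_, r["tampered"] = acc.Accept(forged + "." + p[1])
	return r
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

The order of the checks mirrors the text: a signature that does not verify is rejected before the ACL or clock is consulted, and an issuer whose certificate is in the list but not in the ACL is still refused, which is why both the certificate list and the ACL have to be maintained on the accepting system.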
For more information about configuring the AS ABAP to issue and accept logon tickets, see the following sections:
· Configuring the AS ABAP to issue logon tickets
· Configuring the AS ABAP to accept logon tickets