Single Sign-On in a System Landscape (SAP Library - User Authentication and Single Sign-On)

Single Sign-On in a System Landscape

Setting up Single Sign-On (SSO) between two components is relatively straightforward, but how do you go about setting up SSO in a large system landscape with many different types of systems? This section provides an overview of the documentation from various areas and gives you guidelines on how to set up SSO across several systems. It takes a look at a typical system landscape and guides you through the process of setting up SSO with ogon tickets for that scenario.

Authentication

There are many different authentication methods with which users can log on to a system. These depend on the type of system and include user ID and password, client certificates, SAML, and so on. For more information on the types of authentication supported by different systems, see:

● AS ABAP: Authentication on the AS ABAP

● AS Java: Authentication on the AS Java

● Portal: Authentication

Single Sign-On

In a complex system landscape with several components, the only way of guaranteeing SSO between all the components is to use the logon ticket.

When setting up SSO with logon tickets, you need to identify one system as the ticket issuer. After a user logs on to a system using a supported authentication mechanism, the system issues the user a logon ticket. We recommend that you identify one system in your system landscape as the ticket-issuing system and configure all other systems to accept tickets from this system. For example, if you have a portal in your system landscape, you could define this system to be the ticket-issuing system and, as a result, users would have to access all applications and services through the portal to ensure Single Sign-On.

Once you have defined one system to be the ticket-issuing system, you can configure all other components in the system landscape to accept tickets from this system. The following table provides an overview of where you can find documentation on setting up systems as ticket-issuing and ticket-accepting systems.

System	To configure the system as ticket issuer	To configure the system as ticket acceptor
AS ABAP	Configuring the System for Issuing Logon Tickets	If the ticket-issuing system is an AS ABAP: Configuring SAP Web AS ABAP to Accept Logon Tickets from SAP Web AS ABAP If the ticket-issuing system is an AS Java: Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine
AS Java	Adjusting the Login Module Stacks for Using Logon Tickets	Configuring the J2EE Engine to Accept Logon Tickets
Portal	Configuring Portal Server for SSO with SAP Logon Tickets	Configuring the J2EE Engine to Accept Logon Tickets

Example

For a typical scenario involving several systems in which one system is identified as a ticket-issuing system and all other systems accept tickets from this system, see SSO Between Portal, Web Dynpro, and ABAP Systems.