Setting up Single Sign-On (SSO) between two components is relatively straightforward, but how do you go about setting up SSO in a large system landscape with many different types of systems? This section provides an overview of the documentation from various areas and gives you guidelines on how to set up SSO across several systems. It takes a look at a typical system landscape and guides you through the process of setting up SSO with logon tickets for that scenario.
There are many different authentication methods with which users can log on to a system. These depend on the type of system and include user ID and password, client certificates, SAML, and so on. For more information on the types of authentication supported by different systems, see:
● AS ABAP: Authentication on the AS ABAP
● AS Java: Authentication on the AS Java
● Portal: Authentication
In a complex system landscape with several components, the only way of guaranteeing SSO between all the components is to use the logon ticket.
When setting up SSO with logon tickets, you need to identify one system as the ticket issuer. After a user logs on to a system using a supported authentication mechanism, the system issues the user a logon ticket. We recommend that you identify one system in your system landscape as the ticket-issuing system and configure all other systems to accept tickets from this system. For example, if you have a portal in your system landscape, you could define this system to be the ticket-issuing system and, as a result, users would have to access all applications and services through the portal to ensure Single Sign-On.
Once you have defined one system to be the ticket-issuing system, you can configure all other components in the system landscape to accept tickets from this system. The following table provides an overview of where you can find documentation on setting up systems as ticket-issuing and ticket-accepting systems.
| System | To configure the system as ticket issuer | To configure the system as ticket acceptor |
|---|---|---|
| AS ABAP | | If the ticket-issuing system is an AS ABAP: Configuring SAP Web AS ABAP to Accept Logon Tickets from SAP Web AS ABAP. If the ticket-issuing system is an AS Java: Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine |
| AS Java | | |
| Portal | | |
For a typical scenario involving several systems in which one system is identified as a ticket-issuing system and all other systems accept tickets from this system, see SSO Between Portal, Web Dynpro, and ABAP Systems.
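The one-issuer recommendation above can be checked against the AS ABAP systems in a landscape. The following is an added example, not part of the SAP documentation: it reads the profile parameters `login/create_sso2_ticket` and `login/accept_sso2_ticket` from instance-profile excerpts and reports any system that deviates from the model. The SIDs, the sample profiles, and the finding codes are constructed; the check covers only these two parameters and only AS ABAP systems.

```python
import re

# Constructed sample: instance-profile excerpts for three AS ABAP systems.
# The SIDs are hypothetical. A parameter that is missing here falls back to
# the release default on a real system, so it is reported rather than guessed.
PROFILES = {
    "PRD": "login/create_sso2_ticket = 2\nlogin/accept_sso2_ticket = 1\n",
    "CRM": "login/create_sso2_ticket = 0\nlogin/accept_sso2_ticket = 1\n",
    "BWP": "# copied from PRD\nlogin/create_sso2_ticket = 2\n"
           "login/accept_sso2_ticket = 0\n",
}

# Matches active (not commented-out) settings of the two ticket parameters.
PARAM = re.compile(
    r"^\s*(login/(?:create|accept)_sso2_ticket)\s*=\s*(\d+)\s*$", re.M)


def audit_landscape(profiles, issuer):
    """Return sorted (sid, finding) pairs for deviations from the
    one-issuer model: one system issues, every other system only accepts."""
    if issuer not in profiles:
        raise ValueError(f"designated issuer {issuer!r} has no profile")
    findings = []
    for sid, text in profiles.items():
        params = dict(PARAM.findall(text))
        create = params.get("login/create_sso2_ticket")
        accept = params.get("login/accept_sso2_ticket")
        # Values 1 and 2 issue logon tickets (with / without certificate).
        issues_tickets = create in ("1", "2")
        if sid == issuer:
            if not issues_tickets:
                findings.append((sid, "ISSUER_NOT_ISSUING"))
            continue
        if issues_tickets:
            # A second issuer widens the set of systems whose tickets
            # could end up being trusted elsewhere.
            findings.append((sid, "EXTRA_ISSUER"))
        if accept != "1":
            findings.append((sid, "ACCEPT_NOT_ENABLED"))
    return sorted(findings)


if __name__ == "__main__":
    for sid, finding in audit_landscape(PROFILES, issuer="PRD"):
        print(f"{sid}: {finding}")
```
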