
Using Logon Tickets

Use

For authentication on the AS ABAP that allows for Single Sign-On (SSO) to other systems as well, you can have the system issue logon tickets to the users. The user can then access other systems using the logon ticket as the authentication token instead of having to repeatedly enter his or her user ID and password.

Prerequisites

· Users need to have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.

· The users are dialog users. The AS ABAP does not issue logon tickets for system or service users.

Note

System users receive an authentication assertion ticket, which is structured the same as the logon ticket, but has a limited use (one-time) and a limited validity period (a few seconds). The configuration for the issuing of logon tickets also applies for the issuing of authentication assertion tickets.

· End users need to configure their Web browsers to accept cookies.

· Any Web servers or AS ABAP servers that are to accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.

· The issuing server must possess a public and private key pair and a public-key certificate so that it can digitally sign the logon ticket.

SAP system application servers (including the AS ABAP) receive a key pair and a self-signed public-key certificate during the installation process. By default, the system uses the system Personal Security Environment (system PSE) for storing these keys. However, a different PSE is used in the following cases:

  - If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.

  - If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.

· Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.

Depending on the type of certificate you use, the server's certificate is either sent with the logon ticket to the accepting system or its information is entered in the accepting system's certificate list. We provide a configuration tool, the SSO administration wizard (transaction SSO2), that automatically establishes the appropriate configuration for the accepting system.

Activities

In the following, we describe the processes when the issuing or accepting server is an AS ABAP. Note, however, that depending on the scenario you use, other server components may act as the issuer or the acceptor.

Receiving a Logon Ticket from the AS ABAP


1. The user authenticates him or herself on the AS ABAP (for example, using user ID and password).

2. The AS ABAP verifies the user's information. If the authentication was successful, then the user is logged on to the server and a ticket is issued to him or her. The ticket is stored in the user's Web browser and used for authentication on successive systems.

Using the Logon Ticket to Access the AS ABAP as an Accepting System

When the user accesses the AS ABAP as an accepting system:


1. The Web browser sends the user's logon ticket with the access request.

2. The AS ABAP verifies the information contained in the ticket. This includes:

  - Verifying the issuing server's digital signature.

  - Making sure the ticket has been issued by a trusted server (either itself or a server listed in the corresponding access control list).

  - Checking the expiration time.

If the ticket is valid and has been issued by a trusted server, then the user is granted access to the system.
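The three checks above, together with the one-time rule for authentication assertion tickets from the note in the prerequisites, can be modelled in a few lines. The following is an added example, not SAP code: the field layout, the HMAC-SHA256 signature stand-in, and the CERTIFICATE_LIST and ACL tables are constructed for illustration. A real SAP logon ticket is a PKCS#7-signed structure whose signature is verified against the issuing server's X.509 certificate; the structure of the decision (signature, then trust, then expiry, then replay) is what the model shows.

```python
"""Model of the checks an accepting system performs on a logon ticket.

Added example, not SAP code. Signatures are HMAC-SHA256 stand-ins for
the issuer's digital signature; the tables below are constructed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed certificate list: key material known for each (system ID, client).
CERTIFICATE_LIST = {
    ("SELF", "100"): b"constructed-own-key",
    ("ISS", "000"): b"constructed-issuer-key",
    ("KNOWN", "000"): b"constructed-known-but-untrusted-key",
}

# Constructed access control list: issuers whose tickets this system accepts.
# Having the certificate is not enough; the issuer must also be listed here.
ACL = {("SELF", "100"), ("ISS", "000")}

# Signatures of assertion tickets already consumed (replay protection).
CONSUMED_ASSERTIONS = set()


@dataclass
class Ticket:
    user: str
    issuer_sid: str
    issuer_client: str
    issued_at: int          # epoch seconds
    valid_for: int          # seconds
    one_time: bool = False  # True for authentication assertion tickets
    signature: bytes = b""

    def payload(self) -> bytes:
        """Bytes covered by the signature: every field except the signature."""
        return ";".join([self.user, self.issuer_sid, self.issuer_client,
                         str(self.issued_at), str(self.valid_for),
                         str(int(self.one_time))]).encode()


def issue_ticket(user, sid, client, key, valid_for, *, one_time=False, now=None):
    """Issuer side: sign the ticket fields with the issuer's key."""
    now = int(time.time()) if now is None else now
    t = Ticket(user, sid, client, now, valid_for, one_time)
    t.signature = hmac.new(key, t.payload(), hashlib.sha256).digest()
    return t


def verify_ticket(t, *, now=None, seen=CONSUMED_ASSERTIONS):
    """Accepting side. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    issuer = (t.issuer_sid, t.issuer_client)

    # 1. Verify the issuing server's digital signature using its certificate.
    key = CERTIFICATE_LIST.get(issuer)
    if key is None:
        return False, "issuer certificate unknown"
    expected = hmac.new(key, t.payload(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t.signature):
        return False, "signature invalid"

    # 2. Make sure the ticket came from a trusted server (self or an ACL entry).
    if issuer not in ACL:
        return False, "issuer not in access control list"

    # 3. Check the expiration time.
    if now >= t.issued_at + t.valid_for:
        return False, "ticket expired"

    # Assertion tickets are additionally single-use: reject a second presentation.
    if t.one_time:
        if t.signature in seen:
            return False, "assertion ticket already used"
        seen.add(t.signature)
    return True, "ok"


if __name__ == "__main__":
    key = CERTIFICATE_LIST[("ISS", "000")]
    logon = issue_ticket("JDOE", "ISS", "000", key, 3600, now=1000)
    print(verify_ticket(logon, now=2000))
    assertion = issue_ticket("JDOE", "ISS", "000", key, 5, one_time=True, now=1000)
    print(verify_ticket(assertion, now=1002))
    print(verify_ticket(assertion, now=1003))  # replay is rejected
```

The signature check runs before the ACL check because it needs the issuer's certificate, which is why the page requires accepting systems to hold the issuer's public-key certificate in addition to listing the issuer as trusted; a ticket from a server whose certificate is known but which is absent from the ACL is still rejected.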
