Wednesday, November 28, 2007

Using Logon Tickets


For authentication on the SAP Web AS that also allows for Single Sign-On (SSO) to other systems, you can have the system issue logon tickets to the users. The user can then access other systems using the logon ticket as the authentication token instead of having to repeatedly enter his or her user ID and password.


· Users need to have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.

· End users need to configure their Web browsers to accept cookies.

In Internet Explorer 5.0, accept session cookies for the local intranet zone.

· Any Web servers or SAP Web AS servers that are to accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.

· The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket.

SAP System application servers (including the SAP Web AS) receive a key pair and a self-signed public-key certificate during the installation process. By default, the system uses the system Personal Security Environment (system PSE) for storing these keys. However, you may need to use a different PSE in the following cases:

If the system has been upgraded from a Release <= 4.6B, then the PSE used for logon tickets is the SAPSSO2 PSE.

If you have defined an explicit PSE to use for logon tickets, then this PSE (as specified in the table SSFARGS) is used.

· Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.

Depending on the type of certificate you use, the server's certificate is either sent with the logon ticket to the accepting system or the information is entered in the accepting system's certificate list. We provide a configuration tool, the SSO administration wizard (transaction SSO2), that automatically establishes the appropriate configuration for the accepting system.


In the following, we describe the processes when the issuing or accepting server is an SAP Web AS. Note, however, that depending on the scenario you use, other server components may act as the issuer or acceptor.

Receiving a Logon Ticket from the SAP Web AS


1. The user authenticates him or herself on the SAP Web AS (for example, using user ID and password).

2. The SAP Web AS verifies the user's information. If the authentication was successful, then the user is logged on to the server and a ticket is issued to him or her. The ticket is stored in the user's Web browser and used for authentication on successive systems.

Using the Logon Ticket to Access the SAP Web AS as an Accepting System

When the user accesses the SAP Web AS as an accepting system:


1. The Web browser sends the user's logon ticket with the access request.

2. The SAP Web AS verifies the information contained in the ticket. This includes:

  · Verifying the issuing server's digital signature.

  · Making sure the ticket has been issued by a trusted server (either itself or a server listed in the corresponding access control list).

  · Checking the expiration time.

If the ticket is valid and has been issued by a trusted server, then the user is granted access to the system.
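The three checks an accepting system performs, as an added example that is not SAP code and does not use the real logon ticket format. It assumes a constructed JSON ticket body, a toy textbook-RSA key (insecure, for illustration only), and the hypothetical names `issue_ticket`, `accept_ticket` and `TRUSTED_ISSUERS`.

```python
import hashlib
import json

# Toy textbook-RSA key pair for the constructed issuer "ISS".
# Built from two Mersenne primes so the block needs no crypto library: NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the issuer only

def digest(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def issue_ticket(user, issuer, lifetime_s, now, d=D, n=N):
    """Issuing side: sign user ID, issuer name and expiry with the private key."""
    body = json.dumps({"user": user, "issuer": issuer, "exp": now + lifetime_s},
                      sort_keys=True).encode()
    return {"body": body, "sig": pow(digest(body), d, n)}

# Accepting side: access control list mapping trusted issuers to their
# public key (n, e). The acceptor never holds the private exponent.
TRUSTED_ISSUERS = {"ISS": (N, E)}

def accept_ticket(ticket, now, acl=TRUSTED_ISSUERS):
    """Accepting side: return (True, user) or (False, reason)."""
    # The claims are untrusted until the signature check below succeeds;
    # the issuer name is read first only to select the public key.
    claims = json.loads(ticket["body"])
    key = acl.get(claims.get("issuer"))
    if key is None:
        return (False, "issuer not in access control list")
    n, e = key
    if pow(ticket["sig"], e, n) != digest(ticket["body"]):
        return (False, "bad signature")
    if now >= claims["exp"]:
        return (False, "ticket expired")
    return (True, claims["user"])

if __name__ == "__main__":
    t = issue_ticket("JDOE", "ISS", lifetime_s=3600, now=1000)  # constructed sample
    print(accept_ticket(t, now=1500))
    tampered = {"body": t["body"].replace(b"JDOE", b"ADMIN"), "sig": t["sig"]}
    print(accept_ticket(tampered, now=1500))
```

Because only the signed body carries the user ID, the accepting system maps it straight to a local account, which is why the user ID must be the same in every system while passwords need not be.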
