SAP Logon Ticket


SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAP GUI and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications.

Operation

  1. User requests access to a resource on SAP NetWeaver Application Server.
  2. Resource requires authentication.
  3. SAP NetWeaver Application Server authenticates user, with user ID and password for example.
  4. SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
  5. SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie.
  6. When user authenticates with another application, the user's client presents the SAP Logon Ticket.

    Composition

Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets.
SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for an authentication via http header variable and a Dynamic Link Library for verifying SSO Tickets in 3rd party software which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.

Web server filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support http header variable authentication. The filter authenticates the logon ticket by using the enterprise portal's digital certificate. After authentication, the user's name, from the logon ticket, is extracted and is written into the http header. Additional configuration to the http header variable can done in the filter's configuration file.

Integration with identity and access management platforms

SAP provides Java and C sample files that can provide some hints how the library can be implemented in the source code of a high level programming language such as Visual Basic, C or Java.

Single sign-on to Microsoft web applications

Microsoft web-based applications usually only support the authentication methods basic authentication or windows integrated authentication provided by the Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls. SSO to Microsoft backend systems in extranet scenarios is limited to the user id password mechanism. Based on the new feature called protocol transition using constrained delegation SAP developed the SSO22KerbMap Module. This new ISAPI Filter requests a constrained Kerberos ticket for users identified by valid SAP Logon Ticket that can be used for SSO to Microsoft web-based applications in the back end.

Single sign-on to non-SAP Java environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.

Integration into SAP systems

ABAP

Logon tickets allows for single sign-on into ABAP application servers. However, there are prerequisites:
Java servers allows for single sign-on into Java application servers. However, there are prerequisites:

Account aggregation

The Enterprise Portal Server maps user information, i.e., user id and password, to allow users to access external systems. This approach requires that to maintain changes of username and/or password from one backend application to the portal. This approach is not viable to web-based backend systems because past security updates from Microsoft no longer support handling of usernames and passwords in HTTP, with or without Secure Sockets Layer, and HTTPS URLs in Internet Explorer
The usage of account aggregation has several drawbacks. First of all it requires that a SAP portal user has to maintain a user id and password for each application that is using account aggregation. If the password in one backend application changes the SAP portal user has to maintain the stored credentials too. Though account aggregation can be used as an option where no other solution might work it causes a significant administrative overhead.
Using account aggregation to access a web based backend system that is configured to use basic authentication results in sending a URL that contains user name and password. MS04-004, a security update from Microsoft published in 2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer if this security patch has been applied: