SAP

Logon Ticket
SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP
applications and services through SAPgui and web browsers without further username and password inputs from the
user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon
tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications.[1]

Contents
How Does It Work
Composition
Notable Properties
Single Sign-On
Web Server Filter
Integration with Identity & Access Management Platforms
Availability
Dynamic Link Library
Single Sign-On to Microsoft Web Applications
Single Sign-On to Non-SAP Java Environments
Integration into SAP Systems
ABAP
J2EE
Security Features
Security Challenges
Alternatives to SAP Logon Tickets
Secure Network Communications-Based Single Sign-On
Account Aggregation
See also
References
External links

How Does It Work

1. User requests access to a resource on SAP NetWeaver Application Server.
2. Resource requires authentication.
3. SAP NetWeaver Application Server authenticates user, with user ID and password for example.
4. SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
5. SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie.
6. When user authenticates with another application, the user's client presents the SAP Logon Ticket.

Composition
User ID
Validity date(s)
Issuing system
Digital signature
Authentication method

Notable Properties
Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets.[2]

login.ticket_client - a three-character numeric string used to indicate the client that is written into the SAP logon
ticket
login.ticket_lifetime - indicates the validity period of the ticket in terms of hours and minutes (i.e., HH:MM)
login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket
ume.login.mdc.hosts - Enables SAP NetWeaver Application Server Java to request logon tickets from hosts outside the
portal domain
ume.logon.httponlycookie - true/false for security against malicious client-side script code such as JavaScript
ume.logon.security.enforce_secure_cookie - Enforces SSL communication
 ume.logon.security.relax_domain.level - Relaxes the subdomains for which the SAP logon ticket is valid

Single Sign-On
SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter
that can be used for an authentication via http header variable and a Dynamic Link Library for verifying SSO Tickets in
3rd party software which can be used to provide native support for SAP Logon Tickets in applications written in C or
Java.

Web Server Filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the
web-based application support http header variable authentication. The filter authenticates the logon ticket by using
the enterprise portal's digital certificate. After authentication, the user's name, from the logon ticket, is extracted and
is written into the http header. Additional configuration to the http header variable can done in the filter's
configuration file (i.e., remote_user_alias).

Integration with Identity & Access Management Platforms

Tivoli Access Manager has developed an authentication service compatible with SAP Logon Tickets[3]
Sun ONE Identity has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0)
and SAP Pluggable Authentication Service (PAS) for integration with SAP for single sign-on. This method uses logon
tickets for single sign-on and the SAPCRYPTOLIB (SAP encryption library) for SAP server-to-server encryption. Sun's
solution utilizes the dynamic libraries (DLL) external authentication method.[4]
IBM Lotus Domino can be used as a technical ticket verifier component [5]

Availability

Windows, Microsoft Internet Information Server

Apache HTTP Server
Oracle iPlanet Web Server

Dynamic Link Library

SAP provides Java and C sample files that can provide some hints how the library can be implemented in the source
code of a high level programming language such as Visual Basic, C or Java.

Single Sign-On to Microsoft Web Applications

Microsoft web-based applications usually only support the authentication methods basic authentication or windows
integrated authentication (Kerberos) provided by the Internet Information Server. However, Kerberos does not work
well over the internet due to the typical configuration of client-side firewalls. SSO to Microsoft backend systems in
extranet scenarios is limited to the user id password mechanism. Based on the new feature called protocol transition
using constrained delegation SAP developed the SSO22KerbMap Module. This new ISAPI Filter requests a constrained
Kerberos ticket for users identified by valid SAP Logon Ticket that can be used for SSO to Microsoft web-based
applications in the back end.[6]

Single Sign-On to Non-SAP Java Environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.[7][8]

Integration into SAP Systems

ABAP
Logon tickets allows for single sign-on into ABAP application servers.[9] However, there are prerequisites:

Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different.
Web browsers need to be configured to accept cookies.
Any web servers for ABAP servers need to be placed on the same DNS
The issuing server must be able to digitally sign logon tickets (i.e., public-key and private-key are required).
Systems that accept logon tickets must have access to the issuing server's public-key certificate.

J2EE
Java servers allows for single sign-on into Java application servers.[10] However, there are prerequisites:
 Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different.
Web browsers need to be configured to accept cookies.
Any web servers for ABAP servers need to be placed on the same DNS
Clocks for accepting tickets are synchronized with the issuing server's clock.
The issuing server must be able to digitally sign logon tickets (i.e., public-key and private-key are required).
Systems that accept logon tickets must have access to the issuing server's public-key certificate.

Security Features
Digitally signed by the SAP portal server
Uses asymmetric cryptography to establish unidirectional trust relationship between users and SAP systems
Protected in transport via SSL
Validity period that can be configured in the security settings of the SAP Enterprise Portal

Security Challenges
SAP Logon Tickets do not utilize Secure Network Communications (SNC)
Typical security-related issues around cookies stored in a web browser. Examples include:[11]
Copying the SAP Logon Ticket via network traffic sniffing or social engineering and storing it on another computer
for access to the SAP Enterprise Portal

Alternatives to SAP Logon Tickets

Account aggregation via SAP NetWeaver
Utilize Secure Network Communications-based single sign-on technology from independent software security
providers

Secure Network Communications-Based Single Sign-On

Account Aggregation
The Enterprise Portal Server maps user information, i.e., user id and password, to allow users to access external
systems. This approach requires that to maintain changes of username and/or password from one backend application
to the portal. This approach is not viable to web-based backend systems because past security updates from Microsoft
no longer support handling of usernames and passwords in HTTP, with or without Secure Sockets Layer (SSL), and
HTTPS URLs in Internet Explorer

The usage of account aggregation has several drawbacks. First of all it requires that a SAP portal user has to maintain
a user id and password for each application that is using account aggregation. If the password in one backend
application changes the SAP portal user has to maintain the stored credentials too. Though account aggregation can be
used as an option where no other solution might work it causes a significant administrative overhead.

Using account aggregation to access a web based backend system that is configured to use basic authentication results
in sending a URL that contains user name and password. MS04-004,[12] a security update from Microsoft published in
2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or
HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer if
this security patch has been applied:

http(s)://username:password@server/resource.ext

See also
Secure Network Communications
Logon Ticket Cache
ABAP
J2EE

References
1. Using SAP Logon Tickets for Single Sign on to Microsoft based web applications (http://www.sdn.sap.com/irj/scn/go/po
rtal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50?QuickLink=index&overridelayout=true)
2. Logon Ticket (http://help.sap.com/saphelp_nw70/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm)
3. Authenticating a SAP login ticket in Tivoli Access Manager e-business WebSEAL (http://www.ibm.com/developerworks/
tivoli/library/t-authsaptam/index.html)
4. Single Sign-On Solution for SAP Internet Transaction Server 2.0 (http://docs.sun.com/source/816-6772-10/sapits.html)
5. Ticket Verifier Technical Components (http://help.sap.com/erp2005_ehp_04/helpdata/EN/22/bf642724ca20418924e57
 5. Ticket Verifier Technical Components (http://help.sap.com/erp2005_ehp_04/helpdata/EN/22/bf642724ca20418924e57
c51412191/frameset.htm)
6. Using SAP Logon Tickets for Single Sign-On (http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/47d0cd
90-0201-0010-4c86-f81b1c812e50?QuickLink=index&overridelayout=true)
7. Validating SAP Logon Tickets with Java (http://trick77.com/2008/02/07/validating-sap-logon-tickets-with-java/)
8. MySAP SSO Support (http://www.zope.org/Members/Dirk.Datzert/MySapSsoSupport/)
9. Using Logon Tickets (http://help.sap.com/erp2005_ehp_04/helpdata/EN/f8/18da3a82f9cc38e10000000a114084/frame
set.htm)
10. Using Logon Tickets for Single Sign-On (http://help.sap.com/erp2005_ehp_04/helpdata/EN/53/695b3ebd564644e1000
0000a114084/frameset.htm)
11. W3 Security FAQ on Browser Cookies (http://www.w3.org/Security/Faq/wwwsf2.html)
12. MS04-004: Cumulative Security Update for Internet Explorer (http://support.microsoft.com/kb/832894)

External links
Configuring SAP Logon Tickets (http://help.sap.com/saphelp_nw04s/helpdata/en/5c/b7d53ae8ab9248e10000000a114
084/frameset.htm)
Sample Login Module Stacks for Using Logon Tickets (http://help.sap.com/erp2005_ehp_04/helpdata/EN/04/120b40c6
c01961e10000000a155106/frameset.htm)
Testing the Use of Logon Tickets (http://help.sap.com/erp2005_ehp_04/helpdata/EN/b4/cb8846dd0e7c45833e10c807
328453/frameset.htm)
Configuring Component Systems for SSO with Logon Tickets (http://help.sap.com/erp2005_ehp_04/helpdata/EN/1c/22
afe3b26011d5993800508b6b8b11/frameset.htm)
Administration When Using Logon Tickets (http://help.sap.com/erp2005_ehp_04/helpdata/EN/47/fd6f9deca159e8e100
00000a42193/frameset.htm)

Retrieved from "https://en.wikipedia.org/w/index.php?title=SAP_Logon_Ticket&oldid=902870707"

This page was last edited on 21 June 2019, at 21:31 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms
of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.