SAP Logon Ticket

SAP Logon Tickets represent user credentials in SAP systems. When enabled, a user who has authenticated once can access multiple SAP applications and services through SAP GUI and web browsers without entering a username and password again. SAP Logon Tickets can also be a vehicle for single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate to third-party applications such as Microsoft-based web applications.


Operation

1. The user requests access to a resource on the SAP NetWeaver Application Server.
2. The resource requires authentication.
3. The SAP NetWeaver Application Server authenticates the user, for example with user ID and password.
4. The SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
5. The SAP Logon Ticket is stored in the user's browser as a non-persistent (session) HTTP cookie, named MYSAPSSO2.
6. When the user accesses another application that trusts the issuing server, the user's browser presents the SAP Logon Ticket instead of credentials.


Composition

* User ID
* Validity period (creation time and lifetime)
* Issuing system (system ID and client)
* Digital signature of the issuing system
* Authentication method used when the ticket was issued


Notable properties

Below is a short list of important properties of SAP NetWeaver Application Server Java that govern SAP Logon Tickets.
* login.ticket_client - a three-character numeric string identifying the client that is written into the SAP logon ticket
* login.ticket_lifetime - the validity period of the ticket in hours and minutes (HH:MM)
* login.ticket_portalid - yes/no/auto; whether the portal ID is written into the ticket
* ume.login.mdc.hosts - enables SAP NetWeaver Application Server Java to request logon tickets from hosts outside the portal domain
* ume.logon.httponlycookie - true/false; sets the HttpOnly flag on the ticket cookie so that client-side script (for example JavaScript injected through XSS) cannot read it
* ume.logon.security.enforce_secure_cookie - sets the Secure flag, so the browser sends the ticket cookie only over SSL/TLS connections
* ume.logon.security.relax_domain.level - relaxes the cookie domain by the given number of subdomain levels, so that hosts in the wider DNS domain also receive the ticket; the higher the level, the more hosts receive the ticket
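The three cookie-related properties above translate directly into Set-Cookie attributes. The following Go program is an added example, not SAP code: it builds the MYSAPSSO2 cookie from those settings and audits it, with a weak configuration (domain relaxed two levels, no Secure or HttpOnly flag) next to a hardened one. The reading of relax_domain.level as "number of leading host labels to strip", the ticket value and the host name portal.corp.example.com are constructed assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// TicketCookieSettings holds the three UME properties that shape the MYSAPSSO2
// cookie. The property names are SAP's; the attribute mapping is this example's.
type TicketCookieSettings struct {
	RelaxDomainLevel int  // ume.logon.security.relax_domain.level
	HTTPOnly         bool // ume.logon.httponlycookie
	SecureOnly       bool // ume.logon.security.enforce_secure_cookie
}

// CookieDomain drops `level` leading labels from the issuing host (assumed
// semantics of relax_domain.level). Level 0 leaves the cookie host-only.
func CookieDomain(host string, level int) (string, error) {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if level <= 0 {
		return "", nil
	}
	// Keep at least two labels: "Domain=.com" would hand the ticket to every site.
	// A real check needs the Public Suffix List; this only catches single-label TLDs.
	if len(labels)-level < 2 {
		return "", errors.New("relax_domain.level too high: cookie would reach a public suffix")
	}
	return "." + strings.Join(labels[level:], "."), nil
}

// BuildTicketCookie renders the Set-Cookie the portal would emit. No Expires or
// Max-Age: the ticket is a session cookie; validity is enforced inside the ticket.
func BuildTicketCookie(host, ticket string, s TicketCookieSettings) (*http.Cookie, error) {
	domain, err := CookieDomain(host, s.RelaxDomainLevel)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name:     "MYSAPSSO2",
		Value:    ticket,
		Path:     "/",
		Domain:   domain,
		HttpOnly: s.HTTPOnly,
		Secure:   s.SecureOnly,
	}, nil
}

// Audit reports what an attacker gains from each missing protection.
func Audit(c *http.Cookie) []string {
	var findings []string
	if !c.Secure {
		findings = append(findings, "no Secure flag: browser sends the ticket over plain HTTP, where it can be sniffed")
	}
	if !c.HttpOnly {
		findings = append(findings, "no HttpOnly flag: injected script (XSS) can read document.cookie")
	}
	// ".example.com" has two dots; anything that broad shares the ticket with
	// every host under the organisation's registrable domain (heuristic).
	if c.Domain != "" && strings.Count(c.Domain, ".") <= 2 {
		findings = append(findings, fmt.Sprintf("Domain=%s: every host in that zone receives the ticket", c.Domain))
	}
	return findings
}

func main() {
	const ticket = "AjExMDAgAA" // constructed placeholder; real values are long base64 blobs
	weak, _ := BuildTicketCookie("portal.corp.example.com", ticket, TicketCookieSettings{RelaxDomainLevel: 2})
	hard, _ := BuildTicketCookie("portal.corp.example.com", ticket,
		TicketCookieSettings{RelaxDomainLevel: 1, HTTPOnly: true, SecureOnly: true})
	fmt.Println("weak:", weak.String(), Audit(weak))
	fmt.Println("hard:", hard.String(), Audit(hard))
}
```

Run it with `go run .`; the weak cookie yields three findings, the hardened one none. In a real review, compare the Set-Cookie header the portal actually emits against the hardened form rather than trusting the configured property values.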


Single sign-on

SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter, which authenticates via an HTTP header variable, and a Dynamic Link Library for verifying SSO tickets in third-party software, which can be used to add native support for SAP Logon Tickets to applications written in C or Java.


Web server filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Using the filter for single sign-on requires that the web-based application supports header variable authentication. The filter verifies the logon ticket's signature using the enterprise portal's digital certificate. After verification, the user name is extracted from the logon ticket and written into an HTTP header. The name of the header variable can be changed in the filter's configuration file (remote_user_alias). Because the application then trusts whatever appears in that header, it must be reachable only through the filter; a client that can send requests to the application directly could set the header itself.


Integration with identity and access management platforms

* Tivoli Access Manager has developed an authentication service compatible with SAP Logon Tickets
* Sun ONE Identity has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0) and the SAP Pluggable Authentication Service (PAS) to integrate with SAP for single sign-on. This method uses logon tickets for single sign-on and SAPCRYPTOLIB (the SAP cryptographic library) for SAP server-to-server encryption. Sun's solution uses the dynamic library (DLL) external authentication method.
* IBM Lotus Domino can be used as a technical ticket verifier component


Availability

The web server filter is available for:
* Windows, Microsoft Internet Information Server
* Apache HTTP Server
* Oracle iPlanet Web Server


Dynamic link library

SAP provides Java and C sample files that give some hints on how the library can be called from the source code of a high-level programming language such as Visual Basic, C or Java.


Single sign-on to Microsoft web applications

Microsoft web-based applications usually support only the authentication methods provided by Internet Information Server: basic authentication or Windows integrated authentication (Kerberos). Kerberos, however, does not work well over the internet, because client-side firewalls typically block the client's traffic to the domain controller (KDC). SSO to Microsoft backend systems in extranet scenarios has therefore been limited to the user ID and password mechanism. Based on the Kerberos protocol transition and constrained delegation features introduced with Windows Server 2003, SAP developed the SSO22KerbMap module. This ISAPI filter requests a constrained Kerberos ticket on behalf of a user identified by a valid SAP Logon Ticket, which can then be used for SSO to Microsoft web-based applications in the back end. Since protocol transition lets the filter's service account obtain Kerberos tickets for any user without that user's credentials, the account is a high-value target and its delegation should be constrained to the specific backend service principals it needs.


Single sign-on to non-SAP Java environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with a small amount of custom coding around the verification library.


Integration into SAP systems


ABAP

Logon tickets allow single sign-on into ABAP application servers. However, there are prerequisites:
* Usernames need to be the same on all SAP systems for which the user wants single sign-on. Passwords can be different.
* Web browsers need to be configured to accept cookies.
* Any web servers in front of the ABAP servers need to be in the same DNS domain, because the browser only sends the ticket cookie to hosts in the domain it was set for.
* The issuing server must be able to digitally sign logon tickets (i.e., a public/private key pair is required).
* Systems that accept logon tickets must have access to the issuing server's public-key certificate.


J2EE

Logon tickets allow single sign-on into Java application servers. However, there are prerequisites:
* Usernames need to be the same on all SAP systems for which the user wants single sign-on. Passwords can be different.
* Web browsers need to be configured to accept cookies.
* Any web servers in front of the application servers need to be in the same DNS domain, because the browser only sends the ticket cookie to hosts in the domain it was set for.
* Clocks of the accepting systems are synchronized with the issuing server's clock, since the validity period in the ticket is checked against local time.
* The issuing server must be able to digitally sign logon tickets (i.e., a public/private key pair is required).
* Systems that accept logon tickets must have access to the issuing server's public-key certificate.
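The prerequisites listed for ABAP and Java servers, together with the issue/verify flow in the Operation section, amount to one small protocol: the issuer signs the ticket with its private key, and every accepting system checks signature, issuer, validity window and local user with nothing but the issuer's public key. The Go program below is an added example, not SAP code: it models that flow with Ed25519 and a JSON body standing in for SAP's binary PKCS#7-signed ticket, and returns a distinct error for each prerequisite that fails. System IDs EP1/EP2, client 000 and user JDOE are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// One error per prerequisite an accepting system enforces.
var (
	ErrMalformed       = errors.New("ticket: malformed")
	ErrUntrustedIssuer = errors.New("ticket: issuer certificate not in trust store")
	ErrBadSignature    = errors.New("ticket: signature invalid")
	ErrNotYetValid     = errors.New("ticket: issued in the future (clock skew?)")
	ErrExpired         = errors.New("ticket: validity period elapsed")
	ErrUnknownUser     = errors.New("ticket: user does not exist on this system")
)

// TicketBody carries the fields listed under Composition. Real tickets are a
// binary, PKCS#7-signed structure; this JSON layout is a stand-in (assumption).
type TicketBody struct {
	User         string        `json:"user"`
	IssuerSID    string        `json:"issuer_sid"`
	IssuerClient string        `json:"issuer_client"` // cf. login.ticket_client
	IssuedAt     time.Time     `json:"issued_at"`
	Lifetime     time.Duration `json:"lifetime"` // cf. login.ticket_lifetime
	AuthMethod   string        `json:"auth_method"`
}

// Issuer is the portal that authenticated the user; only it holds a private key.
type Issuer struct {
	SID, Client string
	priv        ed25519.PrivateKey
}

func NewIssuer(sid, client string) (*Issuer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{SID: sid, Client: client, priv: priv}, nil
}

// PublicKey is what gets distributed to accepting systems (the "certificate").
func (i *Issuer) PublicKey() ed25519.PublicKey { return i.priv.Public().(ed25519.PublicKey) }

// Issue signs a ticket for an already-authenticated user: base64url(body).base64url(sig).
func (i *Issuer) Issue(user, authMethod string, now time.Time, lifetime time.Duration) (string, error) {
	body, err := json.Marshal(TicketBody{User: user, IssuerSID: i.SID, IssuerClient: i.Client,
		IssuedAt: now.UTC(), Lifetime: lifetime, AuthMethod: authMethod})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(i.priv, body)
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Acceptor is an ABAP or Java AS. It holds public keys only: trust is one-directional.
type Acceptor struct {
	Trusted    map[string]ed25519.PublicKey // issuer SID -> public key
	ClockSkew  time.Duration                // tolerance for the clock-sync prerequisite
	UserExists func(string) bool            // same-username prerequisite
}

// Accept returns the authenticated user name or a typed error.
func (a *Acceptor) Accept(ticket string, now time.Time) (string, error) {
	parts := strings.SplitN(ticket, ".", 2)
	if len(parts) != 2 {
		return "", ErrMalformed
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	var tb TicketBody
	if err1 != nil || err2 != nil || json.Unmarshal(body, &tb) != nil {
		return "", ErrMalformed
	}
	// The body is parsed only to select the key; nothing in it is trusted
	// until the signature over the exact bytes has been verified.
	pub, ok := a.Trusted[tb.IssuerSID]
	if !ok {
		return "", ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, body, sig) {
		return "", ErrBadSignature
	}
	if tb.IssuedAt.After(now.Add(a.ClockSkew)) {
		return "", ErrNotYetValid
	}
	if now.After(tb.IssuedAt.Add(tb.Lifetime).Add(a.ClockSkew)) {
		return "", ErrExpired
	}
	if a.UserExists != nil && !a.UserExists(tb.User) {
		return "", ErrUnknownUser
	}
	return tb.User, nil
}

func main() {
	iss, _ := NewIssuer("EP1", "000")
	acc := &Acceptor{Trusted: map[string]ed25519.PublicKey{"EP1": iss.PublicKey()},
		ClockSkew: 2 * time.Minute, UserExists: func(u string) bool { return u == "JDOE" }}
	now := time.Now()
	tk, _ := iss.Issue("JDOE", "basicpassword", now, 8*time.Hour)
	fmt.Println(acc.Accept(tk, now.Add(time.Hour)))   // accepted
	fmt.Println(acc.Accept(tk, now.Add(9*time.Hour))) // expired
}
```

The order of checks matters: the issuer lookup and signature verification come before anything in the body (user, lifetime) is acted on, and the clock skew tolerance is applied symmetrically so that a slightly fast accepting system does not reject fresh tickets. Note what the model does not do, and neither does the real ticket: bind the ticket to the client, so a copied cookie is accepted from any host until it expires.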


Security features

* Digitally signed by the SAP portal server (the issuing system)
* Uses asymmetric cryptography to establish a unidirectional trust relationship: accepting systems hold only the issuer's public-key certificate and need no secret of their own
* Protected in transport via SSL, provided SSL and the Secure cookie flag are enforced
* Validity period that can be configured in the security settings of the SAP Enterprise Portal


Security challenges

* SAP Logon Tickets do not utilize Secure Network Communications (SNC)
* Typical security-related issues around cookies stored in a web browser. Examples include:
** Copying the SAP Logon Ticket via network traffic sniffing or social engineering and replaying it from another computer to access the SAP Enterprise Portal. The ticket is a bearer credential: it is not bound to the client that received it, so anyone holding the cookie can use it until the validity period elapses.


Alternatives to SAP logon tickets

* Account aggregation via SAP NetWeaver
* Secure Network Communications (SNC)-based single sign-on technology from independent software security providers


Secure network communications-based single sign-on


Account aggregation

The Enterprise Portal Server maps user information, i.e., user ID and password, to allow users to access external systems. This approach requires that changes of username and/or password in a backend application be maintained in the portal as well. It is not viable for web-based backend systems, because past security updates from Microsoft removed support for handling usernames and passwords in HTTP and HTTPS URLs in Internet Explorer, with or without Secure Sockets Layer (SSL).

The usage of account aggregation has several drawbacks. First of all, it requires a SAP portal user to maintain a user ID and password for each application that uses account aggregation. If the password in one backend application changes, the SAP portal user has to update the stored credentials too. Though account aggregation can be used as an option where no other solution works, it causes significant administrative overhead. Using account aggregation to access a web-based backend system that is configured to use basic authentication results in sending a URL that contains the user name and password; such URLs also end up in browser history and in proxy and web server logs. MS04-004 (Cumulative Security Update for Internet Explorer), a security update from Microsoft published in 2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer once this security patch has been applied:
* http(s)://username:password@server/resource.ext


See also

* Secure Network Communications
* Logon Ticket Cache
* ABAP
* J2EE




External links


Configuring SAP Logon Tickets
