SAP Logon Ticket
SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAPgui and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into third-party applications such as Microsoft-based web applications.

How Does It Work

  1. User opens SAP
  2. User logs on to SAP
  3. The SAP Enterprise Portal server authenticates the user against the user persistence configured in the portal's user management engine (UME) and issues an SAP Logon Ticket to the user
  4. The SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie (named MYSAPSSO2)
  5. User gains access to multiple SAP applications and services that trust the issuing portal

Composition

  • User ID
  • Validity date(s)
  • Issuing system
  • Digital signature
  • Authentication method

Notable Properties

Below is a short list of important properties for SAP Logon Tickets.
  • login.ticket_client - a three-character numeric string giving the client that is written into the SAP logon ticket
  • login.ticket_lifetime - the validity period of the ticket in hours and minutes (HH:MM)
  • login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket
  • ume.login.mdc.hosts - allows the enterprise portal to look for logon tickets from servers outside the portal domain
  • ume.logon.httponlycookie - true/false; sets the HttpOnly attribute on the ticket cookie so that it cannot be read by client-side script such as JavaScript
  • ume.logon.security.enforce_secure_cookie - true/false; sets the Secure attribute on the ticket cookie so that the browser sends it only over SSL/TLS connections
  • ume.logon.security.relax_domain.level - determines the domain for which the SAP logon ticket cookie is valid, i.e., how many leading labels of the portal host name are dropped when the cookie domain is set
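The following Go program is an added example, not part of the original article and not SAP's code. It reads the properties above into a small configuration, builds the ticket cookie the way an issuing portal would, and audits a weak configuration next to a hardened one. The mapping of each property onto a cookie attribute, the domain relaxation rule (dropping that many leading labels of the portal host name), the eight-hour lifetime threshold and the host name portal.corp.example.com are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// TicketCookieConfig holds the UME properties listed above. Mapping them onto
// cookie attributes as done here is this example's reading, not SAP's code.
type TicketCookieConfig struct {
	Lifetime         string // login.ticket_lifetime, "HH:MM"
	RelaxDomainLevel int    // ume.logon.security.relax_domain.level
	HTTPOnly         bool   // ume.logon.httponlycookie
	EnforceSecure    bool   // ume.logon.security.enforce_secure_cookie
}

// ParseLifetime converts "HH:MM" into a duration and rejects malformed or zero
// values rather than silently producing an unbounded ticket.
func ParseLifetime(s string) (time.Duration, error) {
	hm := strings.Split(s, ":")
	if len(hm) != 2 {
		return 0, fmt.Errorf("lifetime %q is not HH:MM", s)
	}
	h, errH := strconv.Atoi(hm[0])
	m, errM := strconv.Atoi(hm[1])
	if errH != nil || errM != nil || h < 0 || m < 0 || m > 59 || h+m == 0 {
		return 0, fmt.Errorf("lifetime %q is not a positive HH:MM value", s)
	}
	return time.Duration(h)*time.Hour + time.Duration(m)*time.Minute, nil
}

// RelaxDomain drops `level` leading labels from the portal host so the cookie
// also reaches sibling hosts (level 1: portal.corp.example.com -> corp.example.com).
// It refuses to go below two labels: a cookie scoped to a public suffix such as
// "com" would be sent to every site under it.
func RelaxDomain(host string, level int) (string, error) {
	labels := strings.Split(strings.ToLower(host), ".")
	if level < 0 || len(labels)-level < 2 {
		return "", fmt.Errorf("relaxing %q by %d levels leaves no safe domain", host, level)
	}
	if level == 0 {
		return "", nil // empty Domain attribute: host-only cookie
	}
	return strings.Join(labels[level:], "."), nil
}

// BuildTicketCookie is the Set-Cookie an issuing portal would emit: a session
// cookie (no Expires/Max-Age) carrying the ticket, scoped per the configuration.
func BuildTicketCookie(cfg TicketCookieConfig, host, ticket string) (*http.Cookie, error) {
	domain, err := RelaxDomain(host, cfg.RelaxDomainLevel)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name:     "MYSAPSSO2", // the cookie name SAP logon tickets travel in
		Value:    ticket,
		Path:     "/",
		Domain:   domain,
		HttpOnly: cfg.HTTPOnly,      // keeps document.cookie from reading it
		Secure:   cfg.EnforceSecure, // browser sends it over HTTPS only
	}, nil
}

// Audit lists what a reviewer would flag in a ticket configuration. The
// eight-hour lifetime ceiling and the relax-level ceiling of 1 are this
// example's thresholds, not SAP rules.
func Audit(cfg TicketCookieConfig, host string) []string {
	var findings []string
	if !cfg.HTTPOnly {
		findings = append(findings, "ume.logon.httponlycookie=false: ticket readable by injected script")
	}
	if !cfg.EnforceSecure {
		findings = append(findings, "ume.logon.security.enforce_secure_cookie=false: ticket sent over plain HTTP")
	}
	if d, err := ParseLifetime(cfg.Lifetime); err != nil || d > 8*time.Hour {
		findings = append(findings, "login.ticket_lifetime="+cfg.Lifetime+": invalid or longer than eight hours")
	}
	if _, err := RelaxDomain(host, cfg.RelaxDomainLevel); err != nil {
		findings = append(findings, err.Error())
	} else if cfg.RelaxDomainLevel > 1 {
		findings = append(findings, fmt.Sprintf("relax_domain.level=%d: cookie shared beyond the portal's own parent domain", cfg.RelaxDomainLevel))
	}
	return findings
}

func main() {
	weak := TicketCookieConfig{Lifetime: "24:00", RelaxDomainLevel: 2}
	hardened := TicketCookieConfig{Lifetime: "08:00", RelaxDomainLevel: 1, HTTPOnly: true, EnforceSecure: true}
	for _, f := range Audit(weak, "portal.corp.example.com") {
		fmt.Println("weak:", f)
	}
	c, _ := BuildTicketCookie(hardened, "portal.corp.example.com", "TICKET")
	fmt.Println("hardened:", c.String())
}
```

The cookie is deliberately left without Expires or Max-Age: the article describes a non-persistent cookie, and the ticket's lifetime is enforced by the systems that verify it, not by the browser. The relaxation guard matters because a relax level that reaches a public suffix turns the ticket into a cookie every site under that suffix receives.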

Single Sign-On

SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for authentication via an HTTP header variable, and a Dynamic Link Library for verifying SSO tickets in third-party software, which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.

Web Server Filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support HTTP header variable authentication. The filter verifies the logon ticket's signature using the enterprise portal's public-key certificate. After verification, the user name is extracted from the logon ticket and written into an HTTP header. The name of that header variable, among other settings, can be configured in the filter's configuration file (i.e., remote_user_alias). Because the application trusts this header, it must be reachable only through the filter; otherwise a client could set the header itself and choose the user it is logged on as.
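The following Go program is an added example, not part of the original article and not SAP's filter: a minimal header-variable filter in the same role, wired to a stand-in application. The cookie name MYSAPSSO2, the header name X-Remote-User and the fixed-string ticket verifier demoVerifier are constructed for the example; a real filter verifies the ticket's signature with the portal's certificate. What it shows is the check the description above leaves implicit: the filter must delete any copy of the header the client sent before setting its own, or the application will trust a name the client chose.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TicketVerifier checks a raw ticket value and returns the user it names.
// Signature and validity checking lives behind this function value so that
// the filter's own job stays visible.
type TicketVerifier func(ticket string) (user string, err error)

// HeaderAuthFilter plays the role of the web server filter: it verifies the
// ticket cookie and hands the user name to the application in a header
// (the remote_user_alias setting). Names here are this example's assumptions.
type HeaderAuthFilter struct {
	Verify     TicketVerifier
	CookieName string
	HeaderName string
}

func (f HeaderAuthFilter) Wrap(app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The application trusts this header, so a client-supplied copy must
		// never survive the filter, whether or not a ticket is present.
		r.Header.Del(f.HeaderName)
		c, err := r.Cookie(f.CookieName)
		if err != nil {
			http.Error(w, "logon ticket required", http.StatusUnauthorized)
			return
		}
		user, err := f.Verify(c.Value)
		if err != nil {
			http.Error(w, "logon ticket rejected", http.StatusUnauthorized)
			return
		}
		r.Header.Set(f.HeaderName, user)
		app.ServeHTTP(w, r)
	})
}

// whoAmI stands in for an application that authenticates by header variable.
func whoAmI(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "user=%s", r.Header.Get("X-Remote-User"))
}

// demoVerifier is a constructed stand-in that accepts one fixed ticket value.
// A deployed filter verifies the signature with the issuing portal's certificate.
func demoVerifier(ticket string) (string, error) {
	if ticket == "valid-ticket-for-jdoe" {
		return "JDOE", nil
	}
	return "", errors.New("bad ticket")
}

func NewDemoFilter() http.Handler {
	return HeaderAuthFilter{Verify: demoVerifier, CookieName: "MYSAPSSO2", HeaderName: "X-Remote-User"}.Wrap(http.HandlerFunc(whoAmI))
}

// Call sends one request through the filter and reports status and body.
func Call(h http.Handler, cookie, spoofedHeader string) (int, string) {
	r := httptest.NewRequest("GET", "/app", nil)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "MYSAPSSO2", Value: cookie})
	}
	if spoofedHeader != "" {
		r.Header.Set("X-Remote-User", spoofedHeader)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code, strings.TrimSpace(w.Body.String())
}

func main() {
	h := NewDemoFilter()
	for _, c := range []struct{ cookie, spoof string }{
		{"valid-ticket-for-jdoe", ""},
		{"", "ADMIN"},                      // header spoof without a ticket
		{"valid-ticket-for-jdoe", "ADMIN"}, // header spoof alongside a ticket
		{"forged", ""},
	} {
		code, body := Call(h, c.cookie, c.spoof)
		fmt.Println(code, body)
	}
}
```

With the filter in front of IIS, Apache or iPlanet the same rule applies at the network level: if the application port is reachable without passing through the filter, the header can be set by anyone who can open a connection, and the ticket check is bypassed entirely.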

Integration with Identity & Access Management Platforms

  • Tivoli Access Manager has developed an authentication service compatible with SAP Logon Tickets
  • Sun ONE Identity has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0) and the SAP Pluggable Authentication Service (PAS) for integration with SAP for single sign-on. This method uses logon tickets for single sign-on and SAPCRYPTOLIB (the SAP Cryptographic Library) for SAP server-to-server encryption. Sun's solution utilizes the dynamic link library (DLL) external authentication method.
  • IBM Lotus Domino can be used as a technical ticket verifier component

Availability

  • Windows, Microsoft Internet Information Server
  • Apache, iPlanet Web Server

Dynamic Link Library

SAP provides Java and C sample files that show how the library can be called from the source code of a high-level programming language such as Visual Basic, C or Java.

Single Sign-On to Microsoft Web Applications

Microsoft web-based applications usually support only the authentication methods Basic Authentication or Windows Integrated Authentication (Kerberos) provided by Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls, so SSO to Microsoft backend systems in extranet scenarios is limited to the user ID and password mechanism. Based on the Kerberos protocol transition and constrained delegation features, SAP developed the SSO22KerbMap Module. This ISAPI filter requests a constrained Kerberos ticket on behalf of a user identified by a valid SAP Logon Ticket, which can then be used for SSO to Microsoft web-based applications in the back end.

Single Sign-On to Non-SAP Java Environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.

ABAP

Logon tickets allow for single sign-on into ABAP application servers. However, there are prerequisites:
  • Usernames need to be the same in all SAP systems for which the user wants single sign-on. Passwords can be different.
  • Web browsers need to be configured to accept cookies.
  • Any web servers for the ABAP servers need to be placed in the same DNS domain, so that the browser sends the ticket cookie to all of them.
  • The issuing server must be able to digitally sign logon tickets (i.e., a public/private key pair is required).
  • Systems that accept logon tickets must have access to the issuing server's public-key certificate.

J2EE

Java application servers allow for single sign-on with logon tickets as well. However, there are prerequisites:
  • Usernames need to be the same in all SAP systems for which the user wants single sign-on. Passwords can be different.
  • Web browsers need to be configured to accept cookies.
  • Any web servers for the Java application servers need to be placed in the same DNS domain, so that the browser sends the ticket cookie to all of them.
  • Clocks of the accepting systems must be synchronized with the issuing server's clock, since the ticket's validity period is checked against its creation time.
  • The issuing server must be able to digitally sign logon tickets (i.e., a public/private key pair is required).
  • Systems that accept logon tickets must have access to the issuing server's public-key certificate.
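The following Go program is an added example, not part of the original article and not SAP's ticket libraries. It puts the ticket composition listed earlier (user ID, issuing system, validity, authentication method, digital signature) together with the prerequisites above (the issuer holds the private key, accepting systems hold only the issuer's public key, clocks kept in sync) as an issuing side and an accepting side. The tag-length-value body layout, the Ed25519 signature used in place of the certificate-based signature a real portal produces, and the system ID EP1 are this example's assumptions, not the MYSAPSSO2 wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Illustrative tag-length-value body (an assumption of this example, not the real MYSAPSSO2 layout).
const (
	tagUser     byte = 0x01 // user ID
	tagSystemID byte = 0x02 // issuing system
	tagCreated  byte = 0x03 // creation time "YYYYMMDDHHMM", UTC
	tagValidity byte = 0x04 // validity in minutes
	tagAuthMeth byte = 0x05 // authentication method used at the issuer
	timeLayout       = "200601021504"
)

type Ticket struct {
	User, SystemID, AuthMethod string
	Created                    time.Time
	Validity                   time.Duration
}

func encodeBody(t Ticket) []byte {
	var body []byte
	put := func(tag byte, val string) { // tag, 2-byte big-endian length, value
		body = append(append(body, tag, byte(len(val)>>8), byte(len(val))), val...)
	}
	put(tagUser, t.User)
	put(tagSystemID, t.SystemID)
	put(tagCreated, t.Created.UTC().Format(timeLayout))
	put(tagValidity, strconv.Itoa(int(t.Validity/time.Minute)))
	put(tagAuthMeth, t.AuthMethod)
	return body
}

// decodeBody bounds-checks every length: the body is untrusted until its signature is verified.
func decodeBody(body []byte) (Ticket, error) {
	fields := map[byte]string{}
	for len(body) > 0 {
		if len(body) < 3 || len(body) < 3+int(binary.BigEndian.Uint16(body[1:3])) {
			return Ticket{}, errors.New("truncated field")
		}
		n := int(binary.BigEndian.Uint16(body[1:3]))
		fields[body[0]] = string(body[3 : 3+n])
		body = body[3+n:]
	}
	created, errT := time.Parse(timeLayout, fields[tagCreated])
	minutes, errV := strconv.Atoi(fields[tagValidity])
	if errT != nil || errV != nil || minutes < 0 || fields[tagUser] == "" || fields[tagSystemID] == "" {
		return Ticket{}, errors.New("mandatory field missing or malformed")
	}
	return Ticket{User: fields[tagUser], SystemID: fields[tagSystemID], AuthMethod: fields[tagAuthMeth],
		Created: created, Validity: time.Duration(minutes) * time.Minute}, nil
}

// Issue is the issuing system's side: cookie value = base64(body || signature).
func Issue(t Ticket, priv ed25519.PrivateKey) string {
	body := encodeBody(t)
	return base64.StdEncoding.EncodeToString(append(body, ed25519.Sign(priv, body)...))
}

// Verify is the accepting system's side. trusted maps each issuer whose certificate was
// imported to its public key, so an unlisted issuer fails before the signature is checked.
// skew tolerates small clock drift; it does not replace synchronized clocks.
func Verify(ticket string, trusted map[string]ed25519.PublicKey, now time.Time, skew time.Duration) (Ticket, error) {
	raw, err := base64.StdEncoding.DecodeString(ticket)
	if err != nil || len(raw) <= ed25519.SignatureSize {
		return Ticket{}, errors.New("malformed ticket")
	}
	body, sig := raw[:len(raw)-ed25519.SignatureSize], raw[len(raw)-ed25519.SignatureSize:]
	t, err := decodeBody(body)
	if err != nil {
		return Ticket{}, err
	}
	pub, ok := trusted[t.SystemID]
	if !ok {
		return Ticket{}, fmt.Errorf("issuer %q not trusted", t.SystemID)
	}
	if !ed25519.Verify(pub, body, sig) {
		return Ticket{}, errors.New("signature invalid")
	}
	if now.Before(t.Created.Add(-skew)) || now.After(t.Created.Add(t.Validity+skew)) {
		return Ticket{}, errors.New("ticket outside its validity period")
	}
	return t, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cookie := Issue(Ticket{User: "JDOE", SystemID: "EP1", Created: time.Now(), Validity: 8 * time.Hour}, priv)
	_, err := Verify(cookie, map[string]ed25519.PublicKey{"EP1": pub}, time.Now().Add(9*time.Hour), time.Minute)
	fmt.Println("nine hours later:", err)
}
```

Verify looks the issuer up in trusted before it checks the signature, which is what the ticket ACL on an accepting system amounts to: a correctly signed ticket from a portal whose certificate was never imported is still rejected. The skew argument is a tolerance for drift, not a substitute for synchronized clocks; every minute of tolerance extends every ticket's life by that minute on both ends of its validity window.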

Security Features

  • Digitally signed by the SAP portal server
  • Uses asymmetric cryptography: accepting systems need only the issuing server's public-key certificate, which establishes a unidirectional trust relationship from the accepting SAP systems to the issuer
  • Protected in transport by SSL when the portal and the accepting systems are accessed over HTTPS
  • Validity period that can be configured in the security settings of the SAP Enterprise Portal

Security Challenges

  • SAP Logon Tickets do not utilize Secure Network Communications (SNC)
  • Typical security-related issues around cookies stored in a web browser. Examples include:
    • Copying the SAP Logon Ticket via network traffic sniffing or social engineering and storing it on another computer for access to the SAP Enterprise Portal; the ticket is a bearer token, so whoever presents it within its validity period is accepted as that user

Alternatives to SAP Logon Tickets

  • Account aggregation via SAP NetWeaver
  • Secure Network Communications (SNC)-based single sign-on technology from independent software security providers

Account Aggregation

The Enterprise Portal server stores a mapping of user information, i.e., user ID and password, for each external system a user accesses, and presents those credentials on the user's behalf. Any change of username or password in a backend application therefore has to be maintained in the portal as well.

The usage of account aggregation has several drawbacks. First of all, it requires that an SAP portal user maintain a user ID and password for each application that is using account aggregation. If the password in one backend application changes, the SAP portal user has to update the stored credentials too. Though account aggregation can be used as an option where no other solution works, it causes significant administrative overhead.

Using account aggregation to access a web-based backend system that is configured to use basic authentication results in sending a URL that contains the user name and password. A security update from Microsoft removed support for handling user names and passwords in HTTP and HTTPS (HTTP with Secure Sockets Layer, SSL) URLs in Microsoft Internet Explorer, so URL syntax that embeds the user name and password is no longer supported in Internet Explorer once this security patch has been applied. Account aggregation is therefore not viable for such web-based backend systems.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 