Snm short bullet Prufe half full percentage gune alfabetic chart object. nd be question Nun Langui by other description

Operation

# User requests access to a resource on SAP NetWeaver Application Server. # Resource requires authentication. # SAP NetWeaver Application Server authenticates user, with user ID and password for example. # SAP NetWeaver Application Server issues an SAP Logon Ticket to the user. # SAP Logon Ticket is stored in the user's browser as a non-persistent

HTTP cookie HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small block of data (computing), data created by a web server while a user (computing), user is browsing a website and placed on the user's computer o ...

. # When user authenticates with another application, the user's client presents the SAP Logon Ticket.

Composition

* User ID * Validity date(s) * Issuing system * Digital signature * Authentication method

Notable properties

Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets. * login.ticket_client - a three-character numeric string used to indicate the client that is written into the SAP logon ticket * login.ticket_lifetime - indicates the validity period of the ticket in terms of hours and minutes (i.e., HH:MM) * login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket * ume.login.mdc.hosts - Enables SAP NetWeaver Application Server Java to request logon tickets from hosts outside the portal domain * ume.logon.httponlycookie - true/false for security against malicious client-side script code such as JavaScript * ume.logon.security.enforce_secure_cookie - Enforces SSL communication * ume.logon.security.relax_domain.level - Relaxes the subdomains for which the SAP logon ticket is valid

Single sign-on

SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for an authentication via http header variable and a Dynamic Link Library for verifying SSO Tickets in 3rd party software which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.

Web server filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support
header variable
authentication. The filter authenticates the logon ticket by using the enterprise portal's digital certificate. After authentication, the user's name, from the logon ticket, is extracted and is written into the http header. Additional configuration to the http header variable can done in the filter's configuration file (i.e., remote_user_alias).

Integration with identity and access management platforms

Tivoli Access Manager Tivoli may refer to: * Tivoli, Lazio, a town in Lazio, Italy, known for historic sites; the inspiration for other places named Tivoli Buildings * Tivoli (Baltimore, Maryland), a mansion built about 1855 * Tivoli Building (Cheyenne, Wyoming), a ...

has developed an authentication service compatible with SAP Logon Tickets *

Sun ONE Identity The Sun is the star at the centre of the Solar System. It is a massive, nearly perfect sphere of hot Plasma (physics), plasma, heated to incandescence by nuclear fusion reactions in its core, radiating the energy from its surface mainly as ...

has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0) and SAP Pluggable Authentication Service (PAS) for integration with SAP for single sign-on. This method uses logon tickets for single sign-on and the SAPCRYPTOLIB (SAP encryption library) for SAP server-to-server encryption. Sun's solution utilizes the dynamic libraries (DLL) external authentication method. *

IBM Lotus Domino HCL Notes (formerly Lotus Notes then IBM Notes) is a proprietary collaborative software platform for Unix ( AIX), IBM i, Windows, Linux, and macOS, sold by HCLTech. The client application is called Notes while the server component is branded H ...

can be used as a technical ticket verifier component

Availability

Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

, Microsoft Internet Information Server *

Apache HTTP Server The Apache HTTP Server ( ) is a free and open-source software, free and open-source cross-platform web server, released under the terms of Apache License, Apache License 2.0. It is developed and maintained by a community of developers under the ...

Oracle iPlanet Web Server An oracle is a person or thing considered to provide insight, wise counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. If done through occultic means, it is a form of divination. Descript ...

Dynamic link library

SAP provides Java and C sample files that can provide some hints how the library can be implemented in the source code of a high level programming language such as Visual Basic, C or Java.

Single sign-on to Microsoft web applications

Microsoft web-based applications usually only support the authentication methods basic authentication or windows integrated authentication (Kerberos) provided by the Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls. SSO to Microsoft backend systems in extranet scenarios is limited to the user id password mechanism. Based on the new feature called protocol transition using constrained delegation SAP developed the SSO22KerbMap Module. This new ISAPI Filter requests a constrained Kerberos ticket for users identified by valid SAP Logon Ticket that can be used for SSO to Microsoft web-based applications in the back end.

Single sign-on to non-SAP Java environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.

Integration into SAP systems

ABAP

Logon tickets allows for single sign-on into ABAP application servers. However, there are prerequisites: * Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different. * Web browsers need to be configured to accept cookies. * Any web servers for ABAP servers need to be placed on the same

DNS The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various informatio ...

* The issuing server must be able to digitally sign logon tickets (i.e.,

public-key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

and private-key are required). * Systems that accept logon tickets must have access to the issuing server's public-key certificate.

J2EE

Java servers allows for single sign-on into Java application servers. However, there are prerequisites: * Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different. * Web browsers need to be configured to accept cookies. * Any web servers for ABAP servers need to be placed on the same

* Clocks for accepting tickets are synchronized with the issuing server's clock. * The issuing server must be able to digitally sign logon tickets (i.e.,

and private-key are required). * Systems that accept logon tickets must have access to the issuing server's public-key certificate.

Security features

* Digitally signed by the SAP portal server * Uses asymmetric cryptography to establish unidirectional trust relationship between users and SAP systems * Protected in transport via SSL * Validity period that can be configured in the security settings of the

SAP Enterprise Portal SAP NetWeaver Portal is one of the building blocks in the SAP NetWeaver architecture. With a Web Browser, users can begin work once they have been authenticated in the portal which offers a single point of access to information, enterprise applicati ...

Security challenges

* SAP Logon Tickets do not utilize

Secure Network Communications SAP NetWeaver is a software stack for many of SAP SE's applications. The SAP NetWeaver Application Server, sometimes referred to as WebAS, is the runtime environment for the SAP applications and all of the mySAP Business Suite runs on SAP WebAS: su ...

(SNC) * Typical security-related issues around cookies stored in a web browser. Examples include: **Copying the SAP Logon Ticket via network traffic sniffing or social engineering and storing it on another computer for access to the SAP Enterprise Portal

Alternatives to SAP logon tickets

* Account aggregation via

SAP NetWeaver SAP NetWeaver is a software stack for many of SAP SE's applications. The SAP NetWeaver Application Server, sometimes referred to as WebAS, is the runtime environment for the SAP applications and all of the mySAP Business Suite runs on SAP WebA ...

* Utilize

-based single sign-on technology from independent software security providers

Secure network communications-based single sign-on

Account aggregation

The Enterprise Portal Server maps user information, i.e., user id and password, to allow users to access external systems. This approach requires that to maintain changes of username and/or password from one backend application to the portal. This approach is not viable to web-based backend systems because past security updates from Microsoft no longer support handling of usernames and passwords in HTTP, with or without

Secure Sockets Layer Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, ...

(SSL), and HTTPS URLs in

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated as IE or MSIE) is a deprecation, retired series of graphical user interface, graphical web browsers developed by Microsoft that were u ...

The usage of account aggregation has several drawbacks. First of all it requires that a SAP portal user has to maintain a user id and password for each application that is using account aggregation. If the password in one backend application changes the SAP portal user has to maintain the stored credentials too. Though account aggregation can be used as an option where no other solution might work it causes a significant administrative overhead. Using account aggregation to access a web based backend system that is configured to use basic authentication results in sending a URL that contains user name and password. MS04-004,MS04-004: Cumulative Security Update for Internet Explorer
/ref> a security update from Microsoft published in 2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer if this security patch has been applied: * http(s)://username:password@server/resource.ext

References

{{reflist

External links

Configuring SAP Logon Tickets

Logon Ticket