
How Does It Work

1. The user requests access to a resource on SAP NetWeaver Application Server.
2. The resource requires authentication.
3. SAP NetWeaver Application Server authenticates the user, with user ID and
   password for example.
4. SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
5. The SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP
   cookie.
6. When the user authenticates with another application, the user's client
   presents the SAP Logon Ticket.
Composition

User ID
Validity date(s)
Issuing system
Digital signature
Authentication method
Notable Properties

Below is a short list of important properties of SAP NetWeaver Application Server
Java for SAP Logon Tickets.[2]

login.ticket_client - a three-character numeric string indicating the client that
is written into the SAP logon ticket
login.ticket_lifetime - the validity period of the ticket in hours and minutes
(i.e., HH:MM)
login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket
ume.login.mdc.hosts - enables SAP NetWeaver Application Server Java to request
logon tickets from hosts outside the portal domain
ume.logon.httponlycookie - true/false for security against malicious client-side
script code such as JavaScript
ume.logon.security.enforce_secure_cookie - enforces SSL communication
ume.logon.security.relax_domain.level - relaxes the subdomains for which the SAP
logon ticket is valid
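The three cookie-related settings above decide what the browser is told about the ticket cookie. The following added example (not SAP code) maps them onto the Set-Cookie attributes they control and lists the findings a reviewer would raise for a weak combination. The parameter names are the page's; the cookie name MYSAPSSO2, the sample host and the reading of relax_domain.level as "number of leading host labels to drop" are assumptions made for this block.

```python
"""Turn the UME logon-cookie settings into the Set-Cookie header the browser
would receive, and flag weak combinations. Added example, not SAP code."""
from dataclasses import dataclass
from typing import List, Optional

COOKIE_NAME = "MYSAPSSO2"  # assumed name of the logon-ticket cookie


@dataclass(frozen=True)
class LogonCookieSettings:
    httponlycookie: bool          # ume.logon.httponlycookie
    enforce_secure_cookie: bool   # ume.logon.security.enforce_secure_cookie
    relax_domain_level: int       # ume.logon.security.relax_domain.level


def cookie_domain(host: str, relax_level: int) -> Optional[str]:
    """Domain attribute after relaxing `relax_level` labels off the host.

    0 keeps a host-only cookie (no Domain attribute). Relaxing down to a single
    label would hand the ticket to every host under a TLD, so that is refused.
    (Interpretation of relax_domain.level assumed for this example.)
    """
    if relax_level <= 0:
        return None
    labels = host.split(".")
    keep = len(labels) - relax_level
    if keep < 2:
        raise ValueError(
            f"relax_domain.level={relax_level} leaves no organisation domain for {host}")
    return "." + ".".join(labels[-keep:])


def set_cookie_header(ticket: str, host: str, s: LogonCookieSettings) -> str:
    """Build the Set-Cookie value. No Expires/Max-Age is emitted: the ticket is
    a non-persistent (session) cookie."""
    parts = [f"{COOKIE_NAME}={ticket}", "Path=/"]
    domain = cookie_domain(host, s.relax_domain_level)
    if domain:
        parts.append(f"Domain={domain}")
    if s.enforce_secure_cookie:
        parts.append("Secure")      # browser sends the ticket over HTTPS only
    if s.httponlycookie:
        parts.append("HttpOnly")    # client-side script cannot read the ticket
    return "; ".join(parts)


def review_settings(s: LogonCookieSettings) -> List[str]:
    """Findings a reviewer would raise for the given settings (empty = fine)."""
    findings = []
    if not s.httponlycookie:
        findings.append("ume.logon.httponlycookie=false: ticket is readable by "
                        "client-side script")
    if not s.enforce_secure_cookie:
        findings.append("ume.logon.security.enforce_secure_cookie=false: ticket "
                        "may travel over plain HTTP")
    if s.relax_domain_level > 1:
        findings.append(f"ume.logon.security.relax_domain.level="
                        f"{s.relax_domain_level}: ticket is valid for hosts well "
                        "outside the portal")
    return findings


if __name__ == "__main__":
    # Constructed sample host and two settings profiles, weak and hardened.
    weak = LogonCookieSettings(httponlycookie=False, enforce_secure_cookie=False,
                               relax_domain_level=2)
    hardened = LogonCookieSettings(httponlycookie=True, enforce_secure_cookie=True,
                                   relax_domain_level=1)
    for profile in (weak, hardened):
        print(set_cookie_header("TICKET", "portal.hr.example.corp", profile))
        print("  findings:", review_settings(profile) or "none")
```

The hardened profile yields `Domain=.example.corp; Secure; HttpOnly` for a portal at `portal.hr.example.corp`; the weak one sends a script-readable cookie over plain HTTP to a wider set of hosts, which is what the three findings report.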
Single Sign-On

SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal.
SAP provides a Web Server Filter that can be used for authentication via an HTTP
header variable, and a Dynamic Link Library for verifying SSO tickets in
third-party software, which can be used to provide native support for SAP Logon
Tickets in applications written in C or Java.

Web Server Filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the
filter for single sign-on requires that the web-based application support HTTP
header variable authentication. The filter authenticates the logon ticket by using
the enterprise portal's digital certificate. After authentication, the user's name
is extracted from the logon ticket and written into the HTTP header. Additional
configuration of the HTTP header variable can be done in the filter's
configuration file (e.g., the remote_user_alias setting).
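The flow under How Does It Work, the fields under Composition and the filter just described fit together in one small program. The following is an added example, not SAP's ticket format, filter or API: it issues a ticket carrying the listed fields, verifies it as a relying application would, and then acts as the web-server filter that turns a valid ticket cookie into a header variable for the backend. Field names follow the page; the wire encoding (base64 JSON plus signature), the issuer name PORTAL-DEMO, the cookie name MYSAPSSO2 and the header name REMOTE_USER are assumptions. The real ticket carries a certificate-based digital signature checked against the portal's certificate; an HMAC stands in for it here so the block runs on the standard library alone.

```python
"""Issue, verify and filter a logon ticket. Added example, not SAP code;
an HMAC stands in for the certificate-based signature of the real ticket."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Signing keys of the issuing systems this relying party trusts (constructed).
TRUSTED_ISSUERS = {"PORTAL-DEMO": b"constructed-demo-signing-key"}
COOKIE_NAME = "MYSAPSSO2"     # assumed cookie name
HEADER_NAME = "REMOTE_USER"   # assumed; the filter's remote_user_alias names it


class TicketError(Exception):
    """Raised when a ticket must not be accepted."""


def ticket_lifetime_seconds(lifetime: str) -> int:
    """login.ticket_lifetime is given as HH:MM."""
    hours, minutes = lifetime.split(":")
    return int(hours) * 3600 + int(minutes) * 60


def issue_ticket(user_id: str, issuer: str, client: str, auth_method: str,
                 lifetime: str = "08:00", now: Optional[int] = None) -> str:
    """Issuing side: sign user ID, client, issuing system, authentication
    method and the validity window."""
    now = int(time.time()) if now is None else now
    body = {"user": user_id, "client": client, "issuer": issuer,
            "auth": auth_method, "nbf": now,
            "exp": now + ticket_lifetime_seconds(lifetime)}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(TRUSTED_ISSUERS[issuer], payload.encode(),
                   hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_ticket(ticket: str, now: Optional[int] = None) -> dict:
    """Relying side: known issuer, valid signature, inside the validity window."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = ticket.split(".")
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError) as exc:
        raise TicketError("malformed ticket") from exc
    if not isinstance(body, dict):
        raise TicketError("malformed ticket")
    key = TRUSTED_ISSUERS.get(body.get("issuer"))
    if key is None:
        raise TicketError("unknown issuing system")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise TicketError("bad signature")
    if not body["nbf"] <= now < body["exp"]:
        raise TicketError("ticket outside validity period")
    return body


def ticket_status(ticket: str, now: Optional[int] = None) -> str:
    """'ok', or the reason the ticket was rejected."""
    try:
        verify_ticket(ticket, now)
        return "ok"
    except TicketError as exc:
        return str(exc)


def parse_cookies(header: str) -> Dict[str, str]:
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def filter_request(headers: Dict[str, str],
                   now: Optional[int] = None) -> Dict[str, str]:
    """Web-server filter: verify the ticket cookie and write the user name
    into the header variable. Any copy of that header sent by the client is
    dropped first, so the backend only sees a value the filter set. An invalid
    ticket rejects the request (TicketError); no ticket passes the request
    through unauthenticated for the backend to handle."""
    passed = {k: v for k, v in headers.items()
              if k.lower() != HEADER_NAME.lower()}
    ticket = parse_cookies(headers.get("Cookie", "")).get(COOKIE_NAME)
    if ticket is not None:
        passed[HEADER_NAME] = verify_ticket(ticket, now)["user"]
    return passed


if __name__ == "__main__":
    # Constructed request: a valid ticket plus a client-supplied REMOTE_USER.
    t = issue_ticket("jdoe", "PORTAL-DEMO", "000", "password")
    print(filter_request({"Cookie": f"{COOKIE_NAME}={t}", HEADER_NAME: "admin"}))
```

The point of the filter half is that a backend relying on header-variable authentication must only ever receive that header from the filter; the example strips any client-supplied copy before writing the verified user name, and the backend should be reachable only through the filtering web server.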

Integration with Identity & Access Management Platforms

Tivoli Access Manager has developed an authentication service compatible with SAP
Logon Tickets.[3]
Sun ONE Identity has developed a solution where companies can use the SAP Internet
Transaction Server (ITS 2.0) and SAP Pluggable Authentication Service (PAS) for
integration with SAP for single sign-on. This method uses logon tickets for single
sign-on and the SAPCRYPTOLIB (SAP encryption library) for SAP server-to-server
encryption. Sun's solution utilizes the dynamic libraries (DLL) external
authentication method.[4]
IBM Lotus Domino can be used as a technical ticket verifier component.[5]
Availability
Windows, Microsoft Internet Information Server
Apache HTTP Server, iPlanet Web Server
Dynamic Link Library
SAP provides Java and C sample files that give some hints on how the library can
be used from the source code of a high-level programming language such as
Visual Basic, C or Java.

Single Sign-On to Microsoft Web Applications

Microsoft web-based applications usually only support the authentication methods
basic authentication or Windows integrated authentication (Kerberos) provided by
the Internet Information Server. However, Kerberos does not work well over the
internet due to the typical configuration of client-side firewalls. SSO to
Microsoft backend systems in extranet scenarios is therefore limited to the user
ID/password mechanism. Based on the new feature called protocol transition using
constrained delegation, SAP developed the SSO22KerbMap Module. This new ISAPI
filter requests a constrained Kerberos ticket for users identified by a valid SAP
Logon Ticket, which can then be used for SSO to Microsoft web-based applications
in the back end.[6]

Single Sign-On to Non-SAP Java Environments


It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor
custom coding.[7][8]

Integration into SAP Systems