SAP Logon Ticket

Last updated

SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAP GUI and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications. [1]

Contents

Operation

  1. User requests access to a resource on SAP NetWeaver Application Server.
  2. Resource requires authentication.
  3. SAP NetWeaver Application Server authenticates user, with user ID and password for example.
  4. SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
  5. SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie.
  6. When user authenticates with another application, the user's client presents the SAP Logon Ticket.

Composition

Notable properties

Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets. [2]

Single sign-on

SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for an authentication via http header variable and a Dynamic Link Library for verifying SSO Tickets in 3rd party software which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.

Web server filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support http header variable authentication. The filter authenticates the logon ticket by using the enterprise portal's digital certificate. After authentication, the user's name, from the logon ticket, is extracted and is written into the http header. Additional configuration to the http header variable can done in the filter's configuration file (i.e., remote_user_alias).

Integration with identity and access management platforms

Availability

SAP provides Java and C sample files that can provide some hints how the library can be implemented in the source code of a high level programming language such as Visual Basic, C or Java.

Single sign-on to Microsoft web applications

Microsoft web-based applications usually only support the authentication methods basic authentication or windows integrated authentication (Kerberos) provided by the Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls. SSO to Microsoft backend systems in extranet scenarios is limited to the user id password mechanism. Based on the new feature called protocol transition using constrained delegation SAP developed the SSO22KerbMap Module. This new ISAPI Filter requests a constrained Kerberos ticket for users identified by valid SAP Logon Ticket that can be used for SSO to Microsoft web-based applications in the back end. [6]

Single sign-on to non-SAP Java environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding. [7] [8]

Integration into SAP systems

ABAP

Logon tickets allows for single sign-on into ABAP application servers. [9] However, there are prerequisites:

J2EE

Java servers allows for single sign-on into Java application servers. [10] However, there are prerequisites:

Security features

Security challenges

Alternatives to SAP logon tickets

Secure network communications-based single sign-on

Account aggregation

The Enterprise Portal Server maps user information, i.e., user id and password, to allow users to access external systems. This approach requires that to maintain changes of username and/or password from one backend application to the portal. This approach is not viable to web-based backend systems because past security updates from Microsoft no longer support handling of usernames and passwords in HTTP, with or without Secure Sockets Layer (SSL), and HTTPS URLs in Internet Explorer

The usage of account aggregation has several drawbacks. First of all it requires that a SAP portal user has to maintain a user id and password for each application that is using account aggregation. If the password in one backend application changes the SAP portal user has to maintain the stored credentials too. Though account aggregation can be used as an option where no other solution might work it causes a significant administrative overhead.

Using account aggregation to access a web based backend system that is configured to use basic authentication results in sending a URL that contains user name and password. MS04-004, [12] a security update from Microsoft published in 2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer if this security patch has been applied:

  • http(s)://username:password@server/resource.ext

See also

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. JAAS was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated in version 1.4.

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials is the Base64 encoding of ID and password joined by a single colon :.

Lightweight Third-Party Authentication (LTPA), is an authentication technology used in IBM WebSphere and Lotus Domino products. When accessing web servers that use the LTPA technology it is possible for a web user to re-use their login across physical servers.

<span class="mw-page-title-main">SAP Graphical User Interface</span> Component of SAP systems

SAP GUI is the graphical user interface client in SAP ERP's 3-tier architecture of database, application server and client. It is software that runs on a Microsoft Windows, Apple Macintosh or Unix desktop, and allows a user to access SAP functionality in SAP applications such as SAP ERP and SAP Business Information Warehouse (BW). It is used for remote access to the SAP central server in a company network.

Session poisoning is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.

SAP NetWeaver Application Server or SAP Web Application Server is a component of SAP NetWeaver which works as a web application server for SAP products. All ABAP application servers including the message server represent the application layer of the multitier architecture of an ABAP-based SAP system. These application servers execute ABAP applications and communicate with the presentation components, the database, and also with each other, using the message server.

A password manager is a computer program that allows users to store and manage their passwords for local applications and online services. In many cases software used to manage passwords allow also generate strong passwords and fill forms. Password manager can be delivered as a one of or mixed of: computer application, mobile application, web browser extension, web based service, portable software for USB units.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

<span class="mw-page-title-main">Login</span> Process by which an individual gains access to a computer system

In computer security, logging in is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The user credentials are typically some form of username and a matching password, and these credentials themselves are sometimes referred to as alogin. In practice, modern secure systems often require a second factor such as email or SMS confirmation for extra security. Social login allows a user to use existing user credentials from a social networking service to sign in to or create an account on a new website.

Oracle Secure Global Desktop (SGD) software provides secure access to both published applications and published desktops running on Microsoft Windows, Unix, mainframe and IBM i systems via a variety of clients ranging from fat PCs to thin clients such as Sun Rays.

SAP NetWeaver Portal is one of the building blocks in the SAP NetWeaver architecture. With a Web Browser, users can begin work once they have been authenticated in the portal which offers a single point of access to information, enterprise applications, and services both inside and outside an organization. The portal provides access to business processes and information, social collaboration and content management across various consumption channels.

Network Level Authentication (NLA) is a feature of Remote Desktop Services or Remote Desktop Connection that requires the connecting user to authenticate themselves before a session is established with the server.

Distributed Access Control System (DACS) is a light-weight single sign-on and attribute-based access control system for web servers and server-based software. DACS is primarily used with Apache web servers to provide enhanced access control for web pages, CGI programs and servlets, and other web-based assets, and to federate Apache servers.

Pluggable Authentication Services (PAS) allows a SAP user to be authenticated outside of SAP. When the user is authenticated by an external service, the PAS will issue an SAP Logon Ticket or x.509 Certificate which will be used for future authentication into SAP systems. The PAS is generally regarded as an opportunity for companies to either use a new external authentication system or an existing external authentication system. In some cases, the PAS is used with an external single sign-on system that uses SAP Logon Tickets or x.509 certificates.

<span class="mw-page-title-main">Microsoft account</span> User account required for Microsoft-owned services

A Microsoft account or MSA is a single sign-on Microsoft user account for Microsoft customers to log in to Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

References