SAP Logon Ticket

Last updated January 11, 2025

Snm short bullet Prufe half full percentage gune alfabetic chart object. nd be question Nun Langui by other description

Operation
Composition
Notable properties
Single sign-on
Web server filter
Integration with identity and access management platforms
Dynamic link library
Single sign-on to Microsoft web applications
Single sign-on to non-SAP Java environments
Integration into SAP systems
ABAP
J2EE
Security features
Security challenges
Alternatives to SAP logon tickets
Secure network communications-based single sign-on
See also
References
External links

Operation

User requests access to a resource on SAP NetWeaver Application Server.
Resource requires authentication.
SAP NetWeaver Application Server authenticates user, with user ID and password for example.
SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie.
When user authenticates with another application, the user's client presents the SAP Logon Ticket.

Composition

User ID
Validity date(s)
Issuing system
Digital signature
Authentication method

Notable properties

Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets.^[1]

login.ticket_client - a three-character numeric string used to indicate the client that is written into the SAP logon ticket
login.ticket_lifetime - indicates the validity period of the ticket in terms of hours and minutes (i.e., HH:MM)
login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket
ume.login.mdc.hosts - Enables SAP NetWeaver Application Server Java to request logon tickets from hosts outside the portal domain
ume.logon.httponlycookie - true/false for security against malicious client-side script code such as JavaScript
ume.logon.security.enforce_secure_cookie - Enforces SSL communication
ume.logon.security.relax_domain.level - Relaxes the subdomains for which the SAP logon ticket is valid

Single sign-on

SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for an authentication via http header variable and a Dynamic Link Library for verifying SSO Tickets in 3rd party software which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.

Web server filter

The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support http header variable authentication. The filter authenticates the logon ticket by using the enterprise portal's digital certificate. After authentication, the user's name, from the logon ticket, is extracted and is written into the http header. Additional configuration to the http header variable can done in the filter's configuration file (i.e., remote_user_alias).

Integration with identity and access management platforms

Tivoli Access Manager has developed an authentication service compatible with SAP Logon Tickets^[2]
Sun ONE Identity has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0) and SAP Pluggable Authentication Service (PAS) for integration with SAP for single sign-on. This method uses logon tickets for single sign-on and the SAPCRYPTOLIB (SAP encryption library) for SAP server-to-server encryption. Sun's solution utilizes the dynamic libraries (DLL) external authentication method.^[3]
IBM Lotus Domino can be used as a technical ticket verifier component ^[4]

Availability

Dynamic link library

SAP provides Java and C sample files that can provide some hints how the library can be implemented in the source code of a high level programming language such as Visual Basic, C or Java.

Single sign-on to Microsoft web applications

Microsoft web-based applications usually only support the authentication methods basic authentication or windows integrated authentication (Kerberos) provided by the Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls. SSO to Microsoft backend systems in extranet scenarios is limited to the user id password mechanism. Based on the new feature called protocol transition using constrained delegation SAP developed the SSO22KerbMap Module. This new ISAPI Filter requests a constrained Kerberos ticket for users identified by valid SAP Logon Ticket that can be used for SSO to Microsoft web-based applications in the back end.^[5]

Single sign-on to non-SAP Java environments

It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.^[6]^[7]

Integration into SAP systems

ABAP

Logon tickets allows for single sign-on into ABAP application servers.^[8] However, there are prerequisites:

Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different.
Web browsers need to be configured to accept cookies.
Any web servers for ABAP servers need to be placed on the same DNS
The issuing server must be able to digitally sign logon tickets (i.e., public-key and private-key are required).
Systems that accept logon tickets must have access to the issuing server's public-key certificate.

J2EE

Java servers allows for single sign-on into Java application servers.^[9] However, there are prerequisites:

Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different.
Web browsers need to be configured to accept cookies.
Any web servers for ABAP servers need to be placed on the same DNS
Clocks for accepting tickets are synchronized with the issuing server's clock.
The issuing server must be able to digitally sign logon tickets (i.e., public-key and private-key are required).
Systems that accept logon tickets must have access to the issuing server's public-key certificate.

Security features

Digitally signed by the SAP portal server
Uses asymmetric cryptography to establish unidirectional trust relationship between users and SAP systems
Protected in transport via SSL
Validity period that can be configured in the security settings of the SAP Enterprise Portal

Security challenges

SAP Logon Tickets do not utilize Secure Network Communications (SNC)
Typical security-related issues around cookies stored in a web browser. Examples include:^[10]
- Copying the SAP Logon Ticket via network traffic sniffing or social engineering and storing it on another computer for access to the SAP Enterprise Portal

Alternatives to SAP logon tickets

Account aggregation via SAP NetWeaver
Utilize Secure Network Communications-based single sign-on technology from independent software security providers

Secure network communications-based single sign-on

Account aggregation

The Enterprise Portal Server maps user information, i.e., user id and password, to allow users to access external systems. This approach requires that to maintain changes of username and/or password from one backend application to the portal. This approach is not viable to web-based backend systems because past security updates from Microsoft no longer support handling of usernames and passwords in HTTP, with or without Secure Sockets Layer (SSL), and HTTPS URLs in Internet Explorer

The usage of account aggregation has several drawbacks. First of all it requires that a SAP portal user has to maintain a user id and password for each application that is using account aggregation. If the password in one backend application changes the SAP portal user has to maintain the stored credentials too. Though account aggregation can be used as an option where no other solution might work it causes a significant administrative overhead.

Using account aggregation to access a web based backend system that is configured to use basic authentication results in sending a URL that contains user name and password. MS04-004,^[11] a security update from Microsoft published in 2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer if this security patch has been applied:

http(s)://username:password@server/resource.ext

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single SSO ID to any of several related, yet independent, software systems.

Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. JAAS was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated in version 1.4.

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where <credentials> is the Base64 encoding of ID and password joined by a single colon :.

Lightweight Third-Party Authentication (LTPA), is an authentication technology used in IBM WebSphere and Lotus Domino products. When accessing web servers that use the LTPA technology it is possible for a web user to re-use their login across physical servers.

<span class="mw-page-title-main">SAP Graphical User Interface</span> Component of SAP systems

SAP GUI is the graphical user interface client in SAP ERP's 3-tier architecture of database, application server and client. It is software that runs on a Microsoft Windows, Apple Macintosh or Unix desktop, and allows a user to access SAP functionality in SAP applications such as SAP ERP and SAP Business Information Warehouse (BW). It is used for remote access to the SAP central server in a company network.

Session poisoning is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system, which is governed by Group Policy settings, for which different versions of Windows have different default settings.

SAP NetWeaver Application Server or SAP Web Application Server is a component of SAP NetWeaver which works as a web application server for SAP products. All ABAP application servers including the message server represent the application layer of the multitier architecture of an ABAP-based SAP system. These application servers execute ABAP applications and communicate with the presentation components, the database, and also with each other, using the message server.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

In computer security, logging in is the process by which an individual gains access to a computer system or program by identifying and authenticating themselves.

Oracle Secure Global Desktop (SGD) software provides secure access to both published applications and published desktops running on Microsoft Windows, Unix, mainframe and IBM i systems via a variety of clients ranging from fat PCs to thin clients such as Sun Rays.

A user is a person who utilizes a computer or network service. A user often has a user account and is identified to the system by a username . Some software products provide services to other systems and have no direct end users.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection.

Distributed Access Control System (DACS) is a light-weight single sign-on and attribute-based access control system for web servers and server-based software. DACS is primarily used with Apache web servers to provide enhanced access control for web pages, CGI programs and servlets, and other web-based assets, and to federate Apache servers.

Pluggable Authentication Services (PAS) allows a SAP user to be authenticated outside of SAP. When the user is authenticated by an external service, the PAS will issue an SAP Logon Ticket or x.509 Certificate which will be used for future authentication into SAP systems. The PAS is generally regarded as an opportunity for companies to either use a new external authentication system or an existing external authentication system. In some cases, the PAS is used with an external single sign-on system that uses SAP Logon Tickets or x.509 certificates.

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

References

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Logon Ticket

[2] Authenticating a SAP login ticket in Tivoli Access Manager e-business WebSEAL

[3] Single Sign-On Solution for SAP Internet Transaction Server 2.0

[4] Ticket Verifier Technical Components

[5] Using SAP Logon Tickets for Single Sign-On

[6] Validating SAP Logon Tickets with Java

[7] MySAP SSO Support

[8] Using Logon Tickets

[9] Using Logon Tickets for Single Sign-On

[10] W3 Security FAQ on Browser Cookies

[11] MS04-004: Cumulative Security Update for Internet Explorer

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]