SAP Logon Ticket

SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAP GUI and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications.

Operation

 * 1) User requests access to a resource on SAP NetWeaver Application Server.
 * 2) Resource requires authentication.
 * 3) SAP NetWeaver Application Server authenticates user, with user ID and password for example.
 * 4) SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
 * 5) SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie.
 * 6) When user authenticates with another application, the user's client presents the SAP Logon Ticket.

Composition

 * User ID
 * Validity date(s)
 * Issuing system
 * Digital signature
 * Authentication method

Notable properties
Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets.
 * login.ticket_client - a three-character numeric string used to indicate the client that is written into the SAP logon ticket
 * login.ticket_lifetime - indicates the validity period of the ticket in terms of hours and minutes (i.e., HH:MM)
 * login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket
 * ume.login.mdc.hosts - Enables SAP NetWeaver Application Server Java to request logon tickets from hosts outside the portal domain
 * ume.logon.httponlycookie - true/false for security against malicious client-side script code such as JavaScript
 * ume.logon.security.enforce_secure_cookie - Enforces SSL communication
 * ume.logon.security.relax_domain.level - Relaxes the subdomains for which the SAP logon ticket is valid

Single sign-on
SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for an authentication via http header variable and a Dynamic Link Library for verifying SSO Tickets in 3rd party software which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.

Web server filter
The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support http header variable authentication. The filter authenticates the logon ticket by using the enterprise portal's digital certificate. After authentication, the user's name, from the logon ticket, is extracted and is written into the http header. Additional configuration to the http header variable can done in the filter's configuration file (i.e., remote_user_alias).

Integration with identity and access management platforms

 * Tivoli Access Manager has developed an authentication service compatible with SAP Logon Tickets
 * Sun ONE Identity has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0) and SAP Pluggable Authentication Service (PAS) for integration with SAP for single sign-on. This method uses logon tickets for single sign-on and the SAPCRYPTOLIB (SAP encryption library) for SAP server-to-server encryption. Sun's solution utilizes the dynamic libraries (DLL) external authentication method.
 * IBM Lotus Domino can be used as a technical ticket verifier component

Availability

 * Windows, Microsoft Internet Information Server
 * Apache HTTP Server
 * Oracle iPlanet Web Server

Dynamic link library
SAP provides Java and C sample files that can provide some hints how the library can be implemented in the source code of a high level programming language such as Visual Basic, C or Java.

Single sign-on to Microsoft web applications
Microsoft web-based applications usually only support the authentication methods basic authentication or windows integrated authentication (Kerberos) provided by the Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls. SSO to Microsoft backend systems in extranet scenarios is limited to the user id password mechanism. Based on the new feature called protocol transition using constrained delegation SAP developed the SSO22KerbMap Module. This new ISAPI Filter requests a constrained Kerberos ticket for users identified by valid SAP Logon Ticket that can be used for SSO to Microsoft web-based applications in the back end.

Single sign-on to non-SAP Java environments
It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.

ABAP
Logon tickets allows for single sign-on into ABAP application servers. However, there are prerequisites:
 * Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different.
 * Web browsers need to be configured to accept cookies.
 * Any web servers for ABAP servers need to be placed on the same DNS
 * The issuing server must be able to digitally sign logon tickets (i.e., public-key and private-key are required).
 * Systems that accept logon tickets must have access to the issuing server's public-key certificate.

J2EE
Java servers allows for single sign-on into Java application servers. However, there are prerequisites:
 * Usernames need to be the same for all SAP system that the user wants single sign-on for. Passwords can be different.
 * Web browsers need to be configured to accept cookies.
 * Any web servers for ABAP servers need to be placed on the same DNS
 * Clocks for accepting tickets are synchronized with the issuing server's clock.
 * The issuing server must be able to digitally sign logon tickets (i.e., public-key and private-key are required).
 * Systems that accept logon tickets must have access to the issuing server's public-key certificate.

Security features

 * Digitally signed by the SAP portal server
 * Uses asymmetric cryptography to establish unidirectional trust relationship between users and SAP systems
 * Protected in transport via SSL
 * Validity period that can be configured in the security settings of the SAP Enterprise Portal

Security challenges

 * SAP Logon Tickets do not utilize Secure Network Communications (SNC)
 * Typical security-related issues around cookies stored in a web browser. Examples include:
 * Copying the SAP Logon Ticket via network traffic sniffing or social engineering and storing it on another computer for access to the SAP Enterprise Portal

Alternatives to SAP logon tickets

 * Account aggregation via SAP NetWeaver
 * Utilize Secure Network Communications-based single sign-on technology from independent software security providers

Account aggregation
The Enterprise Portal Server maps user information, i.e., user id and password, to allow users to access external systems. This approach requires that to maintain changes of username and/or password from one backend application to the portal. This approach is not viable to web-based backend systems because past security updates from Microsoft no longer support handling of usernames and passwords in HTTP, with or without Secure Sockets Layer (SSL), and HTTPS URLs in Internet Explorer

The usage of account aggregation has several drawbacks. First of all it requires that a SAP portal user has to maintain a user id and password for each application that is using account aggregation. If the password in one backend application changes the SAP portal user has to maintain the stored credentials too. Though account aggregation can be used as an option where no other solution might work it causes a significant administrative overhead.

Using account aggregation to access a web based backend system that is configured to use basic authentication results in sending a URL that contains user name and password. MS04-004, a security update from Microsoft published in 2004, removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer if this security patch has been applied:
 * http(s)://username:password@server/resource.ext