
How to Provide Logon Ticket to non SAP (J2E) system (SAPSSOEXT)

Hello Forum,

we need to provide SAP logon ticket to a non SAP, J2E based system in order to implement Single Sign On.

The external J2E system will use SAPSSOEXT to encrypt the ticket.

The external application will be called through a Web Dynpro application integrated in SAP Portal.

Since we also have to display some web content we would have to go with Exit Plugs, Call External Window or similar.

My question is: how, in the given situation, can the SAP logon ticket be provided to the partner system?

Ideally, the ICM should handle the task transparently to me?

But if not, what options do we have? I am thinking about, but not limited to:

- send http request by RFC destination, which has send logon ticket enabled (SM59). How is the ticket included in the request that way?

- extract the ticket with some public ABAP API and send it manually

- ...

Thanks in advance for any advice.

Carsten


3 Answers

  • Former Member
    Jan 25, 2009 at 12:37 AM

    Perhaps I am misunderstanding your requirement, but I don't think this is the intended scenario for logon tickets...

    I think you might have licensing issues as well.

    Have you looked into other authentication mechanisms?

    Cheers,

    Julius


  • Former Member
    Jan 25, 2009 at 07:31 PM

    The Logon Ticket is sent in a cookie called MYSAPSSO2. You just have to read the cookie and use the external library SAPSSOEXT to verify the logon ticket. This is perfectly legal and the way SAP intended it to be.

    You also have to make sure that the user is first authenticated by SAP Portal (so he gets the logon ticket) and that the ticket is sent to the external application (via the correct DNS name).

    SAP Logon Tickets are not very secure. Please make sure that they are only transported using encrypted links and that all users have up to date anti malware software on their systems.
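
Added example, not part of the original answer: the "correct DNS name" and "encrypted links" points come down to browser cookie scoping, so this sketch applies the RFC 6265 domain, path and Secure rules to a MYSAPSSO2 cookie and shows the receiving side reading it. The cookie attributes (a Domain attribute, Path, Secure flag) and all host names are constructed assumptions; verifying the extracted value with SAPSSOEXT is not shown.

```javascript
// Added example: RFC 6265 cookie matching applied to the MYSAPSSO2 cookie.
// All host names and cookie attributes used with it are constructed samples.

// RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(":"); // IPs never suffix-match
  return !isIp && h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: the request path must sit under the cookie path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Decide whether the browser attaches the ticket to a request, and why not.
function ticketDelivery(cookie, targetUrl) {
  const u = new URL(targetUrl);
  if (!domainMatches(u.hostname, cookie.domain))
    return { sent: false, reason: "host outside cookie domain" };
  if (!pathMatches(u.pathname, cookie.path))
    return { sent: false, reason: "path outside cookie path" };
  if (cookie.secure && u.protocol !== "https:")
    return { sent: false, reason: "Secure cookie, plain HTTP request" };
  if (u.protocol !== "https:")
    return { sent: true, reason: "sent in clear text: use HTTPS" };
  return { sent: true, reason: "ok" };
}

// Receiving side: pull the ticket value out of a raw Cookie request header.
function extractTicket(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === "MYSAPSSO2")
      return part.slice(eq + 1).trim() || null;
  }
  return null;
}
```

A result of `sent: false` for the external application's URL means the application never sees a ticket to verify, whatever SAPSSOEXT is configured to do.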


  • Jan 29, 2009 at 09:33 PM

    > - send http request by RFC destination, which has send logon ticket enabled (SM59). How is the ticket included in the request that way?
    >
    > Carsten

    That indicates that we are actually talking of "SAP (Authentication) Assertion Tickets" (and it discloses that you are using an ABAP system with SAP_BASIS release 6.40 or higher). Don't get confused by the wrong description in SM59: this is no SAP Logon Ticket but an Assertion Ticket.

    If you are using NWAS 7.0 then you could also consider using Web Service calls and SAML Tokens for authentication. That would be much more appropriate when communicating with non-SAP components.


    • Hello,

      thanks for all your answers and sorry, I was some time on a different topic.

      I also remembered (and looked it up) that there are different approaches to specify the logon method via a Portal iView.

      Right now we consider two different solutions:

      1) Make the call in ABAP, via HTTP Request, e.g. with SM59.

      2) Let the Portal iView make the request, using the authentication method provided by the linked System object.

      We prefer 2 kind of for implementation reasons.

      The Portal System object "http system", which we would use with the URL iView for example, offers different options like user/password (GET/POST), basic and so on.

      Does any of these solutions transfer the "assertion ticket" automatically?

      There is also the option custom authentication service. This has to be implemented via a Java Service on the Portal. Is such a service needed to implement the SAML/Web Service approach also?

      Regards

      Carsten