Skip to Content
avatar image
Former Member

Expected behavior in case of SSO

I have deployed two applications namely testapp and irj on SAP Web AS 7.0 on same protection domain i.e sap.com

I have protected these applications with an Authenticate template having two login modules:

1. Custom Login Module u2013 Requisite

2. Create Ticket Login Module -- Required

Now when I try accessing testapp application, my this architecture provides me SSO to testapp. And, in this case I am getting MYSAPSSO2 ticket and JSESSIONID.

The following logs were generated:

LOGIN.OK

User: Administrator

Authentication Stack: <template-name>

Login Module Flag Initialize Login Commit Abort Details

com.<custom-login-module> REQUISITE ok true true

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok true true

Central Checks true

And, when I try to access the irj portal in the same browser(which already has MYSAPSSO2 ticket), my Custom Login module is called up again and a new MYSAPSSO2 is again generated by Create Ticket Login Module.

The following logs were generated:

LOGIN.OK

User: Administrator

Authentication Stack: <template-name>

Login Module Flag Initialize Login Commit Abort Details

com.<custom-login-module> REQUISITE ok true true

com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok true true

Central Checks true

So, my question here is that the behavior I am getting here is the expected one i.e. a new MYSAPSSO2 ticket should be generated again or the existing MYSAPSSO2 ticket should be consumed by the SAP Web AS?

Another scenario is when I add another login module into the stack. Here, the stack has:

1. Evaluate Ticket Login Module u2013 Sufficient

2. Custom Login Module u2013 Requisite

3. Create Ticket Login Module -- Required

In a new browser, when I try to access the testapp application, I got the gollowing logs:

LOGIN.OK

User: Administrator

Authentication Stack: sap.com/testappEar*testapp

Login Module

Flag Initialize Login Commit Abort De

tails

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule

SUFFICIENT ok false false

2.

com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule

REQUISITE ok true true

3. com.sap.s

ecurity.core.server.jaas.CreateTicketLoginModule REQUIRED

ok true true

Central Checks true

And, when I try to access the irj portal in the same browser(which already has MYSAPSSO2 ticket), this time the Evaluate Ticket Login Module invokes and no new MYSAPSSO2 ticket is generated. The following logs were generated:

LOGIN.OK

User: Administrator

Authentication Stack: ticket Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok true true

2. com.<custom-login-module> REQUISITE ok false

3. com.sap.security.core.server.jaas.CreateTicketLoginModule REQUIRED ok false

Central Checks true

So, my question here is that the behavior I am getting here is the expected one i.e. a MYSAPSSO2 ticket should not be generated again and the existing MYSAPSSO2 ticket should be consumed by the SAP Web AS?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Apr 08, 2009 at 02:12 PM

    Yes, the second one is fine, if you already have a logon ticket, use it. Alternatively you can set the 'create ticket login module' to optional. In this case you will still be authenticated, even if the ticket cannot be created.

    1. Evaluate Ticket Login Module u2013 Sufficient

    2. Custom Login Module u2013 Requisite

    3. Create Ticket Login Module -- Optional

    -> if you already have a ticket, you're done (step 1)

    -> if you don't have a ticket, do your custom logon module and if it succeeds, then create a ticket

    [Sample Login Module Stacks for Using Logon Tickets|http://help.sap.com/erp2005_ehp_04/helpdata/EN/04/120b40c6c01961e10000000a155106/frameset.htm]

    [Login Module Stacks|http://help.sap.com/erp2005_ehp_04/helpdata/DE/99/f66e424925c253e10000000a1550b0/frameset.htm]

    Regards, Michael

    Add comment
    10|10000 characters needed characters exceeded