Week 3: Security & Troubleshooting

Unit 2: Logon Procedures: Part 1

Logon Procedures: Part 1
Supported logon procedures of the AS Java

Standard Java Authentication and Authorization Service

(JAAS) is implemented in SAP NetWeaver Application
Server for Java for different logon procedures

Most important procedures are:

▪ Anonymous logon
▪ User ID and password
▪ Logon ticket
▪ Assertion ticket
▪ Windows logon (Kerberos SPNEGO)
▪ Digital certificates (X.509 client certificates)
▪ SAML 2.0 assertions

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Logon Procedures: Part 1
Policy configuration and possible changes

▪ To maintain: SAP NetWeaver Administrator →

Configuration → Security → Authentication and
Single Sign-On
▪ All applications that are programmed in Web
Dynpro Java are configured using a single servlet
(sap.com/tc~wd~dispwda*webdynpro_ dispatcher)
▪ Most common logon procedure: “ticket”
▪ Custom-built login modules in accordance with the
JAAS standard are also supported

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

Logon Procedures: Part 1
Standard login modules

Most important login modules:

▪ BasicPasswordLoginModule
▪ DigestLoginModule
▪ ClientCertificateLoginModule
▪ CreateTicketLoginModule
▪ EvaluateTicketLoginModule
▪ SPNegoLoginModule
▪ SAML2LoginModule

NOTE: SAP KBA 2273981 lists some

example configurations. Also redirect
application, as mentioned in
SAP Note 1250795, can be used.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Logon Procedures: Part 1
Logon ticket

▪ A logon ticket represents the user credentials. It

does not contain any passwords.
▪ It is stored as a non-persistent cookie with the
name MYSAPSSO2.
▪ The authentication stack “ticket” (by default) first
checks whether there is a valid logon ticket
(EvaluateTicketLoginModule). If not, the user
must enter his/her user ID and password
(BasicPasswordLoginModule). A logon ticket is
then issued if the entries are correct
(CreateTicketLoginModule).
▪ Successive authentication takes place using the
logon ticket.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Logon Procedures: Part 1
Logon ticket: simple scenario diagram

SSO on a single SAP AS Java (SSO

between applications on the same system):
1. A user tries to access an application which
requires basic authentication.
2. After successful authentication, the server
issues a logon ticket.
3. The user tries to access the application which
expects a logon ticket from the user.
4. Since the user already has a logon ticket, the
access to the second application is granted.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 6

Logon Procedures: Part 1
Logon ticket: two SAP systems in the same domain

▪ The client communicates with only one of the

systems, and that system communicates with
another AS Java.
▪ The communication with the second server is
done with the logon ticket. The session cookie
contains the following attributes:
Domain – the cookie will be sent ONLY if the
user is requesting access to a system within
the sofl.sap.corp domain.
Note that further domain relaxation is
possible.
Path – determines for which applications the
cookie will be sent from the browser to the
server.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 7

Logon Procedures: Part 1
Assertion ticket

Assertion ticket is an extension of the logon

ticket. The main differences between logon
tickets and assertion tickets:
▪ Lifetime/Validity:
Logon ticket lifetime: 8 hours (default)
Assertion ticket lifetime: 2 minutes (default)
▪ Acceptance range (system level): Logon ticket
can be used multiple times whereas assertion
tickets have one-time usage
▪ Logon tickets are transmitted as cookies,
whereas assertion tickets are transported as
Two sample requests from clients, wherein the first
HTTP headers
request is an assertion ticket (transmitted as an HTTP
▪ Special login modules exists for assertion tickets: header with name MYSAPSSO2), and second is a
EvaluateAssertionTicketLoginmodule and logon ticket (transmitted as a MYSAPSSO2 session
CreateAssertionTicketLoginModule cookie)

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 8

Logon Procedures: Part 1
Sample ticket usage

Possible Scenarios:
▪ AS Java to ABAP: The logon/assertion ticket is
created on the Java side and sent to the ABAP
system. The ABAP server should be able to
evaluate the ticket using the AS Java server
public certificate.
▪ ABAP to Java: The assertion ticket is created
on the ABAP side. The Java server evaluates
the ticket using the ABAP server certificate.
▪ AS Java to AS Java: The logon ticket is created
on the issuing server and evaluated on the
receiving server. The evaluating server should
use the issuing server certificate to evaluate the
ticket.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 9

Logon Procedures: Part 1
Troubleshooting: logon/assertion tickets

Steps for end-to-end tracing (example scenario: SSO between AS Java and AS ABAP fails):
▪ Activate security tracing on AS ABAP
▪ Activate the troubleshooting wizard (SAP Note ##1332726) on the AS Java
▪ Start the troubleshooting wizard, reproduce the issue, and collect the traces on both servers
▪ Take a browser HTTP/HTTPS traffic trace (using tools like HTTPWATCH/ Live HTTP header)

Check SAP KBA 2551642 for the most common SSO (AS Java to AS ABAP) issues, solutions, and
for further troubleshooting steps

More info: https://wiki.scn.sap.com/wiki/display/ASJAVA/Single+Sign-On+with+SAP+Logon+Tickets

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 10

Thank you.
Contact information:

open@sap.com
© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks
and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and
they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.