SSO with Logon-Ticket

The following article describes the process of running extractions using Single-Sign-On (SSO) with SAP Logon-Ticket. For more information on using SSO with Board Connector (BC), see Documentation: SAP Single-Sign-On.

Requirements

• The Board Connector server must be set up to use HTTPS, see SSO with Kerberos SNC.
• The Board Connector service must run under an BC Service Account.
• The BC service account must be configured for Constrained Delegation to the SPN of the AS Java in AD.
• An Application Server Java (AS Java) must be set up as a Ticket Issuing System, see SAP Help: Configuring the AS Java to Issue Logon Tickets.
• The AS Java must be configured for SPNEGO/Kerberos.
• A mapping between Windows AD users and SAP identities must be configured in the AS Java. The AS Java must be configured to generate SAP Logon Tickets. Consult with your SAP Basis team for more information.
• The SAP AS ABAP must be configured to trust SAP Logon Tickets from the AS Java, see SAP Help: Using Logon Tickets with AS ABAP.

Process of Authentication

The following graphic illustrates the process of calling an extraction with SSO via Ticket Issuer:

1. The BI tool user starts an extraction by calling the BC web service. They authenticate against the BC web service with their Active Directory identity, using HTTPS and SPNEGO.
   
2. The BC server contacts the Active Directory Domain Controller via Kerberos and tries to impersonate the web service caller (BI tool user) against the SAP AS Java (ticket issuer).
3. The BC server receives a Kerberos ticket from the DC that allows it to impersonate the caller against the AS Java.
   
4. The BC server uses the Kerberos ticket from 3. to authenticate against the AS Java as the caller via HTTPS and SPNEGO.
   Prerequisite: The AS Java has been configured for SPNEGO/Kerberos.
5. The AS Java maps the caller's AD identity to an SAP user and generates an SAP Logon Ticket for this SAP user. The AS Java sends the SAP Logon Ticket to the BC server via HTTPS as the value of the MYSAPSSO2 cookie.
   
6. The BC server takes the SAP Logon Ticket that it has received from the AS Java and uses it to authenticate against the AS ABAP as the caller via RFC.
   
7. The BC server extracts data from the AS ABAP using the identity and privileges of the caller (BI tool user) via RFC.
8. The BC server sends the extracted data from 7. to the caller.

Related Links

• Set Up an BC Service Account
• SAP Help: Kerberos and SAP NetWeaver AS for Java
• SAP Help: Using Logon Tickets with AS ABAP
• Youtube-Tutorial: Kerberos-Based Single Sign-On to Application Server Java Unlisted