Introduction to SAP Authentication Assertion Tickets


Description of SAP Authentication Assertion Tickets, their uses and a comparison to SAP Logon Tickets 

SAP Authentication Assertion Tickets

An Authentication Assertion Ticket is an authentication token similar to a SAP Logon Ticket and is implemented using the same technology. Assertion tickets have a structure very similar to that of logon tickets and carry much the same information, such as the logon ID, the issuing system ID and the validity period, but they differ in how they are transmitted and in their intended purpose.

Comparison with Logon Tickets

  • Unlike logon tickets, which are used for end-user authentication and Single Sign-On (SSO), assertion tickets are typically used for system-to-system authentication, where no user interaction is necessary.
  • Logon tickets are typically transmitted in a non-persistent cookie, whereas assertion tickets are typically transmitted as an HTTP header.
  • Logon tickets are not created with a particular recipient in mind: once created, they can be used to authenticate on any number of appropriately configured systems. In contrast, assertion tickets are created for authentication on a single, specific system.
  • Assertion tickets contain an additional field for the recipient system ID, whereas logon tickets contain just the issuing system ID. For an AS ABAP to accept a particular assertion ticket, the recipient ID in the ticket must match the AS ABAP system ID.
  • Assertion tickets have a lifetime of just 2 minutes, which is not configurable. Logon tickets have a configurable lifetime, with a default of 8 hours.
  • Assertion tickets are limited to one-time use. Once the ticket has been verified, it is deleted.
  • The AS Java has specific login modules for evaluating and creating assertion tickets, EvaluateAssertionTicketLoginModule and CreateAssertionTicketLoginModule respectively, whereas the equivalent login modules for logon tickets are EvaluateTicketLoginModule and CreateTicketLoginModule.
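The following Python model, added here as an illustration and not taken from the page or from SAP's implementation, shows how the properties listed above change what an accepting system must check. It is deliberately simplified: the ticket fields, the HMAC stand-in for the issuer's signature, the `issue_ticket`/`TicketVerifier`/`extract_ticket` names and the system IDs (ERP, CRM, PI1) are all constructed assumptions, not SAP's real ticket format, which is an X.509-signed binary structure. What it does reproduce faithfully are the four acceptance rules from the list: recipient system ID must match the accepting system, a fixed 2-minute validity window, one-time use (a verified assertion ticket is discarded so it cannot be replayed), and the transport difference between the `mysapsso2` header and the `MYSAPSSO2` cookie.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_TICKET_LIFETIME_S = 2 * 60           # fixed 2 minutes, not configurable
DEFAULT_LOGON_TICKET_LIFETIME_S = 8 * 60 * 60  # configurable, 8 hours by default

# Constructed demo key shared by issuer and recipient (assumption). Real SAP
# tickets are signed with the issuing system's X.509 key; HMAC is a stand-in.
ISSUER_KEY = b"constructed-demo-key"


def issue_ticket(user, issuer_sid, recipient_sid=None, now=None):
    """Issue a signed ticket. recipient_sid=None models a logon ticket (no
    intended recipient); a system ID models an assertion ticket bound to that
    one system. Field names are assumptions for this demo."""
    now = time.time() if now is None else now
    body = {
        "user": user,
        "issuer": issuer_sid,
        "recipient": recipient_sid,
        "issued_at": now,
        "nonce": secrets.token_hex(8),  # lets the recipient detect reuse
    }
    payload = base64.urlsafe_b64encode(json.dumps(body).encode()).decode()
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


class TicketVerifier:
    """Acceptance checks performed by one application server (my_sid)."""

    def __init__(self, my_sid, logon_lifetime_s=DEFAULT_LOGON_TICKET_LIFETIME_S):
        self.my_sid = my_sid
        self.logon_lifetime_s = logon_lifetime_s
        self._consumed = set()  # nonces of assertion tickets already verified

    def verify(self, token, now=None):
        """Return (accepted, user_or_reason)."""
        now = time.time() if now is None else now
        payload, _, sig = token.rpartition(".")
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        body = json.loads(base64.urlsafe_b64decode(payload))
        age = now - body["issued_at"]
        if body["recipient"] is None:
            # Logon ticket: any appropriately configured system accepts it,
            # and it may be presented repeatedly until it expires.
            if age < 0 or age > self.logon_lifetime_s:
                return False, "logon ticket expired"
            return True, body["user"]
        # Assertion ticket: bound to one recipient, short-lived, single use.
        if body["recipient"] != self.my_sid:
            return False, "recipient mismatch"
        if age < 0 or age > ASSERTION_TICKET_LIFETIME_S:
            return False, "assertion ticket expired"
        if body["nonce"] in self._consumed:
            return False, "assertion ticket already used"
        self._consumed.add(body["nonce"])  # "delete" it: no second use
        return True, body["user"]


def extract_ticket(headers):
    """Locate the ticket in a request: assertion tickets arrive in a
    'mysapsso2' HTTP header, logon tickets in the MYSAPSSO2 cookie."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "mysapsso2" in lowered:
        return "header", lowered["mysapsso2"]
    for part in lowered.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "MYSAPSSO2":
            return "cookie", value
    return None, None


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    erp, crm = TicketVerifier("ERP"), TicketVerifier("CRM")
    # Constructed system-to-system request carrying an assertion ticket for ERP.
    a_req = {"Host": "erp.example.invalid",
             "mysapsso2": issue_ticket("RFCUSER", "PI1", recipient_sid="ERP", now=t0)}
    where, a_tok = extract_ticket(a_req)
    print(where, erp.verify(a_tok, now=t0 + 30))   # header (True, 'RFCUSER')
    print(erp.verify(a_tok, now=t0 + 31))           # second use is rejected
    print(crm.verify(issue_ticket("RFCUSER", "PI1", "ERP", now=t0), now=t0))  # wrong recipient
    # Constructed browser request carrying a logon ticket in the cookie.
    l_req = {"Cookie": "sap-usercontext=abc; MYSAPSSO2=" + issue_ticket("JSMITH", "PI1", now=t0)}
    where, l_tok = extract_ticket(l_req)
    print(where, erp.verify(l_tok, now=t0 + 3600), crm.verify(l_tok, now=t0 + 3600))
```

The design point worth noticing is that the one-time-use rule only holds if the accepting system remembers which assertion tickets it has already consumed for at least the 2-minute window; the short fixed lifetime is what keeps that replay cache small.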

Two sample requests from clients: in the first request an assertion ticket is transmitted as an HTTP header named 'mysapsso2', and in the second a logon ticket is transmitted in the MYSAPSSO2 cookie.

