
Purpose

List and describe the purpose of the UME properties most relevant to SAP logon ticket creation on the AS Java

Overview

The UME properties listed here are the most important for ticket creation. They control what is written to the ticket and how long the ticket is valid, and they influence how the browser handles the MYSAPSSO2 cookie containing the logon ticket.

Important parameters for logon ticket creation


login.ticket_client

Its value determines the client number that is written to the logon ticket issued by the Java Application Server.

Default value: 000.

Only change this value when configuring SSO between the Java and ABAP stacks of a dual-stack WebAS; in any other case the default value will suffice.

The reason for this change is that the combination of system ID and client must be unique in order for tickets to be accepted by an SAP Web AS ABAP system. In a dual-stack system the system IDs of the AS ABAP and AS Java are the same, so you must change the default client of the J2EE Engine (000) to a client that does not exist on the SAP Web AS ABAP system.

login.ticket_portalid

In a logon ticket issued by an AS Java two users can be written: the R/3 user and the Portal user.

As long as the ID used to log on to the Java AS is no longer than 13 characters and user mapping is not configured, the first user, called ‘R/3 User’, will have this logon ID as its value. If the logon ID is longer than 13 characters and user mapping is not configured, then ‘R/3 User’ will be blank. If user mapping is configured, the pre-configured mapped ID is written as the ‘R/3 User’ in the ticket instead of the logon ID.

ABAP systems always read the ‘R/3 User’ from the ticket when evaluating a received ticket.

The value of login.ticket_portalid determines whether or not the second user ‘Portal User’ is written in the ticket.

  • YES = The ‘Portal User’ is always written into the logon ticket.
  • NO = The ‘Portal User’ is never written into the logon ticket.
  • AUTO = If a portal installation is detected, the ‘Portal User’ is written into the logon ticket.

‘Portal User’ has the form ‘portal:<logon id>’.
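The rules above for the two user fields, as an added example in Python (not SAP's own code): ticket_users applies the 13-character limit, the user-mapping override and the YES/NO/AUTO values of login.ticket_portalid, and user_seen_by_abap shows which field an ABAP system evaluates. The function names and the mapped_id/portal_installed parameters are this example's own.

```python
"""Added example (not SAP's own code): which user fields an AS Java logon
ticket carries under the page's rules for 'R/3 User' and login.ticket_portalid.
Names such as ticket_users and mapped_id are this example's own."""
from dataclasses import dataclass
from typing import Optional

# Longest logon ID that is still copied into the 'R/3 User' field
R3_USER_MAX_LEN = 13


@dataclass(frozen=True)
class TicketUsers:
    r3_user: str                 # 'R/3 User' field, "" when left blank
    portal_user: Optional[str]   # 'Portal User' field, None when not written


def ticket_users(logon_id: str, ticket_portalid: str,
                 mapped_id: Optional[str] = None,
                 portal_installed: bool = False) -> TicketUsers:
    """Derive both ticket user fields.

    mapped_id        - the pre-configured mapped ID if user mapping is set up,
                       otherwise None
    portal_installed - whether a portal installation would be detected (AUTO)
    """
    # 'R/3 User': a configured mapping wins; otherwise the logon ID is used
    # only when it fits in 13 characters, else the field is blank.
    if mapped_id is not None:
        r3_user = mapped_id
    elif len(logon_id) <= R3_USER_MAX_LEN:
        r3_user = logon_id
    else:
        r3_user = ""

    # 'Portal User': governed by login.ticket_portalid
    setting = ticket_portalid.strip().upper()
    if setting == "YES":
        write_portal_user = True
    elif setting == "NO":
        write_portal_user = False
    elif setting == "AUTO":
        write_portal_user = portal_installed
    else:
        raise ValueError(
            f"login.ticket_portalid must be YES, NO or AUTO, got {ticket_portalid!r}")

    portal_user = f"portal:{logon_id}" if write_portal_user else None
    return TicketUsers(r3_user, portal_user)


def user_seen_by_abap(ticket: TicketUsers) -> str:
    """An ABAP system evaluates only the 'R/3 User' field; an empty string
    here means the ticket names no ABAP user at all."""
    return ticket.r3_user


if __name__ == "__main__":
    # Constructed sample logon IDs, not taken from any real system
    for uid in ("JSMITH", "ALONGUSERNAME12"):
        t = ticket_users(uid, "AUTO", portal_installed=True)
        print(uid, "->", t, "ABAP sees:", repr(user_seen_by_abap(t)))
```

Running the script shows the practical consequence of the 13-character limit: a long logon ID without user mapping yields a ticket whose ‘R/3 User’ is blank, so an ABAP system receiving it has no user to evaluate, even though the ‘Portal User’ field is populated.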

ume.logon.security.relax_domain.level

The URL used to request an application deployed on the ticket issuing Java AS should contain the fully qualified domain name of the server if it is intended that the logon ticket is used for SSO to other systems.

By default once authentication succeeds the MYSAPSSO2 cookie will be set with a domain attribute equal to the domain specified in the URL.

The browser uses this domain attribute to decide to which servers the cookie should be sent, i.e. it will usually send the MYSAPSSO2 cookie with all requests to any server in the domain that matches its domain attribute.

The UME allows you to specify the number of sub-domains that the Java AS should remove from the domain in the URL when setting the domain attribute of the MYSAPSSO2 cookie.

This allows some control over where the browser will send the cookie.

For example, if the value is 1 and the logon ticket is issued by the Java Application Server myserver.mycountry.mycompany.com, the logon ticket is valid for all servers in the domain mycountry.mycompany.com. With a value of 2, the logon ticket is valid for all servers in the domain mycompany.com.

login.ticket_lifetime

Number of hours that the logon ticket is valid.

Default value is 8.

Typically it should be set to a value just greater than the user's average working day.

Marks the logon ticket as a secure cookie, to enforce that the client browser sends the cookie only when the connection from the browser to the AS Java, or to the reverse proxy/load balancer in front of the AS Java, is SSL encrypted.

If set to true and there is no SSL connection to the AS, the client will not send the cookie with requests to it and authentication will fail.

ume.logon.httponlycookie

If TRUE, the MYSAPSSO2 cookie has the attribute HttpOnly. This prevents it from being read by client-side script code such as JavaScript, including malicious script.
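The cookie-related properties above (ume.logon.security.relax_domain.level, login.ticket_lifetime, the secure-cookie setting and ume.logon.httponlycookie) as one added example in Python, not SAP's own code: cookie_domain strips the configured number of labels from the request host, set_cookie_header shows the resulting Set-Cookie value, browser_sends_cookie applies standard cookie domain and Secure matching to a target host, and ticket_still_valid applies the lifetime in hours. The page does not name the secure-cookie property, so the example uses a parameter called enforce_secure for it; all function names are this example's own, and the rule that at least two labels must remain after stripping is the example's own sanity check, not a documented UME rule.

```python
"""Added example (not SAP's own code): how ume.logon.security.relax_domain.level,
login.ticket_lifetime, the secure-cookie setting and ume.logon.httponlycookie
shape the MYSAPSSO2 cookie and whether a browser would send it back.
enforce_secure stands in for the secure-cookie property, whose name this page
does not give; all function names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CookiePolicy:
    relax_domain_level: int = 0      # ume.logon.security.relax_domain.level
    ticket_lifetime_hours: int = 8   # login.ticket_lifetime (default 8)
    enforce_secure: bool = False     # secure-cookie setting (name not on the page)
    http_only: bool = False          # ume.logon.httponlycookie


def cookie_domain(request_host: str, relax_level: int) -> str:
    """Strip relax_level leading labels from the host in the request URL.
    Requiring at least two labels to remain is this example's own guard."""
    labels = request_host.lower().rstrip(".").split(".")
    if relax_level < 0 or len(labels) - relax_level < 2:
        raise ValueError(
            f"relax level {relax_level} leaves no usable domain for {request_host}")
    return ".".join(labels[relax_level:])


def set_cookie_header(ticket: str, request_host: str, policy: CookiePolicy) -> str:
    """Build the Set-Cookie value emitted after a successful logon. The
    validity period lives inside the ticket itself, so no Max-Age is set."""
    parts = [f"MYSAPSSO2={ticket}",
             f"Domain={cookie_domain(request_host, policy.relax_domain_level)}",
             "Path=/"]
    if policy.enforce_secure:
        parts.append("Secure")
    if policy.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def browser_sends_cookie(domain_attr: str, secure: bool,
                         target_host: str, scheme: str) -> bool:
    """Standard cookie matching: the target host must equal the Domain
    attribute or be a sub-domain of it, and a Secure cookie travels only
    over https."""
    host = target_host.lower()
    domain_match = host == domain_attr or host.endswith("." + domain_attr)
    if not domain_match:
        return False
    if secure and scheme.lower() != "https":
        return False
    return True


def ticket_still_valid(issued_at: datetime, now: datetime, lifetime_hours: int) -> bool:
    """login.ticket_lifetime is a number of hours counted from issue time."""
    return issued_at <= now < issued_at + timedelta(hours=lifetime_hours)


if __name__ == "__main__":
    # Constructed values: the page's example host and a dummy ticket string
    policy = CookiePolicy(relax_domain_level=1, enforce_secure=True, http_only=True)
    issuer = "myserver.mycountry.mycompany.com"
    print(set_cookie_header("DUMMY_TICKET", issuer, policy))
    dom = cookie_domain(issuer, policy.relax_domain_level)
    for host, scheme in (("erp.mycountry.mycompany.com", "https"),
                         ("erp.mycountry.mycompany.com", "http"),
                         ("erp.othercountry.mycompany.com", "https")):
        sent = browser_sends_cookie(dom, policy.enforce_secure, host, scheme)
        print(f"{scheme}://{host}: cookie sent={sent}")
```

The script reproduces the page's example: with a relax level of 1 the cookie domain becomes mycountry.mycompany.com, so an ABAP system in that domain receives the ticket over https but a server in othercountry.mycompany.com does not, and with the secure setting on, the same in-domain server reached over plain http receives no cookie at all, which is the failure mode described for that setting.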

login.authschemes.definition.file

Specifies the name of the file that contains the list of available authentication schemes. If custom authschemes are in use, the file containing their definitions is given as the value of this parameter.

Related Content

Related Documents

Logon Ticket creation in AS Java
Logon Ticket UME parameters

Related SAP Notes/KBAs
