Single Sign-On to Non-SAP Java Applications with SAPSSOEXT

Hi folks.
Just recently I had to implement SSO to a Tomcat-based JSP application, so that a portal user doesn’t have to log on twice. As you all know, SAP’s standard technology to implement SSO is the use of a cookie called SAP Logonticket. You may also know that there are two supported ways to implement SSO to non-SAP applications: using a native library for ticket verification or using a web server filter.

I decided to use the library SAPSSOEXT. On my search for documentation, I found out that the guide I knew from SDN had disappeared and the rest of the official documentation is... uh, let’s say a bit rudimentary.

So, here is a brief set of instructions from my side; maybe some of you will need it as well.

1. Get the required dynamic link libraries.

Go to -> Entry by Application Group -> Additional Components
Get the versions of SAPSECULIB and com.mysap.sso.SSO2Ticket

package com.mysap.sso;

import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

public class SSO2Ticket {

     public static final int ISSUER_CERT_SUBJECT = 0;
     public static final int ISSUER_CERT_ISSUER = 1;
     public static final int ISSUER_CERT_SERIALNO = 2;

     private static boolean initialized = false;

     public static String SECLIBRARY;
     public static String SSO2TICKETLIBRARY = "sapssoext";

     // Simple access control list of trusted ticket issuers, one entry per issuer:
     // sysid|client|certificate subject|certificate issuer|certificate serial number
     private static List<String> pseudoACL;

     static {
          pseudoACL = new ArrayList<String>();
          pseudoACL.add("EP7|000|OU=J2EE, CN=S1D|OU=J2EE, CN=EP7|00");

          if (System.getProperty("os.name").startsWith("Win")) {
               SECLIBRARY = "sapsecu.dll";
          } else {
               // file name of the SAPSECULIB shared library on non-Windows platforms
               SECLIBRARY = "";
          }

          try {
               // load the native SAPSSOEXT library that implements the native methods below
               System.loadLibrary(SSO2TICKETLIBRARY);
               System.out.println("SAPSSOEXT loaded.");
          } catch (Throwable e) {
               System.out.println("Error during initialization of SSO2TICKET:\n" + e.getMessage());
          }
     }

     /**
      * Initialization
      *
      * @param seclib location of ssf-implementation
      *
      * @return true/false whether initialization was ok
      */
     protected static native synchronized boolean init(String seclib);

     /**
      * Returns internal version.
      *
      * @return version
      */
     public static native synchronized String getVersion();

     /**
      * eval ticket
      *
      * @param ticket        the ticket
      * @param pab           location of pab
      * @param pab_password  password for access the pab
      *
      * @return Object array with:
      *         [0] = (String)user, [1] = (String)sysid, [2] = (String)client, [3] = (byte[])certificate
      *         [4] = (String)portalUser, [5] = (String)authSchema, [6] = validity
      */
     public static native synchronized Object[] evalLogonTicket(String ticket, String pab, String pab_password) throws Exception;

     /**
      * Parse certificate
      *
      * @param cert          Certificate received from evalLogonTicket
      * @param info_id       One of the request ids
      *
      * @return Info string from certificate
      */
     public static native synchronized String parseCertificate(byte[] cert, int info_id);

     /**
      * @param request          HttpServletRequest
      * @param pathToPSE        Path to PSE
      * @return String array with:
      *         [0] SAP system user
      *         [1] Id of the issuing system
      *         [2] Client of the issuing system
      *         [3] Portal user
      *         [4] Authscheme
      *         [5] Validity in seconds
      *         [6] Subject
      *         [7] Issuer
      *         [8] Serial number
      * @throws LogonTicketException
      */
     public static synchronized String[] verify(HttpServletRequest request, String pathToPSE) throws LogonTicketException {

          String[] ticketContent = null;

          if (!initialized) {
               init(SECLIBRARY);
               initialized = true;
          }

          String ticket = null;
          Cookie[] all_Cookies = request.getCookies();
          int i = 0;
          int j = 0;
          if (all_Cookies != null) j = all_Cookies.length;
          for (i = 0; i < j; i++) {
               //Get MYSAPSSO2 cookie from request context…
               if ("MYSAPSSO2".equals(all_Cookies[i].getName())) {
                    ticket = all_Cookies[i].getValue();
                    break;
               }
          }

          if (ticket == null) throw new LogonTicketException(LogonTicketException.NO_TICKET_FOUND); // mysapsso2 cookie not found

          Object[] o = null;
          try {
               o = SSO2Ticket.evalLogonTicket(ticket, pathToPSE, null);
               byte[] cert_ = (byte[]) o[3];

               ticketContent = new String[9];
               ticketContent[0] = (String)o[0]; //First element is the SAP system user
               ticketContent[1] = (String)o[1]; //Second element is the id of the issuing system
               ticketContent[2] = (String)o[2]; //Third element is the client of the issuing system
               ticketContent[3] = (String)o[4]; //Portal user
               ticketContent[4] = (String)o[5]; //Authscheme
               ticketContent[5] = (String)o[6]; //Validity in seconds
               ticketContent[6] = SSO2Ticket.parseCertificate(cert_, SSO2Ticket.ISSUER_CERT_SUBJECT);
               ticketContent[7] = SSO2Ticket.parseCertificate(cert_, SSO2Ticket.ISSUER_CERT_ISSUER);
               ticketContent[8] = SSO2Ticket.parseCertificate(cert_, SSO2Ticket.ISSUER_CERT_SERIALNO);

               // Compare the issuer data of the verified ticket with the list of trusted issuers
               String aclStr = ticketContent[1] + "|" + ticketContent[2] + "|" + ticketContent[6] + "|" + ticketContent[7] + "|" + ticketContent[8];
               if (!pseudoACL.contains(aclStr)) throw new LogonTicketException(LogonTicketException.TICKET_ISSUER_NOT_TRUSTED);
          } catch (LogonTicketException e) {
               // rethrow unchanged so that TICKET_ISSUER_NOT_TRUSTED is not reported as a failed verification
               throw e;
          } catch (Exception e) {
               LogonTicketException ex = new LogonTicketException(LogonTicketException.TICKET_VERIFICATION_FAILED);
               ex.initCause(e);
               throw ex;
          }

          return ticketContent;
     }
}

package com.mysap.sso;

/**
 * @author Karsten Geiseler
 */
public class LogonTicketException extends Exception {

     public static final String NO_TICKET_FOUND = "No ticket found";
     public static final String TICKET_VERIFICATION_FAILED = "Ticket verification failed";
     public static final String TICKET_ISSUER_NOT_TRUSTED = "Ticket Issuer not trusted";

     public LogonTicketException() {
          super();
     }

     public LogonTicketException(String message) {
          super(message);
     }

     public LogonTicketException(Throwable cause) {
          super(cause);
     }

     public LogonTicketException(String message, Throwable cause) {
          super(message, cause);
     }
}

Now modify the SSO2Ticket class according to your needs.
I demonstrated a simple access control list to list trusted ticket issuers. Add your trusted issuers there or implement a more sophisticated solution.
Feel free to add your own logging implementation.
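Do not move the classes to a different package! The JVM resolves native methods by the fully qualified class name, so the native library would no longer find them.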
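A stricter variant of the pseudoACL check, as an added example that is not part of the original post or of SAP's library: issuer fields are compared one by one, the certificate DNs in canonical form, and incomplete data is rejected. The class name TrustedIssuers and the sample ticket values are assumptions, and the DN strings are assumed to be in a format X500Principal can parse.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added example (hypothetical class): typed allow-list of trusted ticket issuers.
public final class TrustedIssuers {
    private final Set<List<Object>> trusted = new HashSet<List<Object>>();

    // Builds a comparison key with explicit field boundaries.
    // X500Principal.equals() compares canonical DNs, so differences in case
    // or in whitespace after the commas do not cause a mismatch.
    private static List<Object> key(String sysId, String client, String subject,
                                    String issuer, String serial) {
        if (sysId == null || client == null || subject == null
                || issuer == null || serial == null)
            throw new IllegalArgumentException("incomplete issuer data");
        return Arrays.<Object>asList(sysId, client, new X500Principal(subject),
                new X500Principal(issuer), serial);
    }

    public void trust(String sysId, String client, String subject,
                      String issuer, String serial) {
        trusted.add(key(sysId, client, subject, issuer, serial));
    }

    // ticketContent uses the layout returned by SSO2Ticket.verify():
    // [1] sysid, [2] client, [6] subject, [7] issuer, [8] serial number.
    public boolean isTrusted(String[] ticketContent) {
        if (ticketContent == null || ticketContent.length < 9) return false;
        try {
            return trusted.contains(key(ticketContent[1], ticketContent[2],
                    ticketContent[6], ticketContent[7], ticketContent[8]));
        } catch (IllegalArgumentException e) {
            return false; // missing field or unparsable DN: fail closed
        }
    }

    public static void main(String[] args) {
        TrustedIssuers acl = new TrustedIssuers();
        acl.trust("EP7", "000", "OU=J2EE, CN=S1D", "OU=J2EE, CN=EP7", "00");
        // Constructed ticket contents, not real ticket data.
        String[] good = {"jdoe", "EP7", "000", "jdoe", "basicauthentication",
                "480", "OU=J2EE,CN=S1D", "OU=J2EE,CN=EP7", "00"};
        String[] other = good.clone();
        other[1] = "XYZ"; // ticket from an issuing system that is not listed
        System.out.println(acl.isTrusted(good) + " " + acl.isTrusted(other));
    }
}
```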

4. Get your issuing portal’s certificate in a PSE file

Log on to your portal, go to System Administration -> System Configuration -> Keystore Administration and download the verify.pse file.

On your non-SAP system, put the file somewhere on the filesystem. The path to the file is an input variable for SSO2Ticket.verify(HttpServletRequest request, String pathToPSE). In my example the path will be C:
If you want to verify tickets of more than one issuing system, you have to store the X.509 certificates of each issuing system in a pse file. How this can be accomplished is described in SAP Note 722072.

5. Now you can call SSO2Ticket.verify(HttpServletRequest request, String pathToPSE)

Here is a JSP snippet to show the usage of the classes:




               String[] ticketContent = com.mysap.sso.SSO2Ticket.verify(request,”C:


          } catch (com.mysap.sso.LogonTicketException e)
          { %>
          <% } %>

That’s it. The verify method returns the ticket content as a String array; the portal’s userId is ticketContent[3].

Cheers, Karsten
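The call from step 5 wrapped in a servlet filter, as an added example that is not the author's code: every request is verified, a rejected ticket yields a plain 401 while the reason is only logged on the server, and the verified portal user is exposed through getRemoteUser(). The class name LogonTicketFilter, its package and the init-param name pathToPSE are assumptions.

```java
package com.example.sso; // hypothetical package for the filter

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import com.mysap.sso.LogonTicketException;
import com.mysap.sso.SSO2Ticket;

public class LogonTicketFilter implements Filter {
    private ServletContext context;
    private String pathToPSE;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        pathToPSE = config.getInitParameter("pathToPSE"); // assumed init-param name
        if (pathToPSE == null) throw new ServletException("init-param pathToPSE missing");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String[] ticketContent;
        try {
            // Verify on every request so a missing or invalid ticket is always rejected.
            ticketContent = SSO2Ticket.verify(request, pathToPSE);
        } catch (LogonTicketException e) {
            // The reason goes to the server log only; the client gets a plain 401.
            context.log("Logon ticket rejected: " + e.getMessage(), e);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final String portalUser = ticketContent[3];
        if (portalUser == null || portalUser.length() == 0) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Expose the verified portal user through the standard servlet API.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            public String getRemoteUser() { return portalUser; }
        }, res);
    }

    public void destroy() { }
}
```

The filter is mapped in web.xml to the URL patterns that need a portal logon, with the PSE location supplied as the init-param.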

  • good blog,

    I need an info.
    I have EP 7.0, how have I to define the non-SAP HTTP system on the portal to connect it and to use Logon Ticket?



    • Hi Mario.

      You don’t have to define a system per definition. What you need is a URL iView or an iView based on the generic appintegrator component.
      And of course, your remote application has to be in the same domain. So check with HttpWatch if the LogonTicket is sent to the application.

      For connecting systems with the generic AppIntegrator iView you might have a look at the HowTo Guide I’ve sent you via email.
      Hope this helps!

      Regards, Karsten
  • Karsten,

    We have a Tomcat-based web application (written in Java) in which we want to use SSO access through Enterprise Portal 7.0.

    We implemented the test code you provided in your post and we get the following error:  Ticket verification failed 
    In the code we see that you are trying to validate against the following parameters:    pseudoACL.add(“EP7|000|OU=J2EE, CN=S1D|OU=J2EE, CN=EP7|00”);

    We don’t feel that this approach prevents unauthorized users from gaining access to our web application.  Is there a way to get the portal role (either through the cookie or some other means) that has been assigned for access to our Non-SAP web application?

    Thanks for your assistance.


    • Hi Ted.

      If the exception says “ticket verification failed” it has nothing to do with my pseudoACL which should of course only be an example that you have to check whether the ticket issuing is somehow known and trusted. Since the ticket is signed with a certificate I consider this as secure.
      Your question for the user’s role assignments is rather a matter of authorization, not authentication.
      Cheers, Karsten

  • Karsten,

    Here I am getting error below please tell me how to resolve it
    I have a Tomcat-based web application (written in Java)

    > I modified your source for catch exception.
      The method evalLogonTicket throws an Exception

    try {
      o = SSO2Ticket.evalLogonTicket(ticket, pathToPSE, null);
    } catch (Exception e) {
      System.out.println( e.toString () );
    } catch (Throwable te) {
      System.out.println( te.toString () );
    }

    > I see following error

    SAPSSOEXT loaded.
    java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 5, ssf error= 26

    Thanks for your help.

  • Karsten,
    We used the code that you gave in the blog to verify the SAP ticket and it gave an error Ticket Verification Failed Standard Error= 9 and SSF Error = 0. Will you be able to give us some clue as to why this failure is occurring?
    We are using Java Struts with Weblogic Server.
  • First, thanks to the author for writing such a helpful blog.

    I have written a small Servlet which calls the “verify” method here. It works perfectly, ie prints out the MYSAPSSO2 cookie contents.

    However, I am just getting one problem of UnsatisfiedLinkError : init when I re-deploy the servlet.

    I have to restart the server0 to get rid of this error. All works fine till I re-deploy again.

    Please let me know why this error comes when I re-deploy the servlet.