
Securing offline workflow approvals

We are trying to implement offline workflow approvals by activating inbound emails to SAP. Since any email can be 'made to look' as if it came from another person these days, what are the measures that can be implemented to make sure that the email is legit?

Currently, the plan is to embed a key in the email while it is sent out, and to check if the key is present in the reply email.

I read through this document (Sender authentication part 2: Reading email headers - Terry Zink: Security Talk - Site Home - MSDN Blogs), but the message header that I am getting in SOIN doesn't match the one in the document.

Example:

Offline/External Mail Approval Process without using SAP Part-3

Thanks,

Juwin
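The plan described in the question (embed a key in the outgoing mail, check that the reply carries it back), worked through as an added example that is not from the original post or from SAP. It assumes a secret held on the SAP side (the `approvalSecret` value here is a constructed placeholder), that the approver replies with APPROVE or REJECT as the first unquoted line, and that the reply quotes the original mail so the key line comes back with it. The key is an HMAC over the work item, approver and deadline rather than a random string, so nothing has to be stored per mail and a key cannot be re-used for a different work item. Note what it does and does not prove: a matching key shows the reply was written by someone who has the original mail, not who that someone is, and the From check only catches mistakes because the From header is under the sender's control.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
	"time"
)

// approvalSecret stands in for a key kept in SAP's secure storage (constructed demo value).
var approvalSecret = []byte("constructed-demo-secret-not-for-production")

// ApprovalRequest is the data the outbound approval mail is generated from.
type ApprovalRequest struct {
	WorkItem string    // workflow work item identifier
	Approver string    // address the request was sent to
	Expires  time.Time // reply deadline
}

// ApprovalKey is an HMAC over the work item, approver and deadline. Without
// approvalSecret a valid key cannot be computed for another work item, approver
// or deadline, and the inbound side recomputes it instead of storing it.
func ApprovalKey(req ApprovalRequest) string {
	m := hmac.New(sha256.New, approvalSecret)
	fmt.Fprintf(m, "%s|%s|%d", req.WorkItem, strings.ToLower(req.Approver), req.Expires.Unix())
	return hex.EncodeToString(m.Sum(nil))
}

// OutboundBody is the text sent to the approver; the key line is what the
// reply is expected to carry back, normally inside the quoted original.
func OutboundBody(req ApprovalRequest) string {
	return fmt.Sprintf("Please reply with APPROVE or REJECT as the first line.\n"+
		"Work item: %s\nApproval-Key: %s\n", req.WorkItem, ApprovalKey(req))
}

var keyLine = regexp.MustCompile(`Approval-Key:\s*([0-9a-f]{64})`)

// VerifyReply checks an inbound reply: sender matches the approver, the deadline
// has not passed, the key is present and intact, and the first unquoted line is
// a decision. The From check guards against mistakes only; From is attacker-
// controlled unless the mail is digitally signed.
func VerifyReply(req ApprovalRequest, raw string, now time.Time) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil || !strings.EqualFold(from.Address, req.Approver) {
		return "", errors.New("reply not from the expected approver")
	}
	if now.After(req.Expires) {
		return "", errors.New("approval deadline passed")
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return "", err
	}
	m := keyLine.FindSubmatch(body)
	if m == nil {
		return "", errors.New("approval key missing from reply")
	}
	// Constant-time comparison against the recomputed key.
	if !hmac.Equal(m[1], []byte(ApprovalKey(req))) {
		return "", errors.New("approval key does not match this work item")
	}
	for _, line := range strings.Split(string(body), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ">") {
			continue // skip blank lines and the quoted original
		}
		switch strings.ToUpper(line) {
		case "APPROVE", "REJECT":
			return strings.ToUpper(line), nil
		}
		return "", fmt.Errorf("first line %q is not APPROVE or REJECT", line)
	}
	return "", errors.New("no decision found in reply")
}

func main() {
	req := ApprovalRequest{WorkItem: "000000123456", Approver: "approver@example.com",
		Expires: time.Date(2015, 10, 30, 0, 0, 0, 0, time.UTC)}
	// Constructed reply: decision on the first line, original mail quoted below it.
	reply := "From: Approver <approver@example.com>\r\nSubject: Re: Approval\r\n\r\n" +
		"APPROVE\r\n\r\n> " + strings.ReplaceAll(OutboundBody(req), "\n", "\r\n> ")
	fmt.Println(VerifyReply(req, reply, time.Date(2015, 10, 22, 9, 0, 0, 0, time.UTC)))
}
```

On the SAP side the same checks would sit in the inbound processing class behind SOIN; the point of the HMAC construction is that it needs no per-mail table and the deadline limits how long a leaked key stays useful.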


1 Answer

  • Best Answer
    Oct 22, 2015 at 09:02 AM

    Hi Juwin,

    That still doesn't stop someone with SAP access from determining the key and spoofing the mail.

    The most reliable way would be digitally signing mails. Your email infrastructure guys would have to ensure digital certificates/signatures are created and set up in all relevant email clients (this is not a bad thing anyway!), and digital signatures would then be verified on the inbound side.

    I know SAP can be made to do that, but unfortunately have never done it myself so currently don't even know where to start.

    Regards,

    Mike
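What "digital signatures verified on the inbound side" amounts to in code, as an added example that is not from the answer above and not SAP's own implementation. It builds an in-memory company CA and an approver certificate for the demo (the `Example Corp Mail CA` name and `approver@example.com` address are assumptions) and uses a detached Ed25519 signature over the From address and body rather than real S/MIME; S/MIME wraps the same idea in CMS/PKCS#7, which the SAP inbound handler would have to parse, but the three checks that matter are the ones shown: the certificate chains to a CA you trust, it was issued for the address in From, and the signature covers the body you are about to act on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SignedReply is a detached-signature envelope over a reply. Simplified stand-in
// for S/MIME: the certificate travels with the mail, the signature covers the body.
type SignedReply struct {
	From      string
	Body      string
	CertDER   []byte // signer's certificate, issued by the company CA
	Signature []byte // Ed25519 signature over canonical(From, Body)
}

// canonical normalises line endings and trailing whitespace so that changes
// made by mail clients in transit do not break an otherwise valid signature.
func canonical(from, body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i := range lines {
		lines[i] = strings.TrimRight(lines[i], " \t")
	}
	return []byte(strings.ToLower(from) + "\n" + strings.TrimRight(strings.Join(lines, "\n"), "\n"))
}

// Sign is what the approver's mail client does with its private key.
func Sign(from, body string, certDER []byte, priv ed25519.PrivateKey) SignedReply {
	return SignedReply{From: from, Body: body, CertDER: certDER,
		Signature: ed25519.Sign(priv, canonical(from, body))}
}

// Verify is the inbound-side check: trusted chain, cert matches From, signature matches body.
func Verify(r SignedReply, roots *x509.CertPool, now time.Time) error {
	cert, err := x509.ParseCertificate(r.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// Without this check any valid company certificate could sign as anyone.
	matched := false
	for _, e := range cert.EmailAddresses {
		matched = matched || strings.EqualFold(e, r.From)
	}
	if !matched {
		return errors.New("certificate not issued for the From address")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, canonical(r.From, r.Body), r.Signature) {
		return errors.New("signature does not match body")
	}
	return nil
}

// issue creates a certificate signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) []byte {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// DemoPKI builds a constructed company CA plus an approver certificate and key.
func DemoPKI(now time.Time) (*x509.CertPool, []byte, ed25519.PrivateKey) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Corp Mail CA"}, // assumed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert, _ := x509.ParseCertificate(issue(caTmpl, nil, caPub, caPriv))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "Approver"}, EmailAddresses: []string{"approver@example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	return roots, issue(tmpl, caCert, pub, caPriv), priv
}

func main() {
	now := time.Date(2015, 10, 22, 9, 0, 0, 0, time.UTC)
	roots, certDER, key := DemoPKI(now)
	r := Sign("approver@example.com", "APPROVE\r\n> Work item: 000000123456\r\n", certDER, key)
	fmt.Println("genuine:", Verify(r, roots, now))
	r.Body = "REJECT\r\n> Work item: 000000123456\r\n" // altered after signing
	fmt.Println("tampered:", Verify(r, roots, now))
}
```

This is why the signed approach answers the insider problem the answer raises: an SAP user who can read the outbound mail learns nothing that lets them produce a signature, because the private key never leaves the approver's client.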


    • Mike Pokraka Juwin Pallipat Thomas

      Hi Juwin,

      That's a good question which I'm not knowledgeable enough to answer.

      I would speculate two scenarios:

      1. It should be possible to digitally sign a web-based mail using a private key stored on your computer. My reasoning is that other web-based authentication mechanisms are able to use local security.

      2. The private key could be stored on the Exchange server side and used for signing, but that kills the idea of 'private' ... you'd really need to talk to your Exchange gurus for that.

      I would see option 1 as the more likely one, but haven't dug into OWA deep enough to know if it's supported. It's a pretty sensible requirement and digital signing is also run-of-the-mill stuff, so I would imagine it can work.

      Regards,

      Mike