Skip to Content
0
Jun 28, 2016 at 09:08 AM

MYSAPSSO2 ticket continues live after logout or close the browser (SAML, Service Provider).

1131 Views

Hello.

I installed SSO configuration by the "Single Sign-On with SAML 2.0 and ABAP Systems Supporting SAP Logon Tickets - Security and Identity Management - SCN Wiki" document. It works well. Thank autor.

But my question is how can we manage MYSAPSSO2 ticket on the client side from server side of Service Provider for specific sessions or users.

For example:

1) I login to the standart ABAP backend webgui apllication (/sap/bc/gui/sap/its/webgui?sap-client=250) accross the Identity Provider (IDp) (SAP NW Java 7.5) and Service Provider(SP) (SAP NW Java 7.4). For it, I added link on start page of webgui appl. to SP application (/cpgdemo/saml2/redirect) which redirect me to IDp for authorization (Login\Password).

2) When authorization complite, the IDP redirect me back to webgui application of ABAP system without authorization (by MYSAPSSO2 ticket). Browser gets MYSAPSSO2.


3) For logoff from backend I use "/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/_wd_execute_logout?logoffurl=…" application which delete MYSAPSSO2 and if I try to reenter to backend, I have to registration on IDP again. It is ok.

The problem is related on security:

MYSAPSSO2 has expiration time by default 8 hours. If any attacker stealing the MYSAPSSO2 tiket content (it looks like "AjExMDAgAClwb3J0YWw6TklELV.....uWISsng7elpw%3D%3D" string). He can enter to backend and SP system without password during 8 hours. In case if I login to system again, browser gets new MYSAPSSO2 ticket, but old ticket will be still valid until expiration time parameter.


Our target is make expiration time for MYSAPSSO2 30 days and we want to use it in mobile application.

Now I know only one way to restrict access for specific user. It is lock user. But If I unlock the same user MYSAPSSO2 (string values) can be used again by attacker until expiration time.


I heard about Single Log out (SLO) for SAML landscape.

How can we launch SLO for specific user, that all systems in SAML lanscape would found out that his specific MYSAPSSO2 is invalid and it has to get new ticket.


May be we go by the wrong way )


Best regards Everybody.