
SAP_SESSIONID cookie protection with SAML

Feb 10, 2017 at 10:41 PM


We have a custom Abap webdynpro that is currently using logon tickets. We are considering switching to saml authentication. I am new to saml so I did some research and there appears to be several safeguards built in to prevent hijacking and replay of the saml token itself.

My question is around what happens in SAP when the token is authenticated and accepted by the Abap server. From the little bit of testing I've done it looks like the Abap server stores the token in some SAML table, creates a new security session entry in SM05, then creates the SAP_SESSIONID cookie. I assume this cookie is a reference to the SAML token? What safeguards are available in the Abap server to prevent hijacking or replay of this cookie? I will use SSL and have read about the param icf/set_HTTPonly_flag_on_cookies. Are there other security measures I should take to protect this cookie from being copied to another session?

Thanks,

Rob

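The post above asks how the SAP_SESSIONID cookie is protected once the Abap server has issued it, and mentions the profile parameter icf/set_HTTPonly_flag_on_cookies. Whatever the server-side setting, the observable result is the Set-Cookie header the browser receives, so the practical check is to audit those headers. The following is an added example written for this page; it is not code from the original post or from SAP. It parses Set-Cookie headers from a constructed sample response (the cookie names with the ABC_100/ABC_200 suffixes and the values are made up for the example) and reports SAP session cookies that lack HttpOnly or Secure. The SameSite check is this editor's additional recommendation and is not something the post discusses.

```python
"""Audit Set-Cookie headers for SAP session cookies (HttpOnly / Secure / SameSite).

Added example for the discussion above; not SAP code. Feed it the Set-Cookie
headers captured from a real logon response (for instance from `curl -i`).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Cookie name prefixes that carry an authenticated SAP session. In practice the
# SAP_SESSIONID cookie is suffixed with system ID and client, so match on prefix.
SESSION_COOKIE_PREFIXES = ("SAP_SESSIONID", "MYSAPSSO2")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and flag weak attributes on session cookies."""
    parts = [p.strip() for p in header.split(";")]
    # First segment is NAME=VALUE; the value may itself contain '=' (base64), hence maxsplit=1.
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.strip().lower()] = True  # flag attribute such as HttpOnly / Secure

    http_only = "httponly" in attrs
    secure = "secure" in attrs
    same_site_raw = attrs.get("samesite")
    same_site = same_site_raw if isinstance(same_site_raw, str) else None

    audit = CookieAudit(name, http_only, secure, same_site)
    if name.upper().startswith(SESSION_COOKIE_PREFIXES):
        if not http_only:
            audit.findings.append("missing HttpOnly: cookie is readable by script (e.g. via XSS)")
        if not secure:
            audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
        if same_site is None:
            # Assumption (editor's recommendation, not from the post): set SameSite on session cookies.
            audit.findings.append("no SameSite attribute: cookie is attached to cross-site requests")
    return audit


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings (empty list means no issue found)."""
    return {audit.name: audit.findings for audit in map(parse_set_cookie, headers)}


# Constructed sample: what a logon response might return. Names, SID/client
# suffixes and values are invented for this example.
SAMPLE_RESPONSE_HEADERS = [
    "SAP_SESSIONID_ABC_100=QWxhZGRpbjpvcGVuIHNlc2FtZQ==; path=/; HttpOnly; Secure; SameSite=Lax",
    "SAP_SESSIONID_ABC_200=c2Vjb25kIHNhbXBsZSB2YWx1ZQ==; path=/",
    "sap-usercontext=sap-client=100; path=/",
]

if __name__ == "__main__":
    for cookie_name, findings in audit_headers(SAMPLE_RESPONSE_HEADERS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{cookie_name}: {status}")
```

Run against a captured response, an empty findings list for every SAP_SESSIONID cookie confirms that the HttpOnly setting is actually in effect on the wire; the cookie for client 200 in the constructed sample shows what a misconfigured system looks like. Note that these attributes only limit where the browser will send or expose the cookie; they do not bind it to a particular client, so server-side measures such as session timeouts and re-authentication remain the other half of the picture.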

1 Answer

Robert Wagener Feb 22, 2017 at 03:15 PM

I just re-read my original post and see that I left out some details. As I mentioned we use logon tickets for the Abap webdynpro. To protect the MYSAPSSO2 cookie we are using a Siteminder product called Session Linker which runs on both the front end Apache server and the back end as-java box. These components work together to ensure the original authenticated siteminder user matches the backend SAP user and also monitors the cookie pair (MYSAPSSO2 + SM). If one of the cookies change it forces a re-authentication.

With saml authentication it appears that the end result is the SAP_SESSIONID cookie stored in the user's browser. The Abap server will use this cookie for authentication in a similar fashion that it uses the MYSAPSSO2. What safeguards are available in the Abap server to prevent hijacking or replay of this cookie?

Rob
