on 02-10-2017 10:41 PM
We have a custom Abap webdynpro that is currently using logon tickets. We are considering switching to saml authentication. I am new to saml so I did some research and there appears to be several safeguards built in to prevent hijacking and replay of the saml token itself.
My question is around what happens in SAP when the token is authenticated and accepted by the Abap server. From the little bit of testing I’ve done it looks like the Abap server stores the token in some SAML table, creates a new security session entry in SM05, then creates the SAP_SESSIONID cookie. I assume this cookie is a reference to the SAML token? What safeguards are available in the Abap server to prevent hijacking or replay of this cookie? I will use SSL and have read about the param icf/set_HTTPonly_flag_on_cookies. Are there other security measures I should take to protect this cookie from being copied to another session?
Thanks,
Rob
I just re-read my original post and see that I left out some details. As I mentioned we use logon tickets for the Abap webdynpro. To protect the MYSAPSSO2 cookie we are using a Siteminder product called Session Linker which runs on both the front end Apache server and the back end as-java box. These components work together to ensure the original authenticated siteminder user matches the backend SAP user and also monitors the cookie pair (MYSAPSSO2 + SM). If one of the cookies changes it forces a re-authentication.
With saml authentication it appears that the end result is the SAP_SESSIONID cookie stored in the user’s browser. The abap server will use this cookie for authentication in a similar fashion that it uses the MYSAPSSO2. What safeguards are available in the Abap server to prevent hijacking or replay of this cookie?
Rob
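As an added example (not from the post or from SAP), a small audit of the Set-Cookie headers an ICF response returns, checking that the security-session cookie and the MYSAPSSO2 ticket carry Secure and HttpOnly, are not persistent, and have a SameSite attribute. It assumes the session cookie name carries a system/client suffix (so it matches by prefix) and works on constructed headers.

```python
from typing import Dict, List, Union

# Cookies named in the post: the security-session cookie issued after SAML
# logon and the logon-ticket cookie.  Prefix match, because the session cookie
# name also carries a system/client suffix in practice (assumption).
PROTECTED_PREFIXES = ("SAP_SESSIONID", "MYSAPSSO2")

def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, str]]]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_set_cookie(header: str) -> List[str]:
    """Return finding codes for one Set-Cookie header; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    name = str(cookie["name"])
    if not name.upper().startswith(PROTECTED_PREFIXES):
        return []                              # not a cookie this check covers
    attrs = cookie["attrs"]
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing-secure")      # browser would send it over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing-httponly")    # readable by page script (icf/set_HTTPonly_flag_on_cookies)
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")          # survives browser close; session cookies should not
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("weak-samesite")       # cross-site requests would carry the cookie
    return findings

def audit_response_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response; keys are the cookies with findings."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        findings = audit_set_cookie(h)
        if findings:
            report[str(parse_set_cookie(h)["name"])] = findings
    return report

# Constructed sample headers, not captured from a real system.
SAMPLE_HEADERS = [
    "SAP_SESSIONID_ABC_100=s3ss10n; path=/; HttpOnly; secure; SameSite=Lax",
    "MYSAPSSO2=t1ck3t; path=/; domain=.example.corp",
    "sap-usercontext=sap-client=100; path=/",
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings)}")
```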