We have a custom Abap webdynpro that is currently
using logon tickets. We are considering
switching to saml authentication. I am
new to saml so I did some research and there appears to be several safeguards
built in to prevent hijacking and replay of the saml token itself.
My question is around what happens in SAP when the
token is authenticated and accepted by the Abap server. From
the little bit of testing I’ve done it
looks like the Abap server stores the token in some SAML table, creates a new
security session entry in SM05, then creates the SAP_SESSIONID cookie. I assume this cookie is a reference to the
SAML token? What safegaurds are
available in the Abap server to prevent hijacking or replay of this cookie ? I will use SSL and have read about the param
icf/set_HTTPonly_flag_on_cookies
. Are the other security measures I should take to protect
this cookie from being copied to another session?
Thanks,
Rob
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.