In the SAML scenarios, the end-user has a security session towards both the Identity Provider (SAP NW IdM) and the Service Provider (SAP NW Java AS).
I know that SAML is used as a means for the Service Provider to "trust" the authentication done at the IdP.
But my question is how is the subsequent (post-SAML authentication) security session towards the end-user protected when using SAP?
I assume that the SAP Java AS issues a JSESSIONID cookie representing the HTTP session independently from both the IdP and SP SAP Java AS systems. Therefore, the key question is how secure the JSESSIONID is.
(SAP Logon Ticket could probably also be used though the CreateTicketLoginModule is not mentioned as part of the SAML JAAS login stack in the documentation http://help.sap.com/saphelp_sm32/helpdata/EN/54/8384a1907cea418a9f6f82759b386b/frameset.htm)
For example: if a malicious user has acquired the JSESSIONID of another user, can he then "hijack" the session by inserting the JSESSIONID cookie? Or are there other checks in place, for example on the source IP?
This is related to an externally facing SAP NW Java AS system.
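As an added illustration of the two cases the question raises (not part of the original post, and not a description of what SAP NW Java AS actually does), the following Python simulates a web tier's session table. A bare session ID is replayed by an attacker who obtained it; then the same replay is tried against a store that additionally binds the session to the source IP and User-Agent of the client it was issued to; finally the ID is rotated at login to show why a pre-planted ID (session fixation) stops working. The binding rule, the `SessionStore` class and the sample IPs are assumptions made for this example.

```python
"""Added example, not from the original question or from SAP documentation.

Simulates a server-side session table to show (1) a session ID that is the
only credential and can be replayed by anyone holding it, (2) a hypothetical
binding of the session to source IP and User-Agent, and (3) ID rotation at
login as the defence against session fixation.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str


@dataclass
class SessionStore:
    # bind_to_client=False models a cookie that is the only credential;
    # True models an extra server-side check on the requesting client
    # (assumed behaviour for illustration, not SAP's).
    bind_to_client: bool = False
    _sessions: dict = field(default_factory=dict)

    def create(self, user: str, client_ip: str, user_agent: str) -> str:
        # 128-bit random ID, comparable in size to a JSESSIONID
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, client_ip, user_agent)
        return sid

    def login(self, presented_sid: str, user: str, client_ip: str, user_agent: str) -> str:
        """Called once the IdP's SAML assertion has been accepted: discard whatever
        ID the browser arrived with and issue a fresh one for the authenticated user."""
        self._sessions.pop(presented_sid, None)
        return self.create(user, client_ip, user_agent)

    def resolve(self, sid: str, client_ip: str, user_agent: str):
        """Return the user for a presented cookie, or None if the request is rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.bind_to_client and (s.client_ip != client_ip or s.user_agent != user_agent):
            # Cookie presented from a different client than it was issued to:
            # treat it as stolen and invalidate the session.
            del self._sessions[sid]
            return None
        return s.user


# Constructed sample clients for the demo.
VICTIM = ("10.0.0.5", "Mozilla/5.0 (victim browser)")
ATTACKER = ("203.0.113.9", "curl/8.0")


def hijack_succeeds(bind_to_client: bool) -> bool:
    """Attacker replays a session ID obtained from the victim (e.g. from a log or
    sniffed cleartext traffic). Returns True if the server accepts it as the victim."""
    store = SessionStore(bind_to_client=bind_to_client)
    victim_sid = store.login("", "alice", *VICTIM)
    return store.resolve(victim_sid, *ATTACKER) == "alice"


def rotation_blocks_fixation() -> bool:
    """Attacker plants an anonymous session ID in the victim's browser; the server
    rotates the ID at login, so the planted value never becomes an authenticated session."""
    store = SessionStore()
    planted = store.create("anonymous", *ATTACKER)
    # Victim authenticates via SAML while carrying the planted cookie.
    fresh = store.login(planted, "alice", *VICTIM)
    planted_still_valid = store.resolve(planted, *ATTACKER) is not None
    victim_session_ok = store.resolve(fresh, *VICTIM) == "alice"
    return (not planted_still_valid) and victim_session_ok


if __name__ == "__main__":
    print("replay without binding accepted:", hijack_succeeds(False))
    print("replay with IP/UA binding accepted:", hijack_succeeds(True))
    print("rotation defeats fixation:", rotation_blocks_fixation())
```

Two caveats a practitioner would add: binding to the source IP breaks legitimate users behind NAT, load balancers or mobile networks, and User-Agent is trivially copied by an attacker, so neither replaces protecting the cookie itself (TLS only, `Secure` and `HttpOnly` attributes, short idle timeout). Whether the SAP Java AS performs any such binding is exactly what the question asks and is not answered by this example.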