on 09-02-2014 12:00 PM
Environment : SSO-enabled SAP Enterprise Portal.
Scenario : When we log in to the SAP Enterprise Portal, a cookie gets generated.
We have an iView within the same SAP Enterprise Portal through which we are opening the following SAP WebGUI URL:
"http://SAP Host Name:HTTP Port/sap/bc/gui/sap/its/webgui/!?sap-client=XXX".
Requirement : We want to open the SAP WebGUI in a different browser and want to use the same cookie which is
generated for the SAP Enterprise Portal to authenticate against the SAP WebGUI,
so that we are able to log in to the SAP WebGUI opened in a new web browser using the same cookie which
is already generated for the SAP Enterprise Portal.
Can anyone guide us on "How to use the already generated cookie, and how it will be transferred from
the SAP Enterprise Portal to the new browser in which the SAP WebGUI is opened"?
Hello Tanvi,
The "solution" you are looking for (using the same cookie) is in conflict with security principles.
Our recommendation for your scenario and the respective requirement is to implement SSL client authentication instead. Look at the documentation here: Using X.509 Client Certificates
Best regards,
Donka Dimitrova
Dear Donka,
First of all thanks for the quick reply.
Can you please explain the security principle conflicts in the scenario explained above.
Also please suggest whether the same security conflicts will be there if:
a) The cookie is HttpOnly.
b) SAP EP and the 3rd-party application are in the same domain.
c) A secure protocol like HTTPS is used to open the SAP WebGUI.
d) Also, this scenario is within the client's intranet.
In my experience it is quite common for a user to authenticate and get issued an SSO2 logon ticket (stored as a cookie in the browser) and then use this cookie to access other applications (e.g. Web GUI). For this to work the SSO2 trust needs to be set up so the SSO2 ticket can be verified by the SAP system. You need to export the SSO2 certificate on the Java stack and import it into the ACL on the ABAP stack using the STRUSTSSO2 transaction.
Thanks
Tim
Hello Tanvi,
The problem is that cookie technology is designed explicitly for the session (browser).
Yes, it is secure if:
a) The cookie is HttpOnly, and the cookie is set with the Secure flag.
b) SAP EP and the 3rd-party application are in the same domain.
c) A secure protocol like HTTPS is used to open the SAP WebGUI.
d) Also, this scenario is within the client's intranet.
BUT this is valid only for the session for which the cookie has been issued.
All these requirements are there to make sure that the cookie will stay with this session (browser).
Pulling the cookie OUT of this session (browser) and re-using it for another one is already a security issue, because this is equivalent to stealing the identity.
You can consider this a limitation of cookie technology for your scenario.
The scenario you describe is simply supported by SSL, and this is why we recommend SSL client authentication instead.
Best regards,
Donka Dimitrova
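The points in the two replies above (same DNS domain, HttpOnly, Secure, and why none of that helps once the cookie leaves the browser that received it) can be checked mechanically with the cookie-scoping rules of RFC 6265. The following is an added example, not code from the original thread or from SAP: it parses a constructed MYSAPSSO2-style Set-Cookie header (the ticket value, the host names `portal.example.corp` / `sapabap.example.corp` and the port are placeholders), decides whether a browser that stored the cookie would attach it to a given WebGUI URL, and shows what a second client sends once someone has copied the value out.

```python
"""Cookie scoping as a browser applies it (RFC 6265 domain/path/Secure rules),
driven by a constructed MYSAPSSO2-style Set-Cookie header.
Added example for this thread; not SAP code, and the ticket values are placeholders."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: the portal host and two variants of the header it
# might send.  The first carries an explicit Domain attribute, the second does
# not (browsers then treat the cookie as host-only).
PORTAL_HOST = "portal.example.corp"
SET_COOKIE_DOMAIN = ("MYSAPSSO2=AjExMDAgABFwb3J0YWw; Domain=.example.corp; "
                     "Path=/; HttpOnly; Secure")
SET_COOKIE_HOST_ONLY = "MYSAPSSO2=AjExMDAgABFwb3J0YWw; Path=/; HttpOnly; Secure"


def parse_set_cookie(header, issuing_host):
    """Parse a Set-Cookie header into the attributes a browser stores.

    A cookie without a Domain attribute is host-only: the browser returns it
    only to the exact host that set it, even if another host shares the DNS
    domain.  With Domain=.example.corp it is returned to every host under
    example.corp, which is what 'same domain' in the thread relies on.
    """
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lower().lstrip(".")
    return {
        "name": name,
        "value": morsel.value,
        "domain": domain or issuing_host.lower(),
        "host_only": not domain,
        "path": morsel["path"] or "/",
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }


def domain_matches(host, cookie):
    """RFC 6265 5.1.3 domain matching, tightened to exact match for host-only cookies."""
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def browser_sends_cookie(cookie, url):
    """Decide, as the browser that stored `cookie` would, whether a request to
    `url` carries it.  Returns (sent, reason)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not domain_matches(host, cookie):
        return False, "domain mismatch"
    if not path_matches(parts.path or "/", cookie["path"]):
        return False, "path mismatch"
    if cookie["secure"] and parts.scheme != "https":
        return False, "Secure flag: not sent over plain http"
    return True, "sent"


def readable_by_page_script(cookie):
    """HttpOnly hides the value from document.cookie in the page.  It does not
    stop the browser from sending it, and it does not stop a user or tool from
    copying it out of the cookie store."""
    return not cookie["httponly"]


def cookie_header_for_replay(cookie):
    """The request header any other client (a second browser, curl, a script)
    presents once the value has been copied out.  The server receives the same
    bytes either way and cannot tell the issuing browser from the copy; that is
    the 'stealing the identity' problem, and none of the flags above prevent it."""
    return "Cookie: %s=%s" % (cookie["name"], cookie["value"])


if __name__ == "__main__":
    # Placeholder WebGUI URL in the shape used in the thread.
    webgui = "https://sapabap.example.corp:8443/sap/bc/gui/sap/its/webgui/!?sap-client=100"
    for label, header in (("Domain=.example.corp", SET_COOKIE_DOMAIN),
                          ("host-only", SET_COOKIE_HOST_ONLY)):
        c = parse_set_cookie(header, PORTAL_HOST)
        print(label, "https ->", browser_sends_cookie(c, webgui))
        print(label, "http  ->", browser_sends_cookie(c, webgui.replace("https", "http", 1)))
        print(label, "replay header:", cookie_header_for_replay(c))
```

Running it shows the practical difference behind question (b): only the header with `Domain=.example.corp` reaches the ABAP host at all, the Secure flag blocks the plain-http URL variant even in the same browser, and the replay header is identical no matter which client sends it.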
Thank you. When I read the requirement and it mentioned "new browser" I was thinking he means that a new instance of the same browser is being used. For example, he might logon to Windows, open Internet Explorer, login to portal and then open another instance of IE and access WebGUI. However, from your response it sounds like he is not doing this, and wants to use a completely different browser for one of the applications, e.g. use IE for portal and Firefox/Chrome for WebGUI. In this case, sharing cookies between browsers won't work unless the browser supports that capability, and as far as I know, they don't share cookies (DNS domain session cookies).
First of all, thanks for sharing the information and guiding us.
Dear Donka/Tim,
After having SAP EP and our portal (third-party portal) in the same domain, we are able to view the MYSAPSSO2 cookie in the instance of the same browser in which SAP EP is opened.
Now we are hoping that the MYSAPSSO2 cookie in the instance of the same browser will help us in accessing the SAP WebGUI by calling the following URL without SAP credentials:
"http://SAP Host Name:HTTP Port/sap/bc/gui/sap/its/webgui/!?sap-client=XXX"
Can you please guide us again on whether any security violation issue exists if:
a) We are opening our portal in the instance of the same browser in which the EP is opened.
b) The cookie is HttpOnly.
c) SAP EP and the 3rd-party application are in the same domain.
d) A secure protocol like HTTPS is used to open the SAP WebGUI.
e) Also, this scenario is within the client's intranet.