Application Development Discussions

Portal Security - Validity of SAP Logon tickets - login.ticket_lifetime


Hello,

What value should be set for the SAP Logon tickets - Login.ticket_lifetime (default is 8 hours) parameter?

After reading the Portal Security guide - 2004:

" To reduce the risk of SAP logon tickets being reused in replay attacks, we recommend that you reduce the validity period of the logon ticket. The default validity period is eight hours. To change the validity period, use the user management configuration tool [SAP Library] in the portal."

SAP note 842635 suggests:

Setting security session and SSO timeout:

Please set the timeout value for the security sessions (default 27h) and the timeout value for the SSO ticket (default 8h) to the same value. It should be a value that is higher than the maximum working time of an employee, e.g. 16 hours.

Is there any recommendation? It is quite surprising to see that in one instance it suggests reducing the time, and in the other it suggests a value higher than the maximum working time of an employee!

Is there a new Portal security guide available? The current 21-page portal security guide isn't enough!

Thank you in advance.

Best regards,

Dharmi

7 REPLIES


Considering that a couple of minutes might be "enough" I would rather suggest concentrating on the infrastructure security within which the logon tickets are exchanged.

Depending on the application's requirement for a stateful session, try to avoid disruptions for the user or, in the worst case, loss of data.

You might also want to start looking into other more advanced (and standard) technologies for SSO between systems. SAP now supports more of them.

Cheers,

Julius


Hi Julius,

Thank you for the answer. Would appreciate if you could send the link to "more advanced technologies of SSO."

Regards,

Dharmi


Hi,

Take a look in the FAQ thread at the top of the forum. It points to help.sap.com and you can search here and on service.sap.com as well.

Keep an eye out for the term "SAML".

Cheers,

Julius


Thanks much,

Dharmi


Hi Julius,

Can you kindly let me know how true is the following?

" The SAP Logon Ticket is used to grant access to systems. First of all to the portal, but in many scenarios also to backend systems. It is important to realize that the logon ticket is only used to determine identity when a user first logs in to the system. After that a session is created and the identity is stored in the session. The Logon Ticket is no longer evaluated UNLESS the session expires and the portal needs to re-assert the identity.

So expiring the Logon Ticket lifetime has no direct effect because a user will still be identified by the running session. When the session expires however, the user is not transparently re-authenticated because the Logon Ticket is no longer valid.

It is probably best to synchronize the expiration times of both."

Would appreciate your response. Thank you in advance.

Best regards,

Dharmi


Exactly, that is what message-level authentication solves - but you might need to size and stress test the hardware first...

But you can toggle the "keep alive" and "session time out" as well. However these are global settings and other (for example SAPGui) users might be irritated by it.

I remember a very interesting thread about this topic from about a year ago. I will try to track it down for you - it was not in this forum but a discussion in the developers forum categories somewhere.

Cheers,

Julius
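The interaction described in the quoted statement above (ticket only evaluated when no live session exists) and the replay concern from the security guide can be made concrete with a small model. The following Python is an added example written for this thread, not SAP code and not part of the original posts. It assumes the logon ticket has an absolute validity (issued time plus login.ticket_lifetime) and that the security session expires after a period of inactivity; both modelling choices are assumptions, as are the function and parameter names.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed model (not SAP's implementation):
#  - the logon ticket is valid for an absolute window after issue
#  - the security session expires after session_timeout_h of inactivity


@dataclass
class Policy:
    ticket_lifetime_h: float   # corresponds to login.ticket_lifetime (hours)
    session_timeout_h: float   # security session timeout (hours), modelled as idle timeout


@dataclass
class Outcome:
    events: List[Tuple[float, str]] = field(default_factory=list)
    interactive_logins: int = 0
    ticket_valid_until: float = 0.0   # how long a captured ticket stays replayable


def simulate(policy: Policy, request_times_h: List[float]) -> Outcome:
    """Replay a user's requests (hours since first logon) against a policy.

    Per request: a live session is used as-is and the ticket is never looked at;
    an expired session is re-established from the ticket if the ticket is still
    valid; otherwise the user must log in interactively and a new ticket is issued.
    """
    out = Outcome()
    ticket_expires = None
    session_expires = None
    for t in sorted(request_times_h):
        if session_expires is not None and t < session_expires:
            # Session alive: identity comes from the session, ticket not evaluated.
            session_expires = t + policy.session_timeout_h
            out.events.append((t, "session"))
            continue
        if ticket_expires is not None and t < ticket_expires:
            # Session gone but ticket still valid: transparent re-authentication.
            session_expires = t + policy.session_timeout_h
            out.events.append((t, "reauth-from-ticket"))
            continue
        # Neither session nor ticket usable: interactive login, fresh ticket.
        out.interactive_logins += 1
        ticket_expires = t + policy.ticket_lifetime_h
        session_expires = t + policy.session_timeout_h
        out.events.append((t, "interactive-login"))
    out.ticket_valid_until = ticket_expires
    return out


def replay_accepted(policy: Policy, issued_at_h: float, attempt_at_h: float) -> bool:
    """A ticket captured from the wire is accepted whenever it is still inside its
    validity window, regardless of whether the victim's session is alive."""
    return issued_at_h <= attempt_at_h < issued_at_h + policy.ticket_lifetime_h


if __name__ == "__main__":
    defaults = Policy(ticket_lifetime_h=8, session_timeout_h=27)   # values quoted in the thread
    print(simulate(defaults, [0, 1, 9, 10]).events)
    # Short ticket, longer session: no effect while the session lives, but when the
    # session does expire the user is bounced to the login page instead of being
    # re-authenticated transparently.
    short_ticket = Policy(ticket_lifetime_h=0.05, session_timeout_h=0.5)
    print(simulate(short_ticket, [0, 0.2, 0.8]).interactive_logins)
    print(replay_accepted(defaults, issued_at_h=0, attempt_at_h=7.9))
```

The model shows why the two pieces of SAP guidance are talking about different risks: shortening login.ticket_lifetime narrows the replay window for a captured ticket (replay_accepted), while keeping the ticket lifetime at or above the session timeout avoids users being silently logged out when a session expires (the interactive_logins count).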


Hi Julius,

Thank you once again. I need to create a report / recommend on the Lifetime of the logon ticket on basis of the statement in the Portal Security guide:

"To reduce the risk of SAP logon tickets being reused in replay attacks, we recommend that you reduce the validity period of the logon ticket. The default validity period is eight hours. To change the validity period, use the user management configuration tool [SAP Library] in the portal."

I came across this link (http://jagannathanvaman.wordpress.com/2009/07/22/sap-logon-ticket-vulnerability/) and the statement I sent you yesterday. They kind of conflict with each other!

Regards,

Dharmi

Edited by: Dharmi Tanna on Apr 1, 2010 7:29 AM