Co-existence problem with several SAP Portals and backend systems (JSESSIONID and MYSAPSSO2)
We believe there is a design issue in SAP's implementation for the co-existence of several SAP Portals and that due to changed behaviour in IE8 this problem has grown in extent. It is now a more severe problem for our users.
The root cause of the problem is how SAP Java AS handles authentication through JSESSIONID and MYSAPSSO2 cookies. In particular, SAP Java AS doesn't process the JAAS login stack if it receives a valid JSESSIONID.
A simplified model of our problem scenario is as follows:
- SAP Portal EP1 is connected to ABAP backend system BE1 through trust (STRUSTSSO2).
  EP1 has url https://ep1.company.com and BE1 has url https://be1.company.com
- SAP Portal EP3 is connected to ABAP backend system BE3 through trust (STRUSTSSO2).
  EP3 has url https://ep3.company.com and BE3 has url https://be3.company.com
There is no trust between the SAP Portals (none is intended), and back-end systems should not trust all portal systems due to security considerations.
From a user perspective EP1 and EP3 represent different applications that can and will be accessed in same browser session.
Whilst SSO to backend works fine when the user accesses EP1 or EP3 in an individual isolated IE session, conflicts occur when they are accessed in the same session. This conflict results in an authentication failure when accessing content from the respective back-end system. This problem is more severe with IE8 since each new tab or window will by default be opened in the same session.
(But even if the changed IE8 behaviour is modified through a registry change, the problem is still severe.)
The following is a script demonstrating how the conflict occurs:

1. User: Logs on to https://ep1.company.com/irj/portal
   Server: EP1 server sends an HTTP response to the user browser with two important cookies:
   - MYSAPSSO2 with domain .company.com
   - JSESSIONID with "default" domain, i.e. ep1.company.com
   (The domain has been changed by implementing note 791765 in order to minimize conflict. The problem is the same if this setting is not done.)

2. User: Accesses an iView in EP1 that requires a connection to ABAP backend system BE1 (either through JCO or web); this correctly sends the MYSAPSSO2 cookie from EP1
   Server: BE1 server verifies the validity of the MYSAPSSO2 cookie from EP1 and correctly shows content

3. User: Navigates to the different EP3 portal https://ep3.company.com in the same browser session. The browser will include the MYSAPSSO2 cookie from EP1 in this request (but not JSESSIONID)
   Server: EP3 portal tries to validate the MYSAPSSO2 cookie from EP1, but since there is no trust between EP3 and EP1 this fails as expected. The server will then proceed down the JAAS login stack and perform the authentication against the EP3 UME. Once this authentication is done, the EP3 server sends an HTTP response to the user browser with two important cookies:
   - MYSAPSSO2 with domain .company.com (thereby overwriting the MYSAPSSO2 from EP1)
   - JSESSIONID with "default" domain, i.e. ep3.company.com

4. User: Accesses an iView in EP3 that requires a connection to ABAP backend system BE3 (either through JCO or web); this correctly sends the MYSAPSSO2 cookie from EP3
   Server: BE3 server verifies the validity of the MYSAPSSO2 cookie from EP3 and correctly shows content

5. User: Navigates back to the EP1 portal https://ep1.company.com/irj/portal (for example through the home page). The browser will now send the following cookies in the request:
   - MYSAPSSO2 from EP3
   - JSESSIONID from EP1
   Server: The EP1 server has now received a valid JSESSIONID, but an untrusted MYSAPSSO2. Surprisingly, the server verifies that the JSESSIONID is a valid EP1 session and accepts the logon. Thereby, it ignores the fact that the MYSAPSSO2 is from an untrusted system (EP3). It sends no new cookies back to the user

6. User: Accesses an iView in EP1 that requires a connection to ABAP backend system BE1 (either through JCO or web). Since step 5 didn't perform the authentication as expected, the browser now sends the MYSAPSSO2 cookie which came from EP3
   Server: BE1 server fails to verify the validity of the MYSAPSSO2 cookie since it came from EP3, which is not a trusted system (and will not be, due to security concerns)

The root cause, as seen in step 5, is that if the SAP Java AS receives a valid JSESSIONID, it doesn't process the JAAS login stack which would reject the MYSAPSSO2 cookie. I believe the correct behaviour should be to validate both the JSESSIONID and process the JAAS login stack for each request requiring authentication.
Any ideas on workarounds?
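Added example, not from the original post and not SAP code: a small Python model of the six-step cookie flow described above. It reproduces only what the post states: MYSAPSSO2 is a domain cookie for .company.com (so the portal visited last overwrites it), JSESSIONID is a host-only cookie per portal, each backend trusts only its own portal, and a portal with a valid JSESSIONID skips the login stack. The ticket format (`issuer|user`), the session-id format, the user name `jdoe` and the `validate_both` switch (the poster's proposed behaviour of running the login stack even when the session is valid) are constructed assumptions for the model, not SAP internals; a real MYSAPSSO2 ticket is signed and verified against the STRUSTSSO2 certificate, which the string issuer stands in for here.

```python
"""Toy model of the JSESSIONID / MYSAPSSO2 interplay across two portals.

Constructed example: ticket and session formats are simplified stand-ins.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

SSO_DOMAIN = ".company.com"   # domain the MYSAPSSO2 cookie is scoped to (per the post)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # ".company.com" for the domain cookie, the host for host-only cookies
    host_only: bool


class CookieJar:
    """Minimal browser jar keyed by (name, domain): a domain cookie set by any
    host under .company.com replaces the previous one with the same name."""

    def __init__(self) -> None:
        self._cookies: dict[tuple[str, str], Cookie] = {}

    def store(self, cookies: list[Cookie]) -> None:
        for c in cookies:
            self._cookies[(c.name, c.domain)] = c

    def for_host(self, host: str) -> dict[str, str]:
        sent: dict[str, str] = {}
        for c in self._cookies.values():
            if (c.host_only and c.domain == host) or (not c.host_only and host.endswith(c.domain)):
                sent[c.name] = c.value
        return sent


# Stand-in for a signed logon ticket: "issuer|user" (assumption, not the real format).
def make_ticket(issuer: str, user: str) -> str:
    return f"{issuer}|{user}"


def ticket_issuer(ticket: str) -> str:
    return ticket.split("|", 1)[0]


def ticket_user(ticket: str) -> str:
    return ticket.split("|", 1)[1]


class Portal:
    """A Java AS portal: JSESSIONID host-only, MYSAPSSO2 as a domain cookie."""

    def __init__(self, host: str, trusted_issuers: set[str], validate_both: bool) -> None:
        self.host = host
        self.trusted = trusted_issuers | {host}   # a portal accepts its own tickets
        self.validate_both = validate_both        # False = behaviour the post observes
        self.sessions: dict[str, str] = {}        # JSESSIONID -> user

    def _issue(self, user: str) -> list[Cookie]:
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return [
            Cookie("JSESSIONID", sid, self.host, host_only=True),
            Cookie("MYSAPSSO2", make_ticket(self.host, user), SSO_DOMAIN, host_only=False),
        ]

    def request(self, cookies: dict[str, str], ume_user: str) -> tuple[str, list[Cookie]]:
        """Return (how the request was authenticated, cookies to set)."""
        sid = cookies.get("JSESSIONID")
        ticket = cookies.get("MYSAPSSO2")
        ticket_ok = ticket is not None and ticket_issuer(ticket) in self.trusted
        # Observed behaviour: a valid JSESSIONID alone is enough, login stack skipped.
        # Proposed behaviour: the session counts only if the ticket also passes.
        if sid in self.sessions and (ticket_ok or not self.validate_both):
            return "session", []
        # JAAS login stack: trusted ticket, otherwise UME logon; fresh cookies either way.
        if ticket_ok:
            return "ticket", self._issue(ticket_user(ticket))
        return "ume", self._issue(ume_user)


class Backend:
    """An ABAP system that trusts only the portals configured in STRUSTSSO2."""

    def __init__(self, host: str, trusted_issuers: set[str]) -> None:
        self.host = host
        self.trusted = trusted_issuers

    def request(self, cookies: dict[str, str]) -> bool:
        ticket = cookies.get("MYSAPSSO2")
        return ticket is not None and ticket_issuer(ticket) in self.trusted


def run_scenario(validate_both: bool) -> dict[str, object]:
    """Replay steps 1-6 from the post in one browser session; return per-step outcomes."""
    jar = CookieJar()
    ep1 = Portal("ep1.company.com", set(), validate_both)
    ep3 = Portal("ep3.company.com", set(), validate_both)
    be1 = Backend("be1.company.com", {"ep1.company.com"})
    be3 = Backend("be3.company.com", {"ep3.company.com"})
    log: dict[str, object] = {}

    def visit(portal: Portal, label: str) -> None:
        how, new_cookies = portal.request(jar.for_host(portal.host), ume_user="jdoe")
        jar.store(new_cookies)
        log[label] = how

    visit(ep1, "step1_ep1")                                   # logon to EP1 via UME
    log["step2_be1"] = be1.request(jar.for_host(be1.host))    # iView -> BE1 with EP1 ticket
    visit(ep3, "step3_ep3")                                   # EP1 ticket rejected, UME logon, domain cookie overwritten
    log["step4_be3"] = be3.request(jar.for_host(be3.host))    # iView -> BE3 with EP3 ticket
    visit(ep1, "step5_ep1")                                   # valid EP1 JSESSIONID + EP3 ticket
    log["step6_be1"] = be1.request(jar.for_host(be1.host))    # iView -> BE1: which ticket is sent?
    return log


if __name__ == "__main__":
    print("observed behaviour:", run_scenario(validate_both=False))
    print("validate both     :", run_scenario(validate_both=True))
```

With `validate_both=False` step 5 is answered from the session alone and step 6 fails at BE1, exactly the sequence in the post; with `validate_both=True` step 5 falls through to the UME logon, EP1 re-issues its own MYSAPSSO2 over the EP3 one, and step 6 succeeds. The model also shows why the note 791765 host-only JSESSIONID does not help on its own: the two session cookies never collide, it is the shared-domain ticket that does.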