How is user session to SAP NW IdM and SAP NW SP protected in SAML scenario

Former Member
0 Kudos

Hi,

In the SAML scenarios, the end-user has a security session towards both the Identity Provider (SAP NW IdM) and the Service Provider (SAP NW Java AS).

I know that SAML is used as a means for the Service Provider to "trust" the authentication done at the IdP.

But my question is how is the subsequent (post-SAML authentication) security session towards the end-user protected when using SAP?

I assume that the SAP Java AS issues a JSESSIONID cookie representing the HTTP session independently from both the IdP and SP SAP Java AS systems. Therefore, the key question is how secure the JSESSIONID is.

(SAP Logon Ticket could probably also be used though the CreateTicketLoginModule is not mentioned as part of the SAML JAAS login stack in the documentation http://help.sap.com/saphelp_sm32/helpdata/EN/54/8384a1907cea418a9f6f82759b386b/frameset.htm)

For example: if a malicious user has acquired the JSESSIONID of another user, can he then "hijack" the session by inserting the JSESSIONID cookie? Or are there other checks in place, for example on the source IP?

This is related to an externally facing SAP NW Java AS system.

Regards

Dagfinn

Accepted Solutions (1)

MichaelShea
Product and Topic Expert
0 Kudos

Hi Dagfinn,

Here is the latest documentation on the topic in the AS Java Security Guide for CE 7.2:

[Session Security Protection|http://help.sap.com/saphelp_nwce72/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm]

You can see from the topic that the source IP can be checked. There are features that prevent replay attack. Unfortunately the link to the session fixation topic seems to be broken.

-Michael

Former Member
0 Kudos

Hi,

Sorry for the late reply.

Thanks for the tip on "SessionIPProtectionEnabled", this is what I was looking for. It appears this setting is available as part of the web container in NW2004s releases: http://help.sap.com/saphelp_nw2004s/helpdata/en/ac/2bc55a78e54d60b561140048eaa80c/frameset.htm

Dagfinn
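As an added illustration of the two protections named in the accepted answer and the follow-up (this is example code written for this page, not code from the thread, from SAP NetWeaver or from the linked documentation), the Python below models a server-side session store that issues a fresh session ID once the SAML assertion has been accepted, so that an ID known before login is useless, and that binds each session to the source IP the way a setting like SessionIPProtectionEnabled is described as doing. The class and parameter names (`SessionStore`, `ip_protection`, `demo`) and the sample addresses are assumptions made for the example.

```python
"""Added example (not from the SAP Community thread or from SAP NetWeaver):
a minimal server-side session store showing (1) a new session ID issued at
authentication, which defeats session fixation, and (2) binding a session to
the client's source IP, the behaviour the thread attributes to
SessionIPProtectionEnabled. Names here are hypothetical."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str]          # None until a SAML assertion has been accepted
    client_ip: str               # source IP recorded when the session was created
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, ip_protection: bool = True, ttl_seconds: int = 1800):
        self.ip_protection = ip_protection   # hypothetical switch, like SessionIPProtectionEnabled
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 128 bits from the OS CSPRNG: an unguessable ID is the first line of defence
        return secrets.token_urlsafe(16)

    def create(self, client_ip: str) -> str:
        """Anonymous session, e.g. the one that exists while the SP redirects to the IdP."""
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, client_ip=client_ip)
        return sid

    def authenticate(self, sid: str, client_ip: str, user: str) -> str:
        """Called after the SAML assertion has been validated. The pre-login ID is
        discarded and a new one issued, so a fixated or leaked pre-login ID never
        becomes an authenticated session."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, client_ip=client_ip)
        return new_sid

    def _lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if time.time() - s.created > self.ttl:
            del self._sessions[sid]          # expired: drop it
            return None
        if self.ip_protection and s.client_ip != client_ip:
            # Cookie presented from a different address than the one it was bound
            # to. Treat it as a possible hijack: invalidate the session so neither
            # party can continue with it, and let the caller log the event.
            del self._sessions[sid]
            return None
        return s

    def user_for(self, sid: str, client_ip: str) -> Optional[str]:
        """Resolve a presented cookie to a user, or None if it must be rejected."""
        s = self._lookup(sid, client_ip)
        return s.user if s else None


def demo() -> dict:
    """Constructed scenario: a user authenticates from 203.0.113.10; the same
    cookie is then presented from 198.51.100.7 (addresses are documentation
    ranges, constructed for the example)."""
    owner_ip, other_ip = "203.0.113.10", "198.51.100.7"

    protected = SessionStore(ip_protection=True)
    pre_login = protected.create(owner_ip)
    sid = protected.authenticate(pre_login, owner_ip, "dagfinn")

    unbound = SessionStore(ip_protection=False)
    sid_unbound = unbound.authenticate(unbound.create(owner_ip), owner_ip, "dagfinn")

    return {
        "id_rotated_at_login": pre_login != sid,
        "pre_login_id_dead": protected.user_for(pre_login, owner_ip) is None,
        "owner_accepted": protected.user_for(sid, owner_ip) == "dagfinn",
        "other_ip_rejected": protected.user_for(sid, other_ip) is None,
        "session_invalidated_after_mismatch": protected.user_for(sid, owner_ip) is None,
        # Without IP binding the copied cookie is simply accepted from anywhere.
        "unbound_store_accepts_other_ip": unbound.user_for(sid_unbound, other_ip) == "dagfinn",
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design choice to invalidate on an IP mismatch, rather than only reject the one request, is what makes a hijack attempt visible (the legitimate user is logged out and the event can be alerted on). The usual caveat with any IP binding applies: users whose source address legitimately changes mid-session (mobile networks, load-balanced forward proxies) will be logged out, so the check is strongest when the system sees the true client address rather than a shared proxy address.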

Answers (1)

Former Member
0 Kudos

Hi, please look at this document, "SAP NetWeaver Identity Management 7.1 SP5":

SAML 2.0 Identity Provider for SAP NetWeaver Application Server Java (New)

You can deploy this software on SAP NetWeaver Application Server (AS) Java release 7.2 SPS 2 with SAP Note 1471322 applied and AS Java 7.2 SPS3 or later to enable this system to function as a SAML 2.0 identity provider. As an identity provider, the AS Java can provide cross-domain Single Sign-On (SSO) in combination with SAML 2.0 service providers and at the same time enable Single Log-Out (SLO) to close all user sessions in the SAML landscape. SAML 2.0 also enables identity federation by defining a name ID to be shared between the identity provider and one or more service providers.

"http://sdn.sap.com/irj/sdn/nw-identitymanagement"

Please use the above link for all the steps involved.

Also, regarding the "userid": I was under the impression that the assertion is between the Source Site and the Destination Site.

If the security assertion is at the transport layer, I am guessing the (duplicate) user will not get an assertion; also, I am not sure if he can get the Source Domain and details in the session you mention.

But your question is excellent!

Edited by: Franklin Jayasim on Jul 21, 2010 9:54 PM