
Open SAP WebGUI in a browser which is launched from SSO enabled SAP Enterprise Portal

Former Member
0 Kudos

  

Environment: SSO-enabled SAP Enterprise Portal.

Scenario: When we log in to the SAP Enterprise Portal, a cookie gets generated. We have an iView within the same SAP Enterprise Portal through which we are opening the following SAP WebGUI URL:

"http://SAP Host Name:HTTP Port/sap/bc/gui/sap/its/webgui/!?sap-client=XXX"

Requirement: We want to open the SAP WebGUI in a different browser and want to use the same cookie which is generated for SAP Enterprise Portal to authenticate against SAP WebGUI, so that we are able to log in to the SAP WebGUI opened in a new web browser using the same cookie which is already generated for SAP Enterprise Portal.

Can anyone guide us on how to use the already generated cookie and how it will be transferred from SAP Enterprise Portal to the new browser in which SAP WebGUI is opened?


Accepted Solutions (1)


donka_dimitrova
Contributor
0 Kudos

Hello Tanvi,

The "solution" you are looking for (using the same cookie) is in conflict with the security principles.

Our recommendation for your scenario and the respective requirement is to implement SSL client authentication instead. Look at the documentation here: Using X.509 Client Certificates

Best regards,

Donka Dimitrova

Former Member
0 Kudos

Dear Donka,

First of all thanks for the quick reply.

Can you please explain the security principle conflicts in the scenario explained above?

Also, please suggest if the same security conflicts will be there if:

a) Cookie is HTTP only.

b) SAP EP and 3rd party application are in the same domain.

c) Secure protocol like HTTPS is used to open SAP WebGUI.

d) Also, this scenario is within the client's intranet.

tim_alsop
Active Contributor
0 Kudos

In my experience it is quite common for a user to authenticate and get issued with an SSO2 logon ticket (stored as a cookie in the browser) and then use this cookie to access other applications (e.g. Web GUI). For this to work, the SSO2 trust needs to be set up so the SSO2 ticket can be verified by the SAP system. You need to export the SSO2 certificate on the Java stack and import it into the ACL on the ABAP stack using the STRUSTSSO2 transaction.

Thanks

Tim

donka_dimitrova
Contributor
0 Kudos

Hello Tanvi,

The problem is that the cookie technology is designed explicitly for the session (browser).

Yes, it is secure if:

a) Cookie is HTTP only, and the cookie is set with the Secure flag.

b) SAP EP and 3rd party application are in the same domain.

c) Secure protocol like HTTPS is used to open SAP WebGUI.

d) Also, this scenario is within the client's intranet.

BUT this is valid only for the session for which the cookie has been issued.

All these requirements are there to make sure that the cookie will stay with this session (browser).

Pulling the cookie out of this session (browser) and re-using it for another one is already a security issue because this is relevant to stealing the identity.

You can consider this a limitation of the cookie technology for your scenario.

The scenario described by you is simply supported by SSL, and this is why we recommend SSL client authentication instead.


Best regards,

Donka Dimitrova
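The conditions listed in this reply (HttpOnly, Secure flag, same domain, HTTPS) can be checked against the `Set-Cookie` header the portal actually issues. The following is an added example, not part of the original thread: the `example.corp` host names, the port and the ticket value are constructed, and the domain check is a simplified form of the RFC 6265 domain-match rule.

```python
from urllib.parse import urlsplit

# Constructed sample header; the ticket value is a placeholder, not a real ticket.
SAMPLE_SET_COOKIE = ("MYSAPSSO2=CONSTRUCTED_TICKET_VALUE; Domain=.example.corp; "
                     "Path=/; Secure; HttpOnly")
PORTAL_URL = "https://portal.example.corp/"  # constructed issuer (SAP EP)
WEBGUI_HTTP = ("http://sapabap.example.corp:8000"
               "/sap/bc/gui/sap/its/webgui/!?sap-client=XXX")
WEBGUI_HTTPS = WEBGUI_HTTP.replace("http://", "https://", 1)

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def domain_matches(host, cookie_domain):
    """Simplified RFC 6265 domain-match; a leading dot is ignored."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def audit_ticket_cookie(set_cookie, issuer_url, target_url):
    """List findings for a ticket cookie set by issuer_url and needed at target_url."""
    _, _, attrs = parse_set_cookie(set_cookie)
    issuer, target = urlsplit(issuer_url), urlsplit(target_url)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the ticket")
    if "secure" not in attrs:
        findings.append("missing Secure: ticket may travel over plain HTTP")
    elif target.scheme != "https":
        findings.append("Secure cookie is not sent to an http:// target")
    domain = attrs.get("domain")
    if domain is None:
        # Without a Domain attribute the cookie is host-only.
        if target.hostname != issuer.hostname:
            findings.append("host-only cookie: not sent to a different host")
    elif not domain_matches(target.hostname, domain):
        findings.append("target host is outside the cookie Domain")
    return findings

if __name__ == "__main__":
    for url in (WEBGUI_HTTP, WEBGUI_HTTPS):
        print(url, "->", audit_ticket_cookie(SAMPLE_SET_COOKIE, PORTAL_URL, url) or "ok")
```

With the Secure flag set, the `http://` form of the WebGUI URL quoted in the question is reported because the browser will not attach the ticket to it; the `https://` form passes all four checks.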

donka_dimitrova
Contributor
0 Kudos

Hello Tim,

This implementation is working only when the session/browser is the same, but Tanvi is looking for a solution where the token is also used for a different session/browser.

Best regards,

Donka Dimitrova

tim_alsop
Active Contributor
0 Kudos

Thank you. When I read the requirement and it mentioned "new browser", I was thinking he means that a new instance of the same browser is being used. For example, he might log on to Windows, open Internet Explorer, log in to the portal and then open another instance of IE and access WebGUI. However, from your response it sounds like he is not doing this, and wants to use a completely different browser for one of the applications, e.g. use IE for the portal and Firefox/Chrome for WebGUI. In this case, sharing cookies between browsers won't work unless the browser supports that capability, and as far as I know, they don't share cookies (DNS domain session cookies).

Former Member
0 Kudos

First of all, thanks for sharing the information and guiding us.

Dear Donka/Tim,

After having SAP EP and our portal (third party portal) in the same domain, we are able to view the MYSAPSSO2 cookie in the instance of the same browser in which SAP EP is opened.

Now we are hoping that the MYSAPSSO2 cookie in the instance of the same browser will help us in accessing the SAP WebGUI by calling the following URL without SAP credentials:

"http://SAP Host Name:HTTP Port/sap/bc/gui/sap/its/webgui/!?sap-client=XXX"

Can you please again guide us on whether any security violation issue exists if:

a) We are opening our portal in the instance of the same browser in which the EP is opened.

b) Cookie is HTTP only.

c) SAP EP and 3rd party application are in the same domain.

d) Secure protocol like HTTPS is used to open SAP WebGUI.

e) Also, this scenario is within the client's intranet.

tim_alsop
Active Contributor
0 Kudos

So, it sounds like I did understand your requirement correctly. Please refer to my previous answer. You just need to set up SSO2 trust. The solution is secure and widely used by SAP customers.

Thanks

Tim
