
MYSAPSSO2 ticket stays alive after logout or closing the browser (SAML, Service Provider).

former_member243945
Discoverer

Hello.

I set up the SSO configuration following the "Single Sign-On with SAML 2.0 and ABAP Systems Supporting SAP Logon Tickets - Security and Identity M..." document. It works well. Thanks to the author.

But my question is how we can manage the MYSAPSSO2 ticket on the client side from the server side of the Service Provider for specific sessions or users.

For example:

1) I log in to the standard ABAP backend webgui application (/sap/bc/gui/sap/its/webgui?sap-client=250) via the Identity Provider (IdP) (SAP NW Java 7.5) and Service Provider (SP) (SAP NW Java 7.4). For this, I added a link on the start page of the webgui application to the SP application (/cpgdemo/saml2/redirect), which redirects me to the IdP for authorization (Login\Password).

2) When authorization completes, the IdP redirects me back to the webgui application of the ABAP system without further authorization (by MYSAPSSO2 ticket). The browser gets MYSAPSSO2.


3) To log off from the backend I use the "/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/_wd_execute_logout?logoffurl=…" application, which deletes MYSAPSSO2, and if I try to re-enter the backend I have to log in on the IdP again. That is OK.

The problem is related to security:

MYSAPSSO2 has an expiration time of 8 hours by default. If an attacker steals the MYSAPSSO2 ticket content (it looks like an "AjExMDAgAClwb3J0YWw6TklELV.....uWISsng7elpw%3D%3D" string), he can enter the backend and the SP system without a password for 8 hours. If I log in to the system again, the browser gets a new MYSAPSSO2 ticket, but the old ticket is still valid until the expiration time.


Our target is to make the expiration time for MYSAPSSO2 30 days, and we want to use it in a mobile application.

Now I know only one way to restrict access for a specific user: locking the user. But if I unlock the same user, the MYSAPSSO2 (string value) can be used again by the attacker until the expiration time.


I have heard about Single Logout (SLO) for SAML landscapes.

How can we launch SLO for a specific user, so that all systems in the SAML landscape find out that his specific MYSAPSSO2 is invalid and he has to get a new ticket?


Maybe we are going the wrong way :)


Best regards, everybody.

Accepted Solutions (0)

Answers (1)

former_member202592
Participant

Hi,

The MYSAPSSO2 cookie is still alive because the parameter that controls the timeout of the cookie is not the same parameter that controls the security session timeout.

The parameter that controls the Logon Ticket expiration time is "login/ticket_expiration_time", which by default is set to 8 hours. Therefore, even though your session is set to expire in 30 minutes, the Logon Tickets will be valid for 8 hours.

Cheers,

Filipe Santos
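The answer above makes the key point: the ticket lifetime (login/ticket_expiration_time) and the security session timeout are independent, so a ticket outlives the session that issued it. The question above asks for the complementary control: a per-user, server-side way to invalidate tickets that are still within their lifetime. The following is an added illustration of that pattern, not SAP code and not the MYSAPSSO2 format. It uses a hypothetical HMAC-signed bearer ticket and a hypothetical per-user "logout_after" timestamp: any ticket issued before the user's last logout (or administrative revocation) is rejected even though it has not expired. The secret, lifetimes, user name and timeline are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would use a managed, rotated key.
SECRET = b"demo-signing-key-not-for-production"

TICKET_LIFETIME_S = 8 * 3600   # analogue of login/ticket_expiration_time (8 hours)
SESSION_LIFETIME_S = 30 * 60   # analogue of a 30-minute security session timeout
SIG_LEN = hashlib.sha256().digest_size

# Hypothetical server-side revocation state: per user, the instant of the last
# logout/revocation. Tickets issued before it are treated as invalid.
logout_after = {}


def issue_ticket(user, now):
    """Issue a signed bearer ticket carrying the user, issue time (iat) and expiry (exp)."""
    body = json.dumps({"user": user, "iat": now, "exp": now + TICKET_LIFETIME_S}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + sig).decode()


def validate_ticket(ticket, now):
    """Return the user if the ticket is authentic, unexpired and not revoked; else None."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
    except ValueError:
        return None
    if len(raw) <= SIG_LEN:
        return None
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]   # fixed-length split: the raw MAC may contain any byte
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                               # forged or tampered ticket
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None                               # past the ticket lifetime
    if claims["iat"] < logout_after.get(claims["user"], 0):
        return None                               # issued before the user's last logout: revoked
    return claims["user"]


def logout(user, now):
    """Single-logout analogue: every ticket issued to this user before `now` becomes invalid."""
    logout_after[user] = now


def demo():
    """Walk a constructed timeline and return the validation result at each step."""
    t0 = 1_000_000
    ticket = issue_ticket("alice", t0)
    results = {}
    results["fresh"] = validate_ticket(ticket, t0 + 60)
    # The session timeout has passed but the ticket lifetime has not: still accepted.
    results["after_session_timeout"] = validate_ticket(ticket, t0 + SESSION_LIFETIME_S + 1)
    # User logs out (or an administrator revokes) one hour in: the old ticket is now rejected.
    logout("alice", t0 + 3600)
    results["after_logout"] = validate_ticket(ticket, t0 + 3601)
    # A ticket issued after the logout is accepted again.
    new_ticket = issue_ticket("alice", t0 + 3700)
    results["new_after_logout"] = validate_ticket(new_ticket, t0 + 3701)
    # Eventually the lifetime itself expires the new ticket.
    results["expired"] = validate_ticket(new_ticket, t0 + 3700 + TICKET_LIFETIME_S)
    # A one-bit change to the signed bytes fails the MAC check.
    raw = base64.urlsafe_b64decode(ticket)
    tampered = base64.urlsafe_b64encode(raw[:-1] + bytes([raw[-1] ^ 1])).decode()
    results["tampered"] = validate_ticket(tampered, t0 + 60)
    return results


if __name__ == "__main__":
    for step, user in demo().items():
        print(f"{step:>22}: {'accepted as ' + user if user else 'rejected'}")
```

The point of the "after_session_timeout" step is exactly the answer's: expiring the session does nothing to the ticket. The "after_logout" step is the control the question asks for: the validator consults per-user state, so a stolen ticket stops working at logout or revocation rather than at the end of its 8-hour (or, as planned, 30-day) lifetime. The longer the lifetime, the more this server-side check matters.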