SSO Cookies

Former Member

Hello everybody,

I have a question about the SSO logon cookies: when a user tries to connect to the ECC system in the back-end, does the cookie stay in the header until he or she disconnects, or does the cookie become absent after the first authentication?

Any help will be appreciated and rewarded. Thanks in advance,

Sincerely

8 REPLIES

Former Member

When you have SSO implemented, regardless of the method you implement:

- Logon tickets will be created using CreateTicketLoginModule and EvaluateTicketLoginModule

- The lifetime of the ticket is defined by the property login.ticket_lifetime

- The user name will be stored in the ticket as long as the session is active or based on the property login.ticket_lifetime, whichever is true at a given time.

However, no further authentication takes place after the initial authentication unless the specific application demands it.

Further authentication (this is required for some highly sensitive data) will be done against the user data store irrespective of whether you have SSO or not.

We have a typical example for this, the application Access Enforcer. The initial login for AE is through SSO and it won't ask for any login again as long as the ticket or session is valid, but at the same time, during the approval Reaffirm process it prompts for the password again and this will be verified against the user data store.

Regards,

Muthu Kumaran KG


> We have a typical example for this, the application
> Access Enforcer. The initial login for AE is through
> SSO and further it won't ask for any login until the
> ticket or session is valid, but at the same time
> during approval Reaffirm process it prompts for
> password again and this will be verified against the
> user data store.

So, what happens when AE is used and the user does not know their SAP password, because they normally authenticate using an external authentication method and/or the SAP password is deactivated?

I am asking because we have recently noticed that we can log on to AE using an SSO2 ticket, but the user login screen is still shown before the list of requests is given. At the user login screen we can enter any information, e.g. userid = xyz, password = 1234. Whatever we enter seems to be ignored and the user is logged in using their SSO2 ticket. Is there a way to remove the login screen, since it is not required when using SSO2 tickets?


Make the login module definition like this:

EvaluateTicketLoginModule Sufficient
HeaderVariableLoginModule Optional
CreateTicketLoginModule Sufficient
BasicPasswordLoginModule Required
CreateTicketLoginModule Optional

Given the above definition, if the Header module succeeds then you will be logged into the application. If it fails then you get the basic UserName/password page through which you can log in.

In my example, the user data store for AE is defined as LDAP, the password is the LDAP password, and it will be verified using a third-party IDM tool. Once authenticated, the user can enter the application. If it fails then the user will be prompted with the basic login screen.

Regards,

Muthu Kumaran KG
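To see why the stack quoted above behaves as described (header variable succeeds: logged in without a password; header fails: the basic password page appears), here is an added example that is not from this thread and not SAP's code. It walks the five entries with standard JAAS control-flag semantics, which SAP NetWeaver Java uses; the module behaviour, the sample ticket and the password-store entries are constructed assumptions.

```python
"""Model of the login module stack quoted above, walked with JAAS control-flag
semantics. Module behaviour, tickets and passwords are constructed assumptions."""

VALID_TICKETS = {"ticket-for-alice": "alice"}   # constructed SSO2 tickets
PASSWORDS = {"bob": "s3cret"}                   # constructed user store

STACK = [   # the stack from the reply above, as (module, control flag) pairs
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("HeaderVariableLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUIRED"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def run_module(name, request, state):
    """Simplified behaviour of each module; True means it authenticated."""
    if name == "EvaluateTicketLoginModule":
        user = VALID_TICKETS.get(request.get("sso2_ticket"))
    elif name == "HeaderVariableLoginModule":
        user = request.get("header_user")       # e.g. REMOTE_USER from the IDM proxy
    elif name == "CreateTicketLoginModule":
        # Only issues a ticket for a user an earlier module already established.
        state["ticket_issued"] = state["user"] is not None
        return state["ticket_issued"]
    elif name == "BasicPasswordLoginModule":
        user = request.get("username")
        if user is None or PASSWORDS.get(user) != request.get("password"):
            state["password_prompted"] = True   # login screen shown to the user
            user = None
    else:
        raise ValueError(name)
    state["user"] = user or state["user"]
    return user is not None

def authenticate(request, stack=STACK):
    """Walk the stack top to bottom; returns the final authentication state."""
    state = {"user": None, "ticket_issued": False, "password_prompted": False}
    required_failed = any_ok = False
    for name, flag in stack:
        ok = run_module(name, request, state)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                break                           # stop immediately
        elif flag == "SUFFICIENT" and ok and not required_failed:
            state["success"] = True             # short-circuit: logged in now
            return state
    state["success"] = any_ok and not required_failed
    return state
```

Run `authenticate({"header_user": "carol"})` to see the header path short-circuit at the Sufficient CreateTicketLoginModule, and `authenticate({})` to see the Required BasicPasswordLoginModule force the login screen.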


Muthu,

We have already configured the authentication stack similarly to how you suggested, and it is working very well for other apps on the same system. The problem we have is understanding how/why AE is different and requires its own login screen. It appears that when we log on to AE we get authenticated (using the login stack configured under "ticket" in Visual Admin), but AE still displays the AE user login screen afterwards.

If AE has the ability to change the user data store, then perhaps it is trying to authenticate the user again even though they have already authenticated?

Does this help?

Thanks again,

Tim


Tim,

How it works:

1. We have a third-party IDM tool authenticating the user

2. The tool passes the user name as the header variable

3. AE is defined with LDAP as the data source for users and user details

4. After authenticating, in the AE home page click on Request Access and in the right pane select the type of account (New, Change or Delete)

5. It opens a page with the user name, and you have to select whether the account is for this user or check the box requesting it for another user

Note: Since we have header variable authentication enabled, this screen will not prompt for a password and moreover the user name field is hard coded

6. If the user login option is clicked in the home page it takes you directly to the configuration screen (Access Enforcer, Informer and Configuration)

It is only the approval reaffirm in AE which prompts for the password again (we have this enabled since it is our requirement). This password will be verified against the user data source irrespective of SSO.

The point of interest, and another topic to discuss, is that approval reaffirm writes the password in clear text to the web logs (we are using Apache instead of WAS). It writes the password in clear text at both levels.

The technical reason why it writes the password in clear text is that AE uses the GET method for this authentication instead of the POST method.

Using the POST method is recommended by SAP itself in Secure Java Programming, but unfortunately the SAP product itself goes against the recommendations.

We have an open ticket with SAP for this issue, and as of now we have deferred the reaffirm requirement since we cannot have the password stored in clear text (the password being the enterprise directory password, which can be used for accessing any resource in our landscape).

Does this clarify?

Regards,

Muthu Kumaran KG
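The leak described in the reply above (a GET-based reaffirm form puts the password in the query string, so the web server's access log records it) can be checked for and contained on the log side. Here is an added defensive example, not from this thread and not SAP's code, that scans constructed Apache combined-format log lines for secret-looking query parameters and redacts their values before the log is retained; the /AE/reaffirm URL, the parameter names and the log lines are constructed assumptions.

```python
"""Find password material that a GET-based form leaves in web-server access
logs, and redact it. Log lines and the /AE/reaffirm URL are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format sample: the GET reaffirm leaks the
# password into the log; the equivalent POST does not (bodies are not logged).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2008:10:01:22 +0100] "GET /AE/reaffirm?user=alice&password=Winter08&reqid=4711 HTTP/1.1" 200 532 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2008:10:02:05 +0100] "POST /AE/reaffirm HTTP/1.1" 200 532 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Mar/2008:10:03:41 +0100] "GET /AE/index.jsp?lang=en HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')
# Heuristic: a parameter name containing any of these is treated as a secret.
SENSITIVE = ("password", "passwd", "pwd", "pass", "pin", "secret")
REDACT_RE = re.compile(r"(?i)((?:%s)[^=&\s]*=)[^&\s\"]*" % "|".join(SENSITIVE))

def leaked_params(target):
    """Names (never values) of secret-looking parameters in a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if any(s in k.lower() for s in SENSITIVE)]

def scan(log_text):
    """Return one finding per log line whose query string carries a secret."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a request line we understand
        leaked = leaked_params(m["target"])
        if leaked:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": urlsplit(m["target"]).path, "params": leaked})
    return findings

def redact(line):
    """Replace the value of every secret-looking query parameter in a log line."""
    return REDACT_RE.sub(r"\1REDACTED", line)
```

The findings carry parameter names only, so the report itself does not become a second copy of the password; the real fix remains switching the form to POST, as the reply says.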


Muthu,

We are using a login module which does not have a login screen. It is similar to the SAP SPNEGO login module, which uses the Kerberos credentials of the user who is logged on at the workstation. The user normally accesses an application and is authenticated without having to enter any password.

With the above in mind, it seems you are using the header login module instead, and I need to understand the implications of this difference.

In your explanation, in item 4 you say "After authenticating in AE home page". Can you explain this some more? Since we are using a login module which has already authenticated the user and an SSO2 ticket has been issued, we don't want any home page or any additional authentication to be required.

Thank you again for your help. I very much appreciate it.

Regards,

Tim


Hi Tim,

Did you get any further with this? We are having a similar issue where we can authenticate using SPNEGO for useradmin etc., which gives us an SSO cookie. Once we have the cookie it then allows us access to AE. However, if we go directly to user login in AE it always prompts for a password.

Have you managed to configure AE to use the logon module stack directly?

WolfgangJanzen
Product and Topic Expert

Most likely the application is performing a programmatic authentication.

Since you have already reported this problem to SAP, I'd suggest waiting for the response. In case you do not obtain a satisfying reply, you might consider proceeding on the escalation path ... (I personally agree with you that using GET instead of POST is awful).