SSO Ticket content specification

Former Member

Hi guys,

is there any specification of what a SAP Logon Ticket (MYSAPSSO2 cookie) has to contain? Is it possible to create a valid MYSAPSSO2 cookie without any SAP system? That should work if the cookie contains the correct information and the SAP WAS servers which should accept that cookie have the right certificate imported, shouldn't it? So does anyone know what exactly this cookie contains? Are there any specs?

best regards,

Markus


tim_alsop
Active Contributor

Markus,

If it was possible for a developer to create some code to issue an SSO2 cookie/ticket by following a specification and using their own certificate, this would create a big security issue, since this developer could potentially create a ticket for a specific SAP user and log on as that user instead of themselves... I appreciate that you are not trying to attack a SAP system, but I have explained this so you can understand why SAP do not make the cookie content or format public knowledge. The only way to issue an SSO2 ticket is to use a SAP server to issue it for you, after you have authenticated to SAP to show that you are trusted to have a ticket for a specific SAP user.

Regards,

Tim

Former Member

Tim,

your statement is not entirely true - security comes from the technology and processes used to protect the private key of the ticket issuing authority, not from the obscurity of the algorithm used to create the ticket.

I wonder why SAP relies on things like this - afaik, the logon ticket structure has even been reverse engineered already. I suspect the real motives behind not publishing a specification are more of an economic nature - not concerns about security.

Regards, Sebastian

WolfgangJanzen
Product and Topic Expert

> Tim,
>
> your statement is not entirely true - security comes from the technology and processes used to protect the private key of the ticket issuing authority, not from the obscurity of the algorithm used to create the ticket.

Correct - it's essential to protect the private key (which is required to sign a ticket).

> I wonder why SAP relies on things like this - afaik, the logon ticket structure has even been reverse engineered already.

Well, that's a low-brainer. The ticket is just base64-encoded - but not encrypted. Furthermore, a parser (library sapssoext) is publicly available.

> I suspect the real motives behind not publishing a specification are more of a economic nature - not concerns about security.

Wrong. As stated previously: the syntax is not documented because SAP wants to reserve the right to change it at any time. Only the API will be kept stable (but could be extended - as has happened in the past, when introducing the assertion ticket).

Notice: the SAP Logon Ticket (as well as the SAP Authentication Assertion Ticket) is a proprietary token. Non-SAP components might consume those tokens (using the provided ticket validation library). But it's highly recommended to use standards-based solutions, if available (e.g. X.509 client certificates, SAML 2.0 tokens, etc.). Proprietary tokens are no longer promoted (but should be replaced - in the long term; don't worry: they will continue to exist for a while ...).

WolfgangJanzen
Product and Topic Expert

The SAP Logon Ticket is (as the name clearly indicates) a proprietary security token which is created only in exchange for valid logon data (in the course of an authentication).

It is not desired to enable anyone to create such security tokens; therefore there is neither an API nor a (publicly available) technical specification.

SAP only offers a library for ticket validation (SAPSSOEXT).

That library abstracts from the token format (which might change).

Regards, Wolfgang
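The point argued across the replies above (the ticket body is base64-encoded but not encrypted, and security rests on protecting the issuer's private key and on the accepting server trusting only the issuer's certificate, not on the format being secret), shown with an added Go example. This is not SAP code and does not use the real MYSAPSSO2 format or the SAPSSOEXT library; the Ticket layout, the Ed25519 key type and all names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Ticket is a constructed, hypothetical ticket body with a deliberately public
// layout: knowing the layout gives nothing, only the issuer's private key does.
type Ticket struct {
	User   string `json:"user"`
	Issuer string `json:"issuer"`
	Expiry int64  `json:"expiry"`
}

// Issue is the only step that touches the private key. The cookie value is
// base64(JSON body) + "." + base64(signature): encoded, not encrypted, so anyone
// holding the cookie can read the body (as with the real ticket's base64 body).
func Issue(priv ed25519.PrivateKey, t Ticket) string {
	body, _ := json.Marshal(t)
	sig := ed25519.Sign(priv, body)
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Verify plays the accepting server: it trusts exactly one issuer public key
// (the "imported certificate") and rejects any body not signed by that key,
// so a tampered body or a ticket signed with some other key is refused.
func Verify(trusted ed25519.PublicKey, cookie string) (Ticket, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return Ticket{}, fmt.Errorf("malformed cookie")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(trusted, body, sig) {
		return Ticket{}, fmt.Errorf("signature invalid: not issued by the trusted key")
	}
	var t Ticket
	return t, json.Unmarshal(body, &t)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what accepting servers import
	cookie := Issue(priv, Ticket{User: "MARKUS", Issuer: "SSO-ISSUER", Expiry: 1700000000})
	_, err := Verify(pub, cookie)
	fmt.Println("cookie:", cookie, "\naccepted:", err == nil)
}
```

Decoding the first segment with any base64 tool shows the user name in clear, which is why a ticket must be protected in transit and at rest even though it cannot be altered without the issuer's key.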