Configuring NEA at the Web Dispatcher – my personal takeaways
I have recently installed and configured a Web Dispatcher test environment with NEA – Network Edge Authentication.
This help.sap.com page describes the Web Dispatcher parameters used for NEA.
These are my personal takeaways from this experience :o).
1. The requests to the authentication system (AUTH_SYSTEM) must go through the Web Dispatcher too.
   This was my first mistake :).
   At my first configuration attempt, I had defined the AUTH_SERVICE argument pointing directly to the SSO system, bypassing the Web Dispatcher.
2. The default token type is X.509.
   The argument “SSO_TOKEN_TYPE=SAPLogonTicket” can be used to change it to “SAP Logon Tickets”, which was what I wanted to use.
   However, this argument must be added to the “wdisp/system_X” definition of every backend system, not to the definition of the SSO system (my second mistake :)).
3. Adding the “LOGOUT_URL” and “LOGOUT_COOKIE” arguments to the “wdisp/system_X” definition of every backend system causes the NEA session (at the Web Dispatcher) to be removed when the user logs off.
   Otherwise, the session stays there until the NEA session timeout is reached (default: 3600 seconds).
4. Adding the “MANAGED_SESSION_COOKIES” argument to all the “wdisp/system_X” definitions “hides” the actual session cookies from the client.
   The Web Dispatcher manages the cookies internally and does not send them back to the client (so, for example, the browser never receives the SAP session cookies such as MYSAPSSO2, SAP_SESSIONID, and so on).
   Instead of the actual session cookies, the client receives only the “sap-webdisp-session” cookie.
   I think this is very cool, from a security perspective.
5. In my case, I was using two hostnames (DNS aliases) pointing to the Web Dispatcher.
   Requests made to the hostname “sso.example.com” would be related to the authentication system; requests made to “wdpnea.example.com”, to the other backend systems.
   SRCURL was used as an additional selection criterion.
   It seems that the Web Dispatcher considers the complete host address as the domain, so it was setting the cookie “sap-webdisp-session” for the host “sso.example.com” only.
   This caused a “weird behavior”: after I had authenticated, the browser was not sending this cookie on the subsequent requests (to “wdpnea.example.com”), which caused the Web Dispatcher to try sending me to the authentication system again and finally return an error to my browser.
   I had to add the argument “DOMAIN_RELAX=1” to the “wdisp/system_X” definition of the authentication system so that the cookie “sap-webdisp-session” was created for “*.example.com”, which fixed the issue.
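The behaviour behind item 5 is the browser's cookie-scoping rule, not anything specific to the Web Dispatcher: a cookie set without a Domain attribute is host-only and is never sent to a sibling host, while a cookie scoped to the parent domain is sent to every host under it. The following is an added example (not code from the original post, and not SAP's or the Web Dispatcher's own code) that reproduces that rule with Python's standard http.cookiejar, which applies the same host-only/domain logic a browser does. The two host names come from the post; the cookie value, the URL paths, and the exact Set-Cookie attributes (the real attributes emitted by the Web Dispatcher are not shown on the page) are constructed assumptions, with "Domain=.example.com" standing in for the effect the post describes for DOMAIN_RELAX=1.

```python
"""Model of the host-only vs. domain cookie rule behind the DOMAIN_RELAX issue.

Added example, not the post's or SAP's code. Set-Cookie attributes, paths and
the cookie value are constructed for illustration.
"""
import email.message
import http.cookiejar
import urllib.request

AUTH_HOST = "sso.example.com"        # host name that selects the authentication system
BACKEND_HOST = "wdpnea.example.com"  # host name that selects the backend systems
SESSION_COOKIE = "sap-webdisp-session"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def session_set_cookie(domain_relax):
    """Build the (constructed) Set-Cookie line the authentication host sends.

    Without domain relaxation the Domain attribute is omitted, so the cookie is
    host-only (bound to sso.example.com). With it, the cookie is scoped to
    .example.com, i.e. "*.example.com" as the post puts it.
    """
    value = "constructed-opaque-session-id"  # constructed sample value
    attrs = [f"{SESSION_COOKIE}={value}", "Path=/", "Secure", "HttpOnly"]
    if domain_relax:
        attrs.append("Domain=.example.com")  # assumed effect of DOMAIN_RELAX=1
    return "; ".join(attrs)


def cookie_sent_to(domain_relax, host):
    """Return True if, after login on AUTH_HOST, the browser would attach the
    session cookie to a later request to `host`."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy, browser-like scoping
    # 1. The login response from the authentication host sets the cookie.
    login_req = urllib.request.Request(f"https://{AUTH_HOST}/sap/bc/login")
    jar.extract_cookies(_FakeResponse([session_set_cookie(domain_relax)]), login_req)
    # 2. The next request goes to `host`; does the jar attach the cookie?
    next_req = urllib.request.Request(f"https://{host}/sap/bc/ui2/flp")
    jar.add_cookie_header(next_req)
    cookie_hdr = next_req.get_header("Cookie", "")
    return SESSION_COOKIE in cookie_hdr


def explain():
    """Summarise all four combinations of relaxation and target host."""
    return {
        (relax, host): cookie_sent_to(relax, host)
        for relax in (False, True)
        for host in (AUTH_HOST, BACKEND_HOST)
    }


if __name__ == "__main__":
    for (relax, host), sent in explain().items():
        mode = "DOMAIN_RELAX=1" if relax else "no DOMAIN_RELAX"
        print(f"{mode:16} -> request to {host:20}: cookie {'sent' if sent else 'NOT sent'}")
```

Run it and the host-only variant is sent back to sso.example.com but not to wdpnea.example.com, which is exactly the redirect-to-authentication loop described above; the domain-scoped variant reaches both hosts. The same check is a quick way to validate any multi-hostname front end: if the session cookie must survive a hop between hostnames, its Domain attribute has to cover both of them.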
I hope that these few observations can help you in your NEA environment implementations! 😀
Update on May/30: added item 5 🙂