SSO Logon Ticket (I think)


So I've noticed an issue that may be pertaining to a session cookie or an SSO Logon Ticket. An employee (User A) logs into our SAP Enterprise Portal and accesses Fiori My Inbox from a URL iView tile. After clicking on that tile, a new tab opens which displays the My Inbox app screen. If User A closes out of the My Inbox tab, their credentials are still somehow stored. This becomes a security issue because a separate user (User B) can log on to the EP and click on the My Inbox tile and can see all of User A's worklists, PCRs, etc. I have tried creating a UI5 iView, but the settings and parameters have been a nightmare to try and configure. Is there a way to automatically log a user out of Fiori My Inbox once the tab is closed? Maybe a change on the UME side of the portal, if not a config within the gateway backend ABAP system? Please assist.

Derrick Chandler

BCS Systems Administrator, ERP

isaias_freitas

Hello Derrick,

This might occur only if both users are using the same computer, and sharing the same operating system login (and the latter would already be a concern from a security standpoint), correct? 🙂

Regards,

Isaías


Hello Isaias,

Thanks for your reply. We have an environment where multiple users use the same computer but they don't have the same usernames. Their usernames are connected through the portal via LDAP.

This is more of an issue because we have a tile in the NW Enterprise Portal that connects to a Fiori application on a backend ABAP system. When you close the Fiori Gateway tab, the cookie is still active. So even when you log out of the Enterprise Portal, the previous Fiori session is active. Is there a way to log out and invalidate the session cookie by closing the Fiori Gateway tab?

Regards,

Derrick
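The question above is whether the Fiori/Gateway session can be ended when its tab is closed. The following is an added example, not code from this thread or from SAP, showing the usual browser-side approach: a `pagehide` hook that calls the ABAP ICF logoff service with a request the browser will still deliver while the page is being torn down. It assumes the service is reachable at `/sap/public/bc/icf/logoff` on the same origin the launchpad was loaded from, that it accepts a cookie-authenticated GET (keepalive fetch) or POST (`sendBeacon`), and that it responds by ending the session and expiring the `MYSAPSSO2` / `SAP_SESSIONID*` cookies for that host. The `makeFakeWindow` helper and the `example.corp` hostnames are constructed so the hook can be exercised outside a browser.

```javascript
// Added example, not code from the thread or from SAP: a best-effort hook
// that ends the Fiori/Gateway session when the tab is hidden or closed by
// calling the ABAP ICF logoff service. Assumptions: the service lives at
// LOGOFF_PATH on the same origin the launchpad was loaded from, accepts a
// cookie-authenticated GET (keepalive fetch) or POST (sendBeacon), and
// answers by ending the session and expiring the MYSAPSSO2 / SAP_SESSIONID*
// cookies. Nothing here touches the Portal's own session or cookies.
const LOGOFF_PATH = "/sap/public/bc/icf/logoff";

// Absolute logoff URL for the origin the app was served from.
function logoffUrlFor(origin, path = LOGOFF_PATH) {
  return new URL(path, origin).toString();
}

// Send the logoff in a way the browser will still deliver while the page is
// going away. keepalive fetch keeps the request alive past unload; sendBeacon
// is the fallback (it always POSTs). Returns the transport used, or null.
function sendLogoff(transport, url) {
  if (typeof transport.fetch === "function") {
    transport
      .fetch(url, { method: "GET", credentials: "include", keepalive: true, redirect: "manual" })
      .catch(() => {}); // the response is irrelevant; the page is closing
    return "fetch";
  }
  if (typeof transport.sendBeacon === "function" && transport.sendBeacon(url, "")) {
    return "beacon";
  }
  return null;
}

// Register on pagehide (fires on close, navigation and bfcache entry, and is
// more reliable than unload on mobile). Idempotent: the logoff is sent once.
function installTabCloseLogoff(win, transport, path = LOGOFF_PATH) {
  const url = logoffUrlFor(win.location.origin, path);
  const state = { url, sent: false, transport: null };
  win.addEventListener("pagehide", () => {
    if (state.sent) return;
    state.sent = true;
    state.transport = sendLogoff(transport, url);
  });
  return state;
}

// Constructed stand-in for a browser window so the hook can be exercised
// outside a browser (e.g. under Node). A real page passes `window` and
// { fetch: window.fetch.bind(window), sendBeacon: navigator.sendBeacon.bind(navigator) }.
function makeFakeWindow(origin) {
  const listeners = {};
  return {
    location: { origin },
    addEventListener(type, fn) {
      listeners[type] = listeners[type] || [];
      listeners[type].push(fn);
    },
    fire(type, ev = {}) { (listeners[type] || []).forEach((fn) => fn(ev)); },
  };
}

if (typeof window !== "undefined") {
  // In a real page: install against the live window.
  installTabCloseLogoff(window, {
    fetch: window.fetch.bind(window),
    sendBeacon: navigator.sendBeacon.bind(navigator),
  });
} else {
  // Offline demonstration with the constructed window (hostname is made up).
  const sent = [];
  const win = makeFakeWindow("https://fiori.example.corp");
  const state = installTabCloseLogoff(win, {
    fetch: (u) => { sent.push(u); return Promise.resolve(); },
  });
  win.fire("pagehide");
  win.fire("pagehide"); // second event must not send a second logoff
  console.log(state.transport, sent); // fetch [ 'https://fiori.example.corp/sap/public/bc/icf/logoff' ]
}
```

Two caveats a practitioner should keep in mind. First, this only ends the session on the Gateway/ABAP host; the SAP Logon Ticket issued by the Portal is a cookie for the Portal's domain and is only invalidated by the Portal's own logoff, and `pagehide` is never guaranteed to fire (crashed tab, killed process). The controls that actually bound the exposure are server-side: the ABAP security session timeout (`http/security_session_timeout`) and the ticket validity (`login/ticket_expiration_time`). Second, if a second person uses the same still-open browser profile, nothing client-side helps, which is exactly what the replies below are probing.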

isaias_freitas

Hello Derrick,

You are welcome!

But do the users share the same login at the operating system level (i.e., Windows)?

Because I do not see how it would be possible for one user (at OS level) to log on with a cookie stored on another user account...

Anyway, how is the logon to the Fiori performed? Do you have SAP Logon tickets configured, so there is SSO between the Portal and Fiori systems?

And what is the URL for the "My Inbox" app? (You would need to capture an HTTP trace, using the browser developer tools with the F12 key, to see the actual URL, as the URL in the browser would likely still be a Portal URL.)

Regards,

Isaías


Hello again, Isaias.

The two users DO NOT share the same Windows login. They have their own AD accounts that are linked to the SAP Enterprise Portal via LDAP.

We are IN FACT using SSO Logon Tickets. A user logs into the portal and clicks on the tile that points to the Fiori application, which opens in a separate tab. When closing the Fiori Gateway tab and logging out of EP, the session cookie in Fiori is still valid.

This is the URL iView:

'https://<host>.<domain>/sap/bc/ui2/flp#WorkflowTask-displayInbox&/detail/RS2_INBOX/000017958866/TaskCollection(SAP__Origin='RS2_INBOX',InstanceID='00001795886'

My manager and I also suggested trying to use an Embedded UI5 iView, but we are having troubles with adding the parameters, especially when part of those parameters are called via an event in R/3.

I know, pretty involved. smh 😞

Derrick

isaias_freitas

Hello Derrick,

But if each user has his/her own Windows account, it would mean that there is a Windows user profile for each user, and the browser data (including cookies) would be stored on each user profile.

How would one user be accessing the cookies of the other, then...?

Regards,

Isaías
