on 2022 Jun 19 8:47 PM
Since Internet Explorer is EOL, we have configured most of our LOB apps, including SRM OCI Punch out shops, to work in Compatible mode by adding the respective shop URLs to the IE Mode list. This will ensure business continuity while we look for a long-term solution. Upon doing this we stumbled upon a problem, i.e. seamless login doesn't seem to work in Edge Chromium even though the site renders as expected after configuration. The sites keep asking for username and password, or credentials are not working, even though it works as expected when reproduced in IE.
After inspecting the session traffic via Edge F12 tools, could it be that it is not possible to share session cookie IDs etc. between IE and Edge until you instruct both browsers to do so in the configuration file?
Will there be a need to add a snippet in the ie-mode .xml file instructing both browsers to allow this, or is it configured via the server or SAP backend? Recommendations and workarounds will be appreciated.
timea.geczi Below will be my proposed workaround as a sys admin to the various stakeholders.
The issue can be attributed to a security change in modern browsers, specifically Chromium, where a new feature has been introduced that flags all cross-browser requests as SameSite=lax, rather than SameSite=None as was the case in previous browsers. This flag is enabled regardless of whether protection against CSRF has been enabled on the server side. According to SAP, this protection is enabled by default on the server side. You can find more information in the following article. https://blogs.sap.com/2020/02/14/handling-google-chrome-samesite-cookie-change-in-sap-on-prem-applic...
SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "www.example.com"
SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "[*.]example.edu"
3. Hardening Firefox ESR and testing afterwards? Since many webshops, intranets and extranets work in conjunction with the SAP Portal Single Sign On solution in (Edge -> IE compatible mode), I think an interim solution with the above setting is not a bad idea.
Let me know what you think of this as a proposal to various SRM OCI Punchshop etc. stakeholders.
Hi John,
Indeed, the issue is caused by the changed SameSite behavior of the latest Chrome/Edge browsers.
The details and the solution have been described in SAP Note 2887651 (see the server-side solution).
The server-side solution reverts to the previous behavior by explicitly setting the SameSite=None and Secure attribute to all cookies issued by the SAP system.
Best regards,
Timea
Hi Timea,
Thanks for the reply :). As you can see below, I don't have access to that SAP Note link you sent me, since I am registered as a P User with a universal ID, which limits me to the basic SAP support areas.
I think the solution you sent can be accessed via the SAP ONE Support Launchpad, which I don't have access to. I will appreciate it if you can copy and paste the solution here, since this could go a long way to help a lot of businesses and users encountering the same problem after migration due to IE end of life. Thanks.
I'm afraid I can't copy and paste the whole text.
Try to set the following profile parameter to enable setting of the SameSite=None cookie attribute in SAP Web Dispatcher, AS ABAP or AS Java: icm/HTTP/samesite = None
Ensure that HTTPS is used; it will not work with HTTP.
For further help please contact a local consultant or create a SAP ticket.
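An added example, not part of the thread or of the SAP Note: a small Python check that classifies `Set-Cookie` headers (for instance copied from the F12 network tab) by how a Chromium-based browser treats them in a cross-site context, which shows why `SameSite=None` only helps when the cookie is also `Secure`. The cookie names, values and verdict labels are constructed for illustration.

```python
"""Classify Set-Cookie headers by how a Chromium-based browser handles them cross-site."""

# Constructed sample response headers (cookie names and values are made up).
SAMPLE_HEADERS = [
    "sso_ticket=abc123; Path=/; HttpOnly",
    "sso_ticket=abc123; Path=/; HttpOnly; SameSite=None",
    "sso_ticket=abc123; Path=/; HttpOnly; Secure; SameSite=None",
    "ui_state=compact; Path=/; SameSite=Lax",
]


def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lowercase attribute names to values."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a Set-Cookie value: {header!r}")
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Classify one Set-Cookie value under Chromium's SameSite defaults."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        # SameSite=None is only accepted together with Secure (HTTPS).
        return name, "sent-cross-site" if secure else "rejected"
    if samesite == "strict":
        return name, "same-site-only"
    if samesite == "lax":
        return name, "lax"
    # Missing or unrecognised value: Chromium applies Lax by default.
    return name, "lax-by-default"


def audit(headers):
    """Classify every header in the list, preserving order."""
    return [cross_site_verdict(h) for h in headers]


if __name__ == "__main__":
    for cookie_name, verdict in audit(SAMPLE_HEADERS):
        print(f"{cookie_name:12} {verdict}")
```

Only the third sample header yields a cookie that the browser will attach to cross-site requests; the first is what a server without the SameSite setting emits, and the second is what happens when the attribute is set but the site is served without `Secure` cookies.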