cancel
Showing results for 
Search instead for 
Did you mean: 

SRM OCI - Punchout Websites Seemless Sign on issues (Edge Chromium - IE Mode)

sharkbone
Discoverer
0 Kudos

Since Internet Explorer is EOL we have configured most of our LOB apps including SRM OCI Punch out shops to work in Compatible mode by adding respective shop urls it to the IE Mode list. This will ensure business continuity whiles we look for a long term solution. Upon doing this we stumbled upon a problem i.e. seamless login doesn't seem to work in Edge chromium even though the site renders as expected after configuration. The sites keeps asking for username and password or credentials are not working even though when reproduced in IE works as expected.

After inspecting the session traffic via Edge F12 tools could it be that it is not possible to share session cookies ids etc. between IE and Edge until you instruct both browsers to do so in the configuration file?

Will there be a need to add snippet in the ie--mode .xml file instructing both browsers to allow this or configured via the Server or SAP backend? Recommendations and workarounds will be appreciated.

Accepted Solutions (0)

Answers (2)

Answers (2)

sharkbone
Discoverer
0 Kudos

timea.geczi Below will be my proposed workaround as a sys admin to the various stakeholders.

The issue can be attributed to a security change in modern browsers, specifically Chromium, where a new feature has been introduced that flags all cross-browser requests as SameSite=lax, rather than SameSite=None as was the case in previous browsers. This flag is enabled regardless of whether protection against CSRF has been enabled on the server side. According to SAP, this protection is enabled by default on the server side. You can find more information in the following article. https://blogs.sap.com/2020/02/14/handling-google-chrome-samesite-cookie-change-in-sap-on-prem-applic...


This leaves us with 3 options: The first option is to fix the problem on the server side(SAP Backend), the second option on the browser side(Edge Chromium Group Policies) and the third long term option is using Firefox ESR once we are sure it is hardened enough for our enterprise environment.

1. If we choose option 1, we need to involve SAP Team to set the following in the Web Dispatcher in the OCI configuration.
Set the following profile parameter to set the cookie attribute SameSite=None in SAP Web Dispatcher, AS ABAP or AS Java: icm/HTTP/samesite = None. You have to make sure that HTTPS is used, it does not work with HTTP.

OR
2. We can also configure it on the browser side by resetting this cookie handling to legacy mode for certain websites by using this setting https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies/. The equivalent in Edge is this https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#legacysamesitecookiebehaviorenab...

Example Reg Key syntax
SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "www.example.com"
SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "[*.]example.edu"

OR

3. Hardening Firefox ESR and testing afterwards? Since many webshops, intranets and extranets work in conjunction with the SAP Portal Single Sign On solution in (Edge -> IE compatible mode), I think an interim solution with the above setting is not a bad idea.

Let me know what you think of this as a proposal to various SRM OCI Punchshop etc. stakeholders.
timea_geczi
Active Participant
0 Kudos

Hi John,

Indeed, the issue is caused by the changed SameSite behavior of latest Chrome/Edge browsers.

The details and the solution has been described in SAP Note 2887651 (see the server-side solution).

The server-side solution reverts to the previous behavior by explicitly setting the SameSite=None and Secure attribute to all cookies issued by the SAP system.

Best regards,

Timea

sharkbone
Discoverer
0 Kudos

HI Timea,

Thanks for the reply :). As you can see below I dont have access to that SAP Note link you sent me since i am registered as a P User with a universal ID which limits me to the basic SAP support areas.

I think the solution you sent can be accessed via the SAP ONE Support Launchpad which i dont have access to. Will appreciate if you can copy and paste the solution here since this could go a long way to help a lot of businesses and users encountering the same problem after migration due to IE end of life. tnx

timea_geczi
Active Participant
0 Kudos

I'm afraid I can't copy and paste the whole text.

Try to set the following profile parameter to enable setting of the SameSite=None cookie attribute in SAP Web Dispatcher, AS ABAP or AS Java: icm/HTTP/samesite = None

Ensure that HTTPS is used, it will not work with HTTP.

For further help please contact a local consultant or create a SAP ticket.