on 09-16-2004 8:53 AM
Hello all,
While investigating Single Sign-On with SAP Logon Tickets instead of SSO with user ID/password to connect to SAP backend systems, some security issues came up. Do you have any ideas how to handle them?
<b>1. No change logs for user mappings</b>
The portal user administrator must map the user ID of the portal to the user ID on the SAP backend systems (R/3, APO, ...) if they are different. As there is no other check, the administrator can assign any user ID, which may potentially be a security risk.
As no change log with detailed information (date/time, which assignment portal user <=> SAP backend user) exists, this is a serious security issue for our internal audit.
<b>2. Each user administrator can do mappings</b>
Each user administrator may do the user mappings for SAP logons. As this may be a risk (see 1.), this function should be more limited (without restricting other functions for other user administrators).
<b>3. Password aging on SAP systems</b>
For security reasons, we have password aging implemented (password change required every 60 days). With SSO with SAP Logon Tickets, no password check is done, so no password can be changed, even if the password is initial or already expired.
I would be interested whether you have experienced the same problems and how you handle them (own tools, changes in internal security guidelines etc.).
Best regards,
Albert
Hi Albert,
I'm wondering somewhat about the user mapping you are worried about. You said that you have set up SAP Logon Tickets for R/3 access, is that correct? If so, then you are probably dealing with the problem of setting up user mapping on the R/3 reference system.
In this case, a portal administrator is not able to simply map a portal user to any chosen R/3 user ID (on the reference system), as during initialization of the user mapping the password for the R/3 user must be specified. (Note that this password won't be saved but is used only once for verifying that you are allowed to map to that user ID.)
So this should fix issues 1 and 2. Additionally, you should configure your system object for the R/3 reference system so that editing user mapping information is set to "user" instead of "admin,user" or "admin". This way, only ordinary users can set up user mapping for their own portal accounts.
Regarding issue 3, you are right that with SAP Logon Tickets no checks for expired passwords are performed on the target system. The target system completely trusts the SAP Logon Ticket-issuing system. Thus, if for security reasons you still want to use password aging, you should set an appropriate policy on the portal server.
Note that, whenever a user connects directly to one of the integrated systems, the R/3's security policies still apply as usual.
I hope this answers your questions / worries.
Regards,
Dominik
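The trust relationship in the answer above (the target system trusts the ticket issuer and performs no password check of its own, so password aging and mapping verification must happen at the issuer) is easier to see in code. The following is an added example, not SAP's code and not from either poster. It models the issuer as `PortalIssuer` and an R/3-style target as `BackendSystem`, signs tickets with an HMAC over a JSON payload (real SAP Logon Tickets are signed with the issuer's certificate, which the backend imports as its trust anchor), and adds a mapping audit log of the kind the question says is missing. All names, timestamps, passwords and keys are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os

MAX_PASSWORD_AGE = 60 * 24 * 3600   # 60-day aging, as in the question
TICKET_LIFETIME = 8 * 3600          # assumed ticket validity (hypothetical)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class BackendSystem:
    """R/3-style target. Direct logon enforces its own password policy;
    ticket logon only checks the issuer signature and that the user exists."""

    def __init__(self, name: str, issuer_key: bytes):
        self.name = name
        self.issuer_key = issuer_key          # trust anchor for the portal
        self.accounts = {}                    # user -> (salt, hash, last_change)

    def add_user(self, user: str, password: str, last_change: int) -> None:
        salt = os.urandom(16)
        self.accounts[user] = (salt, hash_password(password, salt), last_change)

    def verify_password(self, user: str, password: str) -> bool:
        if user not in self.accounts:
            return False
        salt, digest, _ = self.accounts[user]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def direct_logon(self, user: str, password: str, now: int) -> str:
        if not self.verify_password(user, password):
            return "invalid"
        if now - self.accounts[user][2] > MAX_PASSWORD_AGE:
            return "password_expired"         # user must change it first
        return "ok"

    def ticket_logon(self, ticket: str, now: int) -> str:
        payload_b64, sig_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        expected = hmac.new(self.issuer_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return "invalid"
        claims = json.loads(payload)
        if claims["exp"] < now or claims["sys"] != self.name:
            return "invalid"
        if claims["user"] not in self.accounts:
            return "invalid"
        return "ok"  # no password or expiry check here: the issuer is trusted


class PortalIssuer:
    """Ticket-issuing system. Password aging must live here, because it is the
    only place a password is ever checked on the SSO path."""

    def __init__(self, key: bytes):
        self.key = key
        self.users = {}        # portal user -> (salt, hash, last_change)
        self.mappings = {}     # (portal user, system) -> backend user
        self.audit_log = []    # mapping change log (added; missing per the question)

    def add_user(self, user: str, password: str, last_change: int) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt), last_change)

    def map_backend_user(self, actor: str, portal_user: str, backend: BackendSystem,
                         backend_user: str, backend_password: str, now: int) -> bool:
        # Accepted only after the backend password is proven once; it is not stored.
        ok = backend.verify_password(backend_user, backend_password)
        self.audit_log.append({"time": now, "actor": actor, "portal_user": portal_user,
                               "system": backend.name, "backend_user": backend_user,
                               "result": "mapped" if ok else "rejected"})
        if ok:
            self.mappings[(portal_user, backend.name)] = backend_user
        return ok

    def issue_ticket(self, user: str, password: str, backend: BackendSystem, now: int):
        salt, digest, last_change = self.users.get(user, (b"", b"", 0))
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return None
        if now - last_change > MAX_PASSWORD_AGE:
            return None                        # 60-day aging enforced at the issuer
        backend_user = self.mappings.get((user, backend.name))
        if backend_user is None:
            return None
        payload = json.dumps({"user": backend_user, "sys": backend.name,
                              "exp": now + TICKET_LIFETIME}, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())


def demo() -> dict:
    """Constructed scenario: ALBERT's R/3 password is 90 days old (expired),
    albert's portal password is 10 days old. Returns the observed outcomes."""
    day = 24 * 3600
    now = 1_095_292_380                        # arbitrary fixed timestamp
    key = os.urandom(32)
    r3 = BackendSystem("R3", key)
    r3.add_user("ALBERT", "r3-secret", now - 90 * day)
    portal = PortalIssuer(key)
    portal.add_user("albert", "portal-secret", now - 10 * day)
    results = {
        "admin_maps_without_password": portal.map_backend_user(
            "admin", "albert", r3, "ALBERT", "guess", now),
        "user_maps_with_password": portal.map_backend_user(
            "albert", "albert", r3, "ALBERT", "r3-secret", now),
        "direct_logon": r3.direct_logon("ALBERT", "r3-secret", now),
    }
    ticket = portal.issue_ticket("albert", "portal-secret", r3, now)
    results["ticket_logon"] = r3.ticket_logon(ticket, now)
    results["tampered_ticket"] = r3.ticket_logon(ticket[:-4] + "AAAA", now)
    # Same portal user once the portal password itself is older than 60 days
    results["ticket_after_portal_aging"] = portal.issue_ticket(
        "albert", "portal-secret", r3, now + 70 * day)
    results["audit_entries"] = len(portal.audit_log)
    return results
```

Running `demo()` shows the three points of the thread side by side: a mapping attempt without the backend password is rejected and logged, a direct R/3 logon with the 90-day-old password returns `password_expired`, yet a ticket for the same account is accepted by R/3 without any password check, and only the portal's own aging policy stops ticket issuance once the portal password is too old.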