
the MYSAPSSO2 logon ticket is expired as soon as it's issued?

paulvipond
Explorer
0 Kudos

Hello, I've been configuring my AS Java system to authenticate users with SAML2 and then create a logon ticket (MYSAPSSO2) and redirect users to an ABAP system.

This configuration was completed by following the steps in the Wiki created by Desislawa Petkova, here:
https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Support...

While nearly all steps have gone well, the problem I'm running into is that while the MYSAPSSO2 logon ticket is created, it is also expired as soon as it's issued, and this of course won't allow the user that was authenticated at the Identity Provider to get into the ABAP system.

My research did find information about how the MYSAPSSO2 logon ticket is expired, normally as part of a logout process. But no logout process has been initiated in this case. Link to 'MYSAPSSO2 deletion' https://wiki.scn.sap.com/wiki/display/ASJAVA/MYSAPSSO2+-+deletion While this wiki was helpful to identify the missing user ID in the MYSAPSSO2 ticket, and the presence of the sapsso-list cookie that is created, I still can't find the issue and why the logon ticket doesn't contain the authenticated user ID passed in the SAML assertion.

Any ideas?

Here are things I have checked and validated:
- the ticket issuing and accepting systems are on the same domain
- all steps in the original wiki have been followed
- the Java logs were examined and it appears that the SAML assertion is passing the correct user ID in the R3User SAML attribute
- the developer tools in the browser show that the MYSAPSSO2 ticket is being created, but it has an expiry date of 1970, consistent with the 'deletion' wiki mentioned above.
- I found a MYSAPSSO2 cookie decoder on Github that was helpful in showing that the user name was missing. Link here: https://gist.github.com/thomaspatzke/8f3b0a678011ac74c61b#file-mysapsso-decoder-py

Appreciate the help.

Paul
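As an added diagnostic (my own example, not code from this thread, from SAP or from the linked gist), the script below does in code what the question describes doing in the browser's developer tools: it reads the Set-Cookie headers of a logon response, flags a MYSAPSSO2 cookie set with an epoch expiry as a deletion rather than a logon, and decodes the ticket body to see whether the user ID info unit is present and whether the validity window has already ended. The ticket layout (version byte 0x02, a 4-digit code page, then info units of 1-byte tag, 2-byte big-endian length and value, tag 0x01 for the user ID, 0x04/0x05/0x06 for creation time and validity, 0xff for the signature) is an assumption taken from public decoders; the sample headers, domain, user name and times are constructed, and no signature is verified.

```python
"""Diagnostic for a MYSAPSSO2 Set-Cookie: deletion or a ticket without a user?
Ticket layout is an ASSUMPTION from public decoders; signatures are not checked."""
import base64
import struct
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed info-unit tags; unknown tags are kept under a generic name.
INFO_UNIT_NAMES = {0x01: "user", 0x02: "client", 0x03: "system_id",
                   0x04: "created",  # YYYYMMDDHHMM, taken as UTC here
                   0x05: "valid_hours", 0x06: "valid_minutes",
                   0xFF: "signature"}  # PKCS#7 data over the preceding bytes


def decode_ticket(cookie_value: str) -> dict:
    """Split a base64 MYSAPSSO2 cookie value into its info units (no signature check)."""
    raw = base64.b64decode(cookie_value)
    if not raw or raw[0] != 0x02:
        raise ValueError("not a version-2 logon ticket")
    units, pos = {"version": raw[0], "codepage": raw[1:5].decode("ascii")}, 5
    while pos + 3 <= len(raw):
        tag = raw[pos]
        (length,) = struct.unpack(">H", raw[pos + 1:pos + 3])
        body = raw[pos + 3:pos + 3 + length]
        pos += 3 + length
        name = INFO_UNIT_NAMES.get(tag, f"unit_0x{tag:02x}")
        # Code page 1100 is ISO-8859-1, so text units are decoded as latin-1.
        units[name] = body if tag == 0xFF else body.decode("latin-1")
    return units


def build_sample_ticket(user: str, created: str, valid_hours: str = "8") -> str:
    """Constructed, unsigned sample ticket in the assumed layout (demo input only)."""
    body = bytes([0x02]) + b"1100"
    for tag, value in [(0x01, user), (0x02, "100"), (0x03, "JAV"),
                       (0x04, created), (0x05, valid_hours)]:
        enc = value.encode("latin-1")
        body += bytes([tag]) + struct.pack(">H", len(enc)) + enc
    sig = b"SIGNATURE-PLACEHOLDER"  # constructed; a real ticket carries PKCS#7 bytes
    body += bytes([0xFF]) + struct.pack(">H", len(sig)) + sig
    return base64.b64encode(body).decode("ascii")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_logon_ticket(set_cookie_headers, now: datetime) -> list:
    """Return human-readable findings for every MYSAPSSO2 cookie in a response."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != "MYSAPSSO2":
            continue
        expires = cookie["attrs"].get("expires")
        if expires:
            exp = parsedate_to_datetime(expires)
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:  # an epoch expiry means the browser deletes the cookie
                findings.append("expiry '%s' is in the past: this Set-Cookie is a deletion, not a logon" % expires)
        if not cookie["value"]:
            findings.append("MYSAPSSO2 value is empty")
            continue
        try:
            ticket = decode_ticket(cookie["value"])
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            findings.append("value does not decode as a logon ticket: %s" % exc)
            continue
        if not ticket.get("user"):
            findings.append("ticket carries no user ID (info unit 0x01 empty or absent)")
        if ticket.get("created"):
            start = datetime.strptime(ticket["created"], "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
            end = start + timedelta(hours=int(ticket.get("valid_hours") or 0),
                                    minutes=int(ticket.get("valid_minutes") or 0))
            if end <= now:
                findings.append("ticket validity window ended at %s" % end.isoformat())
    return findings


# Constructed sample responses: the symptom from the question, and a healthy logon.
NOW = datetime(2024, 5, 14, 9, 30, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=9)  # after the sample's 8-hour validity window
BROKEN_RESPONSE = ["MYSAPSSO2=" + build_sample_ticket("", "202405140930")
                   + "; path=/; domain=.example.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; HttpOnly"]
HEALTHY_RESPONSE = ["MYSAPSSO2=" + build_sample_ticket("JDOE", "202405140930")
                    + "; path=/; domain=.example.com; HttpOnly"]

if __name__ == "__main__":
    for label, response in (("broken", BROKEN_RESPONSE), ("healthy", HEALTHY_RESPONSE)):
        print(label, check_logon_ticket(response, NOW) or ["no findings"])
```

Feed `check_logon_ticket` the real Set-Cookie values copied from the browser's network tab; two findings together (past expiry plus empty user unit) are the pattern the question describes, and they point at the ticket issuer on the Java side rather than at the accepting ABAP system.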

Accepted Solutions (0)

Answers (2)


jespergk
Explorer
0 Kudos

Hi Paul.

We are facing a similar issue it seems. Sometimes the ticket works fine while other times it is timed out. Could be that the ticket timeout is way too low. How did you resolve your problem?

Thanks

Jesper

AntalP
Product and Topic Expert
0 Kudos

Hi Paul,

I suggest capturing an 'Authentication' trace about this logon using the security troubleshooting wizard:

http(s)://host:5nn00/tshw

The trace will help in analyzing what happens.

Best regards,

Antal