Hello, I've been configuring my AS Java system to authenticate users with SAML2 and then create a logon ticket (MYSAPSSO2) and redirect users to an ABAP system.
This configuration was completed by following the steps in the Wiki created by Desislawa Petkova, here:
While nearly all steps have gone well, the problem I'm running into is that while the MYSAPSSO2 logon ticket is created, it is also expired as soon as it's issued, and this of course won't allow the user that was authenticated at the Identity Provider to get into the ABAP system.
My research did find information about how the MYSAPSSO2 logon ticket is expired, normally as part of a logout process. But no logout process has been initiated in this case. Link to 'MYSAPSSO2 deletion' https://wiki.scn.sap.com/wiki/display/ASJAVA/MYSAPSSO2+-+deletion While this wiki was helpful to identify the missing user ID in the MYSAPSSO2 ticket, and the presence of the sapsso-list cookie that is created, I still can't find the issue and why the logon ticket doesn't contain the authenticated user ID passed in the SAML assertion.
Here are things I have checked and validated:
- the ticket issuing and accepting systems are on the same domain
- all steps in the original wiki have been followed
- the Java logs were examined and it appears that the SAML assertion is passing the correct user ID in the R3User SAML attribute
- the developer tools in the browser show that the MYSAPSSO2 ticket is being created, but it has an expiry date of 1970, consistent with the 'deletion' wiki mentioned above.
- I found a MYSAPSSO2 cookie decoder on Github that was helpful in showing that the user name was missing. Link here: https://gist.github.com/thomaspatzke/8f3b0a678011ac74c61b#file-mysapsso-decoder-py
Appreciate the help.

Paul
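As an added example (not part of the post above, and not the linked gist), here is a small MYSAPSSO2 parser plus a diagnostic that reports the two conditions the question turns on: a ticket whose user info unit is missing or empty, and a ticket whose creation time plus validity has already passed. The format assumed is version byte 0x02, a 4-character codepage, then info units of 1-byte ID, 2-byte big-endian length and content; the unit IDs and the YYYYMMDDHHMM creation-time layout are assumptions taken from public decoders. `build_ticket` only constructs sample tickets for the demo and produces no valid signature.

```python
import base64
import struct
from datetime import datetime, timedelta
from urllib.parse import unquote

# Info-unit IDs of the MYSAPSSO2 format (assumption: IDs as used by public
# decoders; 0xFF carries the PKCS#7 signature, which is not verified here).
UNIT_NAMES = {0x01: "user", 0x02: "client", 0x03: "system_id", 0x04: "created",
              0x05: "valid_hours", 0x06: "valid_minutes", 0x07: "flags",
              0x0A: "language", 0x88: "auth_scheme", 0xFF: "signature"}

def build_ticket(units):
    """Constructed sample only: version 0x02, codepage, then (id, len, content) units."""
    body = b"\x02" + b"4103"
    for unit_id, content in units:
        body += struct.pack(">BH", unit_id, len(content)) + content
    return base64.b64encode(body).decode("ascii")

def decode_ticket(cookie_value):
    """Parse a MYSAPSSO2 cookie value (possibly URL-encoded base64) into its info units."""
    raw = base64.b64decode(unquote(cookie_value))
    if raw[0] != 0x02:
        raise ValueError(f"unexpected ticket version {raw[0]:#x}")
    units, pos = {}, 5
    while pos + 3 <= len(raw):
        unit_id, length = struct.unpack(">BH", raw[pos:pos + 3])
        content = raw[pos + 3:pos + 3 + length]
        pos += 3 + length
        name = UNIT_NAMES.get(unit_id, f"unit_{unit_id:#04x}")
        units[name] = content if unit_id == 0xFF else content.decode("utf-8", "replace")
    return {"codepage": raw[1:5].decode("ascii"), "units": units}

def diagnose(cookie_value, now_yyyymmddhhmm):
    """Return reasons an accepting system would refuse this ticket (empty list = looks ok)."""
    u = decode_ticket(cookie_value)["units"]
    problems = []
    if not u.get("user"):
        problems.append("info unit 0x01 (user) missing or empty")
    if "signature" not in u:
        problems.append("no signature unit")
    if "created" in u:
        created = datetime.strptime(u["created"], "%Y%m%d%H%M")
        lifetime = timedelta(hours=int(u.get("valid_hours", 0)),
                             minutes=int(u.get("valid_minutes", 0)))
        if datetime.strptime(now_yyyymmddhhmm, "%Y%m%d%H%M") > created + lifetime:
            problems.append(f"ticket expired at {created + lifetime:%Y-%m-%d %H:%M}")
    return problems

# Constructed tickets: a healthy one, and one lacking the user unit as in the question.
GOOD = build_ticket([(0x01, b"PAUL"), (0x02, b"000"), (0x03, b"AJ1"), (0x04, b"202401151200"),
                     (0x05, b"8"), (0x06, b"0"), (0xFF, b"\x30\x82")])
NO_USER = build_ticket([(0x02, b"000"), (0x03, b"AJ1"), (0x04, b"202401151200"),
                        (0x05, b"8"), (0x06, b"0"), (0xFF, b"\x30\x82")])
```

Paste the real cookie value from the browser's developer tools into `diagnose` to see whether the user unit is present; a 1970 cookie expiry is a browser-side deletion and is independent of the ticket's own creation time and validity.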