Mar 29, 2016 at 02:17 PM

Web Dispatcher Reverse Proxy configuration for SAML SSO multi-domain public internet setup so that mobile fiori client app can access fiori launchpad


Hi, we are implementing a mobile Fiori client app to connect to our Fiori launchpad. The way we are trying to expose our Fiori Launchpad (installed in a standalone gateway frontend, central hub installation approach) is with SAML SSO, following the SAP recommended method:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d066cce7-b7b8-3010-428c-bcef3cf76cac?QuickLink=index&overridelayout=true&58475979904845

Based on that document, in order to expose the launchpad with SSO, we need to implement SAML and use a reverse proxy to expose Fiori Launchpad to mobile devices in the public internet.

In our case, the URL for the fiori launchpad is:

https://<instancename>.xxx.xxx:8100/sap/bc/ui2/flp?sap-client=100#Shell-home

Our gateway system is located behind our firewall, thus we are using a web dispatcher located in the same domain as the gateway system but on a separate box as a reverse proxy. This then points to our NetScaler, which does the hardware load balancing. Thus, our public URL for the launchpad is hosted on the NetScaler, which is:

https://launchpaddev.xxxxx.com with HTTPS port 443

This will expose the specific fiori launchpad URL to the public internet so that users can access on their mobile fiori client app.

We have Ping Federate as our IDP and we have configured our gateway system as a service provider. SAML SSO is working internally, but now we need to make it work externally, so we have followed the SAML configuration specified in the SAP document.

However, the document does not specify how to configure the SAP web dispatcher to redirect the URLs to the IDP and redirect the URLs to the gateway system, including when X.509 certificates and SAML artifacts are involved. We are using a NetScaler to hardware load balance our web dispatcher.

Can anyone please advise on web dispatcher configuration?

Also, how do we ensure the web dispatcher will forward the SAML artifact on to our GWD system after the IDP issues it to the mobile client?

Basically our flow is this:

fiori mobile client outside of corporate network (https://launchpad.xxxxx.com) -> webdispatcher -> gateway system

then gateway -> webdispatcher -> mobile client -> web dispatcher -> IDP

then IDP -> web dispatcher -> mobile client (for X.509 cert request)

then mobile client -> web dispatcher -> IDP (after entering AD credentials and thus signing the X.509 certificate)

then IDP -> web dispatcher -> mobile client (SAML Artifact is given)

then mobile client -> web dispatcher -> Gateway (SAML artifact is given to gateway system)

then gateway -> web dispatcher -> IDP (resolve artifact)

then IDP -> web dispatcher -> gateway (SAML assertion is sent)

then Gateway -> web dispatcher -> mobile client (connection is established)

How do we configure the web dispatcher to route URLs so that it can follow that logic?

We have already referenced "How to Setup SAP Web Dispatcher for Fiori Applications", which talks about HTTP, SSL termination, SSL re-encryption and X.509 client certificates, but not SAML.
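As an added illustration (not part of the question above and not SAP or PingFederate code), the following Python sketch shows how the artifact in the "SAML Artifact is given" steps of the flow travels: in SAML 2.0 it is the SAMLart query parameter on the IdP's redirect to the SP's assertion consumer service, so an ordinary path-prefix forwarding rule on the reverse proxy carries it to the gateway unchanged, and the SP checks the artifact's SourceID against its configured IdP before it sends ArtifactResolve. The IdP entity ID, the ACS URL and the /sap/ prefix are constructed placeholders, not values from the post.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: the IdP entity ID the gateway (SP) trusts, and the
# SP's assertion consumer service URL as published behind the reverse proxy.
TRUSTED_IDP_ENTITY_ID = "https://idp.example.com/pf"
SP_ACS_URL = "https://launchpaddev.example.com/sap/saml2/sp/acs/100"

def source_id(entity_id: str) -> bytes:
    """SAML 2.0 Bindings 3.6.4: SourceID is the SHA-1 of the issuer's entity ID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def make_artifact(entity_id: str, endpoint_index: int = 0, handle=None) -> str:
    """Type 0x0004 artifact: type(2) | endpoint index(2) | SourceID(20) | handle(20)."""
    handle = handle if handle is not None else secrets.token_bytes(20)
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")

def build_redirect(artifact: str, relay_state: str = "") -> str:
    """Location header the IdP returns to the client; SAMLart is an ordinary query parameter."""
    return SP_ACS_URL + "?" + urlencode({"SAMLart": artifact, "RelayState": relay_state})

def proxy_forwards(location: str) -> bool:
    """Path-prefix rule of the kind a reverse proxy applies (here /sap/); the query string
    carrying the artifact rides along unchanged, so no SAML-specific rule is needed."""
    return urlsplit(location).path.startswith("/sap/")

def parse_artifact(artifact_b64: str) -> dict:
    """Split a type 0x0004 artifact into its fixed-width fields."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

def sp_accepts_redirect(location: str, trusted_idp: str = TRUSTED_IDP_ENTITY_ID) -> bool:
    """SP-side check before sending ArtifactResolve: the request hit the ACS path, carries a
    SAMLart, and its SourceID names the configured IdP (artifacts from unknown issuers fail)."""
    parts = urlsplit(location)
    artifact = parse_qs(parts.query).get("SAMLart", [None])[0]
    if parts.path != urlsplit(SP_ACS_URL).path or artifact is None:
        return False
    try:
        fields = parse_artifact(artifact)
    except ValueError:
        return False
    return fields["source_id"] == source_id(trusted_idp)
```

The resolve step that follows an accepted artifact is a separate SOAP request from the SP to the IdP's artifact resolution service, which is why it does not appear in the client-facing routing above.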