I am looking to a simple way to put a staticfile buildpack based app online but protected by my enterprise sso. So far I have the static file app deployed as a public resource. I then did some googling and found a blog on setting up the app router with SAML sso - resulting in a two service solution - the frontend is an instance app router and the backend plain html served via the staticfile buildpack and the enterprise authentication worked.

Where I have so far failed is to find a solution to hide the static file from internet queries - I found two approaches and neither worked out:

1. Using JWT - the front end can create the token, but I don't think a staticfile based app can handle that on the backend.

2. Use internal routes.
I created two routes and mappings:
myspace approuter cfapps.eu10.hana.ondemand.com approuter
myspace app apps.internal app

The approuter's manifest.yml has a destination to backend app via app.internal.apps but is not authorized:

"GET request to / completed with status 502 - error while forwarding request to https://app.apps.internal/: connect ECONNREFUSED 10.xxx.xxx.xxx:443"}

Where to go from here?

Can a static file based site be protected by enterprise signon?

Is there some additional set up required to use internal.apps?

best

Steve