ABAP SAML2 - on different hostnames

Feb 10, 2017 at 02:51 PM


Dear all,

We set up SAML2 and all is working fine.

Now we have the case that we want to have SAML2 working as long as we use HTTPS://Server_ALIAS.FQDN/sap/bc/....

and no SAML2 (so old basic style) when we use HTTP or HTTPS://physical_host.fqdn/sap/bc/...

Is that possible? Any hints?

greetings

Oliver


1 Answer

Richard Howard Feb 15, 2017 at 03:18 PM

I have NOT been able to make this work after several months of trying. We are trying to enable the Fiori App for Approvals in Access Control 10.1. We use a Server_ALIAS for the URL that comes through our firewall, hits a Web Dispatcher in the DMZ and then ultimately connects to our backend system. We've been successful in connecting to the Fiori Launchpad URL with that alias and having SAML2/ADFS handle the authentication. You are prompted for credentials since a call from outside would not know your identity.

Internally when we run the Fiori Launchpad URL with the physical_host.fqdn, we get SAML2 Relay State errors. Argh! I created a DNS Alias inside our network for the Server_ALIAS that points to the IP for the physical_host.fqdn. That worked! SAML 2.0 does the SSO authentication since it knows my identity but it only works for the Fiori Launchpad URL which is static. I guess it would work for any other static URL that I was sharing or saving as a Favorite.

Access Control 10.1, however, is dynamically generating Approval URLs all the time with physical_host.fqdn in the path. That is now broken thanks to the changes I made to accommodate the Server_ALIAS. We are now investigating whether we can change the process that generates those approval URLs to use the Server_ALIAS. But for now, I don't see how to make both physical and virtual work together in SAML2 without getting Relay State errors.

Hopefully, one of the experts will chime in and give some insight. Good luck. If I do make it work, I will post back with what I found.
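The two hostname problems raised in this thread, choosing SAML2 only for requests that arrive on the alias and the Relay State mismatch when the request host differs from the host the SAML flow started on, can be checked with a few lines of URL handling. The following is an added example (not SAP code and not anything from the question or answer above): it assumes constructed hostnames `server_alias.example.com` and `physical_host.example.com`, assumes that RelayState carries the absolute URL the user originally requested (the usual SP-initiated pattern), assumes the alias is served on HTTPS port 443, and uses constructed paths such as `/saml/acs` and `/sap/bc/approval`. It also shows the rewrite the answer describes wanting, turning generated physical-host URLs into alias URLs.

```python
"""Hostname-based auth-mode selection and SAML RelayState host check.

Added example; hostnames, ports and paths below are constructed
placeholders, not values from any real system.
"""
from urllib.parse import urlsplit, urlunsplit

SERVER_ALIAS = "server_alias.example.com"    # assumed alias (Web Dispatcher) hostname
PHYSICAL_HOST = "physical_host.example.com"  # assumed backend hostname
SAML_HOSTS = {SERVER_ALIAS}                  # hosts that must authenticate via SAML2


def _host_of(url):
    """Lower-cased hostname of an absolute URL, with any explicit port dropped."""
    return (urlsplit(url).hostname or "").lower()


def auth_mode(request_url):
    """Return 'saml2' only for HTTPS requests that reached an alias host.

    Everything else (plain HTTP, or the physical hostname) falls back to
    'basic', which is the split the question asks for.
    """
    scheme = urlsplit(request_url).scheme.lower()
    if scheme == "https" and _host_of(request_url) in SAML_HOSTS:
        return "saml2"
    return "basic"


def check_relay_state(request_url, relay_state):
    """Compare the host the SAML response arrived on with the RelayState host.

    A mismatch is the situation the answer describes: the browser started the
    flow on one name and comes back on another. Returns (ok, reason).
    """
    req_host = _host_of(request_url)
    rs_host = _host_of(relay_state)
    if not rs_host:
        return False, "RelayState is not an absolute URL"
    if rs_host != req_host:
        return False, f"RelayState host {rs_host!r} != request host {req_host!r}"
    return True, "ok"


def rewrite_to_alias(url):
    """Rewrite a generated URL that names the physical host so it uses the alias.

    Scheme becomes https, the port is dropped (alias assumed on 443), and the
    path, query and fragment are left untouched. Other URLs pass through.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != PHYSICAL_HOST:
        return url
    return urlunsplit(("https", SERVER_ALIAS, parts.path, parts.query, parts.fragment))


def main():
    # Constructed sample requests, not captured from a real system.
    samples = [
        "https://server_alias.example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
        "https://SERVER_ALIAS.example.com:443/sap/bc/approval?REQNO=123",
        "https://physical_host.example.com/sap/bc/approval?REQNO=123",
        "http://physical_host.example.com:8000/sap/bc/approval?REQNO=123",
    ]
    for url in samples:
        print(f"{auth_mode(url):6} {url}")
        print(f"       rewritten: {rewrite_to_alias(url)}")

    acs = "https://physical_host.example.com/saml/acs"
    started_on_alias = "https://server_alias.example.com/sap/bc/approval?REQNO=123"
    print(check_relay_state(acs, started_on_alias))


if __name__ == "__main__":
    main()
```

`auth_mode` is the routing rule the question asks for; `check_relay_state` explains why the physical hostname breaks the SAML flow once the service provider is known only under the alias; `rewrite_to_alias` is the normalisation the answer is investigating for the dynamically generated approval URLs.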
