I have NOT been able to make this work after several months of trying. We are trying to enable the Fiori App for Approvals in Access Control 10.1. We use a Server_ALIAS for the URL that comes through our firewall, hits a Web Dispatcher in the DMZ and then ultimately connects to our backend system. We've been successful in connecting to the Fiori Launchpad URL with that alias and having SAML2/ADFS handle the authentication. You are prompted for credentials since a call from outside would not know your identity.

Internally when we run the Fiori Launchpad URL with the physical_host.fqdn, we get SAML2 Relay State errors. Argh! I created a DNS Alias inside our network for the Server_ALIAS that points to the IP for the physical_host.fqdn. That worked! SAML 2.0 does the SSO authentication since it knows my identity but it only works for the Fiori Launchpad URL which is static. I guess it would work for any other static URL that I was sharing or saving as a Favorite.

Access Control 10.1, however, is dynamically generating Approval URL's all the time with physical_host.fqdn in the path. That is now broken thanks to the changes I made to accommodate the Server_ALIAS. We are now investigating whether we can change the process that generates those approval URL's to use the Server_ALIAS. But for now, I don't see how to make both physical and virtual work together in SAML2 without getting Relay State errors.

Hopefully, one of the experts will chime in and give some insight. Good luck. If I do make it work, I will post back with what I found.