Dec 01, 2021 at 10:25 AM

How to send Azure AD SAML response to Application-Proxy URL


Hello,

I have configured Single Sign-On using Azure AD for SAP Fiori access (via SAP Web Dispatcher). It works fine when accessed on a desktop/laptop connected to the corporate network (through VPN) via the SAP Web Dispatcher link/URL.
In addition, Azure AD Application-Proxy has been configured so that the system can be accessed on an organisation-managed mobile device via the Application-Proxy URL. Such access from a mobile device fails after the user is authenticated against Azure AD.

I think the issue is that while accessing the Azure Application-Proxy (app-proxy.url.net) link, the URL changes to the back-end SAP Web Dispatcher (sap.web.dispatcher.local) after authenticating the user on Azure AD, and the SAP Web Dispatcher URL can't be resolved over the Internet on the mobile device. It may well be some setting that keeps sticking to the same Azure Application-Proxy URL after authenticating the user on Azure AD. If my understanding is correct, I am not sure where that setting is to be done, whether on the SAP side or on the Azure side. I would appreciate it if anyone could assist.

I even tried maintaining an additional Reply URL for the corresponding Azure enterprise application: https://app-proxy.url.net/sap/saml2/sp/acs/, but that fails with the error:

SAML20 SP (client ): Destination from Response https://app-proxy.url.net/sap/saml2/sp/acs/; must match the actual URL where message was sent - ACS endpoint https://sap.web.dispatcher.local: /sap/saml2/sp/acs/ or application URL(depending on configuration)
SAML20 SP (client <sap-client-number> ): Exception raised:
SAML20 SAML20 CX_SAML20_CORE: Message 'Response' did not arrive at the correct destination. Long text: Message 'Response' did not arrive at the correct destination.

Please let me know if any more information is required.

Thanks.
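The SP-side check that produces the "did not arrive at the correct destination" error above, as an added example that is not SAP's code and not part of the post: a hypothetical service provider compares the Destination attribute of the SAML Response with the ACS URL it believes the message was delivered to. The SAML Response is constructed, and the forwarded-host handling in received_acs_url is an assumption about how a proxy-aware SP could derive that URL, not a description of how Web Dispatcher does it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed minimal samlp:Response (no assertion, no signature) whose
# Destination is the Application-Proxy ACS URL named in the post.
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_constructed" Version="2.0" '
    'IssueInstant="2021-12-01T10:25:00Z" '
    'Destination="https://app-proxy.url.net/sap/saml2/sp/acs/">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>' % SAMLP
)

def response_destination(xml_text):
    """Return the Destination attribute of a samlp:Response (None if absent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response element")
    return root.get("Destination")

def canonical(url):
    """Lower-case scheme/host and drop default ports so equivalent
    spellings of one ACS URL compare equal; path stays significant."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port and p.port != {"https": 443, "http": 80}.get(p.scheme):
        host = "%s:%d" % (host, p.port)
    return (p.scheme, host, p.path or "/")

def received_acs_url(sp_base_url, acs_path, forwarded_host=None):
    """URL the SP believes the message arrived at. Assumption: an SP that
    trusts a proxy-supplied forwarded host uses that host instead of its
    own configured base URL; otherwise it uses the back-end URL."""
    if forwarded_host:
        return "https://%s%s" % (forwarded_host, acs_path)
    return sp_base_url.rstrip("/") + acs_path

def check_destination(xml_text, received_url):
    """Destination must match the URL the Response was actually sent to."""
    dest = response_destination(xml_text)
    if dest is None:
        return False, "Response carries no Destination attribute"
    if canonical(dest) != canonical(received_url):
        return False, "Destination %s does not match ACS endpoint %s" % (dest, received_url)
    return True, "Destination matches ACS endpoint"
```

With the back-end URL as the received URL the check fails exactly as in the post's log; only when the SP derives the external proxy host as its received URL does the Destination match.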