Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

How to pass Azure proxy pre-authentication and access the Odata from SAP server

Chenyang
Contributor
0 Kudos

Hello Expert,

We have a mobile application (using Xamarin development tool) and want to consume Odata service from a SAP server which is protected by the Azure application proxy. We are having some problem passing the proxy pre-authentication and reach to the SAP server. I need some input/advice how we are able to get through?

This is quite complex environment, so please allow me to give some background in the beginning.

Systems involved

  • SAP FEX is a SAP Fiori server. It provides some Odata services. The SAP OAuth token is also issued from here. It accepts SAML authentication from ADFS.
  • ADFS – the IDP for SAP FEX. The trust is built between FEX and ADFS. The browser SSO is working properly.
  • Azure AD – Azure AD, provide authentication service for accessing from the internet, for instance MFA (multi factor authentication). It uses ADFS as the authentication proxy.
  • Azure Application proxy – proxy service to protect SAP resources. It accepts Azure AD authentication result, in other word, Azure AD JWT access_token.

Intranet scenario

Internet scenario

We followed the SAP document from the link below. And we are able to get the Odata service within the intranet, that without Azure AD and Azure application proxy in the picture.

https://help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.51.6/en-US/01043cc6765b48cfbc1564a983...

We are also able to get access token from Azure AD via a Microsoft ADAL library and that token can be accepted by the proxy server. We added the access_token in the authorization header of the http request and the request reached to SAP system and we get a http 401 error from the SAP system, because the request didn’t carry the authentication SAP requires.

However, if we carry the SAP authentication into the authorization header of the http request, we cannot pass the proxy authentication. We are not able to carry two authorization header in the same request either because it does not allow me to do so.

So the question is how we can pass both proxy authentication and the SAP authentication in the internet scenario and reach to the Odata service? Does any one have similar experience before and share with me some thoughts?

BTW the browser access to the Odata service seems working properly from the internet. So I believe there must be a way to make it work in the mobile app.

Thanks

Chenyang

5 REPLIES 5

Chenyang
Contributor
0 Kudos

I followed the document below and it works correctly in intranet scenario.

https://wiki.scn.sap.com/wiki/display/Security/Leave+Request+Approvals+on+Android+-+OAuth+2.0+powere...

tongzheng
Advisor
Advisor
0 Kudos

Hi Chenyang,

Please check this thread from stackoverflow: https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers

where it talks about putting multiple values into HTTP authorization header. There is mixed results so I am not sure if this is supported by Azure and SAP. However in your diagram step 3&4 already present a solution to this issue. Did you manage to get SAP access token during step 4? What error did you get? During step 4 there is no need to carry two authorization headers into one request as at this point you already passed Azure proxy authentication and as long as the request carries Azure session cookie it should fine.

Tong

0 Kudos

Hi Tony,

Yes I did try to add both authorization headers mentioned in the stackoverflow post. It is not supported by proxy.

I am able to get the SAP access token and get the Odata from the intranet, but not from the internet.

The internet scenario is from my assumption only, and it is not proved yet.

In step 3 of Internet diagram, I am able to hit the SAP system and get a 401 error, because I didn't carry SAP authorization header required by Oauth token service. I am able to get two Azure cookies from the call though. But a browser based simulation gets three Azure cookies. The step 4 failed and it was rejected by proxy server and didn't reach to SAP. I guess it is because the third cookie is missing.

  • AzureAppProxyUserSessionCookie
  • AzureAppProxyAnalyticCookie
  • AzureAppProxyAccessCookie --- this cookie is missing

0 Kudos

Hi Chenyang,

If you are using Azure AD Application Proxy check this link: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-single-sign-on and try to disable SSO on AP. Then retry step 4 and handle the basic authentication in mobile app. The other option is to change the logon mechanism of the OAuth authorization end point in SICF from basic to SAML or SPNEGO and use federated SSO from AP. Also make sure there is proper authorization in Azure for the AD user to be able to access the backend app.

Tong

0 Kudos

Hi Tony,

Appreciate your help indeed. Yes I am using Azure application proxy.

I am not able to follow your first suggestion. Both Azure proxy and my sap aplication need authentication. Why I need to disable AP SSO?

for the second suggestion, the logon method of token SICF service cannot be modified. Please check screen below.

This service supports basic auth and SSL cert authentication only.