
SAML2 SSO configuration on internet

Former Member

Hi Experts.

I am configuring SAML2 SSO with ADFS as Identity Provider and SAP ABAP as Service Provider. I am configuring it for Fiori applications. It is working fine with the internal hostname: redirecting, authenticating etc. For example the URL https://<internal_hostname>:8081/sap/bc/ui5_ui5/ui2/launchpage/index.html?sap-client=100 is going to ADFS and after the AD ID/password, it is coming back to the launchpage URL and works fine.

Now the issue is when we want to use it through the internet. We have a URL external-hostname.domain.com which is pointing to the internal launchpage URL listed above. This external URL also redirects to ADFS and after authenticating it is redirecting to the INTERNAL URL, which I think is the issue.

Since the external and internal hostnames are different, we are getting an error after authenticating. The error is "No RelayState mapping found for RelayState value ouceytztvrqordzvoreeuoytbyoxufcuyuytuxz".

I understand this is because we access a protected resource using one hostname, but the identity provider is returning the SAML response to a different hostname.

Now I am not sure how to solve this problem. External and internal hostnames will be different, but how to get it working? Is there any setting we can do?

Can something be done through the internet proxy?

I would appreciate any help on this.

Regards,

Tajinder

4 REPLIES

martin_voros
Active Contributor

Hi,

you are right about the error. It's a mismatch between hostnames. My understanding is that the ABAP AS sends a relay state to the identity provider. The IdP redirects the client back to the URL provided by ABAP. I can't see a place in the config where you could set up different hostnames for the relay state based on the client source. So you have two options: amend the URL on the ADFS side or modify it on the ABAP side. I am not sure how to do this but here is a crazy idea for option 2. Note that I do not have access to a system that has this set up, so there is lots of guessing.

I had a quick look at the code that is relevant for the SAML2 implementation. There is a utility class CL_SAML20_UTILITY that has a method called GET_APPLICATION_URI. I assume that this method is used by SAML to determine the relay state. This is my biggest assumption and I can't verify it. This looks like a good spot for an enhancement. Basically, you would replace the ABAP AS hostname with the external proxy hostname. You need to do this only for clients coming from the external URL. Hence you could define a virtual host in SICF that would be used for external clients only. Your reverse proxy would redirect to the virtual host instead of the standard hostname. The enhancement in GET_APPLICATION_URI would replace the virtual hostname with the reverse proxy hostname. It would do nothing for the default ABAP AS hostname. This still might not work if there is some other stuff going on.

It looks like an interesting problem. Good luck with it.

Cheers


Hi Martin,

Thanks for your reply.

Unfortunately this option is not feasible for me because the client will not agree to any developments or such changes. Do we have any other option?

Anything we can do with the internet proxy or firewall?

What if we edit the hostnames in the ABAP metadata file that we upload in the ADFS IdP? If we edit the hostnames from internal names to external internet hostnames, will it work?

Regards,

Tajinder


Hi,

first, I forgot to mention the simplest solution. Force all users to go through the external proxy. In case that's a problem, I guess you could do some magic on the network layer. The same hostname would resolve to two different IPs based on the network. Internal users would go to an internal proxy that would be accessible only from the internal network. I am not sure if this is a good idea.

Regarding the reverse proxy, you could try to do some rewriting but it's really hard for me to say if that is going to work. I would suggest using the web developer tools in Chrome or any other browser to trace the whole interaction between the client and the systems. That would give you an idea of what interaction is happening and what needs to be changed.

Regarding manually updating files: I don't know if that is going to help, but I thought that you want to have access from both sources, external as well as the internal network. If you really need access from just one source, then you should not be required to do any black magic. I saw a diagram today and SAP expects to have a reverse proxy in front of the gateway system.

Cheers


Hi Tajinder,

We have exactly the same issue as yours in that we also access Fiori from the internet with an external name and on the inside network with an internal name. The problem is that when accessing externally, ADFS also redirects to the internal name and then the RelayState does not work due to the different hostnames.

The internal hostname that ADFS redirects to comes from the Fiori metadata XML that was imported in ADFS, so ADFS will always use that to determine the hostname for the redirect. From internal network access that is fine, but from external it does not work. And you also cannot change the hostname when exporting the Fiori XML metadata. There is also only a single Local Provider that you can configure in the Fiori SAML2 config.

Did you ever manage to solve this issue?

Regards

Johan
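As Johan notes, the host ADFS posts back to is whatever AssertionConsumerService Location the imported SP metadata carries, so a quick way to confirm the hostname mismatch before touching any config is to parse the exported metadata and compare its ACS hosts against the URL users actually enter. The script below is an added example, not code from the thread or from SAP; the metadata snippet, hostnames and ACS path are constructed placeholders.

```python
"""Compare the ACS hosts in a SAML2 SP metadata export with the entry URL a user starts on.

If the entry host is not one of the ACS hosts, the IdP will post the SAML response
to a host the request did not originate on, which is the situation behind the
"No RelayState mapping found" error discussed above.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample resembling an SP metadata export. Hostnames, port and the
# ACS path are placeholders, not values from a real system.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://internal-host.example.corp:8081/sp-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://internal-host.example.corp:8081/acs-placeholder"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_hosts(metadata_xml):
    """Return the set of host[:port] values named in AssertionConsumerService Locations."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS):
        location = acs.get("Location")
        if location:
            hosts.add(urlsplit(location).netloc.lower())
    return hosts


def check_entry_url(entry_url, metadata_xml):
    """Return (ok, explanation): ok is True only if the entry host is an ACS host."""
    entry_host = urlsplit(entry_url).netloc.lower()
    hosts = acs_hosts(metadata_xml)
    if entry_host in hosts:
        return True, "%s is an ACS host; the IdP posts back to the host the user started on" % entry_host
    return False, "%s is not among the ACS hosts %s; the IdP will post the response to a different host" % (
        entry_host, sorted(hosts))


if __name__ == "__main__":
    for url in ("https://internal-host.example.corp:8081/launchpad-placeholder",
                "https://external-hostname.example.com/launchpad-placeholder"):
        ok, why = check_entry_url(url, SAMPLE_METADATA)
        print("OK  " if ok else "FAIL", why)
```

Run it against the real metadata export to list every host the IdP may redirect to; an external entry URL that is not in that list will fail the way described in this thread.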