Skip to Content
Technical Articles
Author's profile photo Dong Pan

Single Sign-On from BusinessObject Cloud to HANA – Reverse Proxy Rules for SAP Cloud Identity

In my recent blog article: What’s Changed – Setup Remote HANA Connection with SAML SSO in SAP BusinessObjects Cloud, I provided a sample Apache reverse proxy configuration based on an SAP NetWeaver SSO SAML 2 Identity Provider (IdP). The idea behind the configuration applies to most SAML 2 IdPs, but what about SAP Cloud Identity (SCI)? In this blog post, I’d like to walk you through some of the specifics we need to be aware of when configuring Apache reverse proxy for SCI.

Prerequisite: you need to be running Apache HTTPD server 2.4 or above.

Before I move further, a couple of housekeeping items to keep in mind:

1. This article assumes that the BusinessObjects Cloud (BOC) tenant has already been migrated to Simple URL. But the ideas of the tricks and workaround for SCI stay true even if the BOC tenant has not been migrated to Simple URL yet.

2. For SSO to HANA scenario, a dedicated SAML 2 IdP is required, i.e. the built-in common/shared SCI in BOC cannot be used in that case. However, the tricks in this artcile apply whenever a SAP Cloud Identity tenant is in use, no matter whether it is a shared SCI tenant or a dedicated SCI tenant.

Without further ado, let me explain what’s so special with the SAP Cloud Identity SAML 2 Identity Provider. SCI is very strict about the HTTP request headers sent by the browser and any intermediate server in between, so we need to make sure that Apache reverse proxy does not send any unwanted HTTP headers as the reverse proxy. It has come to our notice that Apache sometimes seems to send unwanted HTTP request headers even when we just add a directive to manipulate HTTP response headers, such as changing cookie path, an essential step when we configure Apache reverse proxy for any SAML 2 IdP.

In order to workaround this Apache quirk, we need to do a few things:
1. Turn off (well, only partially) the behavior to add additional HTTP request headers by the following directive:
ProxyAddHeaders off
2. Make sure to change the IdP’s cookie domain outside of a <Location> block.
3. Avoid changing IdP’s cookie path with the directive ProxyPassReverseCookiePath. Instead, directly edit the Set-Cookie header with the “Header edit” directive. The following is an example:
Header edit Set-Cookie “^(.*; [Pp]ath=/)(.*)$” “$1sci/$2”

Here is a more complete example configuration for your reference:

#Load key modules for reverse proxy
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule headers_module modules/mod_headers.so

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/httpd-proxy-html.conf
</IfModule>

Listen 443 https

<VirtualHost _default_:443>
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  ServerName reverseproxy.customer.com:443
  SSLCertificateFile "${SRVROOT}/conf/ssl/reverseproxy.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/reverseproxy.key"
  DocumentRoot "${SRVROOT}/htdocs"
# DocumentRoot access handled globally in httpd.conf
	CustomLog "${SRVROOT}/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
	<Directory "${SRVROOT}/htdocs">
		Options Indexes Includes FollowSymLinks
		AllowOverride AuthConfig Limit FileInfo
    Require all granted
	</Directory>
  
  #Proxy rules for the Central Redirect Node
  ProxyPass /authn/ https://authn.<region>.hana.ondemand.com/
  ProxyPassReverse /authn/ https://authn.<region>.hana.ondemand.com/
  ProxyPassReverse /authn/ https://authn.<region>.hana.ondemand.com:443/
  <Location /authn/>
    ProxyPassReverse /
	ProxyHTMLEnable on
    SetOutputFilter proxy-html
    ProxyHTMLCharsetOut *
    RequestHeader  unset  Accept-Encoding  
    ProxyHTMLURLMap https://<SAP_Cloud_Identity_Host>/  /sci/
    ProxyHTMLURLMap https://<SAP_Cloud_Identity_Host>:443/  /sci/
    ProxyHTMLURLMap https://customer.<region>.sapbusinessobjects.cloud/  /
    ProxyPassReverseCookiePath / /authn/
  </Location>
  
  #Proxy rules for remote on-premise HANA at https://righana2.yourcompany.corp:4300/
  ProxyPass /righana2/ https://righana2.yourcompany.corp:4300/
  ProxyPassReverse /righana2/ https://righana2.yourcompany.corp:4300/
  <Location /righana2/>
	ProxyPassReverse /
	ProxyPassReverseCookiePath / /righana2
	ProxyPassReverseCookiePath /sap/hana/xs/saml /righana2/sap/hana/xs/saml
  </Location>
  
  #Proxy rules for the SAML 2 Identity Provider at https://<SAP_Cloud_Identity_Host>/
  ProxyAddHeaders off
  ProxyPass /sci/ https://<SAP_Cloud_Identity_Host>/
  ProxyPassReverse /sci/ https://<SAP_Cloud_Identity_Host>/
  ProxyPassReverse /sci/ https:/<SAP_Cloud_Identity_Host>:443/
  ProxyPassReverseCookieDomain <SAP_Cloud_Identity_Host> reverseproxy.customer.com
  <Location /sci/>
		Header edit Set-Cookie "^(.*; [Pp]ath=/)(.*)$" "$1sci/$2"
		ProxyHTMLEnable on
		SetOutputFilter proxy-html
		ProxyHTMLCharsetOut *
		RequestHeader  unset  Accept-Encoding
		ProxyHTMLURLMap /ui/ /sci/ui/
		ProxyHTMLURLMap /universalui/ /sci/universalui/
		ProxyHTMLURLMap /saml2/ /sci/saml2/
		ProxyHTMLURLMap https://authn.<region>.hana.ondemand.com/ /authn/
		ProxyHTMLURLMap https://authn.<region>.hana.ondemand.com:443/ /authn/
		ProxyHTMLURLMap https://righana2.yourcompany.corp:4300  /righana2
  </Location> 
  
  #Proxy rules for BOC (Simple URL) at https://customer.<region>.sapbusinessobjects.cloud/
  ProxyPass / https://customer.<region>.sapbusinessobjects.cloud/
  ProxyPassReverse / https://customer.<region>.sapbusinessobjects.cloud/
  ProxyPassReverse / https://customer.<region>.sapbusinessobjects.cloud:443/
  <LocationMatch "^/$|^/sap/fpa/ui/tenants/.*|^/logout.*">
		ProxyHTMLEnable on
		ProxyHTMLDocType "<!DOCTYPE html>" XML
		SetOutputFilter proxy-html
		ProxyHTMLCharsetOut *
		RequestHeader  unset  Accept-Encoding
		ProxyHTMLURLMap https://authn.<region>.hana.ondemand.com/ /authn/
		ProxyHTMLURLMap https://authn.<region>.hana.ondemand.com:443/ /authn/
  </LocationMatch>
  
</virtualhost>

I hope this post will help you reduce the number of sleepless nights :).

Till next time. Stay tuned!

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Mark Fodor
      Mark Fodor

      Thanks Dong 🙂 Very helpful!

      Author's profile photo Denys van Kempen
      Denys van Kempen

      For those interested,

      here is a step-by-step blog with video tutorials which explains how you can configure Apache SSL reverse proxy for use with SAP Analytics Cloud for Live Connections using CORS to SAP HANA

      This does not include SAML but covers the first steps, setting up Apache, SSL, and Reverse Proxy.