Creating an End-to-end SSO Experience to SAP BusinessObjects Cloud and HANA with Client Certificate and SAML Authentication
In my previous blog Creating an End-to-end SSO Experience to SAP BusinessObjects Cloud and HANA with Kerberos and SAML, I walked you through an end-to-end SSO solution for BOC and remote HANA based on SAML 2 and Kerberos/SPNego. In this blog, I will explore another option to achieve the same experience based on SAML 2 and X.509 Client Certificate authentication instead.
At a high level, we would like to set up X.509 Client Certificate authentication between the Web browser and the SAML 2 Identity Provider (IdP), and SAML 2 authentication for BOC and HANA. This way, the end user can simply click on the BOC URL in the Web browser's bookmarks and log straight into BOC without having to enter a username and password manually.
Unfortunately this setup is not as straightforward as the Kerberos/SPNego one I blogged about earlier. Client Certificate authentication is part of the SSL protocol, and since there is a reverse proxy that terminates the SSL connection, native Client Certificate authentication cannot happen between the Web browser and the SAML 2 IdP. However, the solution can still work if the following conditions are met:
1. The reverse proxy is capable of wrapping the client certificate into HTTP headers and passing them on to the SAML 2 IdP
2. The SAML 2 IdP is capable of authenticating a user based on HTTP headers that contain the user's client certificate
This is, of course, a custom/proprietary solution, and not all SAML 2 IdPs support this custom client certificate authentication mechanism. More importantly, because this custom client certificate authentication process is no longer part of the SSL handshake, it loses the strong verification of the user's certificate that the handshake provides. From a security perspective, it is therefore very important that the SAML 2 IdP accepts client certificates only from a trustworthy reverse proxy, in this case the BOC system's reverse proxy.
The following diagram illustrates how it works. Hopefully this is straightforward enough, but I’d like to point out the pros and cons of this solution:
Pros:
– This end-to-end SSO solution works on both Intranet and Internet
Cons:
– Needs a PKI in place to distribute and manage users' client certificates.
– Not all SAML 2 IdPs and reverse proxies support this custom client certificate authentication mechanism.
– Performance is slightly slower than Kerberos/SPNego.
SAP NetWeaver SSO SAML 2 IdP supports such a custom client certificate authentication mechanism. To configure it, perform the following steps:
1. Configure X.509 Client Certificate authentication on the SAML 2 IdP’s underlying AS Java engine: Using X.509 Client Certificates on SAP NetWeaver AS for Java.
2. Enable the custom client certificate authentication mechanism via reverse proxy by performing the additional steps: Using Client Certificates via an Intermediary Server.
3. Add Client Certificate authentication into the SAML 2 IdP’s list of authentication contexts: Adding Custom Authentication Contexts.
The Apache reverse proxy needs to be configured to do the following:
1. Enable Client Certificate authentication
2. Wrap the client certificate information into HTTP headers, and forward them onto the SAML IdP. Note that these headers can be pretty long, so we need to carefully configure the Apache rules so that they are forwarded to the SAML 2 IdP system only, not to BOC or HANA, for performance reasons.
Here is a sample configuration:
#Load key modules for reverse proxy
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule headers_module modules/mod_headers.so
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/httpd-proxy-html.conf
</IfModule>
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine on
#Note: the next two settings turn off host name checking of the backend servers' certificates
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ServerName reverseproxy.customer.com:443
SSLCertificateFile "${SRVROOT}/conf/ssl/reverseproxy.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/reverseproxy.key"
#Configure client certificate authentication
SSLCACertificateFile "${SRVROOT}/conf/ssl/sso_ca.crt"
SSLVerifyClient optional
SSLVerifyDepth 2
DocumentRoot "${SRVROOT}/htdocs"
# DocumentRoot access handled globally in httpd.conf
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "${SRVROOT}/htdocs">
Options Indexes Includes FollowSymLinks
AllowOverride AuthConfig Limit FileInfo
Require all granted
</Directory>
#Proxy rules for the Central Redirect Node (US1 data center in this example)
ProxyPass /authn/ https://authn.us1.hana.ondemand.com/
ProxyPassReverse /authn/ https://authn.us1.hana.ondemand.com/
ProxyPassReverse /authn/ https://authn.us1.hana.ondemand.com:443/
<Location /authn/>
ProxyPassReverse /
ProxyHTMLEnable on
SetOutputFilter proxy-html
ProxyHTMLCharsetOut *
RequestHeader unset Accept-Encoding
ProxyHTMLURLMap https://nwidp.yourcompany.corp:50001/ /
ProxyHTMLURLMap https://customer.us1.sapbusinessobjects.cloud/ /
ProxyPassReverseCookiePath / /authn/
</Location>
#Proxy rules for remote on-premise HANA at https://righana2.yourcompany.corp:4300/
ProxyPass /righana2/ https://righana2.yourcompany.corp:4300/
ProxyPassReverse /righana2/ https://righana2.yourcompany.corp:4300/
<Location /righana2/>
ProxyPassReverse /
ProxyPassReverseCookiePath / /righana2
ProxyPassReverseCookiePath /sap/hana/xs/saml /righana2/sap/hana/xs/saml
</Location>
#Resetting the client certificate headers
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CIPHER_USEKEYSIZE ""
RequestHeader set SSL_CIPHER_SUITE ""
#Proxy rules for the SAML 2 Identity Provider at https://nwidp.yourcompany.corp:50001/saml2/
ProxyPass /saml2/ https://nwidp.yourcompany.corp:50001/saml2/
ProxyPassReverse /saml2/ https://nwidp.yourcompany.corp:50001/saml2/
<Location /saml2/>
#Wrapping the client certificate into HTTP headers. This is done in the /saml2 location
# so that the headers are only sent to the SAML 2 IdP
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
RequestHeader set SSL_CIPHER_SUITE "%{SSL_CIPHER_SUITE}s"
ProxyPassReverse /saml2/
ProxyPassReverseCookiePath "/" "/saml2/"
ProxyHTMLEnable on
SetOutputFilter proxy-html
ProxyHTMLCharsetOut *
RequestHeader unset Accept-Encoding
ProxyHTMLURLMap https://authn.us1.hana.ondemand.com/ /authn/
ProxyHTMLURLMap https://authn.us1.hana.ondemand.com:443/ /authn/
ProxyHTMLURLMap https://righana2.yourcompany.corp:4300 /righana2
</Location>
ProxyPass /logon_ui_resources/ https://nwidp.yourcompany.corp:50001/logon_ui_resources/
ProxyPassReverse /logon_ui_resources/ https://nwidp.yourcompany.corp:50001/logon_ui_resources/
#Proxy rules for BOC (Simple URL) at https://customer.us1.sapbusinessobjects.cloud/
ProxyPass / https://customer.us1.sapbusinessobjects.cloud/
ProxyPassReverse / https://customer.us1.sapbusinessobjects.cloud/
ProxyPassReverse / https://customer.us1.sapbusinessobjects.cloud:443/
<LocationMatch "^/$|^/sap/fpa/ui/tenants/.*|^/logout.*">
ProxyHTMLEnable on
ProxyHTMLDocType "<!DOCTYPE html>" XML
SetOutputFilter proxy-html
ProxyHTMLCharsetOut *
RequestHeader unset Accept-Encoding
ProxyHTMLURLMap https://authn.us1.hana.ondemand.com/ /authn/
ProxyHTMLURLMap https://authn.us1.hana.ondemand.com:443/ /authn/
Header edit Set-Cookie "^JSESSIONID=(.*)" "JSESSIONID_SAC=$1"
</LocationMatch>
<LocationMatch "^/$|^/sap/.*|^/t/.*|^/logout.*">
RequestHeader edit Cookie JSESSIONID_SAC JSESSIONID
</LocationMatch>
</VirtualHost>
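The header handling in the configuration above relies on two properties that are easy to lose when the file is edited later: every certificate header is cleared at virtual-host level, so a value sent by the client is not passed through, and the headers are filled in only inside the IdP's `<Location>`. The Python check below is an added example, not part of the original post or of any SAP tooling; `audit` and the sample configuration are constructed here, and the parser covers only the `RequestHeader set/unset` and `<Location>` forms used in this post.

```python
import re

# Constructed sample (not the post's file): one header handled as in the post, two not.
SAMPLE = '''
<VirtualHost _default_:443>
RequestHeader set SSL_CLIENT_CERT ""
<Location /saml2/>
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER_SUITE "%{SSL_CIPHER_SUITE}s"
</Location>
<Location /righana2/>
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
</Location>
</VirtualHost>
'''

LOCATION_OPEN = re.compile(r'<Location(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
REQUEST_HEADER = re.compile(r'RequestHeader\s+(set|unset)\s+(\S+)(?:\s+"(.*)")?', re.I)

def audit(conf, idp_location="/saml2/"):
    """Flag TLS-derived request headers that are not cleared for every request
    or that are forwarded to a location other than the IdP's."""
    cleared, forwarded, location = set(), {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = LOCATION_OPEN.match(line)
        if opened:
            location = opened.group(1)
        elif line.lower().startswith("</location"):
            location = None
        directive = REQUEST_HEADER.match(line)
        if not directive:
            continue
        action, name = directive.group(1).lower(), directive.group(2).upper()
        value = directive.group(3) or ""
        if location is None and (action == "unset" or value == ""):
            cleared.add(name)  # client-supplied copy is removed for all paths
        elif re.fullmatch(r"%\{SSL_\w+\}s", value):
            forwarded.setdefault(name, []).append(location)
    findings = []
    for name, locations in sorted(forwarded.items()):
        if name not in cleared:
            findings.append(f"{name}: client-supplied value is not cleared at virtual-host level")
        for loc in locations:
            if loc != idp_location:
                findings.append(f"{name}: forwarded to {loc or 'every location'}, not only {idp_location}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the three reset lines and the `/saml2/` block as written in this post, `audit` returns an empty list.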
Enjoy browsing in BOC and HANA without typing in user ID and password, ever:)!
Till next time.
For those interested, here is a step-by-step blog with video tutorials which explains how you can configure Apache SSL reverse proxy for use with SAP Analytics Cloud for Live Connections using CORS to SAP HANA.
This does not include SAML SSO but just the basic steps, setting up Apache, SSL, and Reverse Proxy (on SUSE Linux).