So you have built a nice CAP application (with IDP authentication) and want to give your users access to it. SAP Web Dispatcher (WD) is the entry point to your IT landscape, so it is natural to route your CAP application through WD. We at ConvergentIS just achieved this and want to share our learnings from this PoC exercise.
Our CAP application was deployed on the SCP Trial, and I used the trial Azure AD as the IDP. (It is great that with these trial accounts we can do a complete PoC.)
CAP application URL: https://4dy173b3trial-dev-cisfiorifnalyticswithplugin-app.cfapps.eu10.hana.ondemand.com/
WD URL: https://applications.convergentis.com/report/
At the subaccount level, I have configured Azure AD as the IDP. You can use SAP IDP or any other IDP of your choice.
Whenever I access https://applications.convergentis.com/report/, I want to be authenticated first and then automatically redirected back to https://applications.convergentis.com/report/, where the corresponding content from the CAP application should load.
Go to WD and set up a routing rule to the SCP app:
wdisp/system_0 = SID=CAP, EXTSRV=https://4dy173b3trial-dev-cisfiorifnalyticswithplugin-app.cfapps.eu10.hana.ondemand.com/, SRCURL=/report
Ensure that you do NOT set up any SetHeader commands for the Host header. That is, when WD forwards the request to the SCP app URL, the HOST header still carries the value 'applications.convergentis.com' exactly as the browser sent it. This is WD's default behaviour and needs no configuration; it also means the Cloud Foundry router will look for a route with that hostname, which is what the following steps set up.
Based on your routing URLs, configure the corresponding URL rewrite rules. I have this identity rule, which passes the path through unchanged:
RegRewriteUrl (.*) $1
Now navigate to https://applications.convergentis.com/report/ in a browser. You will get an error as below.
Here Cloud Foundry is complaining that the route applications.convergentis.com does not exist: the CF router matches incoming requests on the Host header, and no app has been mapped to that hostname yet. Let us create it and assign it to our app.
We need to create a domain first.
Go to your VS Code terminal and log in to CF with the command cf login.
Create a domain using the command below. Note that 4dy173b3trial is the Cloud Foundry org name here (on the trial account it is the same as the subaccount subdomain).
cf create-domain 4dy173b3trial applications.convergentis.com
Now create a route in the above domain and associate it with the app.
Execute the command below. map-route creates the route (with path /report) if it does not exist yet and maps it to the app in one step.
cf map-route cisfiorifnalyticswithplugin-app applications.convergentis.com --path report
Now run the application again in the browser and you will see that it navigates to the IDP. We have crossed one hurdle. Upon successful authentication, the browser redirects and you see a new error as below.
The error says two things. The browser is being redirected to a route we never created ('login/callback'), and XSUAA reports that this redirect URL is not among the registered values for the service instance.
Register this callback URL in your application's xs-security.json file, under oauth2-configuration / redirect-uris, as below. Register only the hostnames you control (here the WD host) rather than a blanket wildcard: an overly broad redirect-uris entry lets the OAuth flow deliver the authorization code to a host you do not own.
Update the XSUAA service instance with these URLs using the command below. (You do not have to redeploy the application for this.)
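The redirect-uris entry the step above refers to, as an added example rather than the configuration file from the original post. The xsappname and tenant-mode values are assumed (keep whatever your existing xs-security.json already has); the only part this step adds is the oauth2-configuration block. The first pattern covers the Web Dispatcher host, the second keeps login working on the app's original cfapps route from this page, in case you still open it directly.

```json
{
  "xsappname": "cisfiorifnalyticswithplugin",
  "tenant-mode": "dedicated",
  "oauth2-configuration": {
    "redirect-uris": [
      "https://applications.convergentis.com/**",
      "https://4dy173b3trial-dev-cisfiorifnalyticswithplugin-app.cfapps.eu10.hana.ondemand.com/**"
    ]
  }
}
```

The trailing /** matches any path on that exact host, so both /report/... and the /login/callback endpoint are covered without listing them individually. Keep the host part exact: a pattern such as https://** would accept any redirect target, and XSUAA would then hand the authorization code to whatever host an attacker puts in the request.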
cf update-service cisfiorifnalyticswithplugin-uaa -c xs-security.json
Run the application again in the browser. It navigates to the IDP as before, and after successful authentication the browser redirects and you see an error again, but a different one this time.
Note that the error about 'registered values' is gone; this time the application has redirected to the route 'login/callback', which does not exist yet on our domain. This is the default callback endpoint of the SAP Application Router that fronts the CAP application. You can change it if required with the 'login' property (callbackEndpoint) in xs-app.json.
To avoid the above error, map a second route with the path login/callback on the same domain to the CAP application.
Execute the command
cf map-route cisfiorifnalyticswithplugin-app applications.convergentis.com --path login/callback
Retry the application and everything should work now.
In summary, whenever a reverse proxy is involved, the Cloud Foundry side needs a matching domain and routes for the proxy's hostname: the CF router selects the app by the Host header that WD forwards, so every path the app router must answer on (the application prefix and the OAuth callback) needs a route on that domain. In addition, the callback URL has to be registered as a redirect URI with the XSUAA service.