Demystifying Approuter, XSUAA and IDP in the BTP CF Environment
This blog is a continuation of the previous blog, in which we gave an introduction to the Approuter and XSUAA components in BTP.
Refer: https://blogs.sap.com/2021/12/11/approuter-and-xsuaa/
Here we will study in depth how a request to an application deployed in the BTP CF environment is served to the user, and which roles the Approuter, XSUAA and the IDP play while serving the response.
The basic flow is summarised in the flow diagram below:

Step 1: Request to the Approuter
The browser requests the application route. The approuter has no session for this browser yet, so instead of the requested page it returns the following index.html, whose script performs the redirect to XSUAA:
<html>
  <head>
    <link rel="shortcut icon" href="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"/>
    <script>
      document.cookie = "fragmentAfterLogin=" + encodeURIComponent(location.hash) + ";path=/";
      document.cookie = "locationAfterLogin=" + encodeURIComponent(location.href.split('#')[0].split(location.host)[1]) + ";path=/";
      document.cookie = "signature=<signature>;path=/";
      location = "<xsuaa_url>/oauth/authorize?response_type=code&client_id=<xsuaa_clientid>&redirect_uri=<app_url>/login/callback"
    </script>
  </head>
</html>
This index.html page contains information about:
- the XSUAA server (the authorisation server) and the client id under which the approuter is registered with it
- the path (and query string) of the page to which the approuter should return after login, saved in the cookie locationAfterLogin
- the fragment of the requested URL (the part after '#'), saved in the cookie fragmentAfterLogin; a server never receives the fragment, which is why it has to be saved by script in the browser before the redirect
Example: URL: <app_url>/home.html#demo
fragmentAfterLogin = %23demo (encodeURIComponent of "#demo")
locationAfterLogin = %2Fhome.html (encodeURIComponent of "/home.html")
location = <xsuaa_url>/oauth/authorize?response_type=code&client_id=<xsuaa_clientid>&redirect_uri=<app_url>/login/callback
Note:
The assignment to location in the script tag of the index.html page triggers a client-side redirect to the XSUAA server. The URL of XSUAA, i.e. the authorisation server, and the client id are taken from the approuter's environment (the bound xsuaa service instance in VCAP_SERVICES).
Thus the initial request and response can be summarised as:
Request: <approuter_url>
Response: HTTP 200 with the index.html page above; its script then navigates the browser to <xsuaa_url>/oauth/authorize?response_type=code&client_id=<xsuaa_clientid>&redirect_uri=<route_of_application>/login/callback
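What the index.html script actually produces for a given page URL, and how the two cookies are put back together after login, is easiest to see by running the same statements in Node.js. This is an added example, not code from the blog or from the approuter itself; the XSUAA URL, client id and application route are placeholders, and the same-origin check in restoreAfterLogin is this example's own safeguard, not a description of what the approuter does.

```javascript
// Added example (not from the original blog): the three values the approuter's
// index.html script writes (two cookies and the XSUAA authorize URL), computed
// for a given page URL, plus the inverse used after login. The XSUAA URL, client
// id and app route passed in are placeholders.

// Mirrors the statements in index.html. `xsuaa` stands in for what the approuter
// reads from its xsuaa service binding plus its own route.
function buildLoginRedirect(pageUrl, xsuaa) {
  const u = new URL(pageUrl);
  // location.hash is "#demo"; encodeURIComponent turns the "#" into %23, so the
  // cookie value is "%23demo", not "/demo".
  const fragmentAfterLogin = encodeURIComponent(u.hash);
  // location.href.split('#')[0].split(location.host)[1] keeps path + query only,
  // e.g. "/home.html" for "https://host/home.html#demo".
  const locationAfterLogin = encodeURIComponent(u.href.split("#")[0].split(u.host)[1]);
  // Build the authorize URL with URLSearchParams so redirect_uri is encoded.
  const authorize = new URL("/oauth/authorize", xsuaa.url);
  authorize.searchParams.set("response_type", "code");
  authorize.searchParams.set("client_id", xsuaa.clientid);
  authorize.searchParams.set("redirect_uri", `${xsuaa.appUrl}/login/callback`);
  return { fragmentAfterLogin, locationAfterLogin, authorizeUrl: authorize.href };
}

// Inverse: once a session exists, the browser is sent back to the saved path
// and the fragment is re-attached. Both cookies are client-writable, so this
// example only accepts a same-origin path ("/..." but not "//...", which a
// browser would read as a host) to rule out an open redirect.
function restoreAfterLogin(cookies) {
  const path = decodeURIComponent(cookies.locationAfterLogin || "");
  if (!path.startsWith("/") || path.startsWith("//")) {
    throw new Error("refusing to redirect to non-local location: " + path);
  }
  return path + decodeURIComponent(cookies.fragmentAfterLogin || "");
}

// Placeholder environment, constructed for this example.
const XSUAA_ENV = {
  url: "https://mytenant.authentication.eu10.hana.ondemand.com",
  clientid: "sb-myapp",
  appUrl: "https://myapp.cfapps.eu10.hana.ondemand.com",
};

if (typeof require !== "undefined" && require.main === module) {
  const r = buildLoginRedirect("https://myapp.cfapps.eu10.hana.ondemand.com/home.html#demo", XSUAA_ENV);
  console.log(r);
  console.log("after login ->", restoreAfterLogin(r));
}
```

Because the fragment is saved with its "#" percent-encoded, a cookie value of "%23demo" is the normal case; if you see an empty fragmentAfterLogin cookie while debugging, the page was requested without a fragment, not stripped by the approuter.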
Step 2: Request to the Authorisation Server
The browser executes the script in the returned HTML page and so requests the authorisation endpoint of XSUAA (the authorisation server). The browser has no XSUAA session yet and the request carries no JWT, so XSUAA redirects it to its login page.
Request: <xsuaa_url>/oauth/authorize?response_type=code&client_id=<xsuaa_clientid>&redirect_uri=<route_of_application>/login/callback
HTTP Response Code: 302
Location Response Header: /login
Step 3: Request to the Authorisation Server Login Page

Request: <xsuaa_url>/login
HTTP Status Code: 200
The login page hands over to the identity provider configured for the XSUAA tenant, here the SAP ID service (accounts.sap.com), with an OpenID Connect authorisation request (response_type=code, scope=openid). XSUAA acts as the OIDC client here; the state and nonce values tie the response that comes back later to this particular login attempt. The redirection URL is:
https://accounts.sap.com/oauth2/authorize?client_id=<client_id>&response_type=code&redirect_uri=<xsuaa_url>/login/callback/<origin_key>&state=<state>&scope=openid&nonce=<nonce>

Step 4: Request to the SAP IDP
Request: https://accounts.sap.com/oauth2/authorize?client_id=<client_id>&response_type=code&redirect_uri=<xsuaa_url>/login/callback/<origin_key>&state=<state>&scope=openid&nonce=<nonce>
HTTP Status Code: 302
Location Response Header: https://accounts.sap.com/saml2/idp/sso?sp=<sp_name>&RelayState=client_id=<client_id>&response_type=code&redirect_uri=<xsuaa_url>/login/callback/<origin_key>&state=<state>&scope=openid&nonce=<nonce>
The SAP ID service answers the OIDC request by starting a SAML SSO request towards its own SAML identity provider (step 5); the parameters of the OIDC request travel along in RelayState so that they are available again once the SAML leg is finished. The sp_name for a trial account in the Europe (Frankfurt) region is uaa-cf-eu10.
Step 5: SAML SSO
The SAML SSO request returns a login form in which the resource owner (the user) enters their credentials and submits them to the IDP (here Gigya). Once authentication succeeds, the IDP returns a SAML assertion for the user to the Assertion Consumer Service of the SAP ID service (step 6).
Request: https://accounts.sap.com/saml2/idp/sso?sp=<sp_name>&RelayState=client_id=<client_id>&response_type=code&redirect_uri=<xsuaa_url>/login/callback/<origin_key>&state=<state>&scope=openid&nonce=<nonce>
HTTP Status Code: 200
Response: the login form, served from https://fidm.<region>.gigya.com/saml/v2.0/<code>/idp/sso
Step 6: IDP and SAML Assertion
The IDP validates the user's credentials and posts the SAML assertion to the Assertion Consumer Service (ACS) endpoint, i.e. the address at which the service provider receives the identity provider's authentication response. The SAP ID service validates the assertion and completes the OIDC request from step 3 by redirecting the browser to the XSUAA callback with an authorisation code and the original state:
Request: https://accounts.sap.com/saml2/idp/acs
HTTP Status Code: 200
Response: redirection to <xsuaa_url>/login/callback/<origin_key>?code=<code>&state=<state>
Step 7: Redirection to XSUAA
XSUAA receives the code at its callback and checks that the returned state matches the one it issued in step 3 (the exchange of this code with the SAP ID service happens server to server and is not visible in the browser). It then creates the login session for the user and resumes the authorisation request that was interrupted in step 2:
Request: <xsuaa_url>/login/callback/<origin_key>?code=<code>&state=<state>
HTTP Status Code: 302
Response: <xsuaa_url>/oauth/authorize?response_type=code&client_id=<xsuaa_clientid>&redirect_uri=<app_url>/login/callback
Step 8: Authorisation Code Generation
XSUAA now has an authenticated session for the user, so it answers the pending authorisation request by generating an authorisation code and sending it back, via the browser, to the client, i.e. the approuter. The code is short-lived and single-use, and XSUAA only sends it to a redirect_uri that matches the redirect-uris configured for the xsuaa instance (oauth2-configuration in xs-security.json); a mismatch between the approuter route and that configuration is the usual reason this step fails. Note that the code is not yet the JWT.
Request: <xsuaa_url>/oauth/authorize?response_type=code&client_id=<xsuaa_clientid>&redirect_uri=<route_of_application>/login/callback
HTTP Status Code: 302
Response: <app_url>/login/callback?code=<authorisation_code>
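Steps 1 to 8 are all visible from the browser, so the quickest way to find out where a login attempt goes wrong is to walk the chain one response at a time instead of letting the client follow redirects. The Node.js script below does that; it is an added example, not code from the blog or from SAP. The hostnames, client ids, origin key and state/nonce values are placeholders, and the canned responses are constructed to replay the hops described above (step 3 is modelled as a page that redirects from script, so both kinds of hop are exercised). With Node 18 or later you can pass the global fetch in place of cannedFetch to trace a real approuter, because Node's fetch returns the 3xx response itself when called with redirect: "manual".

```javascript
// Added example, not part of the original blog: trace the browser-visible hops
// of the approuter -> XSUAA -> IDP login chain one response at a time, so each
// Location header and the client-side redirect in the approuter's index.html
// can be inspected. All hostnames, client ids and parameter values below are
// placeholders constructed for this example.

// The approuter's index.html (and some login pages) redirect from JavaScript;
// pull the target out of `location = "..."` / `window.location.href = "..."`.
function extractScriptRedirect(html) {
  const m = /(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/.exec(html);
  return m ? m[1] : null;
}

// Follow the chain hop by hop. fetchImpl must behave like Node's global fetch
// called with { redirect: "manual" }: a 3xx is returned as-is with its Location
// header instead of being followed. The trace stops at the first response that
// carries no further redirect (normally the IDP's login form) or after maxHops,
// which also guards against a redirect loop caused by a broken session cookie.
async function traceLoginChain(startUrl, fetchImpl, maxHops = 15) {
  const hops = [];
  let url = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const res = await fetchImpl(url, { redirect: "manual" });
    const hop = { url, status: res.status, via: null, next: null };
    const loc = res.headers.get("location");
    if (res.status >= 300 && res.status < 400 && loc) {
      hop.via = "Location header";
      hop.next = new URL(loc, url).href; // Location may be relative, e.g. "/login"
    } else if (res.status === 200) {
      const target = extractScriptRedirect(await res.text());
      if (target) {
        hop.via = "script";
        hop.next = new URL(target, url).href;
      }
    }
    hops.push(hop);
    if (!hop.next) break;
    url = hop.next;
  }
  return hops;
}

// Constructed stand-in for fetch that replays the hops of steps 1 to 8 (no
// network involved). It ignores cookies, so it always plays the "no session
// yet" path and ends at the IDP login form.
const APP = "https://myapp.cfapps.eu10.hana.ondemand.com";
const XSUAA = "https://mytenant.authentication.eu10.hana.ondemand.com";
const IDS = "https://accounts.sap.com";
const AUTHORIZE = `${XSUAA}/oauth/authorize?response_type=code&client_id=sb-myapp&redirect_uri=${encodeURIComponent(APP + "/login/callback")}`;
const IDS_AUTHORIZE = `${IDS}/oauth2/authorize?client_id=xsuaa-oidc-client&response_type=code&redirect_uri=${encodeURIComponent(XSUAA + "/login/callback/sap.default")}&state=st-1&scope=openid&nonce=nc-1`;
const IDS_SSO = `${IDS}/saml2/idp/sso?sp=uaa-cf-eu10&RelayState=${encodeURIComponent("client_id=xsuaa-oidc-client&response_type=code&state=st-1")}`;

function canned(status, headers = {}, body = "") {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { status, headers: { get: (k) => lower[k.toLowerCase()] ?? null }, text: async () => body };
}

const RESPONSES = new Map([
  // step 1: no approuter session, so index.html with the script redirect is served
  [`${APP}/home.html`, canned(200, { "content-type": "text/html" },
    `<html><head><script>location = "${AUTHORIZE}"</script></head></html>`)],
  // step 2: no XSUAA session either, /oauth/authorize bounces to /login
  [AUTHORIZE, canned(302, { Location: "/login" })],
  // step 3: the login page hands over to the configured IDP from a script
  [`${XSUAA}/login`, canned(200, { "content-type": "text/html" },
    `<html><body><script>window.location.href = "${IDS_AUTHORIZE}";</script></body></html>`)],
  // step 4: the SAP ID service turns the OIDC request into a SAML SSO request
  [IDS_AUTHORIZE, canned(302, { Location: IDS_SSO })],
  // step 5: the SAML SSO endpoint returns the login form; user input needed
  [IDS_SSO, canned(200, { "content-type": "text/html" },
    '<html><body><form method="post">user / password</form></body></html>')],
]);

async function cannedFetch(url) {
  const res = RESPONSES.get(url);
  if (!res) throw new Error("no canned response for " + url);
  return res;
}

// Trace the canned chain; returns the hops so callers can inspect them.
async function demoTrace() {
  return traceLoginChain(`${APP}/home.html`, cannedFetch);
}

if (typeof require !== "undefined" && require.main === module) {
  demoTrace().then((hops) => {
    for (const h of hops) {
      console.log(`${h.status} ${h.url}`);
      console.log(h.next ? `    -> (${h.via}) ${h.next}` : "    -> stop: no further redirect (login form)");
    }
  });
}
```

Against a real tenant the trace ends at the IDP login form as well; if it stops earlier, the hop where it stopped tells you which component rejected the request (the approuter, XSUAA, or the IDP), and the URL of that hop shows which redirect_uri, client_id and origin key were actually sent.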
Step 9: JWT Token Creation at the Approuter
The approuter receives the authorisation code at <app_url>/login/callback and exchanges it, server to server, at the XSUAA token endpoint <xsuaa_url>/oauth/token (grant_type=authorization_code, the code, the same redirect_uri, and the client id and secret of its bound xsuaa instance). XSUAA answers with the JWT, which the approuter keeps in its own session and attaches as a bearer token when forwarding requests to the backend; the browser only ever holds the approuter session cookie, never the JWT. The XSUAA tenant URLs have the following form:
Trial Account: https://<tenant_name>.authentication.<region>.hana.ondemand.com/saml/metadata
For Enterprise: https://<accountid>.authentication.hana.ondemand.com/oauth/token?grant_type=client_credentials
I hope you enjoyed this blog, in which we learnt in detail how a request to an application deployed in BTP gets served to the user securely.
Thank you for the nice explanation of the authorization process.
Would you mind describing how to debug or troubleshoot that process? Tools, actions, best practices for how to find what's wrong when I get a 401 or some other error because I don't have an active session?
Nice blog, that helped me to understand the fundamentals of how the app call is authenticated!!
Thanks,
Pramod
Very interesting, thanks for the write-up