Configure SSO using Azure AD from the Internet for SAP Fiori (on prem) via Azure Application Proxy
There are many security considerations when exposing on-premises applications to the internet. Therefore, most clients keep their SAP Fiori apps accessible from the internal network only and provide VPN access for the use cases where mobile access is required.
However, there are use cases for exposing Fiori apps to the internet, for example if you want to address a wider user group than those who typically have access to the enterprise network (e.g., business partners). Luckily, plenty of solutions for exposing Fiori apps to the internet exist.
One is to use a reverse proxy service such as Azure AD Application Proxy: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy. The biggest benefit of Azure app proxy is that it replaces VPN-based access and does not require you to open inbound firewall connections for a specific app: all inbound communication is routed via the application proxy connector, which sits inside the enterprise network (or rather the DMZ) and only establishes outbound connections to the Azure service.
When enabling access to SAP Fiori apps via Azure app proxy, you will also want to enable SSO, as this strengthens secure access to your apps and reduces complexity for the users. It also lets you refine your authentication process, for example with conditional access (only registered devices may log in, etc.) or by requiring more than one factor for authentication.
This blogpost does not focus on how to set up Azure app proxy for SAP Fiori, but on the SSO configuration part, once you have already configured Azure app proxy.
However, before explaining how to configure SSO for Azure app proxy for Fiori, let's look a bit deeper at the authentication flow in this scenario, as this helps to better understand the final configuration and to eliminate configuration mistakes.
The diagram and authentication steps below are based on the Microsoft docs describing the general SSO mechanism between Azure Application Proxy and a generic service provider (SP) for an SP-initiated authentication flow (https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-on-premises-apps). An IdP (identity provider) initiated authentication flow is possible too, but its setup differs a bit from what is described in this blogpost.
- the user’s client (web browser) tries to reach the app proxy via its external URL
- the application proxy redirects the request to Azure AD for (pre-)authentication
- after successful authentication in Azure AD the request is forwarded back to the application proxy
- the application proxy forwards the request through the connector to the SAP application server
- the SAML service on the SAP system generates a SAML request (AuthnRequest) and redirects the browser to Azure AD in order to fetch a SAML response (the redirect is proxied through the app proxy)
- Azure AD returns the SAML response to the assertion consumer service (ACS) URL of the SAP system; since that URL is the external proxy URL, the response reaches the SAP application server via the application proxy and its connector
- the SAML service on the SAP system validates the SAML response (signature, audience, validity period) and signs the user in to the SAP Fiori Launchpad
Now that you are familiar with the authentication flow mechanism, we can start configuring!
Step 1 – Enable SSO for SAP Fiori using Azure AD without app proxy for access from the enterprise network
There are plenty of good blogs for this (e.g., “Single Sign-On (SAML2) Configuration for SAP FIORI Application” or “Configure SAML based Single Sign-on for SAP Fiori and NetWeaver using Azure Active Directory”), so there is no need to discuss the exact procedure within this blogpost. If SSO for SAP Fiori works fine within the enterprise network, you can be sure that you’ve done the basics correctly and have a solid configuration foundation for the next steps.
Step 2 – Create an Azure Application Proxy app for your SAP Fiori Launchpad
Please do not forget to select “Azure Active Directory” in the Pre-Authentication field (red box in the screenshot); otherwise the proxy passes requests through without Azure AD pre-authentication.
Test the proxy app from the internet without SSO first, so you know the proxy itself works before starting the SSO configuration. Remember that your test URL is the external URL of the Azure app proxy (https://myfiorilaunchpad-proxy.msappproxy.net) plus the root path of your Fiori Launchpad (/sap/bc/ui2/flp): https://myfiorilaunchpad-proxy.msappproxy.net/sap/bc/ui2/flp .
Step 3 – Update External URL in SAML configuration
Now go back to the SSO configuration in Azure AD you did in Step 1 in order to update the Reply URL (this is the ACS URL of the SAP SAML service). For this you need the external URL of your app proxy that you configured in Step 2.
If your External URL (Step 2) is https://myfiorilaunchpad-proxy.msappproxy.net and the Reply URL was https://<server>:<port>/sap/saml2/sp/acs/200, you have to update the Reply URL to https://myfiorilaunchpad-proxy.msappproxy.net/sap/saml2/sp/acs/200 . If users should keep SSO from the internal network as well, add the external URL as an additional Reply URL rather than replacing the internal one; Azure AD accepts several Reply URLs for one application.
After completing Step 3 you are ready to test your SSO configuration from the internet.
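A quick offline check that pairs with Step 3 and with the redirect step in the flow above, added here as an example and not taken from the original post: Azure AD only answers an AuthnRequest whose AssertionConsumerServiceURL matches a registered Reply URL, so when the login from the internet fails it pays to decode the SAMLRequest parameter from the redirect to login.microsoftonline.com and compare its ACS URL with what you registered. The external URL and the ACS path are the ones from this post; the AuthnRequest content, the issuer value and the tenant placeholder in the Azure AD endpoint are constructed for the example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Values from the post: external URL of the proxy app and the SAP ACS path.
EXTERNAL_URL = "https://myfiorilaunchpad-proxy.msappproxy.net"
EXPECTED_ACS = EXTERNAL_URL + "/sap/saml2/sp/acs/200"

# Placeholder Azure AD SAML endpoint (tenant ID is not part of the post).
IDP_SSO_URL = "https://login.microsoftonline.com/<tenant-id>/saml2"


def build_redirect_url(idp_sso_url: str, authn_request_xml: str) -> str:
    """Encode an AuthnRequest as the HTTP-Redirect binding does:
    raw DEFLATE -> base64 -> URL-encoded SAMLRequest query parameter.
    Only used to construct test input; in practice the SAP SAML service does this."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": saml_request})


def decode_redirect_url(redirect_url: str) -> ET.Element:
    """Reverse the HTTP-Redirect binding and return the AuthnRequest root element."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_bytes = zlib.decompress(deflated, -15)
    return ET.fromstring(xml_bytes)


def check_authn_request(root: ET.Element, expected_acs: str) -> dict:
    """Compare the AuthnRequest with the Reply URL registered in Azure AD."""
    findings = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        findings.append(f"not an AuthnRequest: {root.tag}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs != expected_acs:
        findings.append(f"ACS {acs!r} does not match registered Reply URL {expected_acs!r}")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer is None:
        findings.append("Issuer element missing")
    return {"issuer": issuer, "acs": acs, "ok": not findings, "findings": findings}


def check_redirect(redirect_url: str, expected_acs: str = EXPECTED_ACS) -> dict:
    """Decode the redirect captured from the browser and check it."""
    return check_authn_request(decode_redirect_url(redirect_url), expected_acs)


def sample_authn_request(acs_url: str) -> str:
    """Constructed sample AuthnRequest; the issuer value is an assumption."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_example" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        "<saml:Issuer>sap-fiori-sp</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    # Good case: SAP emits the external ACS URL, matching the Reply URL from Step 3.
    good = build_redirect_url(IDP_SSO_URL, sample_authn_request(EXPECTED_ACS))
    print(check_redirect(good))
    # Bad case: SAP still emits its internal host name, e.g. before Step 3 was done.
    internal_acs = "https://sapserver.corp:44300/sap/saml2/sp/acs/200"
    bad = build_redirect_url(IDP_SSO_URL, sample_authn_request(internal_acs))
    print(check_redirect(bad))
```

To use it against a real login attempt, copy the full login.microsoftonline.com redirect URL from the browser's developer tools into check_redirect(); a mismatch in the ACS URL means the Reply URL in Azure AD and the host the SAP system builds its ACS URL from do not line up.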
Please do not forget to test in a private browser window, to verify that you’ve succeeded in setting it all up correctly and are not just reusing the cookies stored in your browser session 🙂 !