How to send Azure AD SAML response to Application-Proxy URL

Kashyap Shah 0 Reputation points
2021-11-30T12:44:45+00:00

Hello,

I have configured Single Sign-On using Azure AD for SAP Fiori access (via SAP Web Dispatcher). It works fine when accessed on a desktop/laptop connected to the corporate network (through VPN) via the SAP Web Dispatcher link/URL.
In addition, Azure AD Application Proxy has been configured so that the system can be accessed on an organisation-managed mobile device via the Application Proxy URL. Such access from a mobile device fails after the user is authenticated against Azure AD.

I think the issue is that while accessing the Azure Application Proxy (app-proxy.url.net) link, the URL changes to the back-end SAP Web Dispatcher (sap.web.dispatcher.local) after authenticating the user on Azure AD, and the SAP Web Dispatcher URL can't be resolved over the Internet on the mobile device. It may well be some setting to keep sticking to the same Azure Application Proxy URL after authenticating the user on Azure AD. If my understanding is correct, I am not sure where that setting is to be done, whether on the SAP side or on the Azure side. I would appreciate it if anyone could assist.

I even tried maintaining an additional Reply URL for the corresponding Azure enterprise application: https://app-proxy.url.net/sap/saml2/sp/acs/<sap-client-number> but that fails with the error:

SAML20 SP (client <sap-client-number> ): Destination from Response https://app-proxy.url.net/sap/saml2/sp/acs/<sap-client-number> must match the actual URL where message was sent - ACS endpoint https://sap.web.dispatcher.local:<port>/sap/saml2/sp/acs/<sap-client-number> or application URL(depending on configuration)
SAML20 SP (client <sap-client-number> ): Exception raised:
SAML20 SAML20 CX_SAML20_CORE: Message 'Response' did not arrive at the correct destination. Long text: Message 'Response' did not arrive at the correct destination.

Please let me know if any more information is required.

Thanks.

Microsoft Entra ID
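As an added example (not code from the question, from SAP or from Microsoft), the following Python models the SAML 2.0 Destination check an SP performs on an inbound Response, which is the rule behind the error quoted above: the Destination attribute must equal the URL at which the SP actually received the POST, and the SP typically derives that URL from the Host header of the request it sees. The SAP client number, port, SAML IDs and the sample Response are constructed placeholders.

```python
"""Offline model of the SP-side SAML 2.0 Destination check.

Added example, not code from the original post, SAP or Azure.  SAML 2.0
Core requires a signed Response's Destination attribute to match the
location where the message was received.  The SP derives that location
from the request it sees, so a reverse proxy that rewrites the Host
header changes the outcome of the comparison.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed placeholders mirroring the hostnames used in the question.
CLIENT = "100"                       # constructed SAP client number
INTERNAL_PORT = "44300"              # constructed Web Dispatcher port
ACS_PATH = f"/sap/saml2/sp/acs/{CLIENT}"
EXTERNAL_ACS = f"https://app-proxy.url.net{ACS_PATH}"
INTERNAL_ACS = f"https://sap.web.dispatcher.local:{INTERNAL_PORT}{ACS_PATH}"


def received_url(headers: dict, path: str, scheme: str = "https") -> str:
    """URL the SP believes the POST arrived at, built from the Host
    header (which an intermediate proxy may have rewritten) and the path."""
    return f"{scheme}://{headers['Host']}{path}"


def _normalize(url: str) -> tuple:
    """Compare URLs on scheme, host, effective port and path, so that an
    omitted default port or a trailing slash is not a false mismatch."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port, p.path.rstrip("/"))


def check_destination(saml_response_xml: str, actual_url: str) -> tuple[bool, str]:
    """Return (ok, message) for the Destination check on one Response."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, "not a samlp:Response"
    destination = root.get("Destination")
    if destination is None:
        return False, "Response has no Destination attribute"
    if _normalize(destination) != _normalize(actual_url):
        return False, (f"Destination from Response {destination} must match the "
                       f"actual URL where message was sent - ACS endpoint {actual_url}")
    return True, "Destination matches ACS endpoint"


def sample_response(destination: str) -> str:
    """Minimal constructed samlp:Response carrying the given Destination."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed_id" '
            f'Version="2.0" IssueInstant="2021-11-30T12:44:45Z" '
            f'Destination="{destination}">'
            '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '</samlp:Response>')


def scenario(proxy_rewrites_host: bool) -> tuple[bool, str]:
    """Mobile flow: the IdP issues the Response for the external ACS URL and
    the proxy forwards the POST, either keeping the external Host header
    or rewriting it to the back-end host the SP knows itself as."""
    response = sample_response(EXTERNAL_ACS)
    host = (f"sap.web.dispatcher.local:{INTERNAL_PORT}" if proxy_rewrites_host
            else "app-proxy.url.net")
    return check_destination(response, received_url({"Host": host}, ACS_PATH))


if __name__ == "__main__":
    for rewrites in (False, True):
        ok, msg = scenario(rewrites)
        print(f"proxy rewrites Host={rewrites}: {'OK' if ok else 'REJECT'} - {msg}")
```

The two scenarios isolate what the SP compares: with the external host preserved, a Response addressed to the Application Proxy ACS URL passes; once the back end sees only its internal hostname, the same Response is rejected with the mismatch message, which is why adding the external Reply URL alone is not enough and why inspecting the actual URL and Host header in the proxied request is the first thing to check.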

2 answers

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-12-06T05:29:11.393+00:00

    The error seems to reflect a configuration error somewhere. While researching I came across this SAP KB with the exact same error, where you can read the cause and solution if you have an SAP account.
    Check more here: https://userapps.support.sap.com/sap/support/knowledge/en/2661988

    Can you share the documents which you followed for this setup?
    This particular document seems to be setting up SAP Fiori with Azure AD as IdP correctly: https://blogs.sap.com/2020/12/10/sap-on-azure-single-sign-on-configuration-using-saml-and-azure-active-directory-for-public-and-internal-urls/

    Azure AD uses the Sign-on URL, Reply URL and Logout URL; check if your SAP settings allow you to add other things to be able to resolve it over mobile devices. A Fiddler trace might be a good start to see the complete URL flow and understand which component fails.

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. Bansal, Manish 0 Reputation points
    2024-03-24T06:51:43.8366667+00:00

    We are facing the same issue. The Application Proxy URL is authenticated but then asks for the Fiori GW User ID and password (both externally and internally).

    Did you manage to resolve it?
