2018 Aug 24 6:39 AM
Hello Expert,
We have a mobile application (built with the Xamarin development tool) and want to consume an OData service from an SAP server that is protected by the Azure application proxy. We are having some problems passing the proxy pre-authentication and reaching the SAP server. I need some input/advice on how we can get through.
This is quite a complex environment, so please allow me to give some background first.
[Diagram: Systems involved]
[Diagram: Intranet scenario]
[Diagram: Internet scenario]
We followed the SAP document from the link below, and we are able to get the OData service within the intranet, that is, without Azure AD and the Azure application proxy in the picture.
We are also able to get an access token from Azure AD via the Microsoft ADAL library, and that token is accepted by the proxy server. We added the access_token to the Authorization header of the HTTP request; the request reached the SAP system and we got an HTTP 401 error from the SAP system, because the request didn't carry the authentication SAP requires.
However, if we carry the SAP authentication in the Authorization header of the HTTP request, we cannot pass the proxy authentication. We are not able to carry two Authorization headers in the same request either, because it does not allow me to do so.
So the question is: how can we pass both the proxy authentication and the SAP authentication in the internet scenario and reach the OData service? Does anyone have similar experience and could share some thoughts with me?
BTW, browser access to the OData service seems to work properly from the internet, so I believe there must be a way to make it work in the mobile app.
Thanks
Chenyang
2018 Aug 24 7:25 AM
I followed the document below and it works correctly in the intranet scenario.
2018 Aug 25 5:01 AM
Hi Chenyang,
Please check this thread from Stack Overflow: https://stackoverflow.com/questions/29282578/multiple-http-authorization-headers
which talks about putting multiple values into the HTTP Authorization header. There are mixed results, so I am not sure whether this is supported by Azure and SAP. However, steps 3 & 4 in your diagram already present a solution to this issue. Did you manage to get the SAP access token during step 4? What error did you get? During step 4 there is no need to carry two Authorization headers in one request, as at this point you have already passed the Azure proxy authentication, and as long as the request carries the Azure session cookie it should be fine.
Tong
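As an added illustration of the sequence Tong describes (this is not code from the thread, from SAP or from Microsoft), here is the step 3 to step 5 flow in C# for a Xamarin app using HttpClient, with a single cookie jar standing in for the Azure session cookie and never more than one Authorization header per request. The proxy URL, SAP paths, OAuth grant type and JSON field name are assumptions and need to be replaced with your own values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class ProxiedSapODataClient
{
    // Assumed placeholders: the App Proxy external URL and SAP paths are not values from the thread.
    private const string ProxyBase = "https://sap-example.msappproxy.net";
    private const string TokenPath = "/sap/bc/sec/oauth2/token";
    private const string ODataPath = "/sap/opu/odata/sap/ZEXAMPLE_SRV/Items";

    public static async Task<string> GetODataAsync(string azureAccessToken, string sapUser, string sapPassword)
    {
        // One cookie jar for the whole flow: cookies the proxy sets in step 3 are replayed on steps 4 and 5.
        var handler = new HttpClientHandler { CookieContainer = new CookieContainer(), UseCookies = true };
        using var client = new HttpClient(handler);

        // Step 3: pre-authenticate at the proxy with only the Azure AD token; SAP is expected to answer 401 here.
        using var preAuth = new HttpRequestMessage(HttpMethod.Get, ProxyBase + ODataPath);
        preAuth.Headers.Authorization = new AuthenticationHeaderValue("Bearer", azureAccessToken);
        using var preAuthResponse = await client.SendAsync(preAuth);
        if (preAuthResponse.StatusCode != HttpStatusCode.Unauthorized && !preAuthResponse.IsSuccessStatusCode)
            throw new InvalidOperationException($"Proxy pre-authentication failed: {(int)preAuthResponse.StatusCode}");

        // Step 4: SAP OAuth token request carrying only the SAP Basic credentials; the proxy is satisfied by the cookies.
        using var tokenRequest = new HttpRequestMessage(HttpMethod.Post, ProxyBase + TokenPath);
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{sapUser}:{sapPassword}"));
        tokenRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        // Grant type is assumed; use the one your SAP OAuth client is configured for.
        tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["grant_type"] = "client_credentials" });
        using var tokenResponse = await client.SendAsync(tokenRequest);
        tokenResponse.EnsureSuccessStatusCode();
        using var json = JsonDocument.Parse(await tokenResponse.Content.ReadAsStringAsync());
        var sapToken = json.RootElement.GetProperty("access_token").GetString();

        // Step 5: call the OData service with the SAP bearer token; the proxy cookies ride along again.
        using var odata = new HttpRequestMessage(HttpMethod.Get, ProxyBase + ODataPath);
        odata.Headers.Authorization = new AuthenticationHeaderValue("Bearer", sapToken);
        using var odataResponse = await client.SendAsync(odata);
        odataResponse.EnsureSuccessStatusCode();
        return await odataResponse.Content.ReadAsStringAsync();
    }
}
```

If step 4 is still rejected by the proxy, inspect handler.CookieContainer.GetCookies(new Uri(ProxyBase)) after step 3 to confirm which proxy cookies were actually stored, and compare them with what a browser receives for the same URL.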
2018 Aug 27 2:33 AM
Hi Tony,
Yes, I did try to add both Authorization headers as mentioned in the Stack Overflow post. It is not supported by the proxy.
I am able to get the SAP access token and get the OData from the intranet, but not from the internet.
The internet scenario is based on my assumption only; it is not proven yet.
In step 3 of the Internet diagram, I am able to hit the SAP system and get a 401 error, because I didn't carry the SAP Authorization header required by the OAuth token service. I am able to get two Azure cookies from that call, though. But a browser-based simulation gets three Azure cookies. Step 4 failed: it was rejected by the proxy server and didn't reach SAP. I guess it is because the third cookie is missing.
2018 Aug 28 4:16 AM
Hi Chenyang,
If you are using Azure AD Application Proxy, check this link: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-single-sign-on and try to disable SSO on AP. Then retry step 4 and handle the basic authentication in the mobile app. The other option is to change the logon mechanism of the OAuth authorization endpoint in SICF from basic to SAML or SPNEGO and use federated SSO from AP. Also make sure there is proper authorization in Azure for the AD user to be able to access the backend app.
Tong
2018 Aug 29 4:18 AM
Hi Tony,
Appreciate your help indeed. Yes, I am using the Azure application proxy.
I am not able to follow your first suggestion. Both the Azure proxy and my SAP application need authentication. Why do I need to disable AP SSO?
For the second suggestion, the logon method of the token SICF service cannot be modified. Please check the screen below.
This service supports basic auth and SSL certificate authentication only.