SAML2.0 on same AS ABAP back-end for two or more FQDNs?

0 Kudos
1,796

Hi all,

I'm wondering how it can be achieved to configure SAML2.0 on AS ABAP in a way that prevents "No RelayState mapping found for RelayState value xxx" errors when coming from an FQDN for which SAML2.0 has not been configured (per default).

For example, abc123.acme.com exports SP Metadata and imports IdP Metadata based on this FQDN, and for that FQDN SAML2.0 is operating as expected. Now our customers are not able to remember abc123.acme.com, so we are offering saplaunchpad.acme.com (super easy to remember) but get back the RelayState error, which is obvious because for saplaunchpad.acme.com no SP & IdP has been set up on the AS ABAP back-end.

The question is how to overcome this behaviour: will it be sufficient to just export SP Metadata (on saplaunchpad.acme.com) and set up an additional IdP (based on the second FQDN) on the AS ABAP back-end? Is AS ABAP able to select which IdP configuration (e.g. based on the incoming/forwarded host header) must be used?

Thank you & best wishes

Accepted Solutions (0)

Answers (2)

Colt
Active Contributor

Hi Georg,

I try to avoid that whenever possible and recommend using a generic FQDN for the SP.

There might be approaches to implement this without additional network components; I haven't done that yet. Check out this answer from Dimitar, maybe it is helpful.

I have seen customers who used a BIG-IP or other appliances. There are various scenarios for how to set up this requirement. They were used to forward queries to the correct SPs based on specific FQDNs and Service-URLs. Thus the URL was appropriately masked and rewritten by the reverse proxy. The host header was replaced with the host value extracted from the matched ACS URI of the internal SP. Additional security functions such as URL filtering etc. are performed by downstream systems (such as an SAP Web Dispatcher) placed in front of the SP.

Cheers Colt
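An added illustration of the reverse-proxy approach described in the answer above; this is not code from the thread, from SAP or from any appliance vendor. The FQDNs, ACS path and RelayState values are constructed, and the back-end lookup is a simplified model of the behaviour the question reports, not the actual AS ABAP implementation:

```python
from urllib.parse import urlparse

# Constructed model of the situation in the thread (hypothetical values):
# only abc123.acme.com has SP metadata exported, so the back-end only knows
# RelayState mappings for that FQDN. saplaunchpad.acme.com is the friendly
# alias the customer wants to use.
SP_ACS_URL = "https://abc123.acme.com/sap/saml2/sp/acs/100"
RELAYSTATE_MAP = {
    # (FQDN the SP configuration was created for, RelayState value) -> target
    ("abc123.acme.com", "rs-flp"): "/sap/bc/ui2/flp",
}
# Reverse-proxy rule: public FQDN -> ACS URL of the internal SP to forward to.
# Both public names map to the one SP that actually exists on the back-end.
PROXY_RULES = {
    "abc123.acme.com": SP_ACS_URL,
    "saplaunchpad.acme.com": SP_ACS_URL,
}


def backend_resolve_relaystate(host_header, relaystate):
    """Simplified model of the AS ABAP side: look up the RelayState under the
    FQDN the SP configuration was created for; an unknown FQDN yields the
    error text quoted in the question."""
    target = RELAYSTATE_MAP.get((host_header.lower(), relaystate))
    if target is None:
        return "No RelayState mapping found for RelayState value %s" % relaystate
    return target


def proxy_forward(public_host, relaystate):
    """Reverse-proxy behaviour from the answer: match the public FQDN, pick the
    internal SP, and replace the Host header with the host taken from that SP's
    matched ACS URI before handing the request to the back-end."""
    acs = PROXY_RULES.get(public_host.lower())
    if acs is None:
        return None  # unmatched FQDN: refuse instead of guessing an SP
    internal_host = urlparse(acs).netloc
    return backend_resolve_relaystate(internal_host, relaystate)


if __name__ == "__main__":
    # Direct access via the alias reproduces the error from the question.
    print(backend_resolve_relaystate("saplaunchpad.acme.com", "rs-flp"))
    # Through the rewriting proxy the same request resolves.  # -> /sap/bc/ui2/flp
    print(proxy_forward("saplaunchpad.acme.com", "rs-flp"))
```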

Colt
Active Contributor
0 Kudos

Feedback from SAP: Not possible.

With S/4, the trust only goes as far as the client, not finer. It is therefore not possible to configure individual ICF services as separate SPs.