You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "Nguyen, Bao L" <ba...@intel.com> on 2012/10/23 00:24:12 UTC

[users@httpd] Apache Reverse Proxy for Keberos-Enabled Website

Hi All,



I have configured Apache to act as a reverse proxy for some of our internal SAP applications.  These internal SAP applications already has SSO set up using Kerberos.   Is it possible configure Apache to  "delegate" the authentication to the internal SAP application so I have to set up  mod_auth_kerb to authenticate the users before proxy-ing the request?



Any advices would be greatly appreciated!



Thank you.





Bao Nguyen

Intel Corp - SAP Integration Engineering

916-356-7153

[users@httpd] RE: Apache Reverse Proxy for Keberos-Enabled Website

Posted by "Rapp, James" <ja...@sap.com>.

Hi,

> I have configured Apache to act as a reverse proxy for some of our internal SAP applications.  These internal SAP applications already has SSO set up using Kerberos.   Is it possible configure Apache to  "delegate" the authentication to the internal SAP application so I have to set up  mod_auth_kerb to authenticate the users before proxy-ing the request?

It depends on where you actually want the Kerberos authentication to take place.  If you authenticate the users with Kerberos at the Apache Reverse Proxy it would be redundant to do so again within your SAP applications.  A likely alternative would be to handle the Kerberos authentication via mod_auth_kerb, as you mention, and then configure the SAP applications to "trust" a pre-authenticated user from the Reverse Proxy.  SAP can usually interpret REMOTE_USER, or a web session variable containing the authenticated user name.

Alternately you could consider an authentication method such as SAML, which would allow you to delegate the Identity Provider service to the Application Server hosting your SAP apps.

Feel free to follow up with me directly if you need further context on integration with your SAP applications.

Cheers,

James Rapp
Specialist, Customer Solution Adoption (CSA) Team, TIP Customer Engagement & Strategic Projects

From: Nguyen, Bao L [mailto:bao.l.nguyen@intel.com]
Sent: Monday, October 22, 2012 4:24 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache Reverse Proxy for Keberos-Enabled Website


Hi All,



I have configured Apache to act as a reverse proxy for some of our internal SAP applications.  These internal SAP applications already has SSO set up using Kerberos.   Is it possible configure Apache to  "delegate" the authentication to the internal SAP application so I have to set up  mod_auth_kerb to authenticate the users before proxy-ing the request?



Any advices would be greatly appreciated!



Thank you.





Bao Nguyen

Intel Corp - SAP Integration Engineering

916-356-7153