Hi, > I have configured Apache to act as a reverse proxy for some of our internal > SAP applications. These internal SAP applications already has SSO set up > using Kerberos. Is it possible configure Apache to "delegate" the > authentication to the internal SAP application so I have to set up > mod_auth_kerb to authenticate the users before proxy-ing the request?
It depends on where you actually want the Kerberos authentication to take place. If you authenticate the users with Kerberos at the Apache Reverse Proxy it would be redundant to do so again within your SAP applications. A likely alternative would be to handle the Kerberos authentication via mod_auth_kerb, as you mention, and then configure the SAP applications to "trust" a pre-authenticated user from the Reverse Proxy. SAP can usually interpret REMOTE_USER, or a web session variable containing the authenticated user name. Alternately you could consider an authentication method such as SAML, which would allow you to delegate the Identity Provider service to the Application Server hosting your SAP apps. Feel free to follow up with me directly if you need further context on integration with your SAP applications. Cheers, James Rapp Specialist, Customer Solution Adoption (CSA) Team, TIP Customer Engagement & Strategic Projects From: Nguyen, Bao L [mailto:bao.l.ngu...@intel.com] Sent: Monday, October 22, 2012 4:24 PM To: users@httpd.apache.org Subject: [users@httpd] Apache Reverse Proxy for Keberos-Enabled Website Hi All, I have configured Apache to act as a reverse proxy for some of our internal SAP applications. These internal SAP applications already has SSO set up using Kerberos. Is it possible configure Apache to "delegate" the authentication to the internal SAP application so I have to set up mod_auth_kerb to authenticate the users before proxy-ing the request? Any advices would be greatly appreciated! Thank you. Bao Nguyen Intel Corp - SAP Integration Engineering 916-356-7153
