Hello Nick,
Does the RedwoodCPS application use the SPNEGO authentication of SAP AS Java or implement it on its own? Can you check traces collected with the security troubleshooting tool with incident type "Authentication" - http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4e/961adccb0c4f1db41023c755c7c519/frameset.htm. Are there any records with the "LOGIN.OK" string for this application and, if yes, does the authentication table contain the SPNegoLoginModule?
Additional hints:
- You can also disable the SPNEGO authentication using the HTTP header "x-sap-spnego: disabled". If set by a reverse proxy, it won't be affected by any redirects/URL expansions; however, it will affect all users. Still, you can try it out.
- Using the latest component for risk-based authentication of the SAP SSO product, you can write a policy that certain users (members of a specific group, for example) cannot authenticate with SPNEGO, and/or from certain IPs, etc. The functionality is quite flexible and powerful. In this case the users won't need to play with URL parameters. Of course, a prerequisite is that the RedwoodCPS application is using the authentication infrastructure of SAP AS Java.
Regards,
Dimitar