Configure Local IDP with HANA Cloud Platform – Different Errors & Possible Fixes
Recently, I was trying to set up a local IDP in my Eclipse and connect it to HANA Cloud Platform so that I could test how a custom authentication process works with applications deployed on HANA Cloud Platform. Even though there is a help document available that takes you through the detailed process of setting up a local IDP, I was not able to set up my local IDP on the first try. I faced a number of errors and I was clueless about how to fix them. In this blog, I will try to cover the errors I faced while configuring a local IDP and how I managed to resolve them all.
Note – These errors are not an exhaustive list of all possible errors. You might get a different error altogether while working on your own IDP configuration. However, these are common errors, and with this blog you will be able to quickly fix the missing configuration.
Unable to Login with IDP User
Though this was not an error as such, it was a roadblock. I was not able to test the IDP configuration with HCP and I was clueless about what I had missed. Take a look at the error snapshot and the user configuration in my local IDP.
As you can see, I have a user “ameya” defined in my local IDP and I was trying to log in and run the application simply with this configuration. Even though I was providing the correct credentials, I was not able to get through.
Solution – I had not uploaded the local IDP metadata XML to configure the new trust provider in HANA Cloud Platform. I had no clue that I needed to download the local IDP metadata XML. I was trying to upload the metadata XML that I had downloaded from Local Trust Providers; I got this file by clicking on the “Get Metadata” link in HANA Cloud Platform.
I was simply uploading the XML I got after clicking “Get Metadata” while configuring a new “Trusted Identity Provider”. When I tried uploading this file, I got a pop-up that stated – “There was a problem uploading XML”, and none of the required fields were populated automatically. I didn’t know that the fields should be populated automatically when you upload the correct XML file from the local IDP.
To establish trust between the local IDP and HANA Cloud Platform, you need to upload the local IDP metadata XML to HANA Cloud Platform while configuring a new trust provider. You also have to copy the HANA Cloud Platform local trust provider metadata XML (the file behind “Get Metadata”) to your local IDP so that both the IDP and HANA Cloud Platform can recognize one another. In other words, each side gets the other side's metadata.
Simply enter this URL in a browser window to download the local IDP metadata XML file – http://localhost:8080/saml2/localidp/metadata
This will download a metadata file named – localidp-metadata.xml
Note – If you face any problem downloading this file, check the proxy settings of your browser.
You will have to upload this file to the new trusted identity provider, and all required fields should populate automatically, even the Name field. If you have to type in any field manually, that means you are not uploading the correct XML file.
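To tell the two metadata files apart before you upload one, here is an added check (my own example, not code from the post or from SAP's tooling): IDP metadata carries an IDPSSODescriptor, while the file you get from “Get Metadata” is service-provider metadata and carries an SPSSODescriptor. The sample metadata, the SP entityID and the SSO endpoint path are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def classify_saml_metadata(xml_text):
    """Report what a SAML 2.0 metadata file describes (IDP and/or SP role, entityID, SSO URL)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    idp = root.find("{%s}IDPSSODescriptor" % MD)
    sso = None if idp is None else idp.find("{%s}SingleSignOnService" % MD)
    return {
        "entity_id": root.get("entityID"),
        "is_idp": idp is not None,
        "is_sp": root.find("{%s}SPSSODescriptor" % MD) is not None,
        "sso_url": None if sso is None else sso.get("Location"),
    }

def usable_as_trusted_idp(xml_text):
    """True only for metadata the "Trusted Identity Provider" upload can populate its fields from."""
    info = classify_saml_metadata(xml_text)
    return info["is_idp"] and info["sso_url"] is not None

# Constructed sample of IDP metadata (shape of localidp-metadata.xml); the SSO path is made up.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="localidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/saml2/localidp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of SP metadata, the kind the "Get Metadata" link hands you.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.invalid/hcp-local-provider">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.invalid/saml2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, md in (("localidp-metadata.xml", IDP_METADATA), ("Get Metadata file", SP_METADATA)):
        print(name, "-> usable as trusted IDP:", usable_as_trusted_idp(md))
```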
With this, I was able to get the custom login screen provided by the local IDP, as shown below.
However, after login, I was getting yet another error – HTTP 401 Unauthorized!
HTTP 401 Error
I thought I would be able to run the application now and test the local IDP authentication. I had even assigned a role “sales” in the HCP Roles section that I had defined for the IDP user.
However, I was still getting the HTTP 401 error, and this was because there was no “sales” role defined in my application's web.xml.
Solution – I found that application authentication with the local IDP and HANA Cloud Platform works on the basis of “pre-defined” roles. These are application roles we define in the web.xml of the application. Unfortunately, I had defined a number of roles in the “Roles” section of my IDP, but I had no corresponding roles defined in the application to which they could be mapped.
As you can see, I have a role “sales” defined for user “ameya” in my IDP. But this role wasn’t defined in the application's web.xml, so I was getting the error HTTP 401 Unauthorized.
I simply added the role to the web.xml of my application and re-deployed the application to HANA Cloud Platform. To understand how to add a pre-defined role to an application's web.xml, follow this link – SAP HANA Cloud Platform > Enabling Authentication Example 1. Follow the instructions to add a new role and rename it to “sales”.
Now, re-deploy the application to HANA Cloud Platform.
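As an added preflight check before re-deploying (my own example, not code from the post or from SAP), this script compares the roles your IDP assigns with the roles a web.xml declares and enforces, so a role like “sales” that exists only on the IDP side is caught before it turns into a 401. The web.xml contents, the role “viewer” and the role list for “ameya” are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the namespace: "{http://java.sun.com/xml/ns/javaee}role-name" -> "role-name"
    return tag.rsplit("}", 1)[-1]

def _role_names(root, parent_tag):
    return {rn.text.strip() for el in root.iter() if _local(el.tag) == parent_tag
            for rn in el if _local(rn.tag) == "role-name" and rn.text}

def web_xml_roles(web_xml):
    """Roles a web.xml declares (<security-role>) and roles it enforces (<auth-constraint>)."""
    root = ET.fromstring(web_xml)
    return {"declared": _role_names(root, "security-role"),
            "enforced": _role_names(root, "auth-constraint")}

def role_report(idp_roles, web_xml):
    """Compare IDP-assigned roles with the deployed web.xml.

    'unmapped': assigned in the IDP but never declared in web.xml, so the platform has
    nothing to map them to and a user holding only these gets HTTP 401 (the case above).
    'undeclared': referenced by an <auth-constraint> but missing a <security-role> entry.
    """
    roles = web_xml_roles(web_xml)
    return {"unmapped": set(idp_roles) - roles["declared"],
            "undeclared": roles["enforced"] - roles["declared"]}

# Constructed web.xml before the fix: only a made-up "viewer" role exists, no "sales".
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>viewer</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>viewer</role-name></security-role>
</web-app>"""

# Same file after adding the pre-defined "sales" role, as the post describes.
WEB_XML_AFTER = WEB_XML_BEFORE.replace(
    "<auth-constraint><role-name>viewer</role-name></auth-constraint>",
    "<auth-constraint><role-name>viewer</role-name><role-name>sales</role-name></auth-constraint>",
).replace(
    "</login-config>",
    "</login-config>\n  <security-role><role-name>sales</role-name></security-role>",
)

IDP_ROLES_FOR_AMEYA = ["sales"]  # constructed: what the local IDP assigns to user "ameya"
```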
However, I was still not able to get rid of the error.
Solution – If you are still not able to log in and are getting the 401 Unauthorized error, there is a workaround that worked for me. Changing the SDK location for the runtime environment could fix this issue. I am not sure what the reason behind this strange behavior is, but I managed to fix the problem this way and have also seen others resolve the 401 Unauthorized error with it.
Simply double-click on your server and select the “Overview” tab.
Click on the “Runtime Environment” link and change the location of your SDK (NEO). Basically, extract your SDK into a different directory and set the new location here for the runtime environment. If the “Runtime Environment” link is disabled for you, as it was for me initially, you will have to create a new IDP server and change the SDK location there. Again, I am not sure why this happens, but I want to focus on possible fixes for common issues. Perhaps once the product matures we will have more clarity on how things work and the reasons for all these errors.
HANA Cloud Portal Service Not Working
This is the last and one of the most common errors. As you know, we have to set the correct proxy in order to deploy a UI5 or any other application from your office to HANA Cloud Platform, which is in a different domain. Messing up the proxy could stop you from accessing the HANA Cloud Portal service. For example, you have logged in to the HANA Cloud Platform Cockpit, and then you click on the HANA Cloud Portal service to navigate to Cloud Portal. You get authenticated and then simply get a blank page.
Solution 1 – If you are working with a local IDP, you will have to define roles for all users who will be authenticated from the IDP to HANA Cloud Portal. You will have to do this before you set up and change the trust provider in HANA Cloud Platform. Let’s say you are going to have a user named “ameya” who will have “Creator” access to HANA Cloud Portal, and a user named “Admin” who will have “Administrator” access to HANA Cloud Portal. Set up access and roles for both these users before you set up a new trust provider in HANA Cloud Platform.
If you fail to do this, you will have to revert to the default trust provider, which is SAP ID Service, log in to HANA Cloud Portal, add the roles, and then change the trust provider back to the local IDP. Otherwise, you will keep getting either an unauthorized error or a blank page when logging on to HANA Cloud Portal.
Solution 2 – Check the proxy. If you have added an exception in your proxy settings with an entry that looks something like *.hanatrial.ondemand.com or *.ondemand.com, remove the exception and apply the proxy settings again. This should enable you to log in to HANA Cloud Portal.
Solution 3 – This is not a solution actually. Sometimes SAP performs maintenance of the HANA Cloud infrastructure, and in that case you cannot stop, start, or deploy any application to HANA Cloud Platform. When you try to deploy an application, you get an error saying – There was an error deploying the application to HANA Cloud. To confirm whether the SAP HANA Cloud infrastructure is in maintenance mode, navigate to Window > Show View > Error Log in Eclipse. Double-click on the error entry and check whether there is any mention of maintenance mode. If there is, you will see something like this –
As you have seen, I have tried to focus mainly on finding fixes for some of the most common errors while setting up a local IDP with HANA Cloud Platform. Unfortunately, I will not be able to give any explanation or provide reasons why something works and why something does not. The product itself is in its initial phase and is yet to mature. I think as we go along, the product will become more robust and there will be explanations for all possible errors. Till then, fix any errors you have, and gain valuable experience.