Recently, I was trying to set up a local IDP in my Eclipse and connect it to HANA Cloud Platform so that I could test how a custom authentication process works with applications deployed on HANA Cloud Platform. Even though there is a help document available that takes you through the detailed process of setting up a local IDP, I was not able to set up my local IDP on the first try. I faced a number of errors and was clueless about how to fix them. In this blog, I will try to cover the errors I faced while configuring a local IDP and how I managed to resolve them all.

Note – These errors are not an exhaustive list of all possible errors. You might get a different error altogether while working on your own IDP configuration. However, these are common errors, and with this blog you will be able to quickly fix the missing configuration.

Unable to Login with IDP User

Though this was not an error as such, it was a roadblock. I was not able to test the IDP configuration with HCP and I was clueless about what I had missed. Take a look at the error snapshot and the user configuration in my local IDP.

[Image: Local+IDP_user.png]

[Image: Local+IDP_cusom.png]

As you can see, I have a user “ameya” defined in my local IDP and I was trying to log in and run the application simply with this configuration. Even though I was providing the correct credentials, I was not able to get through.

Solution – I had not uploaded the local IDP metadata XML when configuring the new trust provider in HANA Cloud Platform. I had no clue that I needed to download the local IDP metadata XML. Instead, I was trying to upload the metadata XML that I had downloaded from the local trust provider. I got this file by clicking on the “Get Metadata” link in HANA Cloud Platform.

[Image: error_537612.png]

I was simply uploading the XML I got after clicking “Get Metadata” while configuring a new “Trusted Identity Provider”. When I tried uploading this file, I got a pop-up that stated “There was a problem uploading XML”, and none of the required fields were populated automatically. I didn’t know that the fields should be populated automatically when you upload the correct XML file from the local IDP.

To establish trust between the local IDP and HANA Cloud Platform, you need to upload the local IDP metadata XML to HANA Cloud Platform while configuring a new trust provider. Also, you have to copy the HANA Cloud Platform local trust provider metadata XML to your local IDP so that both the IDP and HANA Cloud Platform can recognize one another.

Simply enter this URL in a browser window to download the local IDP metadata XML file – http://localhost:8080/saml2/localidp/metadata

This will download a metadata file named localidp-metadata.xml

Note – If you face any problem downloading this file, check the proxy settings of your browser.

You will have to upload this file to the new trusted identity provider, and all required fields should populate automatically, even the name field. If you have to type in any field manually, that means you are not uploading the correct XML file.

[Image: localidp_537613.png]
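A quick way to check a metadata file before uploading it, as an added example that is not part of the original post: it tells IdP metadata (an IDPSSODescriptor, which is what the trusted identity provider dialog needs) apart from service-provider metadata (an SPSSODescriptor, the side HCP's own “Get Metadata” link describes) and pulls out the fields that should populate automatically. The sample document is constructed; its entityID, endpoint and certificate are placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, trimmed-down IdP metadata in the shape of a localidp-metadata.xml;
# the entityID, endpoint and certificate are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="localidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/saml2/localidp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def describe_metadata(xml_text: str) -> dict:
    """Classify a SAML 2.0 metadata document and pull out the fields a trust
    configuration needs. A non-metadata file raises instead of half-importing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not SAML metadata, root element is {root.tag}")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    info = {
        "entity_id": root.get("entityID"),
        "is_idp": idp is not None,                                      # identity provider side
        "is_sp": root.find(f"{{{MD_NS}}}SPSSODescriptor") is not None,  # service provider side
        "sso_endpoints": [],
        "signing_certs": 0,
    }
    if idp is not None:
        for svc in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
            info["sso_endpoints"].append((svc.get("Binding"), svc.get("Location")))
        for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
            if kd.get("use", "signing") == "signing":  # no "use" attribute means signing and encryption
                info["signing_certs"] += len(kd.findall(f".//{{{DS_NS}}}X509Certificate"))
    return info

def is_uploadable_idp_metadata(xml_text: str) -> bool:
    """True only for IdP metadata with an entityID, at least one SSO endpoint and a
    signing certificate: the fields the trust dialog is expected to fill in."""
    info = describe_metadata(xml_text)
    return info["is_idp"] and bool(info["entity_id"]) and bool(info["sso_endpoints"]) and info["signing_certs"] > 0
```

If the file you are about to upload reports is_sp instead of is_idp, you are holding HCP's own metadata rather than the IdP's, which is the mistake described above.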

With this, I was able to get the custom login screen provided by the local IDP, as shown below.

[Image: blog15_537647.png]

However, after login, I was getting yet another error – HTTP 401 Unauthorized!

HTTP 401 Error

[Image: IDP+error.png]

I thought I would be able to run the application now and test the local IDP authentication. I had even assigned a role “sales”, which I had defined for the IDP user, in the HCP roles section.

[Image: IDP-roles.png]

However, I was still getting the HTTP 401 error, and this was because there was no “sales” role defined in my application’s web.xml.

Solution – I found that application authentication with the local IDP and HANA Cloud Platform works on the basis of “pre-defined” roles. These roles are the application roles we define in the web.xml of the application. Unfortunately, I had defined a number of roles in the “Roles” section of my IDP, but I had no corresponding roles defined in the application that would do the mapping.

[Image: IDP role.png]

As you can see, I have a role “sales” defined for user “ameya” in my IDP. But this role wasn’t defined in the application web.xml, so I was getting the error HTTP 401 Unauthorized.

I simply added the role to the web.xml of my application and re-deployed the application to HANA Cloud Platform. To understand how to add a pre-defined role to the application web.xml, follow this URL – SAP HANA Cloud Platform > Enabling Authentication Example 1. Follow the instructions to add a new role and rename it to “sales”.

Now, re-deploy the application to HANA Cloud Platform.
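To see why the 401 happens, here is an added example (not the post's or SAP's code) that reads the roles a web.xml declares and requires and compares them with the roles the IdP assigns to a user. Both web.xml fragments are constructed: the first admits only the assumed role “manager”, which the IdP never grants, and the second declares and admits “sales” the way the post describes.

```python
import xml.etree.ElementTree as ET

JEE_NS = "http://java.sun.com/xml/ns/javaee"  # default namespace of a Servlet 3.0 web.xml

# Constructed web.xml fragments. BEFORE only admits the assumed role "manager",
# which the IdP never assigns; AFTER also declares and admits "sales".
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

WEB_XML_AFTER = WEB_XML_BEFORE.replace(
    "<auth-constraint><role-name>manager</role-name></auth-constraint>",
    "<auth-constraint><role-name>manager</role-name><role-name>sales</role-name></auth-constraint>",
).replace("</web-app>", "  <security-role><role-name>sales</role-name></security-role>\n</web-app>")

def role_names(web_xml: str, parent_tag: str) -> set:
    """Role names under every <parent_tag> element; namespace-aware, because the
    javaee default namespace makes a plain findall("role-name") return nothing."""
    root = ET.fromstring(web_xml)
    names = set()
    for parent in root.iter(f"{{{JEE_NS}}}{parent_tag}"):
        for rn in parent.findall(f"{{{JEE_NS}}}role-name"):
            names.add((rn.text or "").strip())
    return names

def diagnose_401(web_xml: str, idp_roles: set) -> dict:
    """Compare the roles the IdP assigns to a user with what web.xml requires.
    A 401 is expected when a constraint applies and none of the user's roles
    satisfies it (a role-name of "*" admits any role declared in the app)."""
    required = role_names(web_xml, "auth-constraint")
    declared = role_names(web_xml, "security-role")
    satisfiable = required & idp_roles
    any_declared_role = "*" in required and bool(idp_roles & declared)
    return {
        "required": required,
        "undeclared_user_roles": idp_roles - declared,  # assigned in the IdP, unknown to the app
        "satisfiable": satisfiable,
        "expect_401": bool(required) and not satisfiable and not any_declared_role,
    }
```

Run diagnose_401 with the role set shown in your IdP's “Roles” section; anything listed under undeclared_user_roles is a role the application cannot map, exactly the situation that produced the 401 above.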

However, I was still not able to get rid of the error.

Solution – If you are still not able to log in and are getting the 401 Unauthorized error, there is a workaround that worked for me. Changing the SDK location for the runtime environment could fix this issue. I am not sure what the reason behind this strange behavior is, but I managed to fix the problem this way and have also seen others resolve the 401 Unauthorized error with it.

Simply double-click on your server and select the “Overview” tab.

[Image: blog17_538700.png]

Click on the “Runtime Environment” link and change the location of your SDK (NEO). Basically, extract your SDK into a different directory and set the new location here for the runtime environment. If the “Runtime Environment” link is disabled for you, as it was for me initially, you will have to create a new IDP server and change the SDK location there. Again, I am not sure of the reason why this happens, but I want to focus on possible fixes for common issues. Perhaps, once the product matures, we will have more clarity on how things work and the reasons for all these errors.

HANA Cloud Portal Service Not Working

This is the last and one of the most common errors. As you know, we have to set the correct proxy in order to deploy UI5 or any other application from your office to HANA Cloud Platform, which is in a different domain. Messing up the proxy could stop you from accessing the HANA Cloud Portal service. For example, you have logged in to the HANA Cloud Platform Cockpit and then click on the HANA Cloud Portal service to navigate to Cloud Portal. You get authenticated and then simply get a blank page.

Solution 1 – If you are working with a local IDP, you will have to define roles for all users who will be authenticated from the IDP to HANA Cloud Portal. You have to do this before you set up and change the trust provider in HANA Cloud Platform. Let’s say you are going to have a user named “ameya” who will have “Creator” access to HANA Cloud Portal, and a user named “Admin” who will have “Administrator” access to HANA Cloud Portal. Set up access and roles for both these users before you set up a new trust provider in HANA Cloud Platform.

If you fail to do this, you will have to revert to the default trust provider, which is SAP ID Service, log in to HANA Cloud Portal and add the roles, and then change the trust provider back to the local IDP. Otherwise, you will keep getting either an unauthorized error or a blank page while logging on to HANA Cloud Portal.

Solution 2 – Check the proxy. If you have added an exception in your proxy settings with an entry that looks something like *.hanatrial.ondemand.com or *.ondemand.com, remove the exception and apply the proxy settings again. This should enable you to log in to HANA Cloud Portal.

Solution 3 – This is not a solution, actually. Sometimes SAP performs maintenance of the HANA Cloud infrastructure, and in that case you cannot stop, start, or deploy any application to HANA Cloud Platform. When you try to deploy an application, you get an error saying – There was an error deploying application to HANA Cloud. To confirm whether the SAP HANA Cloud infrastructure is in maintenance mode or not, navigate to Window > Show View > Error Log in Eclipse. Double-click on the error entry and check whether there is any mention of maintenance mode. If there is, you will see something like this –

[Image: blog18_538702.png]

As you have seen, I have tried to focus mainly on finding fixes for some of the most common errors while setting up a local IDP with HANA Cloud Platform. Unfortunately, I will not be able to give any explanation or provide a reason why something works and why something does not. The product itself is in its initial phase and is yet to mature. I think as we go along, the product will become more robust and there will be explanations for all possible errors. Till then, fix any error you have and gain valuable experience.


11 Comments


  1. Matthias Steiner

    Many thanks Ameya for taking the time to write this detailed post about the issues you are facing. Let me see if I can get the experts to look at the challenges you describe, because it should work just fine. From experience I can say that usually it just boils down to a tiny mistake along the way…

    On a separate note: for all those working with IDPs and exchanging SAML tokens – there’s a great tool for Firefox called SSO Tracer that helps you look into the data exchange between your IDP and your browser.

    Cheers,

    Matthias

    1. Ameya Pimpalgaonkar Post author

      Hi Matthias,

      I agree that in the end, it just boils down to small mistakes. However, as the product is relatively new, a lot of consultants will make these errors along the way. For example, I have hardly seen anybody asking how to configure SSO between SAP Portal and R/3. As we go forward, we will have a greater understanding of concepts such as cross domain requests, SAML tickets and so on.

      On the side note, thanks a ton for mentioning the SSO Tracer. I think a lot of consultants cannot install add-ons on their office system because of network restrictions. Nevertheless, we can always ask for an exception 🙂

      Best,

      Ameya

      1. Yunjun Wang

        Hi, Ameya

        I’m getting an HTTP Status 404 error that says the requested resource is not available while trying to download the local metadata file from: localhost:8080/saml2/localidp/metadata/

        Do you know how to set the proxy correctly?

        1. Ameya Pimpalgaonkar Post author

          A couple of points: first, check whether a proxy is configured in your browser settings. Second, check if localhost is getting resolved. If not, add an entry to the hosts file. Apart from these, there should be no error. Let me know if you still face any issue.

          Best Regards,

          Ameya

            1. Ameya Pimpalgaonkar Post author

              In that case, one reason for this error is that your custom IDP app isn’t deployed! If it is not deployed on the HANA platform, I guess it will not create the directory on your machine that stores the metadata either. Is your IDP up and running?

            2. Yunjun Wang

              localhost:8080/saml2/localidp/metadata gave me a Java error:

              Message:

              sun.security.tools.KeyTool

              StackTrace:

              java.lang.ClassNotFoundException: sun.security.tools.KeyTool

              at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:501) (I didn’t copy the rest of the error as it was too long)

              localhost:8080/saml2/localidp/metadata/ gave me an HTTP 404 error

              1. Ameya Pimpalgaonkar Post author

                Ok, in this case, can you physically navigate to the project directory on your system? Look for the location of the workspace, then navigate to the IDP project and then saml2 > localidp > metadata.

                Ameya

                1. Yunjun Wang

                  Hi, Ameya

                  I have the directory \workspace\Servers\Java EE 6 Web Profile Server-config\work\Catalina\localhost\saml2_localidp, and there’s only a folder called ‘org’ under it, no metadata.

                  But I didn’t find a path with ..\saml2\localidp\metadata

                  It seems the local server is not working properly for the IDP.

                  Unless I’m looking at the wrong directory.

                  _____________________________________________________________________
                  BTW,

                  I’m following the openSap online course: https://open.sap.com/courses/hanacloud1-2/items/1afcdjvxVVytmuun74jBJj#459

                  Introduction to SAP HANA Cloud Platform (Repeat), Rui Nogueira and Martin Grasshoff

                  Week 4, Unit 3

