I responded to a question on the SAP Community about a week ago regarding the UI theme designer. This was part of my #100DaysOfSAPCommunityQA activities. I had experienced the issue raised in the question previously myself and did eventually work out what the issue was. So, I thought I would share the solution.
The error occurs when the SAP Cloud Platform sub-account authentication takes place via an on-premise Identity Provider. It could happen using other Identity Providers, but this is where I first experienced it.
The particular issue takes place when trying to perform some actions within the UI Theme Designer including (but not limited to):
- Publishing of a theme. In this case, the user can log in and change an existing theme; however, when they try to publish, an error will occur.
- Duplication of a theme. In this case the user receives the message when trying to Duplicate an existing theme. While it does create the theme, the error occurs.
When I try to publish a theme or duplicate a theme, I receive the following popup message.
Figure:1 UI Theme Designer error
If I look at the Details I will see some additional information.
Figure:2 UI Theme Designer error – Details screen
Additionally, if you look into the console you will see a pretty clear message included. Basically, the email address of the user is not being supplied by the Identity Provider.
Figure:3 UI Theme Designer error – Console messages
So, you may be asking why is the email address not being passed in? This relates to the Trust settings for the SAP Cloud Platform sub-account. Specifically, it relates to the Assertion attributes that have been mapped for the relevant Application Identity provider.
Figure:4 SAP Cloud Platform – Trust Settings for iDP
OK, now for the solution. Let’s first go and have a look at what the current Assertion attributes are. Follow the above path to get to the Application Identity Provider Trust settings.
Figure:5 Identity Provider Trust Settings
Select the Identity Provider to go into the configuration settings and navigate to the Attributes tab as highlighted below.
Figure:6 Identity Provider – Attribute settings
You can see from the above that only 3 attributes are passed in from the identity provider. Email address is NOT one of them.
- Universal Principal Name (nameid)
- Given Name (firstname)
- Surname (lastname)
This is the reason why the error occurs.
So, from here you should map the email address as an additional attribute to make sure it is passed in.
Figure:7 Identity Provider – Including Email in Attribute settings
You can see that I have now included the email address attribute from the Identity Provider.
- Email address (email)
Now, if we try the Duplicate Theme option or try to publish, the error will no longer occur.
NOTE: You will need to log back into the Portal Service here to get the results of the change as the assertion takes place at this stage (logging in process).
Figure:8 Duplicate Theme option successful
If I look at the SAML trace as well, I can see that the email address is now passed in.
Figure:9 SAML trace including Email address
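To confirm the fix from a captured SAML trace rather than by eye, this added example (not from the original post or from SAP) reports which mapped principal attributes an assertion fails to supply. The IdP attribute names `givenname`, `surname` and `emailaddress`, the `corp.example` values and the sample assertions are constructed; `firstname`, `lastname` and `email` are the principal attributes listed on this page.

```python
import xml.etree.ElementTree as ET

SAML_URN = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_URN}
# Principal attributes this page lists in the trust settings after the fix.
REQUIRED_PRINCIPAL_ATTRS = ("firstname", "lastname", "email")

def assertion_attributes(assertion_xml):
    """Return {assertion attribute name: [non-empty values]}.
    Only inspects a trace you captured yourself; it verifies no signature."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = [v for v in values if v]
    return found

def missing_principal_attrs(assertion_xml, mapping):
    """mapping: assertion attribute name -> principal attribute, as entered
    on the Attributes tab. Returns required principal attributes that are
    unmapped, absent from the assertion, or sent with an empty value."""
    present = assertion_attributes(assertion_xml)
    supplied = {principal for name, principal in mapping.items()
                if present.get(name)}
    return [p for p in REQUIRED_PRINCIPAL_ATTRS if p not in supplied]

def sample_assertion(attributes):
    """Constructed, unsigned assertion for the demo (not a real trace)."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_URN}"><saml:Subject>'
            '<saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement>'
            '</saml:Assertion>')

# Constructed before/after inputs; the IdP-side names are assumptions.
BEFORE = sample_assertion({"givenname": "Jane", "surname": "Doe"})
AFTER = sample_assertion({"givenname": "Jane", "surname": "Doe",
                          "emailaddress": "jane.doe@corp.example"})
MAPPING_BEFORE = {"givenname": "firstname", "surname": "lastname"}
MAPPING_AFTER = {**MAPPING_BEFORE, "emailaddress": "email"}

if __name__ == "__main__":
    print("before fix:", missing_principal_attrs(BEFORE, MAPPING_BEFORE))
    print("after fix: ", missing_principal_attrs(AFTER, MAPPING_AFTER))
```

The check also flags the case where the IdP sends the email attribute but the trust settings do not map it, and the case where the attribute arrives with an empty value.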
This completes the solution for this particular error; however, I have since found out through some of the comments that the Guided Answers also include the troubleshooting for this issue. Let me now cover this.
I received some feedback on the blog post (from Ervin Szolke) and found that this error is detailed in the Guided Answers for the UI Theme Designer. I will now take you through how to find this so that you can become more familiar with how to use the guided answers. It does provide some really good assistance for other areas not only the UI Theme designer.
Navigate to the Guided Answers and the following screen will be displayed.
Figure:10 Guided Answers home page
Use the Search field and enter “UI Theme designer”.
Figure:11 UI Theme Designer search in Guided Answers
A list of topics will show up in the list based on your selection but you can see that the UI Theme Designer issues topic is included.
Figure:12 UI Theme Designer – Guided Answer topic
Select the topic as highlighted above to start troubleshooting.
Figure:13 UI Theme troubleshooting
The guided answers will start taking you through some questions to focus in on the exact issue you are receiving. Select the [Design time] option here as this is happening when you are trying to duplicate or build the theme.
Figure:14 Guided Answers – UI Theme Designer – Design Time
Select the [Create / Build / Rebuild / Save theme] option and continue on.
Figure:15 Guided Answers – UI Theme Designer – Build / Rebuild theme options
Select the [SAP Cloud Platform] option as selected above. The following result will then be shown detailing more information on what the issue could be which matches the exact error we are receiving.
Figure:16 Guided Answers – UI Theme Designer – Theme compiling issues
This links to an SAP note that describes the missing email address issue that needs to be supplied by the Identity provider. This is seriously good!!!
The fix can be found here. This completes the use of the Guided Answers to try and find a solution to this issue.
There are some nuances when using an Identity Provider on the UI Theme Designer, another of which I documented in this blog post here, where the Account Developer custom role was required to be created.
Hope this helps others out there that may come across this issue.
As always feel free to post a comment, Like or Follow this content as a valued SAP Community member.
Thanks for reading