We were able to configure our on-premises installation of HANA Express to connect to our Azure Active Directory and perform SAML single sign-on with all of our XSA applications.
This was working perfectly for a few weeks... until we restarted the HANA database (via the PuTTY/SSH command line: HDB stop/start).
This restart appears to have broken SSO for all of the XSA applications, and we now receive this UAA SSO error when we try to launch any XSA application:
https://*******/uaa-security/login?error=idp_not_found
When we run a SAML trace on a sign-on attempt, this is the error in the trace logs:
WARN --- LoginSamlDiscovery: Unable to find SAML IDP
org.cloudfoundry.identity.uaa.provider.saml.LoginSamlDiscovery$UnableToFindSamlIDPException: Unable to locate IDP provider for alias:httpssts.windows.ne***********
DEBUG --- FilterChainProxy: Securing GET /login?error=idp_not_found
The rest of the HANA UAA is working perfectly, as you can still sign on to the applications manually with user credentials; it is just the SSO part that is broken.
We know all of the required XSA configuration is in place, as the SSO was working for a number of weeks.
Since the error occurred, we have tried re-enabling the trust between HANA XSA and the Azure IDP, but the error persists.
We have also tried re-importing the Azure AD metadata into HANA XSA (and the XSA metadata back into Azure AD).
It is hard to think how a HANA restart would break SSO, but the root cause is not being revealed by the SAP XSA SAML trace.
The only online reference to the specific UAA error that we have found is:
https://github.com/cloudfoundry/uaa/issues/440
However this github issue does not reveal the root cause either.
We are running HANA Express 2.0 SP6 (2.00.061.00.1644229038), XSA version 1.0.145.
The connection between Azure AD and XSA is via enabling a trust relationship using metadata (Import of XSA metadata into Azure AD and vice versa).
Any suggestions or leads to point us in the right direction for known issues would be much appreciated, as we seem to be roadblocked now.
Kind regards,
Tony.
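Added example (not part of Tony's post and not SAP or Cloud Foundry code): a small offline check that pulls the unresolved IdP alias out of a UAA SAML trace of the kind quoted above and compares it with the entityID, HTTP-Redirect SSO endpoint and signing certificate in an IdP metadata document. The metadata and trace lines are constructed for illustration (made-up tenant GUID, placeholder certificate). The alias derivation in `expected_alias` is an assumption: the truncated `httpssts.windows.ne...` in the trace looks like the entityID URL with its punctuation stripped, but that rule is not confirmed by SAP documentation, so treat a mismatch reported by this script as a lead, not a verdict.

```python
"""Cross-check the IdP alias in an XSA UAA 'idp_not_found' trace against the
IdP metadata that was imported.  Added example; metadata and trace below are
constructed, not taken from the original post."""
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed Azure AD style federation metadata (tenant GUID is made up).
IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...constructed-placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed trace in the same shape as the lines quoted in the post, with a
# full (made-up) alias instead of the masked one.
UAA_TRACE = """\
WARN --- LoginSamlDiscovery: Unable to find SAML IDP
org.cloudfoundry.identity.uaa.provider.saml.LoginSamlDiscovery$UnableToFindSamlIDPException: Unable to locate IDP provider for alias:httpssts.windows.net11111111-2222-3333-4444-555555555555
DEBUG --- FilterChainProxy: Securing GET /login?error=idp_not_found
"""

ALIAS_RE = re.compile(r"Unable to locate IDP provider for alias:(\S+)")


def alias_from_trace(trace: str) -> Optional[str]:
    """Return the IdP alias UAA reports it could not resolve, or None."""
    m = ALIAS_RE.search(trace)
    return m.group(1) if m else None


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, HTTP-Redirect SSO URL and signing-cert count."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    sso = root.find(
        f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    certs = 0
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "encryption":  # absent 'use' means both
            certs += len(kd.findall(".//ds:X509Certificate", NS))
    return {
        "entity_id": entity_id,
        "sso_redirect_url": sso.get("Location") if sso is not None else None,
        "signing_certs": certs,
    }


def expected_alias(entity_id: str) -> str:
    """ASSUMPTION: alias = entityID with URL punctuation stripped.  This fits
    the truncated 'httpssts.windows.ne...' seen in the trace but is not
    confirmed by SAP documentation."""
    return re.sub(r"[^A-Za-z0-9._-]", "", entity_id)


def diagnose(xml_text: str, trace: str) -> dict:
    """Compare the alias UAA complains about with the imported metadata."""
    meta = parse_idp_metadata(xml_text)
    alias = alias_from_trace(trace)
    want = expected_alias(meta["entity_id"])
    findings = []
    if alias is None:
        findings.append("trace contains no 'Unable to locate IDP provider' alias")
    elif alias != want:
        findings.append(f"alias {alias!r} differs from entityID-derived "
                        f"{want!r}: metadata and registered IdP disagree")
    else:
        findings.append("alias matches the metadata entityID: the IdP record "
                        "with this alias is missing from the running UAA")
    if meta["sso_redirect_url"] is None:
        findings.append("metadata has no HTTP-Redirect SingleSignOnService")
    if meta["signing_certs"] == 0:
        findings.append("metadata carries no signing certificate")
    return {"alias": alias, "expected_alias": want,
            "alias_matches": alias == want, **meta, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(diagnose(IDP_METADATA, UAA_TRACE), indent=2))
```

Run it against the real federation metadata file exported from Azure AD and the actual XSA trace to see whether the alias UAA is looking up still corresponds to the IdP you imported; if it does, the problem is the IdP registration itself rather than a naming mismatch.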