Former Member

ADFS 2016 and SAP Cloud Platform

Hello,

I'm working as an IT consultant and I've created a trial account to test ADFS 2016 federation with SAP Cloud Platform for a customer.

I followed, step by step, the following link:

https://blogs.sap.com/2017/01/25/how-to-configure-ms-adfs-3.0-as-identity-provider-for-sap-hana-cloud-platform/

The configuration seems OK, but when I try to go to the URL https://iotcockpitiotservices-p1943013815trial.hanatrial.ondemand.com/com.sap.iotservices.cockpit/ with a standard AD account, there is a popup asking for credentials and then the following error:

"Missing Authorization
You are not authorized to access this page. Check the URL or contact your administrator.
Reload application"

If I try to go to "https://ADFSFQDN/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://hanatrial.ondemand.com/p1943013815", I get the following error:

"HTTP Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState."

What am I doing wrong?

FYI, I'm a complete beginner for the SAP part...

Thanks for your assistance


2 Answers

  • Best Answer
    Oct 25, 2017 at 04:39 PM

    Hi,

    It seems your configuration is OK, but unfortunately I can't reproduce your error, because it's working in my environment. I'm using ADFS 3.0 on Windows 2012 R2 instead of Windows 2016.

    Probably the popup asking for username and password comes from ADFS, and you need to enter the credentials (domain user). It is happening because you are not logged on to the AD domain. If you are logged on to the domain, it should not appear.

    If you followed my configuration, then you have set the application to work only through SP-initiated instead of IdP-initiated sign-on. In this case, only connections started on the Service Provider (SCP) will be accepted.

    If you try to connect using IdP-initiated sign-on (IdpInitiatedsignon.aspx on ADFS), you will receive the following message:

    HTTP Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState.

    The right URL to access your application is: https://iotcockpitiotservices-p1943013815trial.hanatrial.ondemand.com/com.sap.iotservices.cockpit

    Sometimes, when you have many connections to SCP open in your browser, you can receive a message telling you that you don't have authorizations. To avoid this behavior, I really recommend that you do your tests using a "New Incognito Window" (Chrome) or an InPrivate Browsing window (Internet Explorer). Believe me, I spent a lot of time on the first configuration due to this behavior. Also, you must guarantee that the entire path starting from "/adfs" is accessible from the browser.

    Best Regards,

    Alex Belle.

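As an added illustration of the SP-initiated-only behaviour Alex describes (example code written for this page, not from the post, SAP or ADFS; the class, the application URL and the constructed Response are assumptions), a toy model of an SP Assertion Consumer Service that only accepts responses to its own AuthnRequests and rejects an IdP-initiated sign-on, which arrives with neither RelayState nor InResponseTo:

```python
# Toy SAML SP ACS (assumed design, not SAP Cloud Platform's implementation).
# Signature and assertion validation are deliberately left out to focus on the
# SP-initiated vs. IdP-initiated distinction behind the HTTP 400 on this page.
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NO_RELAYSTATE_MSG = ("Service Provider endpoint saml2/sp/acs could not redirect to "
                     "original application URL because it has not received RelayState.")


class SpInitiatedOnlyAcs:
    """Tracks outstanding AuthnRequest IDs and the application URL each should return to."""

    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> original application URL

    def start_login(self, app_url):
        """SP-initiated flow: mint a request ID and remember where to send the user back."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = app_url
        # The SP sends the AuthnRequest plus RelayState=app_url to the IdP, which echoes both back.
        return request_id, app_url

    def consume(self, saml_response_xml, relay_state=None):
        """Handle a samlp:Response posted to saml2/sp/acs. Returns (http_status, message_or_url)."""
        root = ET.fromstring(saml_response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return 400, "Not a samlp:Response"
        if relay_state is None:
            # IdP-initiated sign-on: the IdP never received a RelayState, so the SP
            # has no original application URL to redirect to.
            return 400, NO_RELAYSTATE_MSG
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.pending:
            return 400, "Unsolicited or replayed Response (unknown InResponseTo)"
        app_url = self.pending.pop(in_response_to)  # one-time use: blocks replay
        if app_url != relay_state:
            return 400, "RelayState does not match the pending request"
        return 302, app_url


def build_response(in_response_to=None):
    """Constructed sample Response; a real one also carries an Assertion and a Signature."""
    attrs = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attrs}/>'
```

Calling `consume(build_response(), None)` reproduces the RelayState error from the question, while a response to a request started with `start_login` redirects to the stored application URL exactly once.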

  • Former Member
    Oct 27, 2017 at 09:24 AM

    Hi,

    Thanks for your answer.

    Indeed, I was using the wrong URL and my endpoint in ADFS was misconfigured.

    It's now solved.

    Thanks.
