Error while Configuring SAML Trust between Neo Environment and Cloud Foundry Environment

0 Kudos

Hi,

I am trying to configure SAML trust between the Neo environment and the Cloud Foundry environment. I have done all the steps as per SAP's document (SAP IoT Application Enablement Reuse Controls and Templates) (Document Version: 1.43.0 – 2017-11-03). But while accessing the SAP Web IDE, I am getting an error as shown in the screenshot below:

Note: My Cloud Foundry environment is on a different account and the Neo environment is on a different account.

I am able to fetch the time series data from IoT 4.0 with Postman.

Thanks,

Abhishek

Accepted Solutions (0)

Answers (1)

former_member232287
Active Participant
0 Kudos

Hi,

Can you show me what your authentication endpoint in the destinations looks like?

Recently there was the following announcement for the trust configuration between Application Enablement and Neo:

"Dear customers, There is an ACTION REQUIRED for IOT AE users of WebIDE before 15.02.2018: If you are creating IOT applications via the Web IDE, you need to apply some changes in the destination set up as described in the attached document and video. The reason behind this is that there was a change in the XSUAA that was announced at 23.11.2017 with the CF release note regarding Security: https://help.sap.com/viewer/cafc710a2446438abafad188be02bb59/Cloud/en-US/d51c12839e4549d19e53e01bc69.... This change is required to support better our Multi Cloud strategy which has been announced with the following link: https://news.sap.com/sap-cloud-platform-goes-multi-cloud-with-cloud-foundry/ If you do not change the destination links, your applications will not work any more after 15.02.2018. Customers who will receive their welcome mail starting from tomorrow (06.02.2018) should already get the updated link versions. You also do not need to wait until 15.02. to apply the changes, but you can apply them directly. Everything should be working fine in a seamless way. Best regards IOT AE Developer Experience Team"

Regards

Jan

0 Kudos

Hi Jan,

Thanks for your reply.

PFA authentication endpoint in the destinations.

Please note that my Cloud Foundry is on a different subaccount and Neo is on a different subaccount.

destination.png

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

Hi Abhishek,

The destination configuration is wrong. Please have a look into the current version of the Application Enablement documentation and configure the destinations accordingly with OAuth2SAMLBearerAssertion.

https://help.sap.com/viewer/86ce311577794701bae493bddd753aa3/latest/en-US/b11e8ace511c492693a16aaca0...

Regards

Jan

0 Kudos

Hi Jan,

As per your comment above, I have configured my destination with OAuth2SAMLBearerAssertion. Now I am getting the response code shown in the attached connection.png screenshot.

connection.png

Also, I am attaching a screenshot of my code, with which I am trying to consume the service.

code.png

While running the code I am getting a "401- Unauthorized" error.

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

Hi,

Can you please check if it works using one of the Application Enablement templates and you receive some data using them?

Regards

Jan

0 Kudos

Hi Jan,

We have already configured all these things (Application Enablement, IoT service cockpit, SAP Web IDE Full Stack) and we are able to get live data as well in my Web IDE application.

Now we are trying to connect the existing Cloud Foundry environment to another Neo account to consume the IoT service, as shown in the screenshot below. (The blue line indicates that the REST API of IoT 4.0 is to be consumed in the other Neo account.)

Using this link ( https://www.sap.com/developer/tutorials/iotae-api-postman.html ) I have followed all the steps and retrieved the service below:

https://tenant-name.iot-sap.cfapps.eu10.hana.ondemand.com/appiot-mds/Things('0F4DFD27CB3743E19E060B93B5F25677')/iot.shared.fd4iotpackage:Fd4IoT_ThingType/FD4_MQTT_Device?timerange=3M

Now I am trying to consume this service in the other Neo account's Web IDE to show the time series data. But I am getting the errors discussed earlier in this thread.

Please do let me know if any clarification is required.

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

Hi,

Yes, that helped me to understand your problem. So, your second Neo account doesn't have a trust connection to Application Enablement and therefore you tried to connect using basic authentication. But Application Enablement doesn't support basic authentication.

You have two possibilities:

  1. Establish a trust between the second Neo account and Application Enablement as well.
  2. Or you can use an OAuth Token. I have described that in another blog post [1]

Regards

Jan

[1] https://blogs.sap.com/2017/10/13/access-the-sap-iot-application-enablement-apis-using-postman/

0 Kudos

Hi Jan,

Thanks for your quick reply.

  1. As I posted in my main question, "Error while Configuring SAML Trust between Neo Environment and Cloud Foundry Environment", I have already established a trust between the second Neo account and Application Enablement, but while accessing my Web IDE it gives me the error shown in the screenshot below.

     Can you help me with the same?

  2. Thanks for your detailed blog. I will try to go through the same and will let you know.

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

Hi,

It is not possible to establish trust between a Trial Account and Application Enablement, because you can't change the identity provider for your trial account [1]. So you have to use option 2, or you have to change your architecture and deploy your app to the Neo account with the connection and consume the other services from there.

Regards

Jan

[1] https://help.sap.com/viewer/86ce311577794701bae493bddd753aa3/1.52.0.0/en-US/b30ad78a6a92448ea47b74c2...

0 Kudos

Hi Jan,

Thanks for your continuous support.

I am trying with this blog: https://blogs.sap.com/2017/10/13/access-the-sap-iot-application-enablement-apis-using-postman/ but I am getting the error "Unauthorized". PFA screenshot for your reference.

I don't know whether I am missing anything, and which credentials do I need to put here to overcome this unauthorized error?

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

Did you turn off interceptor? And what is your second header?

0 Kudos

Hi Jan,

As per the instructions in your blog, I have turned off the interceptor.

Please find below a screenshot of the header:

Can you have a look into this and let me know whether I am missing any parameter?

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

You aren't missing anything, but you should delete the 'Authorization' header. Like I said, you can't authenticate yourself using Basic auth. You'll be authenticated with the client secret.

0 Kudos

Hi Jan,

Thank you so much for your support.

Got- Status : 200 OK

and the values below are received in the response:

Please have a look and confirm whether it is a correct response that I have received.

  1. "access_token"
  2. "token_type"
  3. "expires_in"
  4. "scope"
  5. "ext_attr"
  6. "jti"

Thanks,

Abhishek

former_member232287
Active Participant
0 Kudos

Yes, looks good.
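
The outcome of the thread, as an added example that is not part of any post above and is not SAP's or the blog's code: a token request that carries no 'Authorization' header, plus a sanity check of the six response fields listed above. The client-credentials grant with form-body credentials, the JWT shape of access_token, the jti match and all sample values are assumptions made for illustration.

```python
import base64, json, time
from urllib.parse import urlencode

# Field names exactly as listed in the thread's 200 OK response
REQUIRED = ("access_token", "token_type", "expires_in", "scope", "ext_attr", "jti")

def build_token_request(token_url, client_id, client_secret):
    """Assumed client-credentials request: secret in the form body, no Authorization header."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return token_url, {"Content-Type": "application/x-www-form-urlencoded"}, body

def _claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    seg = token.split(".")[1]
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("claims are not a JSON object")
    return obj

def check_token_response(resp, now=None):
    """Return a list of problems; an empty list means the response looks usable."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in resp]
    if problems:
        return problems
    if str(resp["token_type"]).lower() != "bearer":
        problems.append("token_type is not bearer")
    if str(resp["access_token"]).count(".") != 2:
        return problems + ["access_token is not a three-part JWT"]
    try:
        claims = _claims(resp["access_token"])
    except ValueError:
        return problems + ["access_token payload is not base64url JSON"]
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token has no future exp claim")
    if claims.get("jti") != resp["jti"]:
        problems.append("jti in response does not match token")
    return problems

def bearer_headers(resp):
    """Headers for the follow-up API call: the token goes in as Bearer, never Basic."""
    return {"Authorization": "Bearer " + resp["access_token"]}

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample response (not a real token; the signature part is a dummy string)
SAMPLE = {"access_token": ".".join([_seg({"alg": "RS256"}),
                                    _seg({"jti": "constructed-jti", "exp": 2000000000}), "sig"]),
          "token_type": "bearer", "expires_in": 43199, "scope": "constructed.scope",
          "ext_attr": {}, "jti": "constructed-jti"}
```

Before trusting the claims for anything beyond a sanity check, the token signature still has to be verified against the issuer's published keys.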