So I recently started working on Hana Cloud Platform, and one of the first challenges that awaits me is to figure out how to achieve SSO in a set of simple applications my team is writing on Hana Cloud Platform.
Since we are working on Hana Cloud Platform, choosing an ID service is easy: it has got to be SAP Cloud Identity Service. Here are the steps you need to follow to get started on HANA Cloud Platform with the SCI service.
Objective: At the end of this blog you should be able to
- Run a simple greeting service that greets the logged-in user, using the SAP Cloud SDK, on your local machine
- Deploy the greeting service to the cloud and configure the application and the SCI tenant to greet the end user.
Prerequisites: In order to make the scenario work, you need an HCP account and access to a tenant of the SCI service. You may want to work with your SAP contact to get a handle on both of them. You can also request trials online. Once you have access to both, please ensure that you have set up your Eclipse with the SAP Cloud SDK. You can follow the instructions on this link to set up your development environment.
Let's get started.
- Fire up your Eclipse and create a new Dynamic Web Project. Here are a few things to set while you create it:
- Name: sayHello
- Target Runtime: SAP -> Java Web Tomcat 8. It may ask you to set the path to a Neo SDK. I set it to the folder where I unzipped the neo-java-web-sdk-3.30.16 SDK. I chose the default workbench JRE, which is a SAP JVM in my case.
- Dynamic Web Module Version -> 3.1
- I set my sources folder on the build path to /src/main and the default output folder to build/target
- I check Generate web.xml deployment descriptor in the wizard.
- Java Package: com.sample.helloworld
- Class name: Greeting
- URL mapping: /greeting
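As an added example (not code from the original post), here is a Greeting servlet that matches the package, class name and URL mapping above. It assumes web.xml declares a FORM login-config so that the container performs the login; the servlet only reads the resulting principal, which is what lets the same code work against the local user store and, after deployment, against the SCI tenant.

```java
package com.sample.helloworld;

import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Greets the authenticated user. Authentication itself is left to the container's
// FORM login (assumed to be declared in web.xml): on the local Java Web Tomcat 8
// runtime that is the local user store; on HCP it becomes the SAML flow against SCI.
@WebServlet("/greeting")
public class Greeting extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // No session yet: hand over to the container's login mechanism.
            // authenticate() returns false once it has started the login
            // (redirect or login page), so we stop here and wait for the callback.
            if (!request.authenticate(response)) {
                return;
            }
            user = request.getUserPrincipal();
        }
        // The greeting is per user, so keep it out of shared caches.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().println("<html><body><p>Hello, "
                + escapeHtml(user.getName()) + "</p></body></html>");
    }

    // The user name is supplied by the identity provider, not by us,
    // so escape it before writing it into the page.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```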
Now that we have a locally authenticated service working in our Eclipse, let's publish the application to HCP and outsource our authentication to SCI. Here are the steps to do that:
- Right-click in the Servers window of your Eclipse and choose New Server.
- In the dialog box that shows up, choose SAP -> SAP Cloud Platform. Enter the correct region host for your HCP account. You can find the available regions and hosts here. Mine happens to be int.sap.hana.ondemand.com. (If the host for your region is not listed on that page, check the post here, as it may help you figure out your host. SAP uses some conventions, so you may crack it yourself.)
- Enter the application name as sayhello. You can leave the runtime to be chosen automatically.
- The subaccount name is available in your Hana Cloud Cockpit. Enter the subaccount and your credentials.
- Add the sayHello application to the configured resources for the server and press Finish.
- It will take some time, but finally the application should be deployed successfully. Copy your application URL from the Servers window and hit the greeting service in a browser. The URL for my service was https://sayhelloi031884sapdev.int.sap.hana.ondemand.com/sayHello/greeting and the error I got was "Identity Provider could not process the authentication request received. Delete your browser cache and stored cookies, and restart your browser. If you still experience issues after doing this, please contact your administrator." The error is unintuitive and should have said something like "There is no IdP configured for this application, so I can't allow you to log in".
The application is now deployed successfully on HCP, so let's proceed to configure SCI for this application. The steps are numbered because later steps refer back to earlier ones.
1. Open your HCP cockpit and navigate to the subaccount in which you deployed the sayHello application.
2. On the left-hand side navigation choose Security -> Trust and click
3. Change the Local Service Provider from Default to Custom and click Generate Key Pair to generate a new key pair. Leave Principal Propagation and Force Authentication Disabled, and save.
4. Select the next tab, i.e. Application Identity Provider, and click Add Trusted Identity Provider.
5. Before you proceed any further, open your SCI tenant in a new browser tab. I have mine hosted on https://i031884.accounts400.ondemand.com/admin/. Log on to this tenant as administrator, go to Tenant Settings -> SAML 2.0 Configuration and download the metadata file.
6. Go back to the HCP cockpit (i.e. the browser tab you were using in step 4 to add the trusted identity provider). Browse to and select the metadata file we downloaded in step 5. Choose Save. i031884.accounts400.ondemand.com should now be your default identity provider.
7. Go to the Local Service Provider tab and click Get Metadata again (the metadata now carries the certificate of the key pair you generated in step 3, which is what the IdP will use to verify requests from this application). Save the file in your downloads folder.
8. Go back to the SCI tenant (the browser tab we opened in step 5) and navigate to Applications and Resources -> Applications.
9. Click Add Application, give it the name sayhello and click Save.
10. Select the sayhello application and click on SAML 2.0 Configuration. Browse to the file you saved in step 7 and click Save. You have now configured the application and the IdP to trust and know each other.
11. Try hitting the application again (https://sayhelloi031884sapdev.int.sap.hana.ondemand.com/sayHello/greeting in my case); it should prompt you to enter your ID and password, and you are good to go :).