We have configured a NetWeaver Gateway to use Microsoft Active Directory Federation Server (ADFS) as an Identity Provider and all in all everything is working great with one exception. We are trying to use SAPUI5 (JavaScript) to access OData services on the Gateway and we are having issues with the calls for $metadata.
After staring at Fiddler for many hours, I think I know what might be happening.
Whenever a SAPUI5 web page makes a call to an OData service, it actually calls the Gateway server a number of times.
1) It requests the metadata for the service.
2) It calls the service asking for a count of the results.
3) It calls the service and retrieves the data.
The problem is with the first call, $metadata. If this is the first call of the session (the one forcing authentication), the call hangs. If it's not the first call of the session (the session is already authenticated), everything works. My working theory is that requests for $metadata don't require authentication (anonymous authentication). However, the federation driven redirections are confusing things and causing the request to fail.
The simple workaround for this problem is to always be already authenticated before requesting $metadata. A single ‘trip’ to ADFS sets the SAML tokens that are good for the rest of the browsing session. If the session is already authenticated, the redirection on the $metadata request doesn’t happen and everything works. With the NetWeaver Business Client, the authentication occurs as part of the client startup. That’s why we’ve never seen this issue in any of our testing using NWBC. For other ‘outside-in’ clients (e.g. Internet Explorer) the JavaScript programmer needs to ensure that JavaScript code has ‘initialized’ the connection (forced authentication to occur) before the $metadata call occurs. He can do this by doing an HTTP GET against some bogus content on the SAP server.
My guess is that most SAP clients never run into this issue because they store their HTML pages on the same server as their web services. The act of pulling up their HTML pages is in effect ‘initializing’ their connections.
Has anyone else encountered this issue? Is there a more elegant solution than my workaround?
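The workaround described in the post, written out as an added example (this is not code from the original post, from SAP, or from SAPUI5): issue one cheap GET against the Gateway host so the ADFS redirect trip sets the session cookies, and only then request $metadata. It also adds the check a practitioner would want here: because a federation redirect can hand back an HTML sign-in page with HTTP 200, the metadata response is verified to be XML before it is used, so a silent redirect never gets parsed as service metadata. Assumptions: plain `fetch` is used instead of the SAPUI5 ODataModel, the service and warm-up URLs (`/sap/bc/ping` under `gw.example.invalid`) are hypothetical placeholders, and the in-memory "gateway" at the end is a constructed simulation of the behaviour the post describes, not a real server.

```javascript
// Added example: prime the session before $metadata, then verify the reply is XML.
// primeSession(): one GET whose only purpose is to trigger (and follow) the ADFS
// redirect chain so the browser ends up holding the session cookies.
async function primeSession(fetchFn, warmUpUrl) {
  const res = await fetchFn(warmUpUrl, { credentials: 'include' });
  return { ok: res.ok, redirected: res.redirected === true };
}

// Decide whether a $metadata response body is really EDMX/XML. An HTML body
// (typically a sign-in page) means the request was redirected, not served.
function looksLikeXml(contentType, body) {
  const ct = (contentType || '').toLowerCase();
  if (ct.includes('xml')) return true;
  if (ct.includes('html')) return false;
  const head = body.trimStart();
  return head.startsWith('<?xml') || head.startsWith('<edmx:');
}

// Request $metadata and refuse to treat anything but XML as metadata.
async function loadMetadata(fetchFn, serviceUrl) {
  const res = await fetchFn(serviceUrl + '/$metadata', {
    credentials: 'include',
    headers: { Accept: 'application/xml' },
  });
  const body = await res.text();
  const contentType = res.headers.get('content-type');
  if (!res.ok || !looksLikeXml(contentType, body)) {
    throw new Error(
      '$metadata did not return XML (status ' + res.status +
      ', content-type ' + contentType + '); session is probably not authenticated yet'
    );
  }
  return body;
}

// The ordering the post recommends: warm-up GET first, $metadata second.
async function initODataService(fetchFn, serviceUrl, warmUpUrl) {
  await primeSession(fetchFn, warmUpUrl);
  return loadMetadata(fetchFn, serviceUrl);
}

// Constructed simulation of the Gateway+ADFS behaviour described in the post
// (hypothetical, for running this example offline): the first request of an
// unauthenticated session comes back as an HTML sign-in page after the redirect,
// and that trip establishes the session, so later requests are served normally.
function makeFakeGateway() {
  let authenticated = false;
  const calls = [];
  const reply = (status, contentType, body, redirected) => ({
    ok: status >= 200 && status < 300,
    status,
    redirected,
    headers: { get: (h) => (h.toLowerCase() === 'content-type' ? contentType : null) },
    text: async () => body,
  });
  const fetchFn = async (url) => {
    calls.push(url);
    if (!authenticated) {
      authenticated = true; // the redirect trip to ADFS sets the session cookies
      return reply(200, 'text/html', '<html><body>ADFS sign-in</body></html>', true);
    }
    if (url.endsWith('/$metadata')) {
      return reply(200, 'application/xml', '<?xml version="1.0"?><edmx:Edmx/>', false);
    }
    return reply(200, 'text/plain', 'pong', false);
  };
  return { fetchFn, calls };
}

// Usage against the simulated gateway (constructed URLs):
const gw = makeFakeGateway();
initODataService(
  gw.fetchFn,
  'https://gw.example.invalid/sap/opu/odata/sap/ZSVC',
  'https://gw.example.invalid/sap/bc/ping'
).then((xml) => console.log('metadata loaded after', gw.calls.length, 'requests:', xml));
```

Requesting $metadata cold against the same simulated gateway makes `loadMetadata` throw instead of handing an HTML page to the OData client, which is the failure the post observes as a hang; with the warm-up GET in front, the second request is served as XML.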