You log on to SAP BTP via the Cloud Foundry CLI or the browser and you get an HTTP 401 error or see messages on the screen that indicate that your login attempt has failed.
Authentication in Cloud Foundry runs through the UAA service which tunnels the credentials supplied (such as username and password) towards a trusted Open ID Connect Identity Provider (IdP). SAP's default IdP is the SAP ID service, which is available at https://accounts.sap.com for SAP ID Service, or athttps://account.sap.com for SAP Universal ID.
To narrow down the origin of the issue, you need to check the individual components involved in the login process.
-
Open the UAA service in the browser directly, depending on your region: For example, for the European region, go to https://uaa.cf.eu10.hana.ondemand.com/ (For an overview of all Cloud Foundry landscape URLs, see Regions).
If you are redirected to https://accounts.sap.com asking for two-factor authentication and a passcode, a second factor in the form of a one-time TOTP token is mandatory.
-
See Activate TOTP Two-Factor Authentication for information about how to configure a device to generate TOTP tokens; for example, with an authenticator app.
-
Log on to your Cloud Foundry environment using two-factor authentication.
- Type
cf login. - Enter your e-mail address.
- Enter your password in the following format: <your global password><one-time-token>
- Type