topic Re: SAML Destination errors in security log in Application Development and Automation Discussions

SAML Destination errors in security log

Former Member — Tue, 23 Jan 2007 22:39:20 GMT

We have configured SAML on a number of hosts, so we thought we had the config of this pretty well down. But in a recent config, we are unable to get our J2EE to contact the SAML source (a 3rd party SAML assertion authority).

The error in the security log is:

#1.5#0003BADBD644001700000031000018C4000427BCC716793A#1169591654316#/System/Security/SAML/JAAS#sap.com/irj#com.sap.security.core.server.saml.jaas.SAMLLoginModule.login()#Guest#3#####SAPEngine_Application_Thread[impl:3]_26##0#0#Error#1#com.sap.security.core.server.saml.jaas.SAMLLoginModule#Java###An exception occurred. Further details should be available in the audit trace for location "". The exception text is: "".#2#com.sap.security.core.server.saml.jaas.SAMLLoginModule#The destination with key "ireport1.bloomberg.com" could not be read from the destinations service.: The properties for destination ireport1.bloomberg.com of type HTTP could not be located.: <~~Localization failed: ResourceBundle='com.sap.exception.io.IOResourceBundle', ID='No such destination ireport1.bloomberg.com of type HTTP exists ', Arguments: []~~> : Can't find resource for bundle java.util.PropertyResourceBundle, key No such destination ireport1.bloomberg.com of type HTTP exists

The ports are open between the J2EE host and SAML authority, so I'm not sure what this destination service that the error refers to is.

Any ideas?

Re: SAML Destination errors in security log

Former Member — Wed, 24 Jan 2007 13:13:12 GMT

Hi Dave,

I would guess that there is a mismatch between the destination configured in SAML and what is configured in the destination service. At least this part of the error message leads me to believe this:

No such destination ireport1.bloomberg.com of type HTTP exists

The relevant parameter for the SAML service is

<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/2d/d1f1285432da4d8ff121b47363e54d/frameset.htm">DestinationName</a> (seams to be set to 'ireport1.bloomberg.com') and the definitions in the Destination service. Please check that in the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/c4/4bf969fb2a48908224679e83e9d805/frameset.htm">destination service</a> there really is a destination of type HTTP named ireport1.bloomberg.com.

Kind regards,

Patrick

Re: SAML Destination errors in security log

Former Member — Wed, 24 Jan 2007 18:55:49 GMT

Thanks for that tip. I missed that config. The destination service was not configured yet.

Now I have a followup...our source SAML is load balanced between 2 hosts (A and B).

In our test, we made the SAML connection between host A and SAP. Then we reconfigured to make a direct test between host B and SAP. Does the SAML configuration in SAP allow for providing more than one SAML source? I don't see this option in the configtool when I'm setting up the SAML parameters to allow more than one sourceID/destination.

Re: SAML Destination errors in security log

Former Member — Wed, 24 Jan 2007 19:05:34 GMT

I should also add that our SAML source is a 3rd party Juniper/Neoteris VPN. The config on it is very straightforward where we specify the sourceID(hex) and Issuer ID(i.e. destination for SAP). While we could set these to be the load balanced name, the problem occurs when SAP tries to respond back to the SAML. If it responds to the load balanced URL for the SAML authority, it may not go back to the one that issued the assertion and therefore fail.

Re: SAML Destination errors in security log

Former Member — Tue, 30 Jan 2007 14:28:46 GMT

bumping to top for any further advice...

Re: SAML Destination errors in security log

Former Member — Fri, 02 Feb 2007 12:20:02 GMT

Hi Dave,

no this is not supported. However what you can do is using the same hostname for both systems (and the same certificates). The Loadbalancer then can connect the SAML service to the system as defined in the settings of the balancer.

regards,

Patrick

Re: SAML Destination errors in security log

Former Member — Fri, 02 Feb 2007 14:40:52 GMT

Thank you for the info. I think I need some clarification...Let me explain the environment.

We have two VPN/SAML Sources for redundancy purposes. They are called ireport1 and ireport2. The DNS alias is simply 'ireport'. When a user accesses 'ireport', they get passed to either #1 or #2.

At that point, they provide credentials to login to the VPN (Juniper Neoteris), which authenticates them against our own LDAP. Once that has occured, ireport(1 or 2) will make the call the the SAP Portal, which is configured to accept SAML as a logon method.

In the SAP Portal system, if we were to configure the SAML SourceID as simply 'ireport', and the destination(responder URL) as just 'ireport/xxx/yyy', what happens when a user makes their request from ireport1, but the responder calls back 'ireport' and gets 'ireport2'?

Re: SAML Destination errors in security log

Former Member — Fri, 02 Feb 2007 20:05:31 GMT

Just to follow up - we have configured our SAML configuration as follows:

In the configtool, under the partnersinbound connections, I have 2 sub-configs - one for each SAML Source system.

In the Admintool destinations service, I have also configured these with the appropriate response.

So, now when we access our SAML source alias (ireport), we get passed to ireport1 or ireport2, and then the authentication occurs, and the response goes back to the correct URL as defined in the Destination service.

So, it appears to work, but you have me curious as to what you meant when you said it is not supported?

Re: SAML Destination errors in security log

Former Member — Mon, 05 Feb 2007 14:34:30 GMT

Hi Dave,

maybe I had some misunderstanding here. What I referred to was a HA system of SAML sources sharing the SAME SAML ID. If you have to SAML sources that are independent of each other, this is not an issue.

So what I meant was, that if both SAML sources share the same SourceID, then you may run into trouble, as as far as I remember, the destination is selected based on the SourceID and thus you will only be able to specify one SAML source.

It appears to me, that you have a destination id for each of you SAML sources right ?

Regards,

Patrick

Re: SAML Destination errors in security log

Former Member — Mon, 05 Feb 2007 14:42:56 GMT

That is correct. Initially I had configured both SAML sources (1 and 2) with the same sourceIDs. So we now have unique sourceIDs with unique destinations for each one and the solution is working. It seems to me that not many customers are using SAML based on the limited posts or info on SDN. I may need to write a blog about our environment....

Re: SAML Destination errors in security log

Former Member — Mon, 05 Feb 2007 14:53:31 GMT

Hi Dave,

well the feedback I have so far was, that it just had been to easy to install which sounds a bit better. Even your question wasn't really a problem, as you did solve it yourself

Regards,

Patrick

Re: SAML Destination errors in security log

Former Member — Mon, 10 Dec 2007 07:55:22 GMT

Hello David,

Can you expand a little bit about your Juniper solution.

I'm looking for a solution that will let our employees to access the portal from anywhere in the world with reasonable performance.

Many thanks,

Eli