Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Crash SAML2 service remotely with PAOS http header

OO
Participant
312

Dear all,

nearly one year ago, we found, that SAML2 authentication services in our BI crashes, if we send a PAOS http header.

As SAP didn't provide a solution yet, I was wondering if anyone else experienced similar behaviour.

Our goal was configuring support for Enhanced Client or Proxy, so we selected PAOS as a supported binding in SAML2 transaction:

If now a PAOS http header according to ECP specification is sent to our BI webservices from any client anywhere, SSO / SAML2 authentication is skipped and the user is asked to use Basic authentication with his BI credentials.

Using server-side SAML2 tracing by Security Diagnostic Tool, it turned out that this was due to the crash of "SAML20 SP":

Error message as text:

SAML20 SP (client 300 😞  Exception raised:
SAML20  SAML20 CX_SAML20: Unerwartete Ausnahme während der SAML-2.0-Verarbeitung: 'Eine Exception vom Typ CX_SY_REF_IS_INITIAL ist au'. Long text: Unerwartete Ausnahme während der SAML-2.0-Verarbeitung: 'Eine Exception vom Typ CX_SY_REF_IS_INITIAL ist au'. 
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 1032)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2288)
SAML20  Caused by: CX_SY_NO_HANDLER: Eine Exception vom Typ CX_SY_REF_IS_INITIAL ist aufgetreten, wurde aber weder lokal behandelt noch durch eine RAISING-Klausel deklariert.. Long text: Es ist eine Ausnahme vom Typ 'CX_SY_REF_IS_INITIAL' aufgetreten, die nirgends entlang der Aufrufhierarchie abgefangen wurde. Sie wurde weder lokal behandelt noch durch eine RAISING-Klausel deklariert.
SAML20     at CL_SAML20_AUTHN_REQUEST->SET_ATTRIBUTES(Line 12)

Call stack as text:

  CL_SAML20_TRACE->TRACE_TEXT_INTERNAL(Line 42)
    at CL_SAML20_TRACE->TRACE_EXCEPTION(Line 118)
    at CL_HTTP_SAML20->PROCESS_LOGON(Line 1038)
    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2288)

Could this issue even be security relevant, because one can "switch out" the SSO authentication from outside sending a PAOS header. In our case there is an automatic fallback to the classic system logon, but is it the same everywhere?

The error can be reproduced by injecting PAOS header with man-in-the-middle http proxies like Fiddler or "simply" writing a short script, e.g. with Windows Powershell:

  • Enabeling server-side SAML2 tracing by Security Diagnostic Tool
  • Push Windows button + R and type in powershell to start Powershell
  • Paste the following code to the command line, replacing the $Url by your own URL to an Odata webservice:
$Url = "https://<host>:<port>/sap/opu/odata/sap/<ServiceName>/<Query>(<Key>='<Value>')/Results?`$format=json"
$Headers = @{}
$Headers.Add('Accept', 'text/html;application/vnd.paos+xml')
$Headers.Add('PAOS', 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"')
$LoginResponse = Invoke-WebRequest -Uri $Url -Method GET -Headers $Headers
  • Check recorded server-side SAML2 trace in Security Diagnostic Tool
0 REPLIES 0