cancel
Showing results for 
Search instead for 
Did you mean: 

Error when loggong on for external ID "": Error during SAML 2.0 logon

Former Member
0 Kudos
5,009

Hi,

I'm getting be below error when trying to use SAML SSO for a ABAP Webdynpro page on a NW 7.4 system. When I access the page, it redirects to the identity provider, comes back to the page and it shows the logon page. I'm looking for any ideas of things I could look at.

N  SAML20 SP (client 400): Incoming Response

N  SAML20 Binding:          POST

N  SAML20 IdP Name:         http://xxxxxx/adfs/services/trust

N  SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Responder

N  SAML20 SP (client 400): Default ACS endpoint: https://xxxxxx/sap/saml2/sp/acs/400 , old default ACS endpoint

N  SAML-Trace: CALL 'SAML login': SY-SUBRC = 222 , PWDCHG = 0

N  *** ERROR => SAML-Trace: Path = /sap/bc/webdynpro/sap/oauth2_authority [sign.c       16519]

N  {root-id=005056AD26DF1ED4B69880FF4BE51F68}_{conn-id=005056AD26DF1ED4B69880FF4BE53F68}_1

N  *** ERROR => SAML-Trace: Returncode = 222 [sign.c       16519]

N  *** ERROR => SAML-Trace: Message class = SAML number = 011 [sign.c       16519]

N  *** ERROR => SAML-Trace: Message = Error when logging on for external ID "": Error during SAML 2.0 logon [sign.c       16519]

I have updated the service to use alternate logon procedure and added the handler CL_HTTP_EXT_SAML20

I have added the identity provider through transaction SAML2, but it does not seem to be working.

Here is a decrypted SAML assertion:

<samlp:Response ID="_9c844d84-8117-4851-8270-aeb12e935daf"

  Version="2.0"

  IssueInstant="2015-04-02T00:21:06.477Z"

  Destination="https://xxxxxxxxx/sap/saml2/sp/acs/400"

  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

  InResponseTo="S005056ad-26df-1ed4-b699-c4c630853f68"

  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

  >

  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxx.com/adfs/services/trust</Issuer>

  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

  <ds:SignedInfo>

  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

  <ds:Reference URI="#_9c844d84-8117-4851-8270-aeb12e935daf">

  <ds:Transforms>

  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

  </ds:Transforms>

  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

  <ds:DigestValue>08HK08VLpJC23JoQs+p+oHbDBvjRF+9NwBeowmlFTrY=</ds:DigestValue>

  </ds:Reference>

  </ds:SignedInfo>

  <ds:SignatureValue>xxxxxxx</ds:SignatureValue>

  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

  <ds:X509Data>

  <ds:X509Certificate>MIIFPjCCBCagAwIBAgIHAMFKH58TFzANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8xMzAxBgNVBAMTKkdvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjAeFw0xNDAxMjMxOTM3MThaFw0xNzAxMjMxOTM3MThaMEIxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UEAxMUZnNwcm94eTItZGV2LmlndC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAM13/bboldFRmDGK3QBbxlDREoGuQEUWeroZCDM/tH7Rk+AjgXbc4pkon13EwKi7q9brzkBMCY3HH9Ep2BUHjopydy+AWQH9vjLK2wXD/+6T4FCG1i8Kt+lRrcxRWUugnBuK+BRgxEJDz7ap8KvcRk6ERWQrx5Co8K7ey5nEqjapCDJQg3Yrkxo2pEWGBKSIXXmpU+CgK03y4HOW19/rmdcyLThjchn+Jgxe8obL4tiVk4D/X36wOqtV/1cnIjGak/px/p1oQEGD5PC7F3FIZConhUu7PJDLmioqdGcimZvFiZK6xQJyzy90lm0dHRT1qhkC9TTsGvAAMCh/gn41xAgMBAAGjggHEMIIBwDAPBgNVHRMBAf8EBTADAQEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTExLmNybDBTBgNVHSAETDBKMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8wdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wOQYDVR0RBDIwMIIUZnNwcm94eTItZGV2LmlndC5jb22CGHd3dy5mc3Byb3h5Mi1kZXYuaWd0LmNvbTAdBgNVHQ4EFgQUMRTW5O0fpR4kET2ED84QAS6ZXBowDQYJKoZIhvcNAQELBQADggEBAKCQfnSSA1gs6qyYKqAqQKhhRRhC4wMtZJLZUmMGPe2q+QM4dQxJgrFy2OVG6I4dXFrxINGlPdJVVXBKtLn9Fm2t0Cb8lAV3rLruEfRJTDK6MeDFOD5qXgU4higpuDGrAmqKvMIOk7VJA0gPbW4lasgqGQXzOspZCmCIWwOqcIDZRr0wo09QLidegr/phjZMzuy8IO0U1w7U6MX767qcl3RGcqRwpquMtMiaw5ROx9v3DK3JOemlqQwKy/uzzBohzYln6AYim8cnZMvfaKDLYNwE0+Rg6nmemlf6PXOjE3Uisc71v3uFstWsXzUPhDeQlycFzPDT4t4srIaxdMrEs3w=</ds:X509Certificate>

  </ds:X509Data>

  </KeyInfo>

  </ds:Signature>

  <samlp:Status>

  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">

  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive" />

  </samlp:StatusCode>

  </samlp:Status>

</samlp:Response>

Accepted Solutions (1)

Accepted Solutions (1)

Former Member

I'm facing the same error, did you found any solution for this issue? would appreciate if if you could share the solution

mig1
Participant
0 Kudos

I did find a solution. In my case, I was using ADFS. ADFS would authenticate successfully and redirect back to SAP but without the user ID. Kind of a strange behaviour!

I found that we had a mismatch in the certificate key lengths. I replaced the certificates in STRUSTSSO2 to use 2048 key length (and made sure we used 2048 as setting in ADFS) and that was it!

Former Member
0 Kudos

Thank you for ur reply, we are using ADFS as well.

In our Strustsso2 we have the SYSTEM PSE key length as 1024, Algorithm DSA with SHA-1.

and under SSL Client SSL client (standard) we imported the ADFS certificate key length as 2048 and RSA with SHA-256 algorithm? Could this be an issue?

Which is the best way to resolve, regenerating SAP cert with 2048? or ADFS to 1024?

Thank you

Senthil

mig1
Participant
0 Kudos

Solve it in STRUSTSSO2.

The certificates for SSF SAML2 Service Provider - Encryption and Signing are generated as 1024 using the SAML2 wizard. Replace them using RSA SHA-256 with 2048 key length. After that, import them again in ADFS.

Former Member
0 Kudos

Thank you

As your ur advise, I regenerated the certs with 2048 key length in Strust for both SSF Saml2 service provide E and S.

Now my question which one I should export and import to ADFS only the signing cert? since ADFS is maintained by a seperate team, I want to given them the correct cert.

Regards

mig1
Participant
0 Kudos

The ADFS team needs both of them. There are two tabs to configure on the Relying Party; the Encryption and the Signature.

Former Member
0 Kudos

Sorry for not responding earlier, I was trying to find what we did, but I no longer have access on the system I was on at the time.

I'll mark response as correct. were you able to resolve your issue?

Answers (3)

Answers (3)

former_member612251
Participant
0 Kudos

Did someone find a solution to this?

mig1
Participant
0 Kudos

Did you find a solution?

AtulKumarJain
Active Contributor
0 Kudos

Hi Brian,

I am not sure but you could check below thread and couple of sap note.

1799402 - Automatic account creation for SAML 2.0 SP

1257108 - Collective Note: Analyzing issues with Single Sign On (SSO)

It may help you to resolve / identify the cause of the issue.

BR

AKJ