Error when logging on for external ID "": Error during SAML 2.0 logon

Former Member
0 Kudos


I'm getting the below error when trying to use SAML SSO for an ABAP Webdynpro page on a NW 7.4 system. When I access the page, it redirects to the identity provider, comes back to the page and it shows the logon page. I'm looking for any ideas of things I could look at.

N  SAML20 SP (client 400): Incoming Response

N  SAML20 Binding:          POST

N  SAML20 IdP Name:         http://xxxxxx/adfs/services/trust

N  SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Responder

N  SAML20 SP (client 400): Default ACS endpoint: https://xxxxxx/sap/saml2/sp/acs/400 , old default ACS endpoint

N  SAML-Trace: CALL 'SAML login': SY-SUBRC = 222 , PWDCHG = 0

N  *** ERROR => SAML-Trace: Path = /sap/bc/webdynpro/sap/oauth2_authority [sign.c       16519]

N  {root-id=005056AD26DF1ED4B69880FF4BE51F68}_{conn-id=005056AD26DF1ED4B69880FF4BE53F68}_1

N  *** ERROR => SAML-Trace: Returncode = 222 [sign.c       16519]

N  *** ERROR => SAML-Trace: Message class = SAML number = 011 [sign.c       16519]

N  *** ERROR => SAML-Trace: Message = Error when logging on for external ID "": Error during SAML 2.0 logon [sign.c       16519]

I have updated the service to use alternate logon procedure and added the handler CL_HTTP_EXT_SAML20

I have added the identity provider through transaction SAML2, but it does not seem to be working.

Here is a decrypted SAML assertion:

<samlp:Response ID="_9c844d84-8117-4851-8270-aeb12e935daf"








  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"></Issuer>

  <ds:Signature xmlns:ds="">


  <ds:CanonicalizationMethod Algorithm="" />

  <ds:SignatureMethod Algorithm="" />

  <ds:Reference URI="#_9c844d84-8117-4851-8270-aeb12e935daf">


  <ds:Transform Algorithm="" />

  <ds:Transform Algorithm="" />


  <ds:DigestMethod Algorithm="" />





  <KeyInfo xmlns="">







  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">

  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive" />
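
Added example, not part of the original thread: the trace above logs only the top-level status (Responder), while the response also nests a second-level code (NoPassive). This Python sketch decodes a POST-binding SAMLResponse value and returns the whole status chain; the names `status_chain`, `explain` and `SAMPLE` are hypothetical, and the sample message is constructed. It is a diagnostic for captured responses only and does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Meanings paraphrased from the SAML 2.0 core specification.
MEANING = {
    "Success": "request succeeded",
    "Requester": "error attributed to the requester (the SP)",
    "Responder": "error attributed to the responder (the IdP)",
    "NoPassive": "IdP could not authenticate the user passively, as requested",
    "AuthnFailed": "IdP could not authenticate the user",
    "RequestDenied": "IdP chose not to process the request",
}

def status_chain(saml_response_b64):
    """Return the status codes of a POST-binding SAMLResponse, outermost first."""
    xml = base64.b64decode(saml_response_b64)  # POST binding: base64, no deflate
    if b"<!DOCTYPE" in xml:
        # SAML messages carry no DTD; refuse rather than expand entities.
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(xml)
    chain = []
    node = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    while node is not None:
        value = node.get("Value", "")
        chain.append(value[len(PREFIX):] if value.startswith(PREFIX) else value)
        node = node.find(f"{{{SAMLP}}}StatusCode")  # descend to the nested code
    return chain

def explain(chain):
    """Attach a short meaning to each code in the chain."""
    return [f"{c}: {MEANING.get(c, 'see the SAML 2.0 core status codes')}" for c in chain]

# Constructed sample mirroring the status structure shown in the post.
SAMPLE = base64.b64encode(b"""<samlp:Response ID="_constructed-example" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>""").decode()

if __name__ == "__main__":
    print("\n".join(explain(status_chain(SAMPLE))))
```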




Accepted Solutions (1)

Former Member

I'm facing the same error. Did you find any solution for this issue? I would appreciate it if you could share the solution.

0 Kudos

I did find a solution. In my case, I was using ADFS. ADFS would authenticate successfully and redirect back to SAP but without the user ID. Kind of a strange behaviour!

I found that we had a mismatch in the certificate key lengths. I replaced the certificates in STRUSTSSO2 to use 2048 key length (and made sure we used 2048 as setting in ADFS) and that was it!

Former Member
0 Kudos

Thank you for your reply, we are using ADFS as well.

In our STRUSTSSO2 we have the SYSTEM PSE key length as 1024, Algorithm DSA with SHA-1.

And under SSL Client SSL client (standard) we imported the ADFS certificate with key length 2048 and the RSA with SHA-256 algorithm. Could this be an issue?

Which is the best way to resolve this: regenerating the SAP cert with 2048, or ADFS to 1024?

Thank you


0 Kudos

Solve it in STRUSTSSO2.

The certificates for SSF SAML2 Service Provider - Encryption and Signing are generated as 1024 using the SAML2 wizard. Replace them using RSA SHA-256 with 2048 key length. After that, import them again in ADFS.

Former Member
0 Kudos

Thank you

As per your advice, I regenerated the certs with 2048 key length in STRUST for both SSF SAML2 Service Provider E and S.

Now my question: which one should I export and import to ADFS, only the signing cert? Since ADFS is maintained by a separate team, I want to give them the correct cert.


0 Kudos

The ADFS team needs both of them. There are two tabs to configure on the Relying Party; the Encryption and the Signature.

Former Member
0 Kudos

Sorry for not responding earlier, I was trying to find what we did, but I no longer have access on the system I was on at the time.

I'll mark the response as correct. Were you able to resolve your issue?

Answers (3)

0 Kudos

Did someone find a solution to this?

0 Kudos

Did you find a solution?

Active Contributor
0 Kudos

Hi Brian,

I am not sure, but you could check the below thread and a couple of SAP Notes.

1799402 - Automatic account creation for SAML 2.0 SP

1257108 - Collective Note: Analyzing issues with Single Sign On (SSO)

It may help you to resolve / identify the cause of the issue.