
SAML2 No Entity in with ID error during verification of SAML response from IDP in BW4HANA 2.0

paulmitch25
Explorer
0 Kudos

We are getting an error that the entity from the response is not matching the Identity provider in the database.

The SAML2 error is reporting a shorter SAML2 name than what is in the provider name in SAML2.

CX_SAML20_CORE error

CL_SAML20_ENTITY->GET_ENTITY_FROM_DB (Line 304)

It seems to be truncating the name of the IDP from the SAML response to 50 characters, which doesn't match the value in the SAML2 transaction from uploading the XML from Azure AD.

We have a BW4HANA 2.0 753 SP7.

RolandKramer
Active Contributor
0 Kudos

Hello

Can you have a look at the Blog - https://blogs.sap.com/2022/02/16/next-mystery-solved-proper-sac-connection/#sac_saml2 - and check again the correct SAML2 Setup.

This configuration is also done on SAP BW/4 2.0 (SAP Basis 7.53), at least SP10, which means there might be some corrections needed as well.

Best Regards Roland

paulmitch25
Explorer
0 Kudos

Hi Roland,

Thanks for your response. It is a very nice document. I will try to organize and upgrade to SP10 from SP7.

We managed to get SSO working with SAC using our corporate IdP. In addition, we have the Live and Tunnel connections from SAC working, but not with SSO to BW4HANA.

We are using the Saml-trace extension in chrome and everything seems to work beautifully up to the verification of the SAML response. We keep getting thrown back to the SP logon screen, even after the IDP comes back with a SAML response with the Subject being the correctly parsed user name for BW (after applying the prefix transformation in the IDP.)

The problem arises after the SAML response is parsed and BW is validating the IDP ID (entity ID) against the ID in the SAML2 transaction (the one that we populated by importing the XML from the IDP).

I had a problem with XML in BPC where the Answerprompt from our legacy BW 7.3 could not be interpreted by our BPC 11.1 because the InfoProvider kept including all the XML. It turned out that the escape character '\n' was not visible to the XML parser in BW in the newline search. I had to create a Z program that specifically searched for '\n' instead of newline. This may sound irrelevant, but it shows that we had issues with the parsing of documents and escape characters.

Interestingly, on the error message, the IDP name is truncated at exactly 50 characters which is too short. I don't think that this is because the variable to hold this name in the error message (I think MSG1 or 2) is 50 characters.

Up to the verification of the SAML response, everything seems to work well.

Regards,

Paul
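The check Paul describes (BW comparing the Issuer entity ID from the SAML response against the IdP entity ID stored in transaction SAML2, and the error showing only the first 50 characters) can be reproduced outside the system from a SAML trace. The script below is an added example written for this thread, not code from SAP, from the blog Roland links, or from either poster: it parses a SAML 2.0 Response, pulls the Issuer from the Response and from each Assertion, and reports whether a mismatch with the configured entity ID is explained by one side being cut at 50 characters (the figure from the thread) or by stray whitespace such as a newline around the value. The sample response, the tenant GUID in it, and the helper names are all constructed for the example; it does not model how CL_SAML20_ENTITY->GET_ENTITY_FROM_DB actually behaves.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Length at which the thread reports the IdP name being cut off in the error.
SAP_TRUNCATION_LENGTH = 50

# Constructed sample (invented tenant GUID, not a real one): a minimal, unsigned
# SAML Response with an Azure AD style Issuer longer than 50 characters. The
# Assertion Issuer is padded with newlines on purpose to exercise whitespace handling.
SAMPLE_IDP_ENTITY_ID = "https://sts.windows.net/00000000-1111-2222-3333-444444444444/"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2022-03-01T10:00:00Z">
  <saml:Issuer>{SAMPLE_IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-03-01T10:00:00Z">
    <saml:Issuer>
      {SAMPLE_IDP_ENTITY_ID}
    </saml:Issuer>
    <saml:Subject><saml:NameID>PAUL</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_issuers(xml_text):
    """Return (response_issuer, [assertion_issuers]) with surrounding whitespace removed."""
    root = ET.fromstring(xml_text)
    resp_issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    assertion_issuers = [
        a.findtext("saml:Issuer", default="", namespaces=NS).strip()
        for a in root.findall("saml:Assertion", NS)
    ]
    return resp_issuer, assertion_issuers


def compare_entity_id(configured, received, limit=SAP_TRUNCATION_LENGTH):
    """Compare the Issuer received in a response with the configured IdP entity ID.

    truncation_suspected is True when the values differ only because one of them is
    exactly `limit` characters long and is a prefix of the other.
    """
    configured = configured.strip()
    received = received.strip()
    exact = configured == received
    truncated = False
    if not exact:
        shorter, longer = sorted((configured, received), key=len)
        truncated = len(shorter) == limit and longer.startswith(shorter)
    return {
        "exact_match": exact,
        "truncation_suspected": truncated,
        "configured_length": len(configured),
        "received_length": len(received),
    }


def diagnose(configured_entity_id, xml_text):
    """Run the checks you would do from a browser SAML trace; returns a list of findings."""
    findings = []
    resp_issuer, assertion_issuers = extract_issuers(xml_text)
    if not resp_issuer:
        findings.append("no <saml:Issuer> on the Response element")
    for i, issuer in enumerate(assertion_issuers):
        if issuer != resp_issuer:
            findings.append(f"assertion {i} Issuer differs from Response Issuer")
    result = compare_entity_id(configured_entity_id, resp_issuer)
    if result["exact_match"]:
        findings.append("Issuer matches configured IdP entity ID")
    elif result["truncation_suspected"]:
        findings.append(
            f"Issuer differs only by truncation at {SAP_TRUNCATION_LENGTH} characters "
            f"(received {result['received_length']}, configured {result['configured_length']})"
        )
    else:
        findings.append("Issuer does not match configured IdP entity ID")
    return findings


if __name__ == "__main__":
    # Healthy case, then the case where the stored value is only the first 50 characters.
    for configured in (SAMPLE_IDP_ENTITY_ID, SAMPLE_IDP_ENTITY_ID[:SAP_TRUNCATION_LENGTH]):
        for line in diagnose(configured, SAMPLE_RESPONSE):
            print(f"{configured!r}: {line}")
```

To use it on a real case, paste the base64-decoded Response from the SAML-tracer extension in place of the constructed sample and the entity ID shown in transaction SAML2 in place of the constructed one; a "differs only by truncation" finding points at a stored or compared value that is shorter than the Issuer the IdP actually sends, while a plain mismatch with equal lengths points at a different entity ID (for example a metadata re-import from another tenant).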