
SAML2 with ADFS using web dispatcher does not work


Dear All,

I have configured Single Sign-On for NWBC using SAML2 with ADFS 3.0. Currently the scenario works perfectly. Now, I want to extend this to include a web dispatcher. Sadly, I cannot get this to work. I have followed this discussion:

SAML 2.0 Service Provider for AS ABAP and Web Dispatcher or Proxy - Security and Identity Management...

I have deleted the previous SAML2 config and configured it after accessing the SAML UI via the webdispatcher. I have downloaded the metadata and reconfigured the relying party accordingly.

Now, single sign-on works for NWBC only if accessed directly using the server URL, but does not work when accessed via the web dispatcher. The error message is:

No relay state mapping found for value xxxxxxxxx

Does anyone know if there is anything additional I need to do?

I have checked the metadata file downloaded from SAML config and find no information about the web dispatcher URL. I can't see how this is expected to work.

Any ideas/thoughts are highly appreciated.

Regards

Joyee

JoeGoerlich
Active Contributor

Hello,

I had a similar issue and fixed it by switching the settings for the authentication response in the IdP settings on AS ABAP:

In the traces from sec_diag_tool I found that after this adjustment the AssertionConsumerServiceURL is added to the outgoing AuthnRequest:

SAML20 SP (client 100): Outgoing AuthnRequest
SAML20 Binding: POST
SAML20 Signed: True
SAML20 IdP Name: rs.entitlement.siemens.com
SAML20 Destination: https://IdP.com/GetAccess/Saml/IDP/SSO/Post
SAML20 <samlp:AuthnRequest ID="S005b1-28c-1ee-981-b92aa112"
SAML20 Version="2.0"
SAML20 IssueInstant="2016-08-12T13:08:04Z"
SAML20 Destination="https://IdP.com/GetAccess/Saml/IDP/SSO/Post"
SAML20 ForceAuthn="false"
SAML20 IsPassive="false"
SAML20 AssertionConsumerServiceURL="https://your-server.com/"
SAML20 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML20 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
SAML20 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

My IdP uses this AssertionConsumerServiceURL for the redirect after successful authentication, and then the relay state could be mapped.

Hopefully this could help you

Regards

Johannes Goerlich
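The answer above hinges on one attribute of the outgoing AuthnRequest: the AssertionConsumerServiceURL tells the IdP where to post the SAMLResponse, and it has to name the host the browser actually started on (the web dispatcher), not the backend server. The script below is an added example, not code from this thread or from SAP: it strips the "SAML20 " prefix from a sec_diag_tool style trace, parses the AuthnRequest, and reports whether the ACS URL matches the expected public hostname. The trace text, hostnames and the `public_host` parameter are constructed for the example; the trace layout mirrors the excerpt in the answer, but the parsing of that layout is an assumption.

```python
"""Check an outgoing SAML 2.0 AuthnRequest captured in an SP trace for an
AssertionConsumerServiceURL that does not match the public (web dispatcher) host.

Added example for this thread; not SAP code. Trace text and hostnames are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed trace excerpt: one attribute per line, each prefixed "SAML20 ",
# shaped like the sec_diag_tool output quoted in the answer (assumed layout).
SAMPLE_TRACE = """\
SAML20 SP (client 100): Outgoing AuthnRequest
SAML20 Binding: POST
SAML20 Signed: True
SAML20 IdP Name: idp.example.com
SAML20 Destination: https://idp.example.com/SSO/Post
SAML20 <samlp:AuthnRequest ID="S005b1-28c-1ee-981-b92aa112"
SAML20 Version="2.0"
SAML20 IssueInstant="2016-08-12T13:08:04Z"
SAML20 Destination="https://idp.example.com/SSO/Post"
SAML20 ForceAuthn="false"
SAML20 IsPassive="false"
SAML20 AssertionConsumerServiceURL="https://sapserver.internal.example:44300/sap/saml2/sp/acs/100"
SAML20 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML20 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
SAML20 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sapserver.internal.example:44300</saml:Issuer>
SAML20 </samlp:AuthnRequest>
"""


def extract_authn_request(trace: str) -> str:
    """Drop the 'SAML20 ' trace prefix and return the AuthnRequest element as one XML string."""
    lines = [re.sub(r"^SAML20 ", "", ln) for ln in trace.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("<samlp:AuthnRequest"))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("</samlp:AuthnRequest>"))
    # Attributes were split one per line; whitespace between them is valid XML.
    return " ".join(lines[start:end + 1])


def parse_authn_request(xml_text: str) -> dict:
    """Return the request attributes the IdP acts on (ID, Destination, ACS URL, binding)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),  # None if the SP omitted it
        "binding": root.get("ProtocolBinding"),
    }


def check_acs_url(req: dict, public_host: str) -> list:
    """Return findings; an empty list means the ACS URL is consistent with the public host."""
    findings = []
    acs = req.get("acs_url")
    if not acs:
        # Without the attribute the IdP falls back to whatever endpoint it has on file.
        findings.append("AuthnRequest carries no AssertionConsumerServiceURL")
        return findings
    parsed = urlparse(acs)
    if parsed.scheme != "https":
        findings.append(f"ACS URL is not https: {acs}")
    if parsed.hostname != public_host.lower():
        findings.append(
            f"ACS host {parsed.hostname!r} differs from public host {public_host!r}: "
            "the IdP would post the response to a host the browser did not start SSO on"
        )
    if req.get("binding") != HTTP_POST:
        findings.append(f"unexpected ProtocolBinding {req.get('binding')!r}")
    return findings


if __name__ == "__main__":
    request = parse_authn_request(extract_authn_request(SAMPLE_TRACE))
    for finding in check_acs_url(request, "webdispatcher.example.com") or ["ACS URL consistent"]:
        print(finding)
```

Run against the constructed trace with the web dispatcher hostname, the check reports the host mismatch; with the backend hostname it reports nothing, which is the situation in the question where direct access works and access through the dispatcher does not.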