Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
Amin_Omidy
Active Participant
In this blog, I'll delve into how you can troubleshoot errors in SAP IAS related to SSO and S/4 HANA private cloud. As you may know, SAP IAS is a highly competitive product when it comes to integrating SAP SaaS and PaaS solutions with S/4 HANA. Its main focus is on integration, security, compliance, simplicity, and scalability, making it an ideal choice for businesses looking to streamline their operations and ensure data security.

However, even with a reliable product like SAP IAS, errors can still occur, causing frustration and inconvenience for customers. In this blog, I will explain how we can track an error in IAS and strive to resolve it, using a real example from an issue we recently faced. Specifically, I will explore an escalation call with a customer and SI to resolve an error the customer was receiving when trying to log in to their S/4 HANA external Fiori link.

The customer claimed the SSO was configured via IAS and was working before. Recently when their users clicked on the Fiori link  (https://fiori-test.contoso.com), after using their email to authenticate (@test.example.com) the SSO is not working anymore.

I will show you how to troubleshoot this error, step by step, to help you understand the process and resolve similar issues that may arise in future.




Let’s first explain the high-level architecture of our scenario.

As you see in diagram below, S/4 HANA supported by SAP ECS team in Azure ( hyperscaler) and IAS tenant is the SAP "Identity Authentication Service" was integrated with the customer multiple IdPs .IAS enables this customer to authenticate with their Azure or Google IdPs. The existing integration helps the customer to log on in their Fiori launchpad link (S/4 HANA) via SAML2 protocol without re-entering the user password in S/4 HANA level after the respective IdP authenticated the user.

In other words, users would click on Fiori link then only prompted one time to log on with their corporate email to Google or Azure and after authenticated through, they would access to S/4 Fiori or any tiles in their S/4 Fiori dashboard seamlessly:


SSO integration with IAS and IdPs


If you follow numbers in diagram above, you can see when the user from business group A that originated from Azure (IdP), clicks on the Fiori link it would be directed to IAS and then redirected to Azure IdP ,after the user Authenticates successfully it would have access to SAP Fiori dashboard and can access to S/4 QA tile or any other tiles for SAP SaaS are enabled in their dashboard similar to below:


Fiori dashboard tiles


Here is a simple Architecture Diagram for this solution:


A simple Architecture Diagram for our scenario


Basically, all SAML2s for SaaS applications and S/4 HANA were configured in Applications section of this customer IAS tenant in below section:

https://***.accounts.ondemand.com/admin/#/applications

Applications & Resources > Applications:


All IdPs for different departments with the respective domain configured in IAS Identity Providers  section:

https://***.accounts.ondemand.com/admin/#/idPProxies

Identity Providers > Corporate Identity Providers:


IAS Corporate Identity Provider/


There are three areas probably we need to check during our troubleshooting to find the main root cause of this issue:

Identity Provider: This is the IAS Identity Provider for Google test domain (@test.examle.com) in our scenario

Application: This is the application in IAS representing the S/4 HANA  (QA1 system) or the customer test system the Fiori link pointing to

S/4 HANA QA system: Check the SAML2 configuration in S/4 HANA (ABAP) QA system including a review of the certificate expiration date

The best way to tackle this issue is ,first to download the error logs from IAS and from S/4 system (if there is any error) and then upload them to SAP Support Log Assistant self-service Tool to analyze as below:

Support Log Assistant 2.0 - Self Service Tool

Please for further detail about Support Log Assistant, check SAP Note 2990062 or the video link below:

Support Log Assistant - Self Service Tool Overview [Video]

The  Support Log Assistant is a great tool that can help to find the best resolution for your errors and you can upload multiple error log files in to this tool simultaneously. It is much better than searching on the internet or even asking ChatGPT!

To export error logs from IAS:

Log in to SAP IAS and go to Monitoring & Reporting > Troubleshooting Logs and click on "Download"


IAS error logs


To export error logs from NetWeaver ABAP system please follow links:

Troubleshooting SAML 2.0 error trace

1332726 - Troubleshooting Wizard

After I uploaded the logs to Support Log Assistant, I was guided to few Notes through this analysis and the main note specifically was relevant to our specific issue was Note 2698094.

Below you can see the result of Support Log Assistant after analyzed the logs:


Support Log Assistant Analyze


 

As you see, there was a reference to SAP note (2698094) which  was more relevant to one of main errors we were facing in IAS:

"Identity Provider could not process the authentication request received due to client error. The digital signature of the received SAML2 message is invalid. Caused by: Unable to validate signature Caused by: Signature length not correct"

Basically, to be in safe side after reviewing the Note, I requested to get a fresh Google test domain certificate (XML) from the Google team to reapply the certificate by importing it in existing IAS google test IdP. After that we should upload the certificate response from S/4 HANA to S/4 QA application in IAS.

In order to do so, we first had to get the existing IAS tenant SAML2 certificate (export)  to apply in S/4 then regenerate a new certificate response from S/4 HANA QA ABAP system.

The final step would be to upload this new S/4 HANA QA certificate response that reflects IAS tenant latest SAML to the QA application in IAS which was causing issue for the SSO.

By doing steps mentioned above we were able to renew the certificate for all layers involved in this solution to make sure SAMl2 can be established properly again.

Here is steps I followed to resolve this issue:

Step 1-Renew Google Test (IdP) in IAS:

Log on to the customer's IAS tenant and go to Identity Providers > Corporate Identity Providers:


Corporate Identity provider for Google-Test domain


 

Then navigate to “SAML 2.0 Configuration”, upload the metadata xml file we received from the google team for @test.exampple.com domain by clicking on “Browse” and point to .XML we received from the Google team:


IdP SAML2.0 Configuration



Google IdP configuration detail


We make sure “Forward All SSO Request to Corporate IdP” is on:


Forward All SSO to Corporate IdP ON


And in “Identity Federation” section use identity Authentication user store:


Identity Federation on


Step 2-Export IAS tenant certificate:

To export metadata from the IAS tenant. We can navigate to IAS Tenant Settings > SAML 2.0 Configuration:


IAS SAML2.0 Configuration


Click on “Download Metadata File” to get that in XML format:


Download Metadata File


This export file can be shared with IdP providers like Azure and Google and also will be used to get the final certificate response from S/4 HANA QA system.

Step 3-Upload IAS SAML XML in S/4 HANA QA system via SAML2 tcode:

Log on to QA1 system in S/4 HANA and run tcode SAML2 then navigate to “Trusted Provider” tab and upload two certificates from IAS and IdP:


Upload SAML2.0 Certification to S/4 system


Generate the response certificate from S/4 HANA:

In QA1 system in S/4 HANA run tcode SAML2 then go to “Local Provider” tab and export metadata:


Download the response certificate from S/4 system


Make sure , check mark all three options before click on “Download Metadata” then save the file as QA1.xml which will be used to upload in the QA1 in IAS applications section.

Step 4-Upload the S/4 HANA SAML response to the QA system in IAS Application:

Click on to the respective App in  IAS by going to “Applications” section and click on QA1-100:


Upload the certificate response from S/4 to its respective Application in IAS


Click on “SAML2.0 Configuration” then upload the XML meta data (QA1.xml) from QA1 system (Step 3) by clicking on "Browse". The rest of detail will be populated after the upload is done and there is no need to fill out any entry except reenter your Fiori link: as Default URL


Upload XML metadata in Application system in IAS



S/4 Application signing detail


Attention: always check “Conditional Authentication” section of your Application and click on “Add Rule” to have your identity provider (reflects the email domain for the user log on) if it is not already there:


Conditional Authentication entry for the IdP domain


Note: If any SaaS application facing a similar issue, we just need to renew their certificate in IAS in a similar fashion .

I hope after reading this blog you will be able to troubleshoot errors in SAP IAS and understand how you can enabled SAML2 for corporates IdP for SSO.

Conclusion



  • When you facing errors in IAS you can upload error logs in Support Log Assistant  to analyze first

  • Depends on your error you may need to troubleshoot IdP,  Applications or S/4 HANA system

  • After reviewing the related note you most likely get an idea which layer you need to focus on

  • To resolve the issue you need to have hands on in security aspect of IAS, SaaS, PaaS, and S/4

  • Please consider this as a team effort and make sure have all the required teams involved

  • Before doing your due diligent, do not create a ticket (incident) for SAP Support since it is required multiple teams to be involved and it may not be resolved in one easy call


 

You can always follow the SAP Business Technology Platform post and answer questions:
https://blogs.sap.com/tags/8077228b-f0b1-4176-ad1b-61a78d61a847/

To follow the the SAP BTP Security, post and answer questions:

https://blogs.sap.com/tags/842ea649-eeef-464c-b80c-a64b03e40158/

References:

Note 2942816 - How to export and self-analyze Troubleshooting logs from Identity Authentication

Note 3058189 - The digital signature of the received SAML2 message is invalid. Caused by: Certificate is expired

Note 2698094 - Given url does not contain SAML2 authentication request for validation

Note 2645425 - The digital signature of the received SAML2 message is invalid

Exporting the SAML Identity Provider Metadata:

https://help.sap.com/docs/CIAS_SFC/da4de2635ac348d9aebf4ace57826092/9d33762b9a5e4f92ab01c77a2d8165a0...

Configure SAML 2.0 Service Provider:

https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/51f1f7550dc24aa99...

Tenant SAML 2.0 Configuration:

https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/e81a19b0067f46469...

Share with others and Connect with us!


Please leave your comment if you have anything to add!

If you would like to ask questions, please use the community Q&A.

Give us a like and share on social media if you feel it was useful

You can follow me in People SAP :

amin_omidy

Thanks!

 
Labels in this area