Service Provider has received SAML2Response from Identity Provider whose destination does not match requested URL

bryanmontgomery
Discoverer
0 Kudos

Hello all . . . hoping for a little luck here.

We've configured a brand-new SAP Portal (our "service provider") for single sign-on via SAML2 authentication, using WebSphere as our identity provider.

I can confirm that I'm receiving information from the identity provider, as the troubleshooting wizard produces results. Unfortunately, no amount of Google-fu has turned up a response to the error I'm seeing. The error is weird because it's citing the use of Port 80, rather than the standard of 50000. The error, specifically, says, "Service Provider has received SAML2Response from Identity Provider [https://websphere.mycompany.com/idp/shibboleth] whose destination [https://portal.mycompany.com/saml2/sp/acs] does not match requested URL [http://portal.mycompany.com:80/irj/portal]."

My Service Provider settings configuration does state that /irj/portal should be the default redirect once a successful SAML assertion is received, but I have nothing which points to port 80.

I'm also attaching a defaultTrace file where I've cranked up the debugging, just to see what else I can see. Any ideas?

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hello Bryan,

We are also getting the same error, using ECP Client for NetWeaver 7.3 SP18... BTW, our IdP is also Shibboleth.

Did you receive help from SAP?

Will appreciate any help/guidance...

Thanks

Vikas

xudonny
Advisor
0 Kudos

Hello,

Is your portal behind a load balancer?

If so, and you set up SSL on the load balancer and use HTTP to the portal system, this error may happen because the protocol info is missing.

You can try adding wdisp/add_clientprotocol_header = 1 if you are using Web Dispatcher, or set a header field named ClientProtocol for a reverse proxy like Apache.

Regards,

Donny
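An added diagnostic, not part of the original thread and not SAP's own check: it reads the Destination attribute from a base64-encoded SAMLResponse and reports which URL parts (scheme, host, port, path) differ from the URL the service provider says was requested. The sample response is constructed from the URLs in the error message quoted in the question, and the function names are illustrative.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: a minimal, unsigned Response carrying only the
# Destination attribute, using the URL from the error message in the thread.
SAMPLE_RESPONSE_B64 = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed" Version="2.0" '
    b'Destination="https://portal.mycompany.com/saml2/sp/acs"/>'
).decode()


def response_destination(saml_response_b64):
    """Return the Destination attribute of a base64 HTTP-POST SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"not a SAML 2.0 Response: {root.tag}")
    dest = root.get("Destination")
    if dest is None:
        raise ValueError("Response has no Destination attribute")
    return dest


def url_parts(url):
    """Split a URL into comparable parts, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return {
        "scheme": scheme,
        "host": (u.hostname or "").lower(),
        "port": u.port or DEFAULT_PORTS.get(scheme),
        "path": u.path or "/",
    }


def destination_mismatch(saml_response_b64, requested_url):
    """Map each differing URL part to (destination value, requested value)."""
    dest = url_parts(response_destination(saml_response_b64))
    seen = url_parts(requested_url)
    return {k: (dest[k], seen[k]) for k in dest if dest[k] != seen[k]}


if __name__ == "__main__":
    # The URL the portal reported as "requested" in the thread's error message.
    print(destination_mismatch(SAMPLE_RESPONSE_B64,
                               "http://portal.mycompany.com:80/irj/portal"))
```

An empty result means the two URLs agree once default ports are filled in; for the URLs in the error message the scheme, port and path all differ.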

bryanmontgomery
Discoverer
0 Kudos

Hi Donny,

Is the Portal behind a load balancer? Um, not sure exactly what you're asking, but it's not behind a web dispatcher. We have an alias URL which directs traffic via reverse-proxy to the Portal.

Interesting on the ssl/http. The alias portal.mycompany.com forces a switch to https, and directs traffic to the portal. The portal is only operating http.

The parameter you offered is appreciated, but I'm not using a web dispatcher. Don't understand the part where you said "or set a header field named ClientProtocol for reverse proxy like Apache." Can you elaborate?

By the way - our IdP (I stated WebSphere above - that was incorrect) is Shibboleth.

Thanks,

Bryan

Former Member
0 Kudos

Hi Bryan,

I am facing the same problem, but for me the identity provider is Azure AD.

Have you solved your problem?

Thanks.

bryanmontgomery
Discoverer
0 Kudos

Hi Ricardo.

No, I have not yet found a resolution to my problem; it still persists. I have deleted and reconfigured SAML2 a number of times. I've noticed that if you reconfigure it, the ACS (assertion consumer service) and various other services appear using port 50000. However, if you restart the Java stack and navigate back into NWA again to the SAML configuration, it then shows those same services as using port :80. VERY strange.

I have lodged an OSS incident with SAP Support for assistance; I will try to let you know the outcome. If you resolve it, I would appreciate the same.

Best,

Bryan

PS - I'm using Shibboleth as my IdP.

xudonny
Advisor
0 Kudos

Hi Bryan,

For Apache proxy, you may refer to a help doc:

Configuring SAML for Use in SAP Gateway - SAP Gateway Foundation (SAP_GWFND) - SAP Library

In one of my cases, nginx is used and I add this in the config file:

proxy_set_header ClientProtocol https;


Hope this helps.

Donny

former_member202592
Participant
0 Kudos

Hi Bryan,

I am more familiar with SAML 2.0 for ABAP systems, however I can try to help you out with this Java issue.

Based on the error message, it seems that there is a configuration problem on the IdP end, not on the Java SP end. This URL is the one being accessed: "http://portal.mycompany.com:80/irj/portal", thus you have to make sure that the IdP is sending the SAML Response to this application path/URL.

Currently it seems that the IdP is sending the SAML Response to a different path/URL: "https://portal.mycompany.com/saml2/sp/acs".

Therefore, try to locate on the IdP side which paths are configured to receive the SAML Responses, and make sure that "http://portal.mycompany.com:80/irj/portal" is configured there.

Cheers,

Filipe Santos