Hi,
I'm getting be below error when trying to use SAML SSO for a ABAP Webdynpro page on a NW 7.4 system. When I access the page, it redirects to the identity provider, comes back to the page and it shows the logon page. I'm looking for any ideas of things I could look at.
N SAML20 SP (client 400): Incoming Response
N SAML20 Binding: POST
N SAML20 IdP Name: http://xxxxxx/adfs/services/trust
N SAML20 Status Code: urn:oasis:names:tc:SAML:2.0:status:Responder
N SAML20 SP (client 400): Default ACS endpoint: https://xxxxxx/sap/saml2/sp/acs/400 , old default ACS endpoint
N SAML-Trace: CALL 'SAML login': SY-SUBRC = 222 , PWDCHG = 0
N *** ERROR => SAML-Trace: Path = /sap/bc/webdynpro/sap/oauth2_authority [sign.c 16519]
N {root-id=005056AD26DF1ED4B69880FF4BE51F68}_{conn-id=005056AD26DF1ED4B69880FF4BE53F68}_1
N *** ERROR => SAML-Trace: Returncode = 222 [sign.c 16519]
N *** ERROR => SAML-Trace: Message class = SAML number = 011 [sign.c 16519]
N *** ERROR => SAML-Trace: Message = Error when logging on for external ID "": Error during SAML 2.0 logon [sign.c 16519]
I have updated the service to use alternate logon procedure and added the handler CL_HTTP_EXT_SAML20
I have added the identity provider through transaction SAML2, but it does not seem to be working.
Here is a decrypted SAML assertion:
<samlp:Response ID="_9c844d84-8117-4851-8270-aeb12e935daf"
Version="2.0"
IssueInstant="2015-04-02T00:21:06.477Z"
Destination="https://xxxxxxxxx/sap/saml2/sp/acs/400"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="S005056ad-26df-1ed4-b699-c4c630853f68"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_9c844d84-8117-4851-8270-aeb12e935daf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>08HK08VLpJC23JoQs+p+oHbDBvjRF+9NwBeowmlFTrY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxx</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFPjCCBCagAwIBAgIHAMFKH58TFzANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8xMzAxBgNVBAMTKkdvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjAeFw0xNDAxMjMxOTM3MThaFw0xNzAxMjMxOTM3MThaMEIxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UEAxMUZnNwcm94eTItZGV2LmlndC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAM13/bboldFRmDGK3QBbxlDREoGuQEUWeroZCDM/tH7Rk+AjgXbc4pkon13EwKi7q9brzkBMCY3HH9Ep2BUHjopydy+AWQH9vjLK2wXD/+6T4FCG1i8Kt+lRrcxRWUugnBuK+BRgxEJDz7ap8KvcRk6ERWQrx5Co8K7ey5nEqjapCDJQg3Yrkxo2pEWGBKSIXXmpU+CgK03y4HOW19/rmdcyLThjchn+Jgxe8obL4tiVk4D/X36wOqtV/1cnIjGak/px/p1oQEGD5PC7F3FIZConhUu7PJDLmioqdGcimZvFiZK6xQJyzy90lm0dHRT1qhkC9TTsGvAAMCh/gn41xAgMBAAGjggHEMIIBwDAPBgNVHRMBAf8EBTADAQEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTExLmNybDBTBgNVHSAETDBKMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8wdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wOQYDVR0RBDIwMIIUZnNwcm94eTItZGV2LmlndC5jb22CGHd3dy5mc3Byb3h5Mi1kZXYuaWd0LmNvbTAdBgNVHQ4EFgQUMRTW5O0fpR4kET2ED84QAS6ZXBowDQYJKoZIhvcNAQELBQADggEBAKCQfnSSA1gs6qyYKqAqQKhhRRhC4wMtZJLZUmMGPe2q+QM4dQxJgrFy2OVG6I4dXFrxINGlPdJVVXBKtLn9Fm2t0Cb8lAV3rLruEfRJTDK6MeDFOD5qXgU4higpuDGrAmqKvMIOk7VJA0gPbW4lasgqGQXzOspZCmCIWwOqcIDZRr0wo09QLidegr/phjZMzuy8IO0U1w7U6MX767qcl3RGcqRwpquMtMiaw5ROx9v3DK3JOemlqQwKy/uzzBohzYln6AYim8cnZMvfaKDLYNwE0+Rg6nmemlf6PXOjE3Uisc71v3uFstWsXzUPhDeQlycFzPDT4t4srIaxdMrEs3w=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.