SAP Knowledge Base Article - Preview

2758293 - IAS proxy scenario: HTTP 500 error from corporate identity provider - Certificate used to validate the signature cannot be null

Symptom

Login to the corporate identity provider (IdP) does not work when the Identity Authentication Service (IAS) functions as a proxy. The corporate IdP login screen shows an "HTTP 500" error.

In Troubleshooting Logs, the following entries can be seen:

"POST /saml2/idp/acs/<TenantID>.accounts.ondemand.com HTTP/1.1" 200

severity=INFO, location=umtrace, crtAccount=<TenantID>, authenticatedSubject="anonymous", state=failed, action=authenticate, objectType=user, authenticationMethod=saml2Assertion, category=audit.configuration, correlationId

#ERROR#com.sap.security.saml2.idp.endpoints.sso.ACSEndpoint##<TenantID>#anonymous#http-bio-127.0.0.1-8080-exec-5#na#N/A#N/A#N/A#Authentication error.SAML2Response signature verification failed. Caused by: Certificate used to validate the signature cannot be null

However, the SAML response is successful:

<...>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
<...>
<dsig:X509Certificate><...></dsig:X509Certificate><...><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
<...>
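
The status code and the signature check in the symptom above are independent: the sender sets StatusCode, while the receiver needs a certificate of its own to validate the signature. The following triage sketch is an added example, not SAP code; it reads a captured response offline and reports both sides. The names `triage` and `trusted_cert_der` are hypothetical, the sample response is constructed, and treating the receiver's certificate as separately configured is an assumption, since this preview does not state the cause. It does not verify the XML signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the certificate value is placeholder bytes, not a real certificate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:Signature><dsig:KeyInfo><dsig:X509Data>
    <dsig:X509Certificate>Q09OU1RSVUNURUQtU0FNUExFLUNFUlQ=</dsig:X509Certificate>
  </dsig:X509Data></dsig:KeyInfo></dsig:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""


def triage(response_xml, trusted_cert_der=None):
    """Separate what the sender asserts from what the receiver can verify."""
    root = ET.fromstring(response_xml)  # captured input, analysed offline only
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    cert = root.find(".//dsig:X509Certificate", NS)
    embedded = None
    if cert is not None and cert.text:
        embedded = base64.b64decode("".join(cert.text.split()))
    report = {
        "status": code.get("Value").rsplit(":", 1)[-1] if code is not None else None,
        "signed": root.find(".//dsig:Signature", NS) is not None,
        "embedded_sha256": hashlib.sha256(embedded).hexdigest() if embedded else None,
    }
    if trusted_cert_der is None:
        # Assumed condition: the receiver holds no certificate for this sender.
        report["verdict"] = "no-trusted-certificate"
    elif embedded is not None and embedded != trusted_cert_der:
        report["verdict"] = "embedded-certificate-differs-from-trusted"
    else:
        report["verdict"] = "ready-to-verify"
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
```

The embedded certificate's fingerprint is reported only so it can be compared with the certificate configured for the sender; a certificate carried inside the message is not by itself a basis for trust.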



Environment

  • SAP Cloud Platform Identity Authentication Service functioning as a proxy
  • Corporate IdP
  • SAP Cloud Platform

Product

Identity Authentication all versions

Keywords

500 Internal Server error, Internal server error, HTTP 500, IAS Tenant, KBA, BC-IAM-IDS, Identity Authentication Service, Problem
