SAP Knowledge Base Article - Preview

2758293 - IAS proxy scenario: HTTP 500 error from corporate identity provider - Certificate used to validate the signature cannot be null

Symptom

Login to the corporate identity provider (IdP) does not work when the Identity Authentication Service (IAS) is functioning as a proxy. The corporate IdP login screen shows an "HTTP 500" error.

In the Troubleshooting Logs, the following entries can be seen:

"POST /saml2/idp/acs/<TenantID>.accounts.ondemand.com HTTP/1.1" 200

severity=INFO, location=umtrace, crtAccount=<TenantID>, authenticatedSubject="anonymous", state=failed, action=authenticate, objectType=user, authenticationMethod=saml2Assertion, category=audit.configuration, correlationId

#ERROR#com.sap.security.saml2.idp.endpoints.sso.ACSEndpoint##<TenantID>#anonymous#http-bio-127.0.0.1-8080-exec-5#na#N/A#N/A#N/A#Authentication error.SAML2Response signature verification failed. Caused by: Certificate used to validate the signature cannot be null

However, the SAML response is successful:

<...>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
<...>
<dsig:X509Certificate><...></dsig:X509Certificate><...><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
<...>



Environment

  • SAP Cloud Platform Identity Authentication Service functioning as a proxy
  • Corporate IdP
  • SAP Cloud Platform

Product

Identity Authentication all versions

Keywords

500 Internal Server error, Internal server error, HTTP 500, IAS Tenant, KBA, BC-IAM-IDS, Identity Authentication Service, Problem

About this page

This is a preview of an SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
