SAP Knowledge Base Article - Preview

2346372 - SAML 2.0: ABAP SP signature algorithm mismatch with Microsoft ADFS

Symptom

SAML 2.0 authentication between an ABAP Service Provider and Microsoft ADFS (Identity Provider) fails.

The ABAP SAML traces show the following:

    • The 'Incoming Response' from the Identity Provider has 'Status Code' value 'urn:oasis:names:tc:SAML:2.0:status:Responder'
    • The 'DigestMethod Algorithm' attribute of the 'Incoming Response' is 'http://www.w3.org/2001/04/xmlenc#sha256'

      To collect the SAML 2.0 traces, open the Security Diagnostic Tool in the AS ABAP system by calling the URL below:

      http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>

      Press the start button, reproduce the scenario and press the stop button.

      More information regarding the Security Diagnostic Tool for ABAP can be found here.

On the Microsoft ADFS side, the following error can be seen:

    • Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
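Added example (not part of the SAP article, and not SAP or Microsoft code): a Python helper that reads the actual and expected algorithm out of an MSIS7093 event text and compares them with the signature algorithm declared in a captured SAML message or HTTP-Redirect URL. The sample event text and XML are constructed, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

# Constructed sample: MSIS7093 text in the shape quoted in the article.
ADFS_EVENT = ("MSIS7093: The message is not signed with expected signature algorithm. "
              "Message is signed with signature algorithm "
              "http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm "
              "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer")

# Constructed sample: skeleton of a signed SAML message (signature values omitted).
SAML_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""

def parse_msis7093(text):
    """Return (actual, expected) signature algorithm URIs, or None if not MSIS7093."""
    m = re.search(r"signed with signature algorithm (\S+?)\.\s+"
                  r"Expected signature algorithm (\S+?)\.(?:\s|$)", text)
    return m.groups() if m else None

def algorithms_in_xml(saml_xml):
    """Return (SignatureMethod URI or None, [DigestMethod URIs]) from trace XML you collected."""
    root = ET.fromstring(saml_xml)
    sig = root.find(f".//{DS}SignatureMethod")
    digests = [d.get("Algorithm") for d in root.iter(f"{DS}DigestMethod")]
    return (sig.get("Algorithm") if sig is not None else None, digests)

def sigalg_in_redirect(url):
    """HTTP-Redirect binding carries the algorithm in the SigAlg query parameter."""
    values = parse_qs(urlparse(url).query).get("SigAlg")
    return values[0] if values else None

def find_mismatch(expected, saml_xml=None, redirect_url=None):
    """Return {location: algorithm} for each signature algorithm that differs from expected."""
    seen = {}
    if saml_xml:
        seen["ds:SignatureMethod"] = algorithms_in_xml(saml_xml)[0]
    if redirect_url:
        seen["SigAlg"] = sigalg_in_redirect(redirect_url)
    return {k: v for k, v in seen.items() if v and v != expected}
```

Feed `parse_msis7093` the event text from the ADFS log and pass its second value as `expected` to `find_mismatch`, together with the message XML from the Security Diagnostic Tool trace.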


Environment

  • Microsoft Active Directory Federation Services
  • SAP NetWeaver AS ABAP 7.02
  • SAP NetWeaver AS ABAP 7.30
  • SAP NetWeaver AS ABAP 7.31
  • SAP NetWeaver AS ABAP 7.40
  • SAP NetWeaver AS ABAP 7.50

Product

SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5 ; SAP enhancement package 1 for SAP NetWeaver 7.3 ; SAP enhancement package 2 for SAP NetWeaver 7.0

Keywords

SAML 2.0, SAML2, ADFS, Responder, status code, digest algorithm, SHA-1, SHA-256, SHA-2, microsoft, SAML, authentication, fails, identity provider, service provider, sp, idp, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, BC-SEC-SSF, Secure Store and Forward, Problem
