2443156 - SAML 2.0 SSO with AS ABAP - Guided Answers | SAP Knowledge Base Article

SAP Knowledge Base Article - Preview

Symptom

The following Guided Answers decision tree will assist you with the configuration and troubleshooting of SAML 2.0 with AS ABAP.

Errors investigated in this decision tree are:

1. The issue occurs during configuration of SAML 2.0
1.1. Transaction SAML2 results in 403 Forbidden or 500 Internal Server Error
1.2. User has no permissions to display/edit the configuration
1.3. Error or warning when creating local service provider
1.3.1. The corresponding PSE is locked by user
1.3.2. Local entity is locked by user
1.3.3. Warning that external aliases cannot be created
1.3.4. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=XXX
1.3.4.1. Traces contain error “SAML20 CX_SAML20_CORE: Can't create pse: ' Error while creating PSE (SSFPSE_CREATE:SSFA/S2SV'.”
1.4. Error or warning when creating new trusted identity provider
1.4.1. The imported metadata file contains no entities
1.4.2. Trusted provider with the same name already exists
1.4.3. Metadata contains provider which is not identity provider
1.4.4. Signature verification of metadata was not successful
1.4.5. The corresponding PSE is locked by user XXX
1.4.6. Local entity is locked by user XXX
1.4.7. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=XXX
1.5. Error or warning when saving existing trusted identity provider
1.5.1. The corresponding PSE is locked by user …
1.5.2. Local entity is locked by user …
1.5.3. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=XXX
1.6. Error or warning when downloading service provider metadata
1.6.1. Warning Client is not prepared for SAML2 authentication through web service communication
1.6.2. You get 403 Forbidden when downloading metadata

2. The issue occurs during SAML 2.0 authentication
2.1. Decryption of element 'XML element' of message 'SAML2 message' failed
2.2. No RelayState mapping found for RelayState value ouc…
2.3. No default application path is configured for ACS endpoint
2.4. CALL 'SAML login' and received empty CONTEXT_REF during SAML logon
2.5. SAML 2.0: "SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1"
2.6. No entity with 'trusted provider name' found in client 'client'
2.7. The binding <binding name> is not supported during <profile name> processing
2.8. Message 'SAML2 message' is not signed
2.9. Signature of message 'SAML2 message' from issuer 'trusted provider name' is invalid
2.10. Message Response did not arrive at correct destination
2.11. No entity with 'trusted provider name' found in client 'client'
2.12. Element 'XML element' is not encrypted
2.13. Element 'xml element' does not exist
2.14. Attribute 'xml attribute' of element 'xml element' is invalid
2.15. User assignment of name ID <Name ID value> (format: <Name ID format>) failed
2.16. Configuration forbids identity federation
2.17. Entity ‘trusted provider name’ does not support the format 'Name ID format' for user assignment
2.18. "No user mapping found with name ID <Name ID value> (Format: <Name ID format>) No user found for name ID <Name ID value>"
2.19. Entity <entity name> is not defined in the element 'AudienceRestriction'
2.20. Signature validation with the configured primary certificate failed
2.21. You are accessing an application which contains "#" in the URL
2.22. SAML 2.0 authentication fails for WebGUI applications


Environment

  • SAP NetWeaver AS ABAP 7.02
  • SAP NetWeaver AS ABAP 7.30
  • SAP NetWeaver AS ABAP 7.31
  • SAP NetWeaver AS ABAP 7.40
  • SAP NetWeaver AS ABAP 7.50 and higher

Product

SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5 ; SAP enhancement package 1 for SAP NetWeaver 7.3 ; SAP enhancement package 2 for SAP NetWeaver 7.0

Keywords

AS ABAP SAML2 SP service provider, Fiori, Launchpad, FLP, SAML2 service not accessible, HTTP 404 not found, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, CA-UI2-INT-FE, SAP Fiori Launchpad services (Java Script), CA-UI2-INT-BE, SAP Fiori Launchpad services (ABAP), BC-SEC-LGN, Authentication and SSO, Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).