The following Guided Answers decision tree will assist you with configuration and troubleshooting of SAML 2.0 with AS ABAP
Errors investigated in this decision tree are:
The issue occurs during configuration of SAML 2.0
1.1. Transaction SAML2 results in 403 Forbidden or 500 Internal Server Error
1.2. User has no permissions to display/edit the configuration
1.3. Error or warning when creating local service provider
1.3.1. The corresponding PSE is locked by user
1.3.2. Local entity is locked by user
1.3.3. Warning that external aliases cannot be created
1.3.4. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=XXX
188.8.131.52. Traces contain error “SAML20 CX_SAML20_CORE: Can't create pse: ' Error while creating PSE (SSFPSE_CREATE:SSFA/S2SV'.”
1.4. Error or warning when creating new trusted identity provider
1.4.1. The imported metadata file contains no entities
1.4.2. Trusted provider with the same name already exists
1.4.3. Metadata contains provider which is not identity provider
1.4.4. Signature verification of metadata was not successful
1.4.5. The corresponding PSE is locked by user XXX
1.4.6. Local entity is locked by user XXX
1.4.7. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=XXX
1.5. Error or warning when saving existing trusted identity provider
1.5.1. The corresponding PSE is locked by user …
1.5.2. Local entity is locked by user …
1.5.3. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=XXX
1.6. Error or warning when downloading service provider metadata
1.6.1. Warning Client is not prepared for SAML2 authentication through web service communication
1.6.2. You get 403 Forbidden when downloading metadata
The issue occurs during SAML 2.0 authentication
2.1. Decryption of element 'XML element' of message 'SAML2 message' failed
2.2. No RelayState mapping found for RelayState value ouc…
2.3. No default application path is configured for ACS endpoint
2.4. CALL 'SAML login' and received empty CONTEXT_REF during SAML logon
2.5. "SAML 2.0: "SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1"
2.6. No entity with 'trusted provider name' found in client 'client'
2.7. The binding <binding name> is not supported during <profile name> processing
2.8. Message 'SAML2 message' is not signed
2.9. Signature of message 'SAML2 message' from issuer 'trusted provided name' is invalid
2.10. Message Response did not arrive at correct destination
2.11. No entity with 'trusted provider name' found in client 'client'
2.12. Element 'XML element' is not encrypted
2.13. Element 'xml element' does not exist
2.14. Attribute 'xml attribute' of element 'xml element' is invalid
2.15. User assignment of name ID <Name ID value> (format: <Name ID format>) failed
2.16. Configuration forbids identity federation
2.17. Entity ‘trusted provider name’ does not support the format 'Name ID format' for user assignment
2.18. "No user mapping found with name ID <Name ID value> (Format: <Name ID format>) No user found for name ID <Name ID value>"
2.19. "Entity <entity name> is not defined in the element 'AudienceRestriction'
2.20. Signature validation with the configured primary certificate failed
2.21. You are accessing application which contains "#" in the URL
2.22. SAML 2.0 authentication fails for WebGUI applications
- SAP Netweaver AS ABAP 7.02
- SAP Netweaver AS ABAP 7.30
- SAP Netweaver AS ABAP 7.31
- SAP Netweaver AS ABAP 7.40
- SAP Netweaver AS ABAP 7.50 and higher
AS ABAP SAML2 SP service provider, Fiori, Launchpad, FLP, SAML2 service not accessible, HTTP 404 not found , KBA , BC-SEC-LGN-SML , SAML 2.0 for ABAP , CA-UI2-INT-FE , Please use CA-FLP-FE-COR , CA-UI2-INT-BE , Please use CA-FLP-ABA , BC-SEC-LGN , Authentication and SSO , Problem
About this pageThis is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.