SAP Knowledge Base Article - Preview

2673983 - SAML Fails with a "status:Responder" Error

Symptom

You have configured SAML between your AS Java system, acting as the Service Provider, and your Identity Provider, but the logon fails. After reproducing the issue while running a Security Troubleshooting Wizard trace, you can see the failed logon procedure reporting the following error:

LOGIN.FAILED
User: N/A
IP Address: xxx.xxx.xxx.xx
Authentication Stack: xxxxx
Authentication Stack Properties:
        policy_domain = xxxxx
        realm_name = xxxxx

Login Module                                                                                    Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
2. com.sap.security.saml2.sp.SAML2LoginModule                                  OPTIONAL    ok          exception             true       Rejected signed Response 
                                                                                                                                    Reason: Error SAML2Response received.
                                                                                                                                      ID: xxxxxxxxxx
                                                                                                                                      Issuer: "IDP URL....."
                                                                                                                                      Destination: "SP URL....."
                                                                                                                                      In Response To: xxxxx
                                                                                                                                      Issue Instant: "Time and Date"
                                                                                                                                      Top Level Status Code: urn:oasis:names:tc:SAML:2.0:status:Responder
                                                                                                                                      Second Level Status Code:
                                                                                                                                      Status Message:
                                                                                                                                      Consent: urn:oasis:names:tc:SAML:2.0:consent:unspecified
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      
No logon policy was applied


Environment

  • Release Independent
  • SAP NetWeaver

Product

SAP NetWeaver all versions

Keywords

SAML2 Responder, status:Responder, Reason: Error SAML2Response received, Rejected signed Response, SAML2 SSO, Fail, Troubleshooting Wizard Trace, KBA, BC-JAS-SEC-LGN, Logon, SSO, BC-JAS-SEC-SML, JAVA SAML 1.1 and 2.0, Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).