SAP Knowledge Base Article - Public

2601672 - HTTP status 500 - Multidomain params signature is not valid in SAP Analytics Cloud (SAC)

Symptom

You can logon to SAP Analytics Cloud after configuring your Active Directory Federation Services (ADFS) as your custom SAML Identity Provider

However, when you log out, your browser shows: HTTP status 500 - Multidomain params signature is not valid in SAP Analytics Cloud (SAC)

Environment

  • SAP Analytics Cloud
  • Active Directory Federation Services (ADFS) 

Reproducing the Issue

  1. Configure SAML SSO authentication for SAP Analytics Cloud using ADFS
  2. Log in to SAP Analytics Cloud
  3. Log out of SAP Analytics Cloud
  4. The browser shows the error: HTTP status 500 - Multidomain params signature is not valid

Cause

The ADFS claim does not contain the required format: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>

The original Claim only contains:

<NameID>USER_NAME</NameID>

Resolution

SAP Analytics Cloud expects to receive the claim in the fomat <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameID>  in SAML assertion returned from SAML Identity Provider.  Add additonal transformation thus to supplement and tranform the claim to the expected format.

Warning - The steps indicated here are correct for our testing Active Directory. You should contact your AD FS administrator or Microsoft to confirm that are valid for your environment.

  1. In the AD FS Administrator, go to Relying Party Trusts > Select the entry for SAP Analytics Cloud > Right click and select Edit Claim Rules...

 Edit.png

  1. Modify the rule used to Send LDAP Attributes as Claims. As Outgoing Claim Type, you can select any claim type from the dropdown list, or provide any custom claim type name.  In this sample, we manually enter the custom claim type name called: my_intermediate_claim. We use the logon name (LDAP Attribute: SAMAccountName).

claimrule.png

  1. Click OK to save the changes
  2. Add a new rule > Select Transform an Incoming Claim > Give it a name "Tranform Claim to set unspecified" for example
  3. As Incoming claim Type, select or manually type the previous intermidiate claim type name in Step 2
  4. As Outgoing claim type select "Name ID" from the list 
  5. Leave Outgoing Name ID format: "Unspecified"

transform rule.png

  1. Click OK to save the change

See Also

Keywords

directory, error, 500, logoff, logout, exit, saml, adfs, ad, saml2, saml, sso, Cloud-Analytics, multi, domain, params. signature,  Default NAME ID format, unspecified, active directory, AD , KBA , LOD-ANA , SAP Analytics Cloud , LOD-ANA-BI , SAP Analytics Cloud - Business Intelligence (BOC) , LOD-ANA-PL , SAP Analytics Cloud – Planning (BOC) , LOD-ANA-BR , SAP Analytics Cloud - Digital Boardroom , LOD-ANA-PR , SAP Analytics Cloud – Predictive (BOC) , Problem

Product

SAP Analytics Cloud 1.0