
Facing issue in SAML based SSO to SAP NetWeaver cloud app

Former Member
0 Kudos

Hi,

I am trying to configure SSO to my SAP App which is deployed on SAP NetWeaver Cloud.

I am using the sample application which came along with the SDK.

I have tried with two ACS URLs

1. https://ondemand.com/saml2/sp/acs/p1798703876trial/p1798703876trial. Using this, it is landing on www.sap.com/index.epx instead of my application. I have used my application URL as RelayState.

2. I have used my application URL as ACS URL (as in one of the discussions I have read to use SAP Cloud application URL as ACS URL). In this case recursive SAMLRequest/Response is getting generated and it goes in an infinite loop.

Any pointers on this will be helpful.

Thanks.

Accepted Solutions (1)


former_member182254
Active Participant
0 Kudos

Hi,

Regarding the first issue please correct the URLs to start with "hanatrial." - https://hanatrial.ondemand.com/saml2/sp/acs/p1798703876trial/p1798703876trial.

Regarding the second issue see a possible reason for this in the documentation -

https://help.hana.ondemand.com/help/frameset.htm?e637f62abb571014857cb0232adc43a7.html:

Avoid Mapping Servlet Resources to /* in the web.xml

Avoid mapping a servlet to resources using wildcard (<url-pattern>/*</url-pattern> in the web.xml). This may lead to an infinite loop.

Regards,

Dimitar

Former Member
0 Kudos

Thanks, Dimitar! It is working now for SP-initiated. But for IdP-initiated it is showing me the error "Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState." Though I am using my app (xLeave App) URL as the RelayState.

Are there any specifications for using RelayState?

Regards,

Sales

former_member182254
Active Participant
0 Kudos

Hi,

Currently the default Assertion Consumer Service (ACS) provided by the platform does not support IDP-initiated SSO. I suppose in the future this limitation will be resolved but right now there is no such functionality. In order to mitigate this you can develop your "own" ACS - e.g. some Servlet or JSP as part of your application. This ACS shall be a protected resource, shall handle GET and POST requests and you have to configure it in your IDP instead of the default one. It will evaluate the provided "RelayState" parameter and will do the redirect to the corresponding application URL. This is possible because the SAML authentication does not happen at the default ACS endpoint but at the application side. For example during SP-initiated SSO the default ACS just resubmits the SAML response to the originally requested application URL and does perform authentication.

Let me know if you need any further details in case you decide to implement own ACS.

Regards,

Dimitar
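
Added example, not part of the original thread and not SAP's own code: one way the custom ACS described in the reply above could evaluate RelayState, redirecting only to URLs on the application's own host so the endpoint cannot be used as an open redirect. The class name, ALLOWED_HOST value and the web.xml mapping to a specific path such as /acs (not /*) behind a security constraint are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical custom ACS. Assumed: mapped in web.xml to a specific path
// (e.g. /acs, never /*) and declared as a protected resource, so the user is
// already authenticated from the SAML response before this code runs.
public class RelayStateAcsServlet extends HttpServlet {

    // Placeholder; replace with the host name of your own application.
    private static final String ALLOWED_HOST = "myapp.example.invalid";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String fallback = req.getContextPath() + "/";
        resp.sendRedirect(resolveTarget(req.getParameter("RelayState"), fallback));
    }

    // Accept only absolute https URLs on the application's own host.
    // Missing, malformed or foreign RelayState values go to the fallback page.
    static String resolveTarget(String relayState, String fallback) {
        if (relayState == null || relayState.isEmpty()) return fallback;
        try {
            URI uri = new URI(relayState).normalize();
            if ("https".equalsIgnoreCase(uri.getScheme())
                    && ALLOWED_HOST.equalsIgnoreCase(uri.getHost())) {
                return uri.toString();
            }
        } catch (URISyntaxException e) {
            // Malformed RelayState: use the fallback below.
        }
        return fallback;
    }
}
```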

Former Member
0 Kudos

Hello,

How to test SP-initiated SSO for SAP HANA Cloud application?

I have created the application with the URL https://s1hanaxs.hanatrial.ondemand.com/p1940537722trial/myhanaxs/hello and configured the SP and IdP side configurations under the TRUST tab.

However I don't know how to test the SP-initiated SSO. When I hit the https://s1hanaxs.hanatrial.ondemand.com/p1940537722trial/myhanaxs/hello in browser then it redirects me to https://accounts.sap.com/saml2/idp/sso/accounts.sap.com?SAMLRequest=fVH.........

Am I missing something here?

Answers (1)


Former Member
0 Kudos

See the following document on how to setup SAML based SSO to SAP HANA Cloud portal.

http://scn.sap.com/docs/DOC-35458

Former Member
0 Kudos

Hello sales user and Samuli,

Samuli kindly pointed me to this thread. I am having a similar issue.

When you create the local service provider, the link embedded in the metadata.xml file is pointing to something like this:

https://ondemand.com/saml2/sp/acs/p1829333990trial/p1829333990trial

However upon successful authentication, you get redirected to the page and the server replies with a HTTP/1.1 301 Moved Permanently

I will also include the link to my entry, so maybe one of us will have a solution soon

http://scn.sap.com/message/13973085#13973085

For reference, this is what I get as reply from ondemand:

HTTP/1.1 301 Moved Permanently

Set-Cookie: nwt=rodfall; path=/

Set-Cookie: ARPT=LLKLIOS144.56.74.48CKMOJ; path=/

Content-Type: text/html; charset=UTF-8

Location: http://www.sap.com/index.epx

Server: Microsoft-IIS/7.5

Date: Thu, 11 Apr 2013 07:00:40 GMT

Content-Length: 151

<head><title>Document Moved</title></head>

<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.sap.com/index.epx">here</a></body>

former_member182254
Active Participant
0 Kudos

Hi,

There is a problem in the metadata generation and the endpoint URLs are wrong. Please correct the URLs to start with "hanatrial.", e.g.

https://hanatrial.ondemand.com/saml2/sp/acs/p1829333990trial/p1829333990trial. The same applies for the SLO endpoints -

https://ondemand.com/saml2/sp/slo/p1829333990trial/p1829333990trial.

A fix is being prepared and should be applied soon.

Regards,

Dimitar

Former Member
0 Kudos

Hello Dimitar,

thank you for your quick response!

I can confirm that this fixes the issue! It works now.

Regards

Tom