on 04-09-2013 2:51 PM
Hi,
I am trying to configure SSO to my SAP App which is deployed on SAP NetWeaver Cloud.
I am using the sample application which came along with the SDK.
I have tried with two ACS URLs
1. https://ondemand.com/saml2/sp/acs/p1798703876trial/p1798703876trial. Using this, it is landing on www.sap.com/index.epx instead of my application. I have used my application URL as RelayState.
2. I have used my application URL as ACS URL (as in one of the discussions I have read, to use the SAP Cloud application URL as the ACS URL). In this case a recursive SAMLRequest/Response is getting generated and it goes in an infinite loop.
Any pointers on this will be helpful.
Thanks.
Hi,
Regarding the first issue please correct the URLs to start with "hanatrial." - https://hanatrial.ondemand.com/saml2/sp/acs/p1798703876trial/p1798703876trial.
Regarding the second issue see a possible reason for this in the documentation -
https://help.hana.ondemand.com/help/frameset.htm?e637f62abb571014857cb0232adc43a7.html:
Avoid Mapping Servlet Resources to /* in the web.xml
Avoid mapping a servlet to resources using wildcard (<url-pattern>/*</url-pattern> in the web.xml). This may lead to an infinite loop.
Regards,
Dimitar
Thanks! Dimitar. It is working now for SP initiated. But for IdP initiated it is showing me the error "Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState." Though I am using my app (xLeave App) URL as the RelayState.
Are there any specifications for using RelayState?
Regards,
Sales
Hi,
Currently the default Assertion Consumer Service (ACS) provided by the platform does not support IDP-initiated SSO. I suppose in the future this limitation will be resolved but right now there is no such functionality. In order to mitigate this you can develop your "own" ACS - e.g. some Servlet or JSP as part of your application. This ACS shall be a protected resource, shall handle GET and POST requests and you have to configure it in your IDP instead of the default one. It will evaluate the provided "RelayState" parameter and will do the redirect to the corresponding application URL. This is possible because the SAML authentication does not happen at the default ACS endpoint but at the application side. For example during SP-initiated SSO the default ACS just resubmits the SAML response to the originally requested application URL and does perform authentication.
Let me know if you need any further details in case you decide to implement your own ACS.
Regards,
Dimitar
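The application-side ACS that Dimitar describes above (a protected servlet that answers GET and POST, reads RelayState and redirects), written out as an added example; it is not code from this thread, from the SDK sample or from the platform. It assumes the servlet is declared a protected resource in web.xml so the platform's SAML login runs before it is reached, that the application's context path and the allowed target prefixes (here the hypothetical "/xleave/" and "/hello") are known, and it is deliberately mapped to one specific path rather than /*, which the documentation quoted earlier warns can loop. It also validates RelayState against the application's own host and paths before redirecting, since a redirect driven straight by an attacker-supplied RelayState would otherwise be an open redirect:

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical application-side ACS. Mapped to one specific path on purpose:
// a wildcard mapping (/*) would also capture the redirect target and loop.
@WebServlet(name = "CustomAcsServlet", urlPatterns = { "/saml/acs" })
public class CustomAcsServlet extends HttpServlet {

    // Assumed application-relative prefixes a RelayState may point to.
    // Anything else falls back to DEFAULT_TARGET, so RelayState cannot be
    // abused as an open redirect to a foreign host or an arbitrary path.
    private static final Set<String> ALLOWED_PREFIXES = new HashSet<String>(
            Arrays.asList("/xleave/", "/hello"));
    private static final String DEFAULT_TARGET = "/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The servlet is a protected resource, so the platform's SAML login has
        // already authenticated the caller. Refuse to act if that did not happen.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "ACS reached without an authenticated session");
            return;
        }
        String target = resolveRelayState(req.getParameter("RelayState"),
                req.getContextPath(), req.getServerName());
        resp.sendRedirect(target);
    }

    /**
     * Turns a RelayState value into a redirect target the application trusts.
     * Accepts an application-relative path or an https URL on our own host
     * whose path starts with an allowed prefix; everything else (other hosts,
     * protocol-relative "//host", path traversal, malformed input) is replaced
     * by the context root.
     */
    static String resolveRelayState(String relayState, String contextPath,
            String ownHost) {
        String fallback = contextPath + DEFAULT_TARGET;
        if (relayState == null || relayState.isEmpty()
                || relayState.startsWith("//")) {
            return fallback;
        }
        URI uri;
        try {
            // normalize() collapses "/xleave/../admin" style segments first.
            uri = new URI(relayState).normalize();
        } catch (URISyntaxException e) {
            return fallback; // backslashes, spaces, etc. are rejected here
        }
        if (uri.isAbsolute() && (!"https".equals(uri.getScheme())
                || !ownHost.equalsIgnoreCase(uri.getHost()))) {
            return fallback;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith(contextPath)) {
            return fallback;
        }
        String inApp = path.substring(contextPath.length());
        for (String prefix : ALLOWED_PREFIXES) {
            if (inApp.startsWith(prefix)) {
                // Re-issue as a same-host relative redirect, keeping the query.
                String query = uri.getRawQuery();
                return query == null ? path : path + "?" + query;
            }
        }
        return fallback;
    }
}
```

To use it, register https://<your-app-host>/<context>/saml/acs as the ACS URL in the IdP in place of the platform default, and add a security-constraint for /saml/acs to web.xml so the platform authenticates the request first. Testing the IdP-initiated case means starting from the IdP with RelayState set to an in-app URL and confirming the servlet lands on that page, while a RelayState pointing at another host lands on the context root.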
Hello,
How to test SP-initiated SSO for SAP HANA Cloud application?
I have created the application with the URL: https://s1hanaxs.hanatrial.ondemand.com/p1940537722trial/myhanaxs/hello
and configured the SP and IdP side configurations under TRUST tab.
However I don't know how to test the SP-initiated SSO. When I hit the https://s1hanaxs.hanatrial.ondemand.com/p1940537722trial/myhanaxs/hello in browser then it redirects me to https://accounts.sap.com/saml2/idp/sso/accounts.sap.com?SAMLRequest=fVH.........
Am I missing something here?
See the following document on how to set up SAML based SSO to SAP HANA Cloud portal.
Hello sales user and Samuli,
Samuli kindly pointed me to this thread. I am having a similar issue.
When you create the local service provider, the link embedded in the metadata.xml file is pointing to something like this:
https://ondemand.com/saml2/sp/acs/p1829333990trial/p1829333990trial
However upon successful authentication, you get redirected to the page and the server replies with an HTTP/1.1 301 Moved Permanently.
I will also include the link to my entry, so maybe one of us will have a solution soon:
http://scn.sap.com/message/13973085#13973085
For reference, this is what I get as reply from ondemand:
HTTP/1.1 301 Moved Permanently
Set-Cookie: nwt=rodfall; path=/
Set-Cookie: ARPT=LLKLIOS144.56.74.48CKMOJ; path=/
Content-Type: text/html; charset=UTF-8
Location: http://www.sap.com/index.epx
Server: Microsoft-IIS/7.5
Date: Thu, 11 Apr 2013 07:00:40 GMT
Content-Length: 151
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.sap.com/index.epx">here</a></body>
Hi,
There is a problem in the metadata generation and the endpoint URLs are wrong. Please correct the URLs to start with "hanatrial.", e.g.
https://hanatrial.ondemand.com/saml2/sp/acs/p1829333990trial/p1829333990trial. The same applies for the SLO endpoints -
https://ondemand.com/saml2/sp/slo/p1829333990trial/p1829333990trial.
A fix is being prepared and should be applied soon.
Regards,
Dimitar