
SAP-to-SAP SAML2 - Invalid X509IssuerName in response

Former Member

We're on Basis 702 SP13, and I'm trying to prove the setup of SAML2 for web services by using two SAP systems, one as the consumer (say "CCC") and one as the provider (say "PPP").

I've run SAML2 in both systems, and WSS_SETUP in just PPP, and I have used SOAMANAGER to set up a runtime definition for the "srt_test_provider" service in PPP, flagged as using Asymmetric Message Signature / Encryption (for Communication Security) and Single Sign On using SAML for the Message Authentication.  The CCC system has also been defined as a Trusted Provider ( STS ) in the PPP system's SAML2 settings (so the consumer local provider entity now appears in tables SAML2_ENTITY and SAML2_ENTITY_E in the provider system).

The documentation available seems a bit thin, but I have progressed to the point where CCC is calling PPP, logging into PPP via the DELAY_LOGON account, and PPP is recognising the SAML assertion and returning a response.  However, the response from PPP contains a SecurityTokenReference / X509Data / X509IssuerSerial block something like this:

    X509IssuerName    CN=PPP SNC,OU=I9999999999,OU=SAP Web AS,O=SAP Trust Community,C=DE
    X509SerialNumber  1234567890123456

which appears to be the issuer on PPP's "SNC SAPCryptolib" PSE.  Naturally the consumer system rejects this as it has no reason to trust that Issuer.

Any ideas why PPP is returning this value and not something more relevant - have I missed a setup step?

Supplementary Question #1:  Do I need to run WSS_SETUP on the consumer system - and client 000?

Supplementary Question #2: What does the WSS_SETUP checkbox "Secure Conversation Bootstrap Endpoints / Provider Configuration" actually do - apart from creating a bunch of new SICF nodes?  What are these for, and does every client need this set?

Thanks!

Jonathan
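The check the consumer side is effectively applying to that response, as an added illustration that is not part of this thread or of SAP's own code: pull X509IssuerName and X509SerialNumber out of the SecurityTokenReference and compare the issuer DN against the consumer's configured trust list, so an issuer taken from the provider's SNC PSE is reported as untrusted rather than silently accepted. The namespace URIs are the standard WS-Security and XML Signature ones; the sample message and the trusted DNs are constructed.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security (wsse) and XML Signature (ds) namespace URIs.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of the provider's response header: the issuer/serial
# reference the relying party sees (placeholder values, not a real system).
SAMPLE_RESPONSE = """<wsse:Security xmlns:wsse="{wsse}" xmlns:ds="{ds}">
  <ds:Signature><ds:KeyInfo>
    <wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=PPP SNC,OU=I9999999999,OU=SAP Web AS,O=SAP Trust Community,C=DE</ds:X509IssuerName>
      <ds:X509SerialNumber>1234567890123456</ds:X509SerialNumber>
    </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>
  </ds:KeyInfo></ds:Signature>
</wsse:Security>""".format(**NS)


def normalize_dn(dn):
    """Canonicalise a DN for comparison: split on commas, trim spacing,
    upper-case attribute types. (Simplified: escaped commas in values are
    not handled; a production check would use an RFC 4514 parser.)"""
    pairs = (part.split("=", 1) for part in dn.split(","))
    return tuple((t.strip().upper(), v.strip()) for t, v in pairs)


def extract_issuer_serial(xml_text):
    """Return (issuer DN, serial) from the X509IssuerSerial block, or None."""
    node = ET.fromstring(xml_text).find(".//ds:X509IssuerSerial", NS)
    if node is None:
        return None
    return (node.findtext("ds:X509IssuerName", namespaces=NS),
            node.findtext("ds:X509SerialNumber", namespaces=NS))


def check_issuer(xml_text, trusted_issuers):
    """Accept the token reference only if its issuer DN is in the trust list.
    Returns (ok, reason) so the caller can log why a message was rejected."""
    found = extract_issuer_serial(xml_text)
    if found is None:
        return (False, "no X509IssuerSerial in SecurityTokenReference")
    issuer, serial = found
    trusted = {normalize_dn(d) for d in trusted_issuers}
    if normalize_dn(issuer) not in trusted:
        return (False, "untrusted issuer: " + issuer)
    return (True, "issuer trusted, serial " + serial)
```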

Accepted Solutions (1)

Former Member

We ended up registering an "incident" with SAP... after working with them, a new Note was created that solved both the "Invalid X509IssuerName" problem and a couple of other issues we encountered during testing - we needed SAP Notes 1974624 + 2031917.

Jonathan
