SAP FIORI Launchpad SAML2 SSO with 3rd party IDP

Former Member
0 Kudos

Hi,

I have configured SP-initiated SSO with Siteminder IDP for SAP FIORI Launchpad. The setup works well. We have a 60 mins idle timeout for SAML sessions and SAP HTTP sessions.

Everything works well, but the issue occurs only if anyone keeps the Launchpad idle for more than 60 mins (a break for lunch is, as usual, the culprit).

How do we handle this timeout and request the user to log on again?

Here are the Sec_diag logs.

SAML20 <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
SAML20
SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
SAML20 </ns2:SubjectConfirmation>
SAML20 </ns2:Subject>
SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"
SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>GWP-SP</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 </ns2:Conditions>
SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"
SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="
SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">

After 60 mins, when a user tries to use the same session, they get the error below:

SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)
SAML20 Caused by: CX_SAML20_ASSERTION: All 'SubjectConfirmation' elements are invalid. Long text: All 'SubjectConfirmation' elements are invalid.
SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 116)
SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)
SAML20 Caused by: CX_SAML20_ASSERTION: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid. Long text: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid.
SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 92)
SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
SAML20
SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
SAML20 </ns2:SubjectConfirmation>
SAML20 </ns2:Subject>
SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"
SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>GWP-SP</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 <ns2:AudienceRestriction>
SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>
SAML20 </ns2:AudienceRestriction>
SAML20 </ns2:Conditions>
SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"
SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="
SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AuthnContext>
SAML20 <ns2:AuthnContextClassRef>
SAML20 urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
SAML20 </ns2:AuthnContext>
SAML20 </ns2:AuthnStatement>
SAML20 <ns2:AttributeStatement>
SAML20 <ns2:Attribute Name="uid"
SAML20 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
SAML20
SAML20 <ns2:AttributeValue>sAMAccountName</ns2:AttributeValue>
SAML20 </ns2:Attribute>
SAML20 </ns2:AttributeStatement>

Thanks in advance.

Santosh Lad

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Santosh,

I also have the same issue. Have you got any solution for the above scenario?

If you have anything, please share.

Thanks in advance.

Thanks & Regards

Surendra

0 Kudos

Hi,

Please refer to the link below:

Common Problems When Configuring SAML 2.0 for AS ABAP - Security and Identity Management - SCN Wiki

I had the same issue, and it got resolved. Please use the right host name, the one you maintained in the Identity Provider.

Thanks,

Nagaraju
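
The two checks this thread turns on, the `NotOnOrAfter` window named in the trace and the `Recipient` host name raised in the last answer, can be reproduced offline against a captured assertion. The following is an added example, not part of the original posts and not SAP's implementation; the names `why_rejected` and `utc` and the 120-second `skew` tolerance are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute values are the ones in the Sec_diag trace above;
# the Assertion wrapper and namespace declaration are added so that it parses.
SAMPLE = """<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
<ns2:Subject>
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2015-06-26T15:59:57Z"
 NotOnOrAfter="2015-06-26T16:01:57Z" />
</ns2:Assertion>"""

def utc(stamp):
    """Parse the xs:dateTime form used in the trace (UTC, trailing Z)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def why_rejected(xml_text, now, acs_url, skew=timedelta(seconds=120)):
    """List why a bearer assertion fails the time/Recipient checks at `now` (skew is assumed)."""
    root = ET.fromstring(xml_text)
    reasons, confirmed = [], False
    for scd in root.iterfind(".//a:SubjectConfirmation/a:SubjectConfirmationData", NS):
        found = []
        if now >= utc(scd.get("NotOnOrAfter")) + skew:
            found.append("SubjectConfirmationData NotOnOrAfter has passed")
        if scd.get("Recipient") != acs_url:
            found.append("Recipient does not match the SP ACS URL")
        confirmed = confirmed or not found
        reasons += found
    if confirmed:
        reasons = []  # one valid SubjectConfirmation is enough
    elif not reasons:
        reasons.append("no SubjectConfirmationData present")
    cond = root.find("a:Conditions", NS)
    if cond is not None:
        if now < utc(cond.get("NotBefore")) - skew:
            reasons.append("Conditions NotBefore is in the future")
        if now >= utc(cond.get("NotOnOrAfter")) + skew:
            reasons.append("Conditions NotOnOrAfter has passed")
    return reasons
```

Evaluated one hour after `AuthnInstant`, the sample fails on both `NotOnOrAfter` attributes; evaluated inside the window with a different host in `acs_url`, it fails on `Recipient` only.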