
SAML SSO is not working for SAP system with ADFS

0 Kudos

Hi All,

I am trying to configure Single Sign-on with ADFS for SAP System.

What I have done so far is:

====================

1) Ran t-code SAML2 on the SAP system, downloaded the Service Provider (SAP system) metadata file, and the ADFS team uploaded it to the ADFS server.

2) Imported the ADFS metadata file and digital certificate into the SAP system and did the configuration as per the guidelines:

SAML 2.0 at SAP Gateway and MSFT ADFS - SAP.com

How to access application:

====================

1) I access the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

2) Our request is routed to the ADFS Federation Portal https://federation-sts-stage.xxxx.com/adfs/ls/ and I get the ADFS Portal Sign On screen.

3) After providing the ADFS User ID/Password, my request is redirected to the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

But here we get the SAP Fiori login page, which means SSO is not working between ADFS and the SAP system.

I have enabled SAML2 trace on my SAP system and got the below errors:

SAML20 SP (client 100): Exception raised:
SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
SAML20     at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
SAML20     at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
SAML20     at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
SAML20     at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)

Thanks,

Nagaraju

Accepted Solutions (1)


Former Member
0 Kudos

Hello,

the clue is in your dev_icm:

[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
(...)
[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
(...)
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

SAPSSLS.pse indicates that the certificates in "SSL client SSL Client (Standard)" are not correct or not complete.

The ADFS certificates will have been automatically added by the SAML2 transaction/configuration under "SSF SAML2 Service Provider ...".

It's not sufficient to add the ADFS certificate to "SSL client SSL Client (Standard)": the intermediate and root certificates which are used to sign the ADFS certificate need to be added here!

Those root and intermediate certificates can be extracted from the ADFS certificate.


Refer to http://service.sap.com/sap/support/notes/1094342 how to extract the root and intermediate.


Regards

Thomas.
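As an added example (not part of Thomas's answer or of SAP's tooling), the shell script below builds a constructed root -> intermediate -> leaf chain with openssl and verifies the leaf against three trust stores; the PEM trust files stand in for the SAP SSL client PSE, and all names are invented.

```shell
#!/bin/sh
# Added example, not from the thread: show why importing only the ADFS
# certificate into the SSL client PSE yields "Chain of certificates is
# incomplete", and why root + intermediate together fix it.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
gen() {  # gen NAME SUBJECT -> $WORK/NAME.key and $WORK/NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/o.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
sign() { # sign NAME ISSUER EXTSECTION -> $WORK/NAME.pem issued by ISSUER
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/o.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}
# Self-signed root CA (constructed PKI, not anyone's real ADFS certificates)
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/o.cnf" \
  -extensions ca_ext -days 30 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
gen int  "/CN=Example Intermediate CA"; sign int  root ca_ext
gen leaf "/CN=adfs.example.test";        sign leaf int  leaf_ext
# Three candidate trust stores, playing the role of the SSL client PSE
cp  "$WORK/leaf.pem" "$WORK/store_leaf_only.pem"               # only the ADFS cert
cp  "$WORK/root.pem" "$WORK/store_root_only.pem"               # intermediate missing
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/store_full.pem"  # what the answer asks for
verify_leaf() {  # verify_leaf STOREFILE -> prints trusted|untrusted
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}
for s in leaf_only root_only full; do
  printf '%-10s %s\n' "$s" "$(verify_leaf "$WORK/store_$s.pem")"
done
```

Only the store holding both the intermediate and the root verifies the leaf; the other two reproduce the incomplete-chain failure seen in dev_icm.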

0 Kudos

Thanks Thomas for your support.

After uploading the root cert and intermediate cert, I am getting the error below.

And I checked the class and method below to confirm that the XML_STRING parameter does not exist. So we are searching for SAP Notes, but could not find the right notes, and we could not find a similar issue in SCN blogs either.

It would be great if someone could help us fix the issue.

SAML2-Exception:

CX_SAML20: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML. Long text: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML.
    at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 33)
    at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 255)
    at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
    at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
    at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)

Thanks,

Nagaraju

0 Kudos

Hi All,


The ADFS server is not sending the SAML Assertion information to the SAP system. So, we have made the corrections below:

Fix at ADFS side:

  1. The signature was set to SHA 256 and the ESO team changed it to SHA 1.
  2. The NameID format was set to UPN and SAML 2.0. The ESO team changed the NameID to EnterpriseID and the format to unspecified.

Thanks,

Nagaraju

Answers (3)


sandeepkarnati
Participant
0 Kudos

Hello POD,

I am having a similar issue....

Could you please suggest how to fix the issues here.

a) Actually, in my system the signature was set to SHA1.

b) Could you be more specific on how to change "1. The NameID format was set to UPN and SAML 2.0. The ESO team changed the NameID to EnterpriseID and the format to unspecified."

former_member2987
Active Contributor
0 Kudos

Moved to SSO Space

Former Member
0 Kudos

Hello,

Any errors in dev_icm?

Have you imported the root and intermediate certificates of the ADFS signing certificate in STRUSTSSO2?

Are the Local and Trusted Provider enabled in SAML2?

Regards

Thomas

0 Kudos

Hi Thomas,

Yes, I have imported all three certificates of ADFS in my SAP system under STRUST and I can see those certs under STRUSTSSO2 as well.

Please find the dev_icm logs (a few) below.

[Thr 8040] Thu Mar 03 06:43:11 2016
[Thr 8040] *** WARNING => Connection request from (9/10/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 8040]  {0018f32e} [icxxconn.c 2108]
[Thr 8040] Thu Mar 03 06:48:11 2016
[Thr 8040] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 8040]  {0004f351} [icxxconn.c 2108]
[Thr 6640] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 6640]  {0004f352} [icxxconn.c 2108]
[Thr 5792] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 5792]  {0004f353} [icxxconn.c 2108]
[Thr 6640] Thu Mar 03 06:53:06 2016
[Thr 6640] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 6640]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLA.pse"
[Thr 2360] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"
[Thr 6640] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
[Thr 2360] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
[Thr 6640] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 2360] SecudeSSL_SessionStart: SSL_accept() failed --
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
[Thr 6640] ERROR in ssl3_get_server_certificate: (536872221/0x2000051d) Server's certificate (chain) is untrusted (or incomplete)
[Thr 6640] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN"
[Thr 6640] ERROR in get_path: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot
[Thr 6640] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot
[Thr 6640] << ---------- End of Secude-SSL Errorstack ----------
[Thr 2360] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 6640] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2360] WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer
[Thr 2360] << ---------- End of Secude-SSL Errorstack ----------
[Thr 2360]   SSL NI-sock: local=10.35.20.54:8001 peer=10.35.20.54:56947
[Thr 2360] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07A50)==SSSLERR_SSL_ACCEPT
[Thr 6640]   SSL NI-sock: local=10.35.20.54:56947 peer=10.35.20.54:8001
[Thr 2360] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1713]
[Thr 6640] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07730)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 6640] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0013f386} [icxxconn.c 1989]
[Thr 10424] Thu Mar 03 06:53:11 2016
[Thr 10424] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 10424] {0013f389} [icxxconn.c 2108]
[Thr 2360] Thu Mar 03 06:58:11 2016
[Thr 2360] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 2360]  {0004f3c8} [icxxconn.c 2108]
[Thr 7756] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 7756]  {0004f3c9} [icxxconn.c 2108]
[Thr 11104] Thu Mar 03 06:58:12 2016
[Thr 11104] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 11104] {0004f3ca} [icxxconn.c 2108]
[Thr 10676] Thu Mar 03 07:03:10 2016
[Thr 10676] *** WARNING => Connection request from (2/3/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 10676] {0018f40f} [icxxconn.c 2108]
[Thr 8040] Thu Mar 03 07:08:11 2016
[Thr 8040] *** WARNING => Connection request from (7/8/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

Thanks,

Nagaraju

Former Member
0 Kudos

Hello,

the ICM trace indicates that there is something wrong with your certificates (chain).

Has SSL been set up in the ABAP stack?

Regards

Thomas.

0 Kudos

Hi Thomas,

Yes, it has been done with a self-signed SSL certificate. Do we need SSL with a CA-signed one? If yes: right now we are working with self-signed SSL, which is working fine for accessing our application over HTTPS.

Thanks,

Nagaraju

Former Member
0 Kudos

Hello,

no need to get them signed by a CA.

You can add your own CA via STRUSTSSO2: select "Database" under the "Certificate" menu.

Where did you import the root and intermediate certificates of the ADFS signing certificate in STRUSTSSO2? This should be under SSL Client standard.

Regards

Thomas.

0 Kudos

Hi Thomas,

1) I tried to select Certificate --> Database, but here I am unable to see an Add option; I can see Create, but it does not ask to add any cert.

It seems I have already added my cert in SSL Server Standard.

The ADFS certs are added under SSL Client Standard.

Thanks,

Nagaraju

0 Kudos

Hi All,

I am getting the error below after uploading the server certs.

Please support me here.

More information about the exception during SAML 2.0 processing

SAML2-Exception:

CX_SAML20: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML. Long text: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML.
    at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 33)
    at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 255)
    at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
    at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
    at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)


Intern data:SAPSYS:::ASMDASOLMAN:::SM1:::000:::WP#3

Thanks,

Nagaraju