on 03-02-2016 2:24 PM
Hi All,
I am trying to configure Single Sign-on with ADFS for SAP System.
What I have done so far is:
====================
1) Ran t-code SAML2 on the SAP system, downloaded the Service Provider (SAP system) metadata file, and the ADFS team uploaded it to the ADFS server.
2) Imported the ADFS metadata file + digital certificate into the SAP system and completed the configuration as per the guidelines.
How to access application:
====================
1) Once I access the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
2) Our request is routed to the ADFS Federation Portal https://federation-sts-stage.xxxx.com/adfs/ls/ and we get the ADFS Portal sign-on screen.
3) After providing the ADFS user ID/password, my request is redirected to the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
But here we get the SAP Fiori login page, which means SSO is not working between ADFS and the SAP system.
I have enabled the SAML2 trace on my SAP system and got the errors below:
SAML20 SP (client 100): Exception raised:
SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
SAML20 at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
SAML20 at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
SAML20 at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
SAML20 at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
SAML20 at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)
Thanks,
Nagaraju
Hello,
the clue is in your dev_icm:
[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
(...)
[Thr 2360] session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
(...)
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
SAPSSLS.pse indicates that the certificates in "SSL client SSL Client (Standard)" are not correct or not complete.
The ADFS certificates will have been automatically added by the SAML2 transaction/configuration under "SSF SAML2 Service Provider ...".
It's not sufficient to add the ADFS certificate to "SSL client SSL Client (Standard)": the intermediate and root certificates which are used to sign the ADFS certificate need to be added here!
Those root and intermediate certificates can be extracted from the ADFS certificate.
Refer to http://service.sap.com/sap/support/notes/1094342 for how to extract the root and intermediate certificates.
Regards
Thomas.
Thanks Thomas for your support.
After uploading the root cert & intermediate cert, I am getting the error below.
And I verified the class and method below to check that the XML_STRING parameter does not exist. So we are searching for SAP Notes, but could not find the right notes, and even in SCN blogs we could not find a similar issue.
It would be great if someone could help us fix the issue.
SAML2-Exception:
Thanks,
Nagaraju
Hi All,
The ADFS server is not sending the SAML assertion information to the SAP system. So we have applied the corrections below:
Fix at ADFS side:
Thanks,
Nagaraju
Hello POD,
I am having a similar issue....
Could you please suggest how to fix the issue here?
a) Actually, in my system the signature was set to SHA1.
b) Could you be more specific about how to change "
"
Moved to SSO Space
Hello,
Any errors in dev_icm?
Have you imported the root and intermediate certificates of the ADFS signing certificate in STRUSTSSO2?
Are the Local and Trusted Provider enabled in SAML2?
Regards
Thomas
Hi Thomas,
Yes, I have imported all three ADFS certificates into my SAP system under STRUST, and I can see those certs under STRUSTSSO2 as well.
Please find a few of the dev_icm logs below.
[Thr 8040] Thu Mar 03 06:43:11 2016
[Thr 8040] *** WARNING => Connection request from (9/10/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 8040] {0018f32e} [icxxconn.c 2108]
[Thr 8040] Thu Mar 03 06:48:11 2016
[Thr 8040] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 8040] {0004f351} [icxxconn.c 2108]
[Thr 6640] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 6640] {0004f352} [icxxconn.c 2108]
[Thr 5792] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 5792] {0004f353} [icxxconn.c 2108]
[Thr 6640] Thu Mar 03 06:53:06 2016
[Thr 6640] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 6640] session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLA.pse"
[Thr 2360] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"
[Thr 6640] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
[Thr 2360] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 2360] session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
[Thr 6640] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 2360] SecudeSSL_SessionStart: SSL_accept() failed --
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
[Thr 6640] ERROR in ssl3_get_server_certificate: (536872221/0x2000051d) Server's certificate (chain) is untrusted (or incomplete)
[Thr 6640] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN"
[Thr 6640] ERROR in get_path: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot
[Thr 6640] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot
[Thr 6640] << ---------- End of Secude-SSL Errorstack ----------
[Thr 2360] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 6640] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2360] WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer
[Thr 2360] << ---------- End of Secude-SSL Errorstack ----------
[Thr 2360] SSL NI-sock: local=10.35.20.54:8001 peer=10.35.20.54:56947
[Thr 2360] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07A50)==SSSLERR_SSL_ACCEPT
[Thr 6640] SSL NI-sock: local=10.35.20.54:56947 peer=10.35.20.54:8001
[Thr 2360] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1713]
[Thr 6640] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07730)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 6640] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0013f386} [icxxconn.c 1989]
[Thr 10424] Thu Mar 03 06:53:11 2016
[Thr 10424] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 10424] {0013f389} [icxxconn.c 2108]
[Thr 2360] Thu Mar 03 06:58:11 2016
[Thr 2360] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 2360] {0004f3c8} [icxxconn.c 2108]
[Thr 7756] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 7756] {0004f3c9} [icxxconn.c 2108]
[Thr 11104] Thu Mar 03 06:58:12 2016
[Thr 11104] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 11104] {0004f3ca} [icxxconn.c 2108]
[Thr 10676] Thu Mar 03 07:03:10 2016
[Thr 10676] *** WARNING => Connection request from (2/3/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 10676] {0018f40f} [icxxconn.c 2108]
[Thr 8040] Thu Mar 03 07:08:11 2016
[Thr 8040] *** WARNING => Connection request from (7/8/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
Thanks,
Nagaraju
Hi All,
I am getting the error below after uploading the server certs.
Please support me here.
More information about the exception during SAML 2.0 processing
SAML2-Exception:
Intern data: SAPSYS:::ASMDASOLMAN:::SM1:::000:::WP#3
Thanks,
Nagaraju