CL_SAML20_RESPONSE->VALIDATE_ASSERTION

0 Kudos

Hi All,

I am having an issue with setting up SSO with ADFS as the IdP for SAP Fiori Launchpad.

I have managed to set up Fiori Dev and QA systems on the test ADFS system we temporarily created.

However, when we implement the same changes on the production ADFS, we get the below error:

CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.

    at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)

    at CL_SAML20_RESPONSE->VALIDATE(Line 72)

    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 86)

    at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)

    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)

Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data. Long text: Error in ST program SAML2_ASSERTION when importing XML data. Diagnosis Signature verification failed (for signer) or Enve System Response Procedure Check the trace of the current work process dev_w. At level 2 you can find further information about the error. Procedure for System Administration

    at CL_SAML20_ABSTRACT_MSG->VERIFY_SIGNATURE(Line 134)

    at CL_SAML20_ABSTRACT_MSG->DECRYPT(Line 107)

    at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 252)

    at CL_SAML20_ASSERTION->CREATE_FROM_XML(Line 52)

    at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 32)

    at CL_SAML20_RESPONSE->VALIDATE(Line 72)

    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 86)

    at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)

    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)

Caused by: CX_SEC_SXML_ERROR: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)

    at CL_SEC_SXML_DSIGNATURE->HANDLE_SSF_ERROR(Line 51)

We followed the following document

Accepted Solutions (0)

Answers (2)

former_member202592
Participant
0 Kudos

Hello,

Could you please make sure that both ADFS and the ABAP Service Provider are using certificates with the SHA-256 algorithm?

This issue usually happens when the IdP or SP is using SHA-1 certificates for signing the SAML response metadata.

Cheers,

Filipe Santos

0 Kudos

Hi Filipe,

Are you talking about the hash algorithm such as below?

Or does it mean we have to export the certificates again but using SHA-256?

Kind regards

Keo
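
Added example, not part of the original thread and not SAP or ADFS code: a stdlib-only Python helper that lists, for each ds:Signature in a captured SAML response, the signature and digest algorithms (flagging SHA-1) and the SHA-256 fingerprint of the embedded signing certificate, so both can be compared with what the service provider is configured to trust. The sample response, the placeholder certificate bytes and the name inspect_signatures are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample: trimmed SAML Response; the certificate is placeholder bytes, not a real one.
FAKE_CERT_DER = b"constructed-placeholder-certificate"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_constructed">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
      </ds:SignedInfo>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def inspect_signatures(xml_text):
    """Describe every ds:Signature in a captured SAML message (read-only, no verification)."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        sig_alg = method.get("Algorithm") if method is not None else None
        digests = [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        cert = sig.find(f".//{DS}X509Certificate")
        fp = None
        if cert is not None and cert.text:
            # Base64 in XML is often line-wrapped; strip whitespace before decoding.
            fp = hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()
        parent = parent_of.get(sig)
        report.append({
            "signed_element": parent.tag.split("}")[-1] if parent is not None else None,
            "signature_alg": sig_alg, "digest_algs": digests,
            "uses_sha1": sig_alg in SHA1_ALGS or any(d in SHA1_ALGS for d in digests),
            "cert_sha256": fp,
        })
    return report


if __name__ == "__main__":
    for entry in inspect_signatures(SAMPLE_RESPONSE):
        print(entry)
```

The helper only reads the XML and does not verify the signature; if the assertion arrives as an EncryptedAssertion, its inner signature is not visible until it has been decrypted.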

Former Member
0 Kudos

I have exactly the same issue on production after importing new ADFS certificates. Did you find a solution?