
SAML2 with ADFS using web dispatcher does not work

0 Kudos

Dear All,

I have configured Single Sign-On for NWBC using SAML2 with ADFS 3.0. Currently the scenario works perfectly. Now, I want to extend this to include a web dispatcher. Sadly, I cannot get this to work. I have followed this discussion:

SAML 2.0 Service Provider for AS ABAP and Web Dispatcher or Proxy - Security and Identity Management...

I have deleted the previous SAML2 config and configured it after accessing the SAML UI via the webdispatcher. I have downloaded the metadata and reconfigured the relying party accordingly.

Now, single sign-on works for NWBC only if accessed directly using the server URL, but does not work when accessed via the web dispatcher. The error message is:

No relay state mapping found for value xxxxxxxxx

Does anyone know if there is anything additional I need to do?

I have checked the metadata file downloaded from SAML config and find no information about the web dispatcher URL. I can't see how this is expected to work.

Any ideas/thoughts are highly appreciated.

Regards

Joyee

Accepted Solutions (0)

Answers (3)


JoeGoerlich
Active Contributor

Hello,

I had a similar issue and fixed it by switching the settings for the authentication response in the IdP settings on AS ABAP:

In the traces from sec_diag_tool I found that after this adjustment the AssertionConsumerServiceURL is added to the outgoing AuthnRequest:

SAML20 SP (client 100): Outgoing AuthnRequest
SAML20 Binding: POST
SAML20 Signed: True
SAML20 IdP Name: rs.entitlement.siemens.com
SAML20 Destination: https://IdP.com/GetAccess/Saml/IDP/SSO/Post
SAML20 <samlp:AuthnRequest ID="S005b1-28c-1ee-981-b92aa112"
SAML20 Version="2.0"
SAML20 IssueInstant="2016-08-12T13:08:04Z"
SAML20 Destination="https://IdP.com/GetAccess/Saml/IDP/SSO/Post"
SAML20 ForceAuthn="false"
SAML20 IsPassive="false"
SAML20 AssertionConsumerServiceURL="https://your-server.com/"
SAML20 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML20 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
SAML20 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

My IdP uses this AssertionConsumerServiceURL for the redirect after successful authentication, and then the relay state could be mapped.



Hopefully this helps you.

Regards

Johannes Goerlich

nelis
Active Contributor
0 Kudos

Hi,

When you generate the metadata on SAP to export and use in ADFS make sure you are connected via your web dispatcher i.e. run SAML2 from the web dispatcher, not on the actual SAP server.

By doing the above the web dispatcher will be included in the metadata and not the actual SAP server. Then when you create the relying party trust on ADFS it will have the correct information to communicate via your web dispatcher.

Regards,

Nelis

Colt
Active Contributor
0 Kudos

Hi Joyee,

Only an idea. At least I had this error before myself. The root cause is normally the fact that you access a protected resource using the WD (host name) but the identity provider is returning the SAML 2.0 response to a different host name (maybe the direct app server). Try to play with the URLs, FQDNs and DNS to fix those issues.


Thx

Carsten
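The three answers above point at the same check: the AssertionConsumerService endpoints the IdP will post the response to (in the exported SP metadata, and in the AssertionConsumerServiceURL of the outgoing AuthnRequest that Johannes shows in his trace) must be on the web dispatcher host the browser actually uses, not on the backend application server. The following script is an added example, not code from the thread or from SAP: it parses a constructed SP metadata document and a constructed AuthnRequest and reports every ACS endpoint whose host differs from the entry URL. The host names, ports and paths in the samples are invented for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample SP metadata, as it looks when SAML2 was exported while
# connected directly to the application server: both ACS endpoints still
# point at the backend host instead of the web dispatcher.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sapserver.example.internal/sap/saml2/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sapserver.example.internal:44300/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sapserver.example.internal:44300/sap/saml2/sp/acs/100" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample AuthnRequest in the shape of the trace above: here the SP
# already sends an AssertionConsumerServiceURL on the web dispatcher host.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2016-08-12T13:08:04Z"
    Destination="https://idp.example.com/sso"
    AssertionConsumerServiceURL="https://webdispatcher.example.com/sap/saml2/sp/acs/100"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sapserver.example.internal/sap/saml2/sp</saml:Issuer>
</samlp:AuthnRequest>
"""


def metadata_acs_locations(metadata_xml):
    """All AssertionConsumerService Location URLs declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]


def authn_request_acs_url(authn_request_xml):
    """The AssertionConsumerServiceURL attribute of an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    return root.get("AssertionConsumerServiceURL")


def host_of(url):
    """Host[:port] part of a URL, lower-cased for comparison."""
    return urlparse(url).netloc.lower()


def check_acs_endpoints(entry_url, metadata_xml, authn_request_xml=None):
    """Return findings for every ACS endpoint not on the host of entry_url.

    entry_url is the URL users open in the browser (the web dispatcher). A
    response posted to any other host lands on a server that never issued the
    request, so the relay state cannot be mapped there.
    """
    expected = host_of(entry_url)
    findings = []
    for loc in metadata_acs_locations(metadata_xml):
        if host_of(loc) != expected:
            findings.append(
                f"metadata ACS {loc} is not on {expected}: "
                "re-export the SP metadata through the web dispatcher and re-import it at the IdP"
            )
    if authn_request_xml is not None:
        acs = authn_request_acs_url(authn_request_xml)
        if acs is None:
            findings.append(
                "AuthnRequest carries no AssertionConsumerServiceURL: "
                "the IdP falls back to the ACS Location from the metadata"
            )
        elif host_of(acs) != expected:
            findings.append(f"AuthnRequest ACS {acs} is not on {expected}")
    return findings


if __name__ == "__main__":
    entry = "https://webdispatcher.example.com/sap/bc/nwbc"
    for finding in check_acs_endpoints(entry, SAMPLE_METADATA, SAMPLE_AUTHN_REQUEST):
        print(finding)
```

Run it against the metadata file downloaded from the SAML2 UI and the AuthnRequest captured from sec_diag_tool (or decoded from the browser's SAMLRequest parameter); an empty result means every endpoint the IdP can post to is on the web dispatcher host, which is the state Nelis's re-export and Johannes's response setting are meant to reach.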