on 07-22-2016 3:54 PM
Dear All,
I have configured Single Sign-On for NWBC using SAML2 with ADFS 3.0. Currently the scenario works perfectly. Now, I want to extend this to include a web dispatcher. Sadly, I cannot get this to work. I have followed this discussion:
I have deleted the previous SAML2 config and configured it after accessing the SAML UI via the webdispatcher. I have downloaded the metadata and reconfigured the relying party accordingly.
Now, single sign on works for NWBC only if accessed directly using the server URL but does not work when accessed via web dispatcher. The error message is :
No relay state mapping found for value xxxxxxxxx
Does anyone know if there is anything additional I need to do?
I have checked the metadata file downloaded from SAML config and find no information about the web dispatcher URL. I can't see how this is expected to work.
Any ideas/thoughts are highly appreciated.
Regards
Joyee
Hello,
I had a similar issue and fixed it by switching the settings for the authentication response in the IdP settings on AS ABAP:
In the traces from sec_diag_tool I found that after this adjustment the AssertionConsumerServiceURL is added to the outgoing AuthnRequest:
SAML20 SP (client 100): Outgoing AuthnRequest
SAML20 Binding: POST
SAML20 Signed: True
SAML20 IdP Name: rs.entitlement.siemens.com
SAML20 Destination: https://IdP.com/GetAccess/Saml/IDP/SSO/Post
SAML20 <samlp:AuthnRequest ID="S005b1-28c-1ee-981-b92aa112"
SAML20 Version="2.0"
SAML20 IssueInstant="2016-08-12T13:08:04Z"
SAML20 Destination="https://IdP.com/GetAccess/Saml/IDP/SSO/Post"
SAML20 ForceAuthn="false"
SAML20 IsPassive="false"
SAML20 AssertionConsumerServiceURL="https://your-server.com/"
SAML20 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML20 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
SAML20 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
My IdP uses this AssertionConsumerServiceURL for the redirect after successful authentication, and then the relay state could be mapped.
Hopefully this could help you
Regards
Johannes Goerlich
Hi,
When you generate the metadata on SAP to export and use in ADFS make sure you are connected via your web dispatcher i.e. run SAML2 from the web dispatcher, not on the actual SAP server.
By doing the above the web dispatcher will be included in the metadata and not the actual SAP server. Then when you create the relying party trust on ADFS it will have the correct information to communicate via your web dispatcher.
Regards,
Nelis
Hi Joyee,
Only an idea, but at least I have had this error before myself. The root cause is normally that you access a protected resource using the WD (host name) but the identity provider returns the SAML 2.0 response to a different host name (maybe the direct app server). Try to play with the URLs, FQDNs and DNS to fix that issue.
Thx
Carsten
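To make the mechanism behind Johannes's trace and Carsten's host-name explanation concrete, here is an added example that is not part of this thread and not SAP code. It is a deliberately simplified model of an SP behind a reverse proxy: the RelayState-to-original-URL mapping is kept in a store bound to the host the browser talked to (as a host-bound session cookie would be), and the IdP posts the response back to whatever AssertionConsumerServiceURL the AuthnRequest named. All host names, paths and the `ServiceProvider` class are constructed for the illustration; `check_acs_matches_entry_host` is a hypothetical helper that performs the check a practitioner would run on the AuthnRequest captured in the trace.

```python
"""Model of SP-side RelayState mapping behind a web dispatcher (constructed example)."""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


class ServiceProvider:
    """Toy SP: issues AuthnRequests and consumes responses (not the AS ABAP implementation)."""

    def __init__(self, acs_url: str) -> None:
        self.acs_url = acs_url
        # host -> {relay_state: original URL}. Keyed by host because the
        # browser only sends the SP's session cookie back to the host that set it.
        self._relay_store: Dict[str, Dict[str, str]] = {}

    def start_login(self, requested_url: str) -> Tuple[str, str]:
        """Record where the user wanted to go and build the outgoing AuthnRequest."""
        entry_host = urlparse(requested_url).netloc
        relay_state = secrets.token_hex(8)
        self._relay_store.setdefault(entry_host, {})[relay_state] = requested_url
        authn_request = (
            f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" Version="2.0" '
            f'AssertionConsumerServiceURL="{self.acs_url}" '
            f'ProtocolBinding="{POST_BINDING}"/>'
        )
        return authn_request, relay_state

    def consume_response(self, posted_to_url: str, relay_state: str) -> str:
        """Look the RelayState up in the store of the host the response arrived at."""
        arrival_host = urlparse(posted_to_url).netloc
        mapping = self._relay_store.get(arrival_host, {})
        if relay_state not in mapping:
            # Same symptom as in the question: the mapping exists, but under another host.
            raise LookupError(f"No relay state mapping found for value {relay_state}")
        return mapping.pop(relay_state)


def acs_url_from_authn_request(xml_text: str) -> str:
    """Extract AssertionConsumerServiceURL from an AuthnRequest such as the traced one."""
    root = ET.fromstring(xml_text)
    return root.get("AssertionConsumerServiceURL", "")


def simulate_idp(authn_request: str, relay_state: str) -> Tuple[str, str]:
    """The IdP returns the response (and RelayState) to the ACS URL named in the request."""
    return acs_url_from_authn_request(authn_request), relay_state


def login_via(sp: ServiceProvider, requested_url: str) -> Tuple[Optional[str], Optional[str]]:
    """Run one round trip; returns (final URL, None) on success or (None, error) on failure."""
    request, relay_state = sp.start_login(requested_url)
    posted_to, relay_back = simulate_idp(request, relay_state)
    try:
        return sp.consume_response(posted_to, relay_back), None
    except LookupError as exc:
        return None, str(exc)


def check_acs_matches_entry_host(authn_request: str, requested_url: str) -> bool:
    """Hypothetical pre-flight check: does the ACS host equal the host the user entered on?"""
    acs_host = urlparse(acs_url_from_authn_request(authn_request)).netloc
    return acs_host == urlparse(requested_url).netloc


if __name__ == "__main__":
    WD_URL = "https://wd.example.test/nwbc/"  # constructed web dispatcher URL
    # ACS still pointing at the app server: metadata was generated without the dispatcher.
    print(login_via(ServiceProvider("https://appserver.example.test/saml/acs"), WD_URL))
    # ACS pointing at the dispatcher host: metadata generated through the dispatcher.
    print(login_via(ServiceProvider("https://wd.example.test/saml/acs"), WD_URL))
```

Running the script shows the first round trip failing with the "No relay state mapping found" message and the second one landing on the original NWBC URL. The only difference between the two runs is the host in AssertionConsumerServiceURL, which is exactly what generating the SP metadata through the web dispatcher changes.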