Hi All,
I am trying to configure Single Sign-on with ADFS for SAP System.
What I have done so far is:
====================
1) Ran t-code SAML2 on the SAP system and downloaded the Service Provider (SAP system) Metadata file, which the ADFS team has uploaded to the ADFS server.
2) Imported the ADFS Metadata file + Digital Certificate in the SAP system and done the configuration as per the guidelines.
How to access application:
====================
1) Once I access the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
2) Our request is routed to the ADFS Federation Portal https://federation-sts-stage.xxxx.com/adfs/ls/ and we get the ADFS Portal Sign On screen.
3) My request is redirected to the URL https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html after providing the ADFS User ID/Password.
But here we are getting the SAP Fiori login page, meaning SSO is not working between ADFS and the SAP system.
I have enabled SAML2 trace on my SAP system and got the below errors:
SAML20 SP (client 100 ): Exception raised:
SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
SAML20 at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
SAML20 at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
SAML20 at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
SAML20 at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
SAML20 at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)
Thanks,
Nagaraju
Hello,
The clue is in your dev_icm:
[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
(...)
[Thr 2360] session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
(...)
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
SAPSSLS.pse indicates that the certificates in "SSL client SSL Client (Standard)" are not correct or not complete.
The ADFS certificates will have been automatically added by the SAML2 transaction/configuration under "SSF SAML2 Service Provider ...".
It's not sufficient to add the ADFS certificate to "SSL client SSL Client (Standard)": the intermediate and root certificates which are used to sign the ADFS certificate need to be added there as well!
Those root and intermediate certificates can be extracted from the ADFS certificate.
Refer to http://service.sap.com/sap/support/notes/1094342 for how to extract the root and intermediate certificates.
Regards
Thomas.
Hello POD,
I am having a similar issue.
Could you please suggest how to fix the issue here?
a) Actually, in my system the signature was set to SHA1.
b) Could you be more specific about how to change "
"