
SAML SSO is not working for SAP system with ADFS

Hi All,

I am trying to configure Single Sign-on with ADFS for SAP System.

What I have done so far is:

====================

1) Ran t-code SAML2 on the SAP system, downloaded the Service Provider (SAP system) metadata file, and the ADFS team uploaded it to the ADFS server.

2) Imported the ADFS metadata file and digital certificate into the SAP system and completed the configuration as per the guidelines:

SAML 2.0 at SAP Gateway and MSFT ADFS - SAP.com

How to access application:

====================

1) I access the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

2) My request is routed to the ADFS federation portal https://federation-sts-stage.xxxx.com/adfs/ls/ and I get the ADFS sign-on screen.

3) After providing the ADFS user ID/password, my request is redirected to the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

But here we get the SAP Fiori login page, which means SSO is not working between ADFS and the SAP system.

I enabled the SAML2 trace on my SAP system and got the errors below:

SAML20 SP (client 100 ): Exception raised:
SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
SAML20 at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
SAML20 at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
SAML20 at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
SAML20 at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
SAML20 at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)

Thanks,

Nagaraju


4 Answers

  • Best Answer
    Former Member
    Posted on Mar 04, 2016 at 02:57 PM

    Hello,

    the clue is in your dev_icm:

    [Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"

    (...)

    [Thr 2360] session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"

    (...)

    [Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

    SAPSSLS.pse indicates that the certificates in "SSL client SSL Client (Standard)" are not correct or not complete.

    The ADFS certificates will have been automatically added by the SAML2 transaction/configuration under "SSF SAML2 Service Provider ...".

    It's not sufficient to add the ADFS certificate to "SSL client SSL Client (Standard)": the intermediate and root certificates which are used to sign the ADFS certificate need to be added here too!

    Those root and intermediate certificates can be extracted from the ADFS certificate.

    Refer to http://service.sap.com/sap/support/notes/1094342 for how to extract the root and intermediate certificates.


    Regards

    Thomas.


    • Hi All,


      The ADFS server was not sending the SAML assertion information to the SAP system. So we corrected it as below:

      Fix at ADFS side:

      1. The signature was set to SHA 256 and the ESO team changed it to
        SHA 1.
      2. The NameID format was set to UPN and SAML 2.0. The ESO team
        changed the NameID to EnterpriseID and the format to unspecified.

      Thanks,

      Nagaraju

  • Former Member
    Posted on Mar 02, 2016 at 02:56 PM

    Hello,

    Any errors in dev_icm?

    Have you imported the root and intermediate certificates of the ADFS signing certificate in STRUSTSSO2?

    Are the Local and Trusted Provider enabled in SAML2?

    Regards

    Thomas


    • Hi All,

      I am getting the error below after uploading the server certs.

      Please support me here.

      More information about the exception during SAML 2.0 processing

      SAML2-Exception:

      CX_SAML20: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML. Long text: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML.
      at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 33)
      at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 255)
      at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
      at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
      at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
      at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
      at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
      at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)


      Intern data:SAPSYS:::ASMDASOLMAN:::SM1:::000:::WP#3

      Thanks,

      Nagaraju

  • Posted on Mar 02, 2016 at 02:58 PM

    Moved to SSO Space


  • Posted on Aug 22, 2016 at 03:24 PM

    Hello POD,

    I am having a similar issue.

    Could you please suggest how to fix the issues here?

    a) Actually, in my system the signature was set to SHA1.

    b) Could you be more specific about how to change the following?

    "1. The NameID format was set to UPN and SAML 2.0. The ESO team
       changed the NameID to EnterpriseID and the format to unspecified."
