on 03-30-2016 3:06 PM
Dear Experts,
We are trying to do SAML configuration with SMP and set up the trust between SMP and the ADFS system via metadata file exchange. When I try to do a registration from a REST client,
the app registration is able to redirect to our ADFS system and log in successfully. But after login, we get error 403 Forbidden.
https://SMPHOST:8081/odata/applications/latest/com.saml.logon/Connections
The screen flow below shows the redirect to ADFS:
After successful login, I get:
I am able to capture the APPCID and SMPSession via the SAML trace, and if I continue to do the registration in the REST client I get the following error:
I have followed the below documents:
I have also seen the OSS Note: 2163908
I am also trying to do a Fiori client with SAML, and I get a similar 403 error after login succeeds. Any suggestions?
Any suggestions on the 403 and the failure to redirect?
Regards,
Nagesh
Check your backend server; it looks like you have a SICF service that's not active, or maybe it's on ADFS.
I am assuming there are no cert/SSL trust issues between the servers involved. If so, look at the link below on the steps to activate SAML on GW:
1: Configuring SAML for Use in SAP Gateway - SAP Gateway Foundation (SAP_GWFND) - SAP Library
Sorry about the mix-up, so how about from SMP to GW or another backend?
Your log file above says access to the resource is forbidden. I assume backend resources are protected somehow. This could be the source of your 403; in other words, the 403 could be coming from your backend server if your SAML authentication was successful and SMP is properly configured. Do you see any traffic between the backend and SMP?
I would say raise your logging on SMP to trace (especially for connectivity and proxy) and post the log.
Also, I am assuming com.saml.logon is your app ID.
Hi Nagesh,
According to the trace you are getting, have you checked your browser JavaScript configuration?
How to enable JavaScript in your browser and why
Best Regards,
Emanuel
You may try to get a Fiddler trace with Fiori Client (How to Capture Fiori Client Mobile Device Traffic using Fiddler - SAP Mobility - SCN Wiki). Make sure you are using the latest SDK for a custom client or the latest on the App Store.
Regards,
Kevin
I tried to get Fiddler working, but there is an internal proxy which blocks the requests, and it's unable to reach the ADFS system (this is only the case with Fiddler). Any alternative approach or any suggestions to fix this issue?
Also, I would like to understand whether the ports are required to be open between ADFS (443) and SMP (8081) between the two systems. As far as I understand, it's only a redirect with cookies.
Regards,
Nagesh
You can see the SAML flow here http://scn.sap.com/community/developer-center/mobility-platform/blog/2015/07/04/smp-3-security--conf.... Port number reference is here http://help.sap.com/saphelp_smp3010svr/helpdata/en/7c/27c5767006101495339e5c0a746999/content.htm.
I got Fiddler working, but I don't see much information here.
I can see the SAML Response:
On SMP I see Registration Error with the following message:
#2.0#2016-03-31 02:42:56 PM#ERROR#ApplicationSettings###Registration#145942457287009#5f918bba-b513-412e-9814-2fb08a6851af#fiorisaml#com.sap.mobile.platform.server.coreservices.configuration.service.ApplicationConnectionServiceImpl:isAppConnInputValid########645#####Invalid application connection#
Here are the details of the 403 from the log:
POST https://SMPHOST:8091/saml/sso HTTP/1.1
Host: SMPHOST:8091
Content-Type: application/x-www-form-urlencoded
Origin: https://ADFSHOST
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13E233 SAPFioriClient/1.6.4
Referer: https://ADFSHOST/adfs/ls/
Content-Length: 8485
Accept-Language: en-us
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfYTA2NTYwNTItNWRkMy00ZTg4LWI4MjAtNGE0N2FhY2MxZWFmIiBWZXJza2B<deleted>
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Cache-Control: no-store, no-cache, max-age=0
Set-Cookie: X-SMP-SESSID=B5613CCD2447FAD735E84FB7839B27956BC03B144FD728E8BA131D123C47B5F4; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 927
Date: Thu, 31 Mar 2016 11:24:20 GMT
<html><head><title>SAP - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>SAP</h3></body></html>
Regards,
Nagesh
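A small consistency check for a captured SAMLResponse like the one in the trace above, added here as an example (not code from this thread, SMP or ADFS): it decodes the form value and compares Destination, StatusCode, the assertion's validity window and Audience against the SP's own ACS URL, entity ID and clock, which are the first things to verify when the IdP login succeeds but the ACS endpoint answers 403. The sample response is constructed and unsigned, with a deliberate Destination mismatch so the check has something to report; the SP entity ID value is an assumption.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_time(s):
    # SAML xs:dateTime in UTC, with or without fractional seconds
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def check_saml_response(b64_response, expected_acs, expected_audience, now):
    """Decode the SAMLResponse form value and compare it with the SP's own ACS URL,
    entity ID and clock. Returns a list of findings ([] = clean). Signature checking is
    left to the SP itself."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} != ACS {expected_acs!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # ADFS may encrypt the assertion; nothing more to inspect here
        return findings + ["no plaintext Assertion (encrypted or missing)"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid (check clock skew between IdP and SP)")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (check clock skew between IdP and SP)")
        aud = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if aud and expected_audience not in aud:
            findings.append(f"Audience {aud} != SP entity ID {expected_audience!r}")
    return findings

# Constructed sample (not the real trace): unsigned, with Destination deliberately on
# port 8081 while the SP's ACS is on 8091, so the check has something to flag.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2016-03-31T11:24:00Z" Destination="https://SMPHOST:8081/saml/sso">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-03-31T11:24:00Z">
  <saml:Issuer>http://ADFSHOST/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-31T11:24:00Z" NotOnOrAfter="2016-03-31T12:24:00Z">
   <saml:AudienceRestriction><saml:Audience>https://SMPHOST:8091/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
TRACE_TIME = datetime(2016, 3, 31, 11, 24, 20, tzinfo=timezone.utc)  # Date header of the 403
```

Run it against the real SAMLResponse value from the Fiddler capture with SMP's configured ACS URL and entity ID; a clean result means the mismatch is elsewhere (signature trust, the application connection check in the SMP log, or the backend).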