
SAML + SMP + 403 Forbidden

nageshcaparthy
Product and Topic Expert

Dear Experts,

We are trying to do SAML configuration with SMP and set up the trust between SMP and the ADFS system via metadata file exchange. When I try to do a registration from the REST client,

the app registration is able to redirect to our ADFS system and log in successfully. But after login, we get error 403 Forbidden.

https://SMPHOST:8081/odata/applications/latest/com.saml.logon/Connections

The screen flow, which is redirected to ADFS, is as below:

After successful login, I get:

I am able to capture the APPCID and SMPSession via SAML trace, and if I continue to do the registration in the REST client I get the following error:

I have followed the below documents:

http://scn.sap.com/community/developer-center/mobility-platform/blog/2015/07/04/smp-3-security--conf...

WIKI GUIDE

I have also seen the OSS Note: 2163908

and I am trying to do a Fiori client with SAML, and I get a similar 403 error after login succeeds. Any suggestions?

Any suggestions on the 403 and being unable to redirect?

Regards,

Nagesh

Accepted Solutions (1)

Former Member

Check your backend server; it looks like you have a SICF service that's not active, or maybe on ADFS.

nageshcaparthy
Product and Topic Expert

Hi Adebowale,

Can you please elaborate on the backend SICF service which is required, and on the ADFS issue you mention?

Regards,

Nagesh

Former Member

I am assuming there are no cert/SSL trust issues between the servers involved; if so, look at the link below for the steps to activate SAML on GW:

1: Configuring SAML for Use in SAP Gateway - SAP Gateway Foundation (SAP_GWFND) - SAP Library

Former Member

Apply the SAP Notes on that page also.

nageshcaparthy
Product and Topic Expert

The link is related to GW with SAML. Our scenario is from SMP.

GW with SAML is working fine.

Regards,

Nagesh

Former Member

Sorry about the mix-up; so how about from SMP to GW or another backend?

Your log file above says access to the resource is forbidden. I assume backend resources are protected somehow. This could be the source of your 403; in other words, the 403 could be coming from your backend server if your SAML authentication was successful and SMP is properly configured. Do you see any traffic between the backend and SMP?

I would say turn up your logging on SMP to trace (especially for connectivity and proxy) and post the log.

Also, I am assuming com.saml.logon is your app ID.

Kevin_SAP
Advisor

Nagesh opened an incident on this. Hopefully we can update this when we resolve it. I looked at the error in the SMP log and have seen this with a cookie or certificate naming problem before.

Kevin_SAP
Advisor

Nagesh solved the issue through the incident using SAP Note 1240081. The root issue was the JCE jurisdiction policy files. Please see the SAP Note for the resolution.

Regards,

Kevin
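The resolution above points at the JVM's JCE jurisdiction policy. Before opening an incident, a quick way to confirm whether the JVM that runs SMP is limited to 128-bit symmetric keys is to ask the JCE directly. The following is an added example, not code from the thread or from SAP: it uses the standard `javax.crypto.Cipher.getMaxAllowedKeyLength` API, which returns `Integer.MAX_VALUE` when the unlimited-strength policy is in effect. Run it with the same `java` binary SMP uses (the path to that JRE is an assumption you must fill in); on Java 8u161 and later the unlimited policy is the default, while older JREs need the policy files referenced in the SAP Note.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

// Added example: reports whether this JVM's JCE jurisdiction policy permits
// unlimited-strength symmetric cryptography (e.g. AES-256), which a SAML SP
// needs when the IdP encrypts assertions with a 256-bit key.
public class JcePolicyCheck {

    // Maximum AES key length (in bits) the installed policy allows.
    // Integer.MAX_VALUE means "unlimited".
    public static int maxAesKeyLength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // True when AES-256 is usable, i.e. the unlimited-strength policy is active.
    public static boolean unlimitedStrengthAvailable() throws NoSuchAlgorithmException {
        return maxAesKeyLength() >= 256;
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyLength();
        System.out.println("java.home            : " + System.getProperty("java.home"));
        System.out.println("java.version         : " + System.getProperty("java.version"));
        System.out.println("crypto.policy        : " + java.security.Security.getProperty("crypto.policy"));
        System.out.println("max AES key length   : " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        if (!unlimitedStrengthAvailable()) {
            System.out.println("Limited-strength policy in effect: AES-256-encrypted SAML assertions "
                    + "cannot be decrypted by this JVM until the unlimited policy is installed.");
            System.exit(1);
        }
        System.out.println("Unlimited-strength policy in effect.");
    }
}
```

Compile and run it with the SMP server's own JRE rather than whatever `java` is first on the PATH, e.g. `/path/to/smp/jre/bin/javac JcePolicyCheck.java && /path/to/smp/jre/bin/java JcePolicyCheck` (the path is a placeholder). A non-zero exit status is the signal that the policy files from the SAP Note are missing; the `crypto.policy` line prints `null` on JREs older than 8u151, where the policy is still controlled only by the jar files in `lib/security`.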

nageshcaparthy
Product and Topic Expert

Yes, thank you Kevin for all the support.

Regards,

Nagesh

Answers (2)

former_member190010
Contributor

Hi Nagesh,

According to the trace you are getting, have you checked your browser JavaScript configuration?

How to enable JavaScript in your browser and why

Best Regards,

Emanuel

Kevin_SAP
Advisor

You may try to get a Fiddler trace with Fiori Client (How to Capture Fiori Client Mobile Device Traffic using Fiddler - SAP Mobility - SCN Wiki). Make sure you are using the latest SDK for a custom client, or the latest version on the App Store.

Regards,

Kevin

nageshcaparthy
Product and Topic Expert

Hi,

I tried to get Fiddler working, but there is an internal proxy which blocks the requests, and it is unable to reach the ADFS system (this is only the case with Fiddler). Any alternative approach or any suggestions to fix this issue?

Also, I would like to understand whether the ports are required to be open between ADFS (443) and SMP (8081) between the two systems. As far as I understand, it's only a redirect with cookies.

Regards,

Nagesh

nageshcaparthy
Product and Topic Expert

Hi,

I got Fiddler working, but I don't see much information here.

I can see the SAML Response:

On SMP I see a Registration Error with the following message:

#2.0#2016-03-31 02:42:56 PM#ERROR#ApplicationSettings###Registration#145942457287009#5f918bba-b513-412e-9814-2fb08a6851af#fiorisaml#com.sap.mobile.platform.server.coreservices.configuration.service.ApplicationConnectionServiceImpl:isAppConnInputValid########645#####Invalid application connection#

Here are the details of the 403 from the log:

POST https://SMPHOST:8091/saml/sso HTTP/1.1

Host: SMPHOST:8091

Content-Type: application/x-www-form-urlencoded

Origin: https://ADFSHOST

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13E233 SAPFioriClient/1.6.4

Referer: https://ADFSHOST/adfs/ls/

Content-Length: 8485

Accept-Language: en-us

SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfYTA2NTYwNTItNWRkMy00ZTg4LWI4MjAtNGE0N2FhY2MxZWFmIiBWZXJza2B<deleted>

HTTP/1.1 403 Forbidden

Server: Apache-Coyote/1.1

Cache-Control: no-store, no-cache, max-age=0

Set-Cookie: X-SMP-SESSID=B5613CCD2447FAD735E84FB7839B27956BC03B144FD728E8BA131D123C47B5F4; Path=/; Secure; HttpOnly

Content-Type: text/html;charset=utf-8

Content-Language: en

Content-Length: 927

Date: Thu, 31 Mar 2016 11:24:20 GMT

<html><head><title>SAP - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>SAP</h3></body></html>

Regards,

Nagesh
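The trace above shows the IdP POSTing a base64-encoded `SAMLResponse` to the SMP assertion consumer service (`/saml/sso`) and SMP answering 403 before any application logic runs. When that happens, the first things to check on the SP side are the parts of the response the SP validates: the `Destination`, the status code, the assertion's validity window and audience, and whether the assertion is encrypted (which is where a restricted JCE policy, the actual root cause in this thread, bites). The following is an added example and not code from the thread or from SAP. It decodes a `SAMLResponse` value and runs those structural checks with the JDK's own XML parser, with DTD processing disabled because the response is untrusted input; it does not verify the XML signature, which the SP still must do. The sample response embedded in it is constructed, and the ACS URL and SP entity ID are placeholders that assume the host names from the trace.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example: structural sanity checks on a SAML 2.0 Response as received at
// the SP's assertion consumer service. Signature verification is out of scope.
public class SamlResponseSanityCheck {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    // Constructed sample (the response in the thread is truncated): a minimal unsigned
    // Response as it looks after base64-decoding the SAMLResponse form field.
    static final String SAMPLE_XML =
        "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\""
        + " ID=\"_sample\" Version=\"2.0\" IssueInstant=\"2016-03-31T11:24:10Z\""
        + " Destination=\"https://SMPHOST:8091/saml/sso\">"
        + "<saml:Issuer>http://ADFSHOST/adfs/services/trust</saml:Issuer>"
        + "<samlp:Status><samlp:StatusCode Value=\"" + SUCCESS + "\"/></samlp:Status>"
        + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2016-03-31T11:24:10Z\">"
        + "<saml:Issuer>http://ADFSHOST/adfs/services/trust</saml:Issuer>"
        + "<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>"
        + "<saml:Conditions NotBefore=\"2016-03-31T11:24:10Z\" NotOnOrAfter=\"2016-03-31T12:24:10Z\">"
        + "<saml:AudienceRestriction><saml:Audience>https://SMPHOST:8091/saml/metadata</saml:Audience>"
        + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>";

    public static String base64Sample() {
        return Base64.getEncoder().encodeToString(SAMPLE_XML.getBytes(StandardCharsets.UTF_8));
    }

    // Decode and parse with external entities/DTDs disabled (XXE hardening for untrusted XML).
    public static Document parse(String base64Response) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Response);
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Returns a list of human-readable findings; empty means the structural checks passed.
    public static List<String> findings(Document doc, String expectedAcs, String expectedAudience, Instant now) {
        List<String> out = new ArrayList<>();
        Element resp = doc.getDocumentElement();
        String dest = resp.getAttribute("Destination");
        if (!dest.isEmpty() && !dest.equals(expectedAcs))
            out.add("Destination '" + dest + "' does not match the ACS URL '" + expectedAcs + "'");
        NodeList codes = doc.getElementsByTagNameNS(SAMLP, "StatusCode");
        if (codes.getLength() == 0 || !SUCCESS.equals(((Element) codes.item(0)).getAttribute("Value")))
            out.add("IdP did not report status Success");
        if (doc.getElementsByTagNameNS(SAML, "EncryptedAssertion").getLength() > 0)
            out.add("Assertion is encrypted: the SP must decrypt it, so the JVM's JCE policy must allow the cipher the IdP used");
        NodeList conds = doc.getElementsByTagNameNS(SAML, "Conditions");
        if (conds.getLength() == 0) {
            out.add("No Conditions element on the assertion");
        } else {
            Element c = (Element) conds.item(0);
            String nb = c.getAttribute("NotBefore"), na = c.getAttribute("NotOnOrAfter");
            if (!nb.isEmpty() && now.isBefore(Instant.parse(nb)))
                out.add("Assertion not yet valid (NotBefore " + nb + "): check clock skew between IdP and SP");
            if (!na.isEmpty() && !now.isBefore(Instant.parse(na)))
                out.add("Assertion expired (NotOnOrAfter " + na + "): check clock skew between IdP and SP");
            NodeList aud = c.getElementsByTagNameNS(SAML, "Audience");
            boolean match = false;
            for (int i = 0; i < aud.getLength(); i++)
                if (expectedAudience.equals(aud.item(i).getTextContent().trim())) match = true;
            if (aud.getLength() > 0 && !match)
                out.add("AudienceRestriction does not include the SP entity ID '" + expectedAudience + "'");
        }
        if (doc.getElementsByTagNameNS(DSIG, "Signature").getLength() == 0)
            out.add("No XML Signature present (the sample is unsigned; a real IdP response must be signed and verified)");
        return out;
    }

    // Usage: java SamlResponseSanityCheck [urlencoded-SAMLResponse-value] [ISO-8601 time of receipt]
    public static void main(String[] args) throws Exception {
        String b64 = args.length > 0 ? URLDecoder.decode(args[0], "UTF-8") : base64Sample();
        Instant now = args.length > 1 ? Instant.parse(args[1]) : Instant.parse("2016-03-31T11:24:20Z");
        // Placeholders: the SP's real ACS URL and entity ID come from the SMP SAML metadata.
        List<String> f = findings(parse(b64), "https://SMPHOST:8091/saml/sso", "https://SMPHOST:8091/saml/metadata", now);
        if (f.isEmpty()) System.out.println("Structural checks passed.");
        for (String s : f) System.out.println("FINDING: " + s);
    }
}
```

Paste the raw `SAMLResponse=` value from the Fiddler request body as the first argument (it is form-URL-encoded, which is why the code URL-decodes before base64-decoding) and the `Date` header from the 403 response as the second. On the constructed sample the only finding is the missing signature; on a real capture, a `Destination` mismatch typically means the ADFS relying-party endpoint was registered with a different host or port than the SP metadata advertises, and an `EncryptedAssertion` finding on a JVM that fails the JCE check above is the combination this thread ended up with.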

Kevin_SAP
Advisor

Can you attach the saz trace and SMP log?

Regards,

Kevin