Former Member

HANA On-premise XS SAML Authentication: Unable to verify XML signature

We are doing SAP HANA SSO integration with our IdP. The following steps have been performed:

  1. We have created a Simple Hello World XS Application (using Create Your First HANA XS Application using HANA Studio). The application was tested with basic authentication and it worked.
  2. Following Use SAML to enable SSO for your SAP HANA XS App (SPS 09 rev 92 or later), we have configured SAML SSO (excluding step 4).
  3. In the Trust Store, we have imported the IWA Root certificate and the IdP's Digital Signing Certificate.
  4. Under Service Provider Configuration, we are using SHA1 as our Hash logic.
  5. The SP metadata content carried the ACS URL as https://<server-name>:4300/sap/hana/xs/saml/login.xscfunc

Post-configuration, when we access our XS application it authenticates with our IdP. But when it hits the ACS URL it displays the following error: "StatusCode in ResponseMessage != OK; please refer to the database trace for more information". The trace shows:

e XSSession XSSessionLifecycle.cpp(00254) : Assertion authentication failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: )

Amendments Tried:

  1. On the IdP end, we have tried both signature types - Assertion and Response.
  2. In the trace portal, we have set the trace level to Debug for our application as well as sap.hana.xs.saml. But still we receive only the above message.

Queries:

  1. Are we using the correct ACS?
  2. How can we increase the trace level to get better detailing of the error message?
  3. We have also implemented the solution provided in Troubleshooting Issues when implementing SAML SSO in HANA XS Engine but did not succeed. So please let us know if there are any different options that can be tried out.

1 Answer

  • Posted on Aug 30, 2016 at 04:53 PM

    Hi Umesh,

    I'm having the exact same issue. Could you share the solution for this issue if you solved it?

    thanks,

    Emerson


    • Thanks for the help Umesh.


      In the end it was a combination of the solution you suggested together with a SAP Note (2127582 - SAML SSO between HANA SP09 and BI fails with error: Assertion is not intended for this service provider).

      It looks like a bug. Some of the admin preferences weren't being updated in the XS database so I had to manually set them by SQL.

      Thanks again,

      Emerson Urushibata
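
An added example, not part of the original thread and not SAP's code: a stdlib-only Python helper that decodes a captured SAMLResponse and reports where the IdP placed the signature (Response or Assertion), which algorithms it used, and whether Destination and Audience match the SP's ACS URL and provider name. It does not verify the signature cryptographically; the host name, the SP name `HANA_SP` and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml instead for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _algs(parent):
    """Algorithms of a ds:Signature that is a direct child of parent, else None."""
    info = parent.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        return None
    def frag(path):
        el = info.find(path, NS)
        return el.get("Algorithm", "").rsplit("#", 1)[-1] if el is not None else None
    return {"signature": frag("ds:SignatureMethod"),
            "digest": frag("ds:Reference/ds:DigestMethod")}

def inspect_response(b64_response):
    """Summarise a base64 SAMLResponse form field (HTTP-POST binding)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    return {"destination": root.get("Destination"),
            "response_signature": _algs(root),
            "assertion_signature": _algs(assertion) if assertion is not None else None,
            "audiences": [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]}

def findings(report, acs_url, sp_name):
    """Compare the IdP's response with the SP-side values; return the mismatches."""
    out = []
    if report["destination"] != acs_url:
        out.append(f"Destination {report['destination']!r} != ACS URL {acs_url!r}")
    if sp_name not in report["audiences"]:
        out.append(f"SP name {sp_name!r} not in Audience {report['audiences']}")
    if not (report["response_signature"] or report["assertion_signature"]):
        out.append("no ds:Signature on Response or Assertion")
    return out

# Constructed sample (not from the thread): assertion-level SHA-1 signature, values elided.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://hana.example:4300/sap/hana/xs/saml/login.xscfunc"><saml:Assertion>
<ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
</ds:SignedInfo></ds:Signature>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>OTHER_SP</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>""")
```

Feed it the `SAMLResponse` form value captured from the browser's POST to the ACS URL, then call `findings(inspect_response(value), acs_url, sp_name)` with the values from your own SP configuration.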
