on 04-07-2016 4:00 PM
We are doing SAP HANA SSO integration with our IdP. The following steps have been performed:
Post configuration, when we access our XS application, it authenticates with our IdP. But when it hits the ACS URL, it displays the following error - "StatusCode in ResponseMessage != OK; please refer to the database trace for more information". The trace shows -
e XSSession | XSSessionLifecycle.cpp(00254) : Assertion authentication failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: ) |
Amendments Tried:
Queries:
Hi Umesh,
I'm having the exact same issue. Could you share the solution for this issue if you solved it?
thanks,
Emerson
Hi Emerson,
Yes, we have resolved this issue ourselves, but SAP notes on enabling debug level logs and certificate storage helped a lot.
Basically, the issue is related to certificate storage. Older versions of SAP HANA by default used file-based storage, the PSE files.
When you import IdP Metadata in XS Admin, it shows the IdP certificate as imported if you look at it under the Trust Manager app in XS Admin. (I might not be using accurate terms). You can also use a command line tool to see the content of the PSE file. It shows your IdP's cert.
The issue here is (and I guess this is a bug in SAP HANA) that it does not import the IdP certificate and its issuer into the database. The latest SAP HANA version uses the database as the storage for the certificate.
The runtime verification of the token signing certificate happens against the database, but signature validation fails as there is no certificate in the database.
Solution: In SAP HANA Cockpit, configure the "Certificate Store" and "Certificate Collections" applications. You will need appropriate roles. Refer to Tile Catalog: SAP HANA Certificate Management - SAP HANA Administration Guide - SAP Library
Import your IdP's token signing certificate and its CA certificate. Then add your certificate to the collection named "SAML". If you have the same issue as ours, this should resolve your issue.
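A way to confirm the diagnosis in the answer above before changing the store, as an added example that is not part of the original thread or of SAP's tooling: it compares the certificate embedded in a captured SAML response with the certificates in a PEM export of the trust store. It assumes you have both as text; the function names and all sample values are constructed for illustration, and the sample certificates are placeholder bytes, not real X.509.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def _decode(b64_text):
    # IdPs and PEM files wrap base64 across lines; drop all whitespace first.
    return base64.b64decode("".join(b64_text.split()))

def response_cert_fingerprints(saml_xml):
    """Fingerprints of every ds:X509Certificate embedded in the response."""
    # Parse only responses captured from your own IdP; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(saml_xml)
    return [fingerprint(_decode(n.text or "")) for n in root.iter(DS + "X509Certificate")]

def store_fingerprints(pem_bundle):
    """Fingerprints of all certificates in a PEM export of the trust store."""
    return {fingerprint(_decode(body)) for body in PEM_RE.findall(pem_bundle)}

def missing_from_store(saml_xml, pem_bundle):
    """Return fingerprints the IdP signed with that the store does not contain."""
    found = response_cert_fingerprints(saml_xml)
    if not found:
        # KeyInfo is optional in SAML; fall back to the cert in the IdP metadata.
        raise ValueError("no X509Certificate in response; check IdP metadata instead")
    trusted = store_fingerprints(pem_bundle)
    return [fp for fp in found if fp not in trusted]

# Constructed placeholder bytes, not real X.509 certificates.
IDP_CERT = b"constructed IdP token signing certificate"
OTHER_CERT = b"constructed unrelated certificate"

def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo>'
    "<ds:X509Data><ds:X509Certificate>\n" + base64.b64encode(IDP_CERT).decode()
    + "\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
)
```

An empty result only shows the signing certificate is present in the export; it says nothing about the issuer's CA certificate, which the answer also imports.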
Thanks for the help Umesh.
In the end it was a combination of the solution you suggested together with an SAP Note (2127582 - SAML SSO between HANA SP09 and BI fails with error: Assertion is not intended for this service provider)
It looks like a bug. Some of the admin preferences weren't being updated in the XS database, so I had to manually set them by SQL.
Thanks again,
Emerson Urushibata