HANA On-premise XS SAML Authentication: Unable to verify XML signature

Former Member
0 Kudos

We are doing SAP HANA SSO integration with our IdP. The following steps have been performed:

  1. We have created a Simple Hello World XS Application (using Create Your First HANA XS Application using HANA Studio). The application was tested with basic authentication and it worked.
  2. Following , we have configured SAML SSO (excluding step 4).
  3. In the Trust Store, we have imported IWA Root certificate and IdP's Digital Signing Certificate.
  4. Under Service Provider Configuration, we are using SHA1 as our Hash logic.
  5. SP metadata content carried the ACS url as https://<server-name>:4300/sap/hana/xs/saml/login.xscfunc

Post-configuration, when we access our XS application, it authenticates with our IdP. But when it hits the ACS URL it displays the following error: "StatusCode in ResponseMessage != OK; please refer to the database trace for more information". The trace shows:

e XSSession   XSSessionLifecycle.cpp(00254) : Assertion authentication failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: )

Amendments Tried:

  1. On the IdP end, we have tried both signature types: Assertion and Response.
  2. In the trace portal, we have set the trace level to Debug for our application as well as for sap.hana.xs.saml, but we still receive only the above message.

Queries:

  1. Are we using the correct ACS?
  2. How can we increase the trace level to get better detailing of the error message?
  3. We have also implemented the solution provided in but did not succeed. So please let us know if there are any different options that can be tried out.

Accepted Solutions (0)

Answers (1)

eurushibata
Discoverer
0 Kudos

Hi Umesh,

I'm having the exact same issue. Could you share the solution for this issue if you solved it?

thanks,

Emerson

Former Member
0 Kudos

Hi Emerson,

Yes, we have resolved this issue ourselves, but the SAP Notes on enabling debug-level logs and on certificate storage helped a lot.

Basically, the issue was related to certificate storage. Older versions of SAP HANA by default used file-based storage, the PSE files.

When you import the IdP metadata in XS Admin, it shows the IdP certificate as imported if you look under the Trust Manager app in XS Admin (I might not be using accurate terms). You can also use a command line tool to see the content of the PSE file. It shows your IdP's cert.

The issue here is (and I guess this is a bug in SAP HANA) that it does not import the IdP certificate and its issuer into the database. The latest SAP HANA version uses the database as the storage for certificates.

The runtime verification of the token signing certificate happens against the database, but signature validation fails as there is no certificate in the database.

Solution: In SAP HANA Cockpit, configure the "Certificate Store" and "Certificate Collections" applications. You will need appropriate roles. Refer to Tile Catalog: SAP HANA Certificate Management - SAP HANA Administration Guide - SAP Library

Import your IdP's token signing certificate and its CA certificate. Then add your certificate to the collection named "SAML". If you have the same issue as ours, this should resolve it.
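
The same check and repair can be done from the SQL console instead of the Cockpit tiles. This is an added example, not part of the reply above: it assumes the SYS.CERTIFICATES, SYS.PSES and SYS.PSE_CERTIFICATES system views and the CREATE CERTIFICATE / CREATE PSE / ALTER PSE / SET PSE statements of the SAP HANA SQL reference (in the SQL layer a "certificate collection" is a PSE); the IdP common name, the PEM contents and the certificate IDs are placeholders.

```sql
-- 1. Is the IdP signing certificate in the in-database store at all?
--    An entry in the file-based PSE alone does not satisfy the runtime check.
SELECT CERTIFICATE_ID, SUBJECT_COMMON_NAME, ISSUER_COMMON_NAME, VALID_FROM, VALID_UNTIL
  FROM SYS.CERTIFICATES
 WHERE SUBJECT_COMMON_NAME LIKE '%idp.example.com%';   -- placeholder CN of the IdP

-- 2. Which in-database collections carry the SAML purpose, and what do they hold?
--    An empty result is exactly the situation described above: the signature
--    verifier has no certificate to check the assertion against.
SELECT p.NAME, p.PURPOSE, c.SUBJECT_COMMON_NAME, c.ISSUER_COMMON_NAME, c.VALID_UNTIL
  FROM SYS.PSES p
  JOIN SYS.PSE_CERTIFICATES pc ON pc.PSE_ID = p.PSE_ID
  JOIN SYS.CERTIFICATES c      ON c.CERTIFICATE_ID = pc.CERTIFICATE_ID
 WHERE p.PURPOSE = 'SAML';

-- 3. Repair (needs certificate/trust administration privileges, e.g. CERTIFICATE ADMIN
--    and TRUST ADMIN): import the IdP signing certificate and its issuing CA,
--    put both into a collection, and mark that collection for SAML.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
...placeholder PEM of the IdP token signing certificate...
-----END CERTIFICATE-----' COMMENT 'IdP token signing certificate';

CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
...placeholder PEM of the CA that issued it...
-----END CERTIFICATE-----' COMMENT 'IdP signing CA';

CREATE PSE SAML;
-- Use the CERTIFICATE_ID values reported by the query in step 1 for both certificates.
ALTER PSE SAML ADD CERTIFICATE <certificate_id_of_signing_cert>;
ALTER PSE SAML ADD CERTIFICATE <certificate_id_of_ca_cert>;
SET PSE SAML PURPOSE SAML;

-- Re-run step 2: the SAML collection should now list the IdP certificate and its CA,
-- and the "Unable to verify XML signature" trace entry should stop appearing.
```

Check VALID_UNTIL in step 1 as well: an expired IdP signing certificate in the store fails verification in the same way as a missing one.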

eurushibata
Discoverer
0 Kudos

Thanks for the help Umesh.


In the end it was a combination of the solution you suggested together with an SAP Note (2127582 - SAML SSO between HANA SP09 and BI fails with error: Assertion is not intended for this service provider).

It looks like a bug. Some of the admin preferences weren't being updated in the XS database, so I had to set them manually by SQL.

Thanks again,

Emerson Urushibata