Skip to Content

SAML2 with ADFS using web dispatcher does not work

Dear All,

I have configured Single Sign on for NWBC using SAML2 with ADFS 3.0. Currently the scenario works perfectly. Now , I want to extend this to include a web dispatcher. Sadly, I cannot get this to work. I have followed this discussion:

SAML 2.0 Service Provider for AS ABAP and Web Dispatcher or Proxy - Security and Identity Management - SCN Wiki

I have deleted the previous SAML2 config and configured it after accessing the SAML UI via the webdispatcher. I have downloaded the metadata and reconfigured the relying party accordingly.

Now, single sign on works for NWBC only if accessed directly using the server URL but does not work when accessed via web dispatcher. The error message is :

No relay state mapping found for value xxxxxxxxx

Does anyone know if there is anything additional I need to do.

I have checked the metadata file downloaded from SAML config and find no information about the web dispatcher URL. I can't see how this is expected to work.

Any ideas/thoughts are highly appreciated.



Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Posted on Jul 26, 2016 at 07:33 AM


    When you generate the metadata on SAP to export and use in ADFS make sure you are connected via your web dispatcher i.e. run SAML2 from the web dispatcher, not on the actual SAP server.

    By doing the above the web dispatcher will be included in the metadata and not the actual SAP server. Then when you create the relying party trust on ADFS it will have the correct information to communicate via your web dispatcher.



    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jul 22, 2016 at 04:08 PM

    Hi Joyee,

    only idea. At least I had this error before by myself. Root cause normally is the fact, you access a protected resource using the WD (host name) but identity provider is returning the SAML 2.0 response to a different host name (maybe direct app server). Try to play with the URLs, FQDNs and DNS to fix that issues.



    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Aug 12, 2016 at 01:33 PM


    i had a similar issue and fixed it by switching the settings for authentification response in the IdP settings on AS ABAP:

    In the traces from sec_diag_tool i found that after this adjustment the AssertionConsumerServiceURL is added to the outgoing AuthnRequest:

    SAML20 SP (client 100 ): Outgoing AuthnRequest

    SAML20 Binding: POST

    SAML20 Signed: True

    SAML20 IdP Name:

    SAML20 Destination:

    SAML20 <samlp:AuthnRequest ID="S005b1-28c-1ee-981-b92aa112"

    SAML20 Version="2.0"

    SAML20 IssueInstant="2016-08-12T13:08:04Z"

    SAML20 Destination=""

    SAML20 ForceAuthn="false"

    SAML20 IsPassive="false"

    SAML20 AssertionConsumerServiceURL=""

    SAML20 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

    SAML20 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

    SAML20 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    My IdP use this AssertionConsumerServiceURL for the redirect after successful authentification and

    then the relaystate could be mapped.

    Hopefully this could help you


    Johannes Goerlich

    IdP_settings.png (14.9 kB)
    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.