404 Missing Page /BOE/logon.jsp

I'm starting to enable SAML authentication for SAP BO 4.2 SP7 with ADFS 3.0, following
SAP Note 1795949 - Trusted Authentication with SAML Single Sign-On BI 4.x
and the blog: https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

In the blog, many people are still stuck at the final step, testing the login, and receive a redirect page from ADFS with a URL like
https://<Tomcat hostname>:port/BOE/logon.jsp

404 Missing Page. The result appears the same on IE and Chrome.

The redirect page changed from /BOE/saml/metadata to /BOE/logon.jsp after I fixed the issue

...
"
DEBUG SAMLAuthenticationProvider:93 - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a4700g0cabdg17464305h8hh0b7dgje
"
...

Following SAP Note 2753932 - InResponseToField of the Response doesn't correspond to sent message - Front-End SAML Authentication on BI

This issue cannot be fixed by deleting the encryption tab on ADFS or by changing to use SHA-1.

The springsaml.log that I debugged also says
"
2019-05-07 17:43:17 INFO SAMLDefaultLogger:127 - AuthNResponse;SUCCESS;{My client IP Address};https://{BOE URL}:443/BOE/saml/metadata;http://{ADFS}/adfs/services/trust;wiwatsan.nga; https://excelsior-dev.cpf.co.th:443/BOE/saml/SSO" ID="_f687f411-a093-4e27-be07-ebaf80989dc9" InResponseTo="a497jfh0f6128cg81a2i5e97h6e5ga4" IssueInstant="2019-05-07T10:43:16.913Z" Version="2.0"> ...
2019-05-07 17:43:17 DEBUG XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationSuccessEvent[source=org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities]
2019-05-07 17:43:17 DEBUG SAMLProcessingFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
2019-05-07 17:43:17 DEBUG XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities]
2019-05-07 17:43:17 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /logon.jsp
2019-05-07 17:43:17 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/BOE/logon.jsp'
2019-05-07 17:43:17 DEBUG HttpSessionSecurityContextRepository:292 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@1d884871: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2019-05-07 17:43:17 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/favicon.ico'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/images/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/css/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/logout.jsp'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 1 of 9 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-05-07 17:43:17 DEBUG HttpSessionSecurityContextRepository:158 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1d884871: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 3 of 9 in additional filter chain; firing Filter: 'FilterChainProxy'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/login/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/logout/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/metadata/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/sso/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/ssohok/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/singlelogout/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/discovery/**'
2019-05-07 17:43:17 DEBUG FilterChainProxy:180 - /logon.jsp has no matching filters
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-05-07 17:43:17 DEBUG AnonymousAuthenticationFilter:107 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/bi'
2019-05-07 17:43:17 DEBUG FilterSecurityInterceptor:185 - Public object - authentication not attempted
2019-05-07 17:43:17 DEBUG XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /logon.jsp]
2019-05-07 17:43:17 DEBUG FilterChainProxy:323 - /logon.jsp reached end of additional filter chain; proceeding with original chain
2019-05-07 17:43:17 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2019-05-07 17:43:17 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2019-05-07 17:43:22 DEBUG MetadataManager:1017 - Executing metadata refresh task
"

If anyone has been able to implement this feature successfully, please suggest a solution.

Many thanks,
Ng, Wiwatsan


1 Answer

  • Posted on May 10, 2019 at 01:00 PM

    Hello,

    It's hard to tell what's going on with this issue as the behavior indicates that something non-standard or expected was set. When you land on a 404 error page for BOE/saml/sso, that's the catch-all error response for something wrong in the SAML workflow. The springsaml.log should provide a clear error as to why it failed.

    However, based on the information you provided, you're landing on an explicit page that would not normally occur with a standard configuration (BOE/logon.jsp). This value might be hard-specified somewhere such as the AD FS Relying trust end-point URLs or the securitycontext.xml.
    ---

    Authenticated: true; Details: null; Not granted any authorities]
    2019-05-07 17:43:17 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /logon.jsp
    2019-05-07 17:43:17 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/BOE/logon.jsp'

    ---

    If any non-standard changes were made to the securitycontext.xml, I would recommend restoring them. I would then generate a fresh metadata from the SP (Tomcat) and verify that all of the endpoint URLs are set to their default. There should be no explicit reference to logon.jsp.

    Re-import the metadata into AD FS and make sure that none of the end-points there are changed from the default. For example, BOE/saml/sso is part of the endpoint URLs that need to be set. This should not be changed, even though it generates a 404 when accessing this URL manually.

    Regards.
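
The endpoint check recommended in the answer above, as an added example that is not part of the original thread and is not SAP's own tooling: it parses an SP metadata file and flags any endpoint that references logon.jsp or sits outside /BOE/saml/. The sample metadata, the host bo.example.test and the /BOE/saml/ prefix rule (taken from the URLs in the log on this page) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumption: SP endpoints live under this context path, as in the log on this page.
EXPECTED_PREFIX = "/boe/saml/"

# Constructed sample metadata (hypothetical host bo.example.test), not real output.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://bo.example.test:443/BOE/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bo.example.test:443/BOE/saml/SingleLogout"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bo.example.test:443/BOE/saml/SSO"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bo.example.test:443/BOE/logon.jsp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def audit_sp_metadata(xml_text):
    """Return (entity_id, findings); findings is a list of (element, url, reason)."""
    root = ET.fromstring(xml_text)  # a locally generated file, not untrusted input
    entity_id = root.get("entityID")
    findings = []
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for el in sp.iter():
            for attr in ("Location", "ResponseLocation"):
                url = el.get(attr)
                if url is None:
                    continue
                name = el.tag.split("}")[-1]  # strip the XML namespace
                path = urlsplit(url).path.lower()  # the log shows mixed case (/saml/SSO)
                if "logon.jsp" in path:
                    findings.append((name, url, "explicit logon.jsp reference"))
                elif not path.startswith(EXPECTED_PREFIX):
                    findings.append((name, url, "outside /BOE/saml/"))
    return entity_id, findings


if __name__ == "__main__":
    entity_id, findings = audit_sp_metadata(SAMPLE_METADATA)
    print("entityID:", entity_id)
    for name, url, reason in findings:
        print(f"FLAG {name}: {url} ({reason})")
```

Run it against the metadata freshly generated by the SP before re-importing it into AD FS; an empty findings list means no endpoint was overridden.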
