404 Missing Page /BOE/logon.jsp

I'm starting to enable SAML authentication for SAP BO 4.2 SP7 with ADFS 3.0, following
SAP Note: 1795949 - Trusted Authentication with SAML Single Sign-On BI 4.x
and the blog: https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

In the blog, many people are still stuck at the final step, testing the login, and receive a redirect page from ADFS with a URL like
https://<Tomcat hostname>:port/BOE/logon.jsp

404 Missing Page. The result appears the same on IE and Chrome.

The redirect page changed from /BOE/saml/metadata to /BOE/logon.jsp after I fixed the issue

...
"
DEBUG SAMLAuthenticationProvider:93 - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a4700g0cabdg17464305h8hh0b7dgje
"
...

Following SAP Note: 2753932 - InResponseToField of the Response doesn't correspond to sent message - Front-End SAML Authentication on BI

This issue cannot be fixed by deleting the encryption tab on ADFS or changing to use SHA-1.

The springsaml.log that I debugged also says
"
2019-05-07 17:43:17 INFO SAMLDefaultLogger:127 - AuthNResponse;SUCCESS;{My client IP Address};https://{BOE URL}:443/BOE/saml/metadata;http://{ADFS}/adfs/services/trust;wiwatsan.nga;[SAML response XML omitted, including signature and certificate data; its legible attributes include InResponseTo="a497jfh0f6128cg81a2i5e97h6e5ga4" and IssueInstant="2019-05-07T10:43:16.913Z"];
2019-05-07 17:43:17 DEBUG XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationSuccessEvent[source=org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities]
2019-05-07 17:43:17 DEBUG SAMLProcessingFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
2019-05-07 17:43:17 DEBUG XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities]
2019-05-07 17:43:17 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /logon.jsp
2019-05-07 17:43:17 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/BOE/logon.jsp'
2019-05-07 17:43:17 DEBUG HttpSessionSecurityContextRepository:292 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@1d884871: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2019-05-07 17:43:17 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/favicon.ico'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/images/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/css/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/logout.jsp'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 1 of 9 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-05-07 17:43:17 DEBUG HttpSessionSecurityContextRepository:158 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1d884871: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 3 of 9 in additional filter chain; firing Filter: 'FilterChainProxy'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/login/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/logout/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/metadata/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/sso/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/ssohok/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/singlelogout/**'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/saml/discovery/**'
2019-05-07 17:43:17 DEBUG FilterChainProxy:180 - /logon.jsp has no matching filters
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-05-07 17:43:17 DEBUG AnonymousAuthenticationFilter:107 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.providers.ExpiringUsernameAuthenticationToken@1d884871: Principal: wiwatsan.nga; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-05-07 17:43:17 DEBUG FilterChainProxy:337 - /logon.jsp at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-05-07 17:43:17 DEBUG AntPathRequestMatcher:104 - Checking match of request : '/logon.jsp'; against '/bi'
2019-05-07 17:43:17 DEBUG FilterSecurityInterceptor:185 - Public object - authentication not attempted
2019-05-07 17:43:17 DEBUG XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /logon.jsp]
2019-05-07 17:43:17 DEBUG FilterChainProxy:323 - /logon.jsp reached end of additional filter chain; proceeding with original chain
2019-05-07 17:43:17 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2019-05-07 17:43:17 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2019-05-07 17:43:22 DEBUG MetadataManager:1017 - Executing metadata refresh task
"

If anyone has implemented this feature successfully, please suggest a solution.

Many thanks,
Ng, Wiwatsan


1 Answer

  • May 10 at 01:00 PM

    Hello,

    It's hard to tell what's going on with this issue as the behavior indicates that something non-standard or expected was set. When you land on a 404 error page for BOE/saml/sso, that's the catch-all error response for something wrong in the SAML workflow. The springsaml.log should provide a clear error as to why it failed.

    However, based on the information you provided, you're landing on an explicit page that would not normally occur with a standard configuration (BOE/logon.jsp). This value might be hard-specified somewhere such as the AD FS Relying trust end-point URLs or the securitycontext.xml.
    ---

    Authenticated: true; Details: null; Not granted any authorities]
    2019-05-07 17:43:17 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /logon.jsp
    2019-05-07 17:43:17 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/BOE/logon.jsp'

    ---

    If any non-standard changes were made to the securitycontext.xml, I would recommend restoring them. I would then generate a fresh metadata from the SP (Tomcat) and verify that all of the endpoint URLs are set to their default. There should be no explicit reference to logon.jsp.

    Re-import the metadata into AD FS and make sure that none of the end-points there are changed from the default. For example, BOE/saml/sso is part of the endpoint URLs that need to be set. This should not be changed, even though it generates a 404 when accessing this URL manually.

    Regards.

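The thread separates two failure stages in springsaml.log: the SAML response being rejected (the InResponseTo error) and the response being accepted but the post-login redirect landing on a missing page. The script below is an added example, not code from either poster or from SAP; it tells the two stages apart by parsing log lines shaped like the excerpts quoted above. The sample log is constructed (user `jdoe`, hosts `sp.example` and `idp.example` and the first timestamp are made up), and the function names `triage` and `diagnose` are hypothetical.

```python
import re

# Constructed sample, shaped like the springsaml.log excerpts quoted in this thread.
SAMPLE_LOG = """\
2019-05-07 17:40:02 DEBUG SAMLAuthenticationProvider:93 - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a4700g0cabdg17464305h8hh0b7dgje
2019-05-07 17:43:17 INFO SAMLDefaultLogger:127 - AuthNResponse;SUCCESS;10.0.0.5;https://sp.example:443/BOE/saml/metadata;http://idp.example/adfs/services/trust;jdoe;;
2019-05-07 17:43:17 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /logon.jsp
2019-05-07 17:43:17 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/BOE/logon.jsp'
"""

# Field order follows the AuthNResponse line in the thread:
# status; client address; SP entity ID; IdP entity ID; principal
AUTHN = re.compile(r"SAMLDefaultLogger:\d+ - AuthNResponse;(\w+);([^;]*);([^;]*);([^;]*);([^;]*);")
MISMATCH = re.compile(r"InResponseToField of the Response doesn't correspond to sent message (\S+)")
DEFAULT = re.compile(r"SavedRequestAwareAuthenticationSuccessHandler:\d+ - Using default Url: (\S+)")
REDIRECT = re.compile(r"DefaultRedirectStrategy:\d+ - Redirecting to '([^']+)'")

def triage(log_text):
    """Collect the SAML outcome and the post-login redirect from a log excerpt."""
    report = {"authn": [], "unmatched_in_response_to": [], "default_url": None, "redirects": []}
    for line in log_text.splitlines():
        if m := AUTHN.search(line):
            status, _client, sp, idp, principal = m.groups()
            report["authn"].append({"status": status, "sp": sp, "idp": idp, "principal": principal})
        elif m := MISMATCH.search(line):
            report["unmatched_in_response_to"].append(m.group(1))
        elif m := DEFAULT.search(line):
            report["default_url"] = m.group(1)
        elif m := REDIRECT.search(line):
            report["redirects"].append(m.group(1))
    return report

def diagnose(report):
    """Turn the collected facts into one note per failure stage that was seen."""
    notes = []
    for msg_id in report["unmatched_in_response_to"]:
        notes.append(f"validation stage: response rejected, InResponseTo {msg_id} did not match a sent request")
    accepted = any(a["status"] == "SUCCESS" for a in report["authn"])
    if accepted and report["default_url"]:
        notes.append(f"redirect stage: assertion accepted, success handler used its default URL "
                     f"{report['default_url']}; check where that URL is configured")
    return notes

if __name__ == "__main__":
    for note in diagnose(triage(SAMPLE_LOG)):
        print(note)
```

A log that shows only the second note means SAML validation itself passed, so the place to look is the redirect target rather than the signature or encryption settings on the AD FS side.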