Why would AS JAVA SAML2LoginModule abort if correct attributes are passed in SAML response?

Hello,

I've configured my AS JAVA application to use SAML2 with the goal of creating a logon ticket to be passed to my AS ABAP application (CRM in the browser).

The problem I'm running into is this (steps in order):

1) The SAML authentication is sent and a SAML response is received from the Identity Provider.

2) Upon receipt of the SAML response, the SAML2LoginModule is configured to take two attributes (R3User & SAP Client) and put those into a logon ticket to be sent to the ABAP application. This step fails.

3) In the JAVA log, two entries related to the SAML2LoginModule are found.

a) The first log entry says: LOGIN FAILED, details = Authentication Challenge due to missing credentials.

b) The second log entry says: LOGIN OK, details = Consumed signed Assertion, and the attributes and values match the correct SAP client and the correct R3User ID that exists in the AS ABAP system.

So, what is confusing is that two SAML2 log entries say seemingly opposing things. The first fails with 'missing credentials' message and the second entry is OK with the expected SAML attributes being passed.

Further, when checking if a logon ticket is created, I do see that MYSAPSSO is both sent and received by the browser.

So, I'm not sure what to change with regards to the SAML configuration to get this to successfully log the user into the AS ABAP system through the browser?

Any help, direction is appreciated.
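The attribute check in step 2 of the question, as an added example (not SAP's SAML2LoginModule code, and not from the poster): a small Python checker that pulls the attributes out of a SAML 2.0 response and reports what would stop an SP-side login module from mapping it (status, validity, audience, and the R3User / SAP Client attributes). The response, hostnames and values are constructed samples; signature validation is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed, unsigned sample response; signature and decryption checks are out of scope here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer><saml:Subject><saml:NameID>paul</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="R3User"><saml:AttributeValue>PSMITH</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="SAP Client"><saml:AttributeValue>100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}

def check_response(response_xml, audience, required=("R3User", "SAP Client"), now=None):
    """List what would stop an SP login module from mapping this response; [] means everything is there."""
    root = ET.fromstring(response_xml)
    now = now or datetime.now(timezone.utc)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    problems = [] if code is not None and code.get("Value") == STATUS_SUCCESS else ["status is not Success"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion also lands here: decrypt before checking
        return problems + ["no plain Assertion element"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            problems.append("audience mismatch: %s" % audiences)
    attrs = extract_attributes(response_xml)
    for name in required:  # the two attributes the poster's login module is configured to map
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append("missing attribute %r" % name)
    return problems
```

Running `check_response` against the decoded SAMLResponse from the browser's POST shows whether the assertion the SP actually received carries the attributes the mapping expects, separately from what the login module logs.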


  • Hi Paul,

    Oops, I wasn't aware that transient users would work on AS JAVA at all.

    Just to be sure: Your ABAP system is too old to perform SAML2 authentication by itself?

    For error analysis on AS JAVA side, did you already use the "Security Troubleshooting Wizard" available in NWA ->Troubleshooting -> Logs and Traces? This usually helps a lot to get more detailed error information for login problems.

    Good luck! Lutz

  • Hi Lutz, Thanks for the information. Here is a better description of my scenario. *Note: I'm using the solution provided in this SAP Wiki:
    https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Supporting+SAP+Logon+Tickets

    1) AS JAVA has been setup as the Service Provider
    2) an external group has been setup as the Identity Provider
    3) trust between the two SAML IP and SP has been setup
    4) Identity federation has been setup on the SAML SP, using virtual users since the UME does not store the user ID.
    *Additionally, the ID of the user coming from the Identity Provider is identical to the ID in the target ABAP system.
    5) The target ABAP system has been setup to trust the AS Java system.
    6) A Java application provided by SAP is used to redirect user to the Identity Provider to authenticate, once authenticated they are returned to the Java application that will evaluate the SAML response, authenticate the user, create a logon ticket and redirect the user back to the originally accessed application.
    7) On the ABAP system, a link has been added to the Java application to initiate all of this. At this point, all steps laid out in the wiki have been followed, and a MYSAPSSO2 cookie is created in the Java application and sent to the ABAP system (which is setup to accept logon tickets).

    However, the user is still not logged in, and in the Java log the only warning is this logon error: LOGIN FAILED for the SAML2LoginModule, stating 'Authentication Challenge due to missing credentials'.

    Any additional thoughts? Appreciate the feedback.

    Paul

  • Hi Paul, I don't quite get your scenario.

    You have to take care of three steps:

    • Authenticate to your AS JAVA
    • Creation of the MYSAPSSO2 ticket for the AS JAVA (!) which might contain an additional user-ID for SSO
    • SSO to your AS ABAP making use of the AS JAVA's MYSAPSSO2 cookie (as long as you don't configure assertion tickets to be used for AS ABAP)

    What is your AS JAVA user ID and your user repository?

    What is your AS ABAP user ID? (is mapping needed?)

    A MYSAPSSO2 ticket is always created for the original system (in this case AS JAVA) and contains the original system's SID (e.g. "J2E"), Client (default "000" for AS JAVA), the User ID and optionally a mapped SSO User ID for the backends.

    Regards, Lutz
