Skip to Content
Oct 17, 2019 at 11:33 PM

Why would AS JAVA SAML2LoginModule abort if correct attributes are passed in SAML response?



I've configured my AS JAVA application to use SAML2 with the goal of creating a logon ticket to be passed to my AS ABAP application (CRM in the browser).

The problem I'm running into is this (steps in order):

1) The SAML authentication is sent and a SAML response is received from the Identity Provider.

2) Upon receipt of the SAML response, the SAML2LoginModule is configured to take two attributes (R3User & SAP Client) and put those into a logon ticket to be sent to the ABAP application. This step fails.

3) in the JAVA log, two entries related to the SAML2LoginModule are found.

a) the first log entry says, LOGIN FAILED, details = Authentication Challenge due to missing credentials

b) the second log entry says: LOGIN OK, details - Consumed signed Assertion, and attributes and value equal correct SAP client and correct R3User ID that exists in the AS ABAP system.

So, what is confusing is that two SAML2 log entries say seemingly opposing things. The first fails with 'missing credentials' message and the second entry is OK with the expected SAML attributes being passed.

Further, when checking if a logon ticket is created, I do see that MYSAPSSO is both sent and received by the browser.

So, not sure what to change with regards to the SAML configuration to get this to successfully log the user into the AS ABAP system through the browser?

Any help, direction is appreciated.