SAML Login to SAP CP CF using Azure AD B2C results in the error message "Invalid signature"

gregorw
Active Contributor
0 Kudos

Hello SAP CP Cloud Foundry SAML Experts,

I've successfully set up my SAP Cloud Platform Cloud Foundry Trial Environment to use my Azure Active Directory (Azure AD) for the authentication of users. Now I also want to try Azure AD B2C. I've configured my tenant according to the guide Register a SAML application in Azure AD B2C. It works just fine using the Neo environment. But unfortunately in Cloud Foundry I get the following error message when I try to authenticate:

Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Requester, status message is Invalid signature.

Looking forward to your input.

Best regards
Gregor

CC: iinside mariusobert hobruche

gregorw
Active Contributor
0 Kudos

As tobias.hofmann asked on Twitter:

Based on the metadata files that I get for Azure AD and Azure AD B2C both are using the same algorithm for the signature:

<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

Accepted Solutions (0)

Answers (1)

MartinRaepple
Active Participant
0 Kudos

Hi Gregor,

hope you are doing good! Long time no see!

I checked out your scenario with a B2C tenant on my side and my CF Trial account. After some edits in the manifest file of the registered app in the B2C tenant I was able to successfully federate the CF subaccount with my tenant. Here is a short summary of what I did in the app manifest (in Azure Portal under <Your B2C tenant> -> App registrations (preview) -> <Your app> -> Manifest):

  • Change/add the "identifierUris" to contain the value of the <issuer> element in the SAML request sent by CF UAA, e.g. ["https://4457e38dtrial.authentication.eu10.hana.ondemand.com"] in my case
  • Add the following element (sample) to the "replyUrlsWithType". This value must match your AssertionConsumerService URL (can also be found in the SAML request):

{
  "url": "https://4457e38dtrial.authentication.eu10.hana.ondemand.com/saml/SSO/alias/4457e38dtrial.aws-live-eu10",
  "type": "Web"
}

Hope this helps to get the setup working. Otherwise let me know and we can set up a short call 😉

Best regards

Martin
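A small consistency check for the two manifest fields described above, added here as an example (it is not code from this thread, from SAP or from Microsoft): it pulls the Issuer and AssertionConsumerServiceURL out of a constructed AuthnRequest modelled on the URLs in the answer and reports which manifest entries do not match.

```python
import json
import xml.etree.ElementTree as ET

# Constructed SAML AuthnRequest, trimmed to the two values that matter here.
# The host and alias are placeholders modelled on the thread, not a capture.
AUTHN_REQUEST = """<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://4457e38dtrial.authentication.eu10.hana.ondemand.com/saml/SSO/alias/4457e38dtrial.aws-live-eu10"
    ID="_example" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml2:Issuer>https://4457e38dtrial.authentication.eu10.hana.ondemand.com</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed excerpt of a B2C app manifest with the two edited fields.
APP_MANIFEST = json.dumps({
    "identifierUris": ["https://4457e38dtrial.authentication.eu10.hana.ondemand.com"],
    "replyUrlsWithType": [{
        "url": "https://4457e38dtrial.authentication.eu10.hana.ondemand.com/saml/SSO/alias/4457e38dtrial.aws-live-eu10",
        "type": "Web"}],
})

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_authn_request(xml_text):
    """Return (issuer, acs_url) from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml2:Issuer", NS).text.strip()
    return issuer, root.get("AssertionConsumerServiceURL")


def check_manifest(manifest_json, xml_text):
    """List the manifest entries that do not match the AuthnRequest."""
    manifest = json.loads(manifest_json)
    issuer, acs = parse_authn_request(xml_text)
    problems = []
    if issuer not in manifest.get("identifierUris", []):
        problems.append(f"identifierUris lacks issuer {issuer}")
    reply_urls = {r["url"] for r in manifest.get("replyUrlsWithType", [])
                  if r.get("type") == "Web"}
    if acs not in reply_urls:
        problems.append(f"replyUrlsWithType lacks ACS URL {acs}")
    return problems


if __name__ == "__main__":
    print(check_manifest(APP_MANIFEST, AUTHN_REQUEST) or "manifest matches request")
```

Pointing the same check at a manifest whose host differs from the one in the request (for example a "trial-01" host versus a "trial" host) lists both fields as mismatched, which is the kind of discrepancy worth ruling out before looking at the signature itself.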

gregorw
Active Contributor
0 Kudos

Hi Martin,

great to get a reply from you. I'm doing great. Hope you like your new position at Microsoft :-).

I've already got these entries in my Azure AD B2C App Manifest. The slightly strange thing is that in my S-User but also my P-User Trial the URL for the authentication is https://<User>trial-01.authentication.eu10.hana.ondemand.com instead of https://<User>trial.authentication.eu10.hana.ondemand.com.

Looking forward to talking to you directly.

CU
Gregor

0 Kudos

Hi,

I am able to configure Azure B2C with SAP CF. However, I am not able to receive the user attributes like name and email. How do I map my SAML attributes from Azure B2C to SAP Cloud Foundry?

Thanks,

Parth