
Configure SSO SAML with SAP IAS ADFS and S/4HANA Cloud... relaystate problem with SAML

pmortera001
Discoverer


Hello,

We are configuring the SSO SAML in the client's SAP IAS (SAP Identity Authentication Service - xxxxxx.accounts.ondemand.com) using a Corporate Identity provider (ADFS) to connect to an S/4HANA Cloud (https://myxxxxx.s4hana.ondemand.com).
We are having problems with the parameter RELAYSTATE. In the IAS it has an ID "ouc....." but when it sends it to the ADFS, the ID changes (ARC.....). When it comes to the S/4HANA Cloud, it gives us a SAML error page "SAML2 service not accessible" (No RelayState mapping found for RelayState value arcd48a0f).
We have in the ACS URL: https://myxxxxxx.s4hana.ondemand.com/sap/saml2/sp/acs/100

We have looked at help.sap.com & blogs and we haven't seen any way to disable or to bypass the relaystate problem. How can we bypass it?

best regards,..

Accepted Solutions (1)


Amith_Nair
Advisor
0 Kudos

Hi pmortera001

We have had a recent Q answered for ADFS identity provider with S4HANA Cloud. You can find the link here:

https://answers.sap.com/questions/13243409/view.html

In parallel, I would also request you to raise an incident with SAP using the component: BC-IAM-IDS which is for Identity Authorization Service or with Cloud Operations: XX-S4C-OPR-SRV to debug the issue further.

Thank you!

Amith Nair

pmortera001
Discoverer
0 Kudos

Hello,

Thank you for your help. But all the info in the doc we already have. The problem is that when we tried it, it gives us an error in the S/4HANA Cloud: "SAML2 service not accessible". No RelayState mapping found for RelayState value arc5d9bae.

Is there a way to disable the relaystate in the S/4HANA Cloud?

best regards.

Amith_Nair
Advisor
0 Kudos

Hi pmortera001

So here is the thing I found: This error is thrown by the system because a protected resource was accessed using one protocol, host name and port, but IDP is returning the SAML 2.0 response to a different protocol, host name or port.

Resolution

What is important here is that you need to access the SP in the same way IDP will contact it when sending the SAML 2.0 response e.g. use the same protocol, host name and port.

Especially when you use a proxy server in front of AS ABAP, you need to ensure the protocol, host and port in the URL which you access protected resource are same as in the URL which SAML 2.0 response is sent to.

I am not sure if this is something that is addressed at UI level, or will need backend access to TCODE SM59, and hence I will wait to hear back from SAP upon raising an incident with SAP.

Here are the reference links to your problem statement.

https://launchpad.support.sap.com/#/notes/0002332686

https://launchpad.support.sap.com/#/notes/0002326063
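
A minimal check for the condition described in this answer, added here as an example and not part of the original reply or of SAP's tooling: it decodes a captured POST-binding SAMLResponse, reads its Destination, and compares protocol, host name and port with the URL the user opened. The host names, the sample response and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def response_destination(saml_response_b64):
    """Decode a POST-binding SAMLResponse and return its Destination."""
    # Used to read a captured trace only; no signature validation is done.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("not a samlp:Response: " + root.tag)
    return root.get("Destination")

def origin_mismatches(accessed_url, saml_response_b64):
    """List origin components that differ between the URL the user opened
    and the URL the IdP posted the SAML response to."""
    dest = response_destination(saml_response_b64)
    if dest is None:
        raise ValueError("Response has no Destination attribute")
    names = ("protocol", "host name", "port")
    return [
        f"{n}: accessed {a!r}, response sent to {d!r}"
        for n, a, d in zip(names, origin(accessed_url), origin(dest))
        if a != d
    ]

# Constructed sample: the user opens the SP through a proxy host, while the
# IdP posts the response to a different host and port.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
    'Destination="https://sp-backend.example.test:44300/sap/saml2/sp/acs/100"/>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for line in origin_mismatches("https://sp-proxy.example.test/ui", SAMPLE_B64):
        print(line)
```

An empty list means the accessed URL and the response destination share the same protocol, host name and port.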

Answers (6)


former_member656059
Discoverer
0 Kudos

Hello

We are facing the same issue. We see the relay state error in the browser when the call comes back to S4 Hana. I have opened a message for SAP and I am working with them. In the SAML trace we also see the message

Failed to authenticate user.

pmortera001
Discoverer
0 Kudos

Hello Amith,

I call the S/4HANA Cloud (https://myxxxxx.s4hana.ondemand.com), then it delivers it to the IAS (https://xxxxx.accounts.ondemand.com/), which depending on the email address uses the IAS authentication or goes to the ADFS.

When it goes to the ADFS it returns to the IAS and then to the URL of the S/4HANA Cloud (https://myxxxxxx.s4hana.ondemand.com/sap/saml2/sp/acs/100) and gives me the error.

The problem is that the S/4HANA Cloud, from what I know, is web; it does not have any tcodes.

best regards.

Amith_Nair
Advisor
0 Kudos

You will have to provide the SAML trace logs to SAP Support (IAM Team) for evaluating this problem. They will have some ground work to analyze your issue.

thanks!

Amith Nair

former_member132363
Active Contributor
0 Kudos

Here are some SAP resources you may review based on your topic "s/4hana cloud"

SAP S/4HANA Cloud - SAP Help Portal

With SAP S/4HANA Cloud 1908, SAP is providing a new generation of business applications - simple enterprise software for big data and agility. This product.

https://help.sap.com/viewer/product/SAP_S4HANA_CLOUD/1908.500/en-US

SAP S/4HANA Cloud | APIs | SAP API Business Hub

SAP S/4HANA Cloud, the next generation digital core designed to help you run simple in a digital economy.

https://api.sap.com/package/SAPS4HANACloud

SAP Best Practices for SAP S/4HANA Cloud

Integrate human resources services for growth and sustainability: Gain a competitive edge in the global marketplace and enable growth and sustainability by ...

https://rapid.sap.com/bp/#/browse/categories/sap_s%254hana/areas/cloud/packageversions/BP_CLD_ENTPR

former_member132363
Active Contributor
0 Kudos

The cloud identity provider is the central tool used for granting and managing access to systems and applications in the SAP Cloud ecosystem. Accordingly, both the quality and production systems have independent cloud identity providers. Using the cloud identity provider and potentially the SAP cloud platform (depending on the use-case) different single sign on scenarios are supported. For instance see [this reference documentation](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/626b17331b4d4014b8790d3aea70b240.html) to understand how SSO could be configured with Microsoft Azure. From this link you may also navigate to other SSO scenarios like forwarding all SSO requests to corporate identity provider.

I hope this answered your question! If it did, please mark it as the 'Best Answer' so I can continue learning and answering questions in the community.
