
SAML SSO not redirecting to iDP Azure AD

former_member189462
Participant
0 Kudos

Hi experts,

We are in the process of configuring SSO access to SAP Fiori through the SAP Web Dispatcher (SWD) using SAML and Azure AD (AAD) as the IdP.

After completing the application creation on the AAD side and importing the XML federation file and the base64 certificate in Tx SAML2 (local provider), the SAML configuration was enabled.

The access to Fiori is being done through a public DNS (e.g. https://fiori.abc.com) created for this scenario.

At the first try we got the SAP Fiori logon page prompting for user and password.

Checking the SWD profile parameters, a typo was detected in the HTTP redirect parameter.

A wrong URL had been used: https://fiorid.abc.com instead of https://fiori.abc.com

After correcting that and hitting the external DNS https://fiori.abc.com we were redirected this time to the IdP (AAD) and the Microsoft login page was obtained. The SSO process failed, however, with the following error detected in the Security Diagnostic Tool:

SAML20 SP (client 200): Exception raised:

SAML20 SAML20 CX_SAML20_FEDERATION: Format 'emailAddress' is not supported for user assignment. Long text: Format 'emailAddress' is not supported for user assignment.

SAML20 at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)

SAML20 at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)

SAML20 at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)

SAML20 at CL_SAML20_RESPONSE->VALIDATE(Line 64)

SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)

SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 350)

SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2405)

After performing some corrections in the "identity federation" section under Tx SAML2 we did a new test, but we again got the SAP Fiori logon page. The odd thing is that nothing is recorded in the "Security Diag Tool".

Since that second test we have not been able to get redirected to the IdP again. No Microsoft login page is obtained and, as mentioned, nothing is logged in the diag tool for SAML2.

We were not able to find any error or failure on the SWD side either.

Could you please suggest what to check or what kind of troubleshooting we should do?

Thanks
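The trace above fails in IS_NAMEID_FORMAT_SUPPORTED because the assertion carries a NameID in the emailAddress format, which the service provider's identity federation settings do not map to a user, and the earlier symptom was a redirect to the wrong host. The following script is an added example, not code from the original post or from SAP, showing how an administrator can inspect a captured SAML Response (for instance one exported from the browser's developer tools) and flag exactly those two mismatches before touching the SAML2 configuration. The sample response, the ACS path and the IdP issuer are constructed placeholders, and the set of NameID formats the SP is assumed to support is an assumption that must be aligned with the real SAML2 settings.

```python
"""Inspect a SAML 2.0 Response for the mismatches seen in the thread:
a NameID Format the SP cannot map to a user, a Destination host that does
not match the public URL the browser used, and an Audience mismatch.
Added example with constructed sample data; not part of the original post."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID format URIs as defined by the SAML 2.0 core specification.
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSIST = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANS = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample response (unsigned; issuer, ACS path and user are placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://fiori.abc.com/sap/saml2/sp/acs/200" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@abc.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://fiori.abc.com/sap/saml2/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _text(element):
    """Stripped text of an element, or None when the element is absent/empty."""
    return element.text.strip() if element is not None and element.text else None


def inspect_response(xml_text, expected_host, supported_formats, expected_audience=None):
    """Return the fields to compare against the SP's SAML2 configuration plus a
    list of findings; an empty findings list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    issuer = _text(root.find("saml:Issuer", NS))

    # The Destination must point at the public host the browser actually uses.
    # A host typo (fiorid vs fiori) is the kind of mismatch seen on the Web
    # Dispatcher redirect in the thread.
    dest_host = urlparse(root.get("Destination", "")).hostname
    if dest_host != expected_host:
        findings.append("destination-host-mismatch")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("assertion-missing")
        return {"issuer": issuer, "nameid": None, "nameid_format": None,
                "destination_host": dest_host, "audience": None, "findings": findings}

    # Per SAML core, a missing Format attribute means "unspecified".
    nameid_el = assertion.find("saml:Subject/saml:NameID", NS)
    nameid = _text(nameid_el)
    nameid_format = nameid_el.get("Format", FMT_UNSPEC) if nameid_el is not None else None
    if nameid_format not in supported_formats:
        # This is the condition behind "Format 'emailAddress' is not supported
        # for user assignment": the IdP and SP disagree on the NameID format.
        findings.append("nameid-format-unsupported")

    audience = _text(assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS))
    if expected_audience is not None and audience != expected_audience:
        findings.append("audience-mismatch")

    return {"issuer": issuer, "nameid": nameid, "nameid_format": nameid_format,
            "destination_host": dest_host, "audience": audience, "findings": findings}


if __name__ == "__main__":
    # Assumption: the SP is configured to map only unspecified/persistent NameIDs.
    report = inspect_response(SAMPLE_RESPONSE, "fiori.abc.com", {FMT_UNSPEC, FMT_PERSIST})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a response captured from the failing login; a `nameid-format-unsupported` finding means either the IdP must issue a NameID in a format the SP maps (or the SP's federation settings must be changed to map that format), while `destination-host-mismatch` points back at the redirect or ACS URL configuration rather than at user mapping.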

former_member189462
Participant
0 Kudos

I would like to add that the only logged activities in the "Security Diag Tool" are related to the changes made in the SAML2 transaction.

These are the entries:

SAML20 SP (client 200): Can't get SAML20_USER_MAINTENANCE_DEFN BAdI: No implementation was selected for the current BAdI

Thanks

Accepted Solutions (0)

Answers (1)


bglobee
Active Participant
0 Kudos

Did you try tracing using the report SEC_TRACE_ANALYZER?

The Security Diag Tool does not capture any error if the SAML layer was OK. Maybe the token provided by the IdP is rejected by the SAP system. SEC_TRACE_ANALYZER will provide some insights. Note: increase the ICM trace level to 2 or 3 to capture more granular error details.