Skip to Content

How to make a IDP initiated SAML call work in HANA2?

May 10, 2017 at 05:14 AM


avatar image

Hi HANA and SAML Experts,

In short:

How to make RelayState or an application path work in HANA when Identify Provider (IDP) is directly calling the Assertion Consumer Service (login.xscfunc) instead of doing the round trips when calling a resource at first (like package/MyCode.xsjs)?

We face that issue on HANA and Identify Providers like OKTA or OneLogin, etc

What works:

We followed many tutorials and finally came to a stage where a resource call to a xsjs work:

It would redirect to the IDP when not yet authenticated , the user has to login into IDP, The IDP redirects back to HANA with SAML assertion. Then after successful SAML assertion, the redirect to the resource happens successfully. A resource is something like :

The problem:

However the IDP is offering a App button, where when clicked the SSO Assertion Consumer Service is called directly. In HANA that is

Assertion is sent directly, there was no request to resource before and no redirect. In HANA 2 even with RelayState to a resource - or even with Service Provider maintaining Default Application Path,

It always wants to read it own redirect information and cookie.


When IDP makes this call to ASC directly it ends up with 500 error in login.xscfunc and message “No cookie with target path found in request”.


Do you have any suggestion for us what do in order to enable a “IDP initiated SAML call”?

Where would we maintain the target url, HANA would not accept just an url in RelayState.

We are on HANA 2 hosted in AWS - it’s not HCP.

Thank you so much in advance!


10 |10000 characters needed characters left characters exceeded


Did you solve this issue, we got the same issue



* Please Login or Register to Answer, Follow or Comment.

0 Answers