Skip to Content
Oct 18, 2016 at 08:00 PM

Have you successfully configured SAML holder-of-key with an external STS (PingFederate)?


Hello All,

We are currently trying to enable SSO for our SAP web services via SAML Token Profiles. PingFederate is serving as our issuing party in this situation with SAP being the relying party. After reading documentation we've settled on using the SAML holder-of-key subject confirmation method with a symmetric proof key being used by the attesting party to prove that SAML 2.0 token is valid. We believe we have everything setup correctly (certificate exchanges between SAP and PingFederate) but we're still running into signature digest validation errors in SAP on the SAML 2.0 token (not the holder-of-key signature). I'd like to see what issues may exist or workarounds that one may have had to incorporate for this process. We have a .NET 4.5 app that is calling a test SAP web service that we configured for message-level SAML SSO.

We've done the following:

  • Imported signing certificate from PingFederate using STRUST transaction
  • BASIS team has setup trust relationship with external STS (PingFederate) using SAML2 transaction; web service policy was also setup
  • Test web service was configured to use message level SAML authentication via holder-of-key wtih external STS using SOAMANAGER transaction
  • Followed steps outlined here: SSO with an external STS

We can see the proper payload being delivered to SAP when viewing the error log using transaction SRT_UTIL but the digest value that SAP is calculating doesn't the digest value that in the <Signature></Signature> block that PingFederate generated with the SAML assertion. I've attached a screen shot of the SRT_UTIL error log.

**I recreated this question, per guidance for unanswered questions after the site migration**