We are currently trying to enable SSO for our SAP web services via SAML Token Profiles. PingFederate is serving as our issuing party in this situation, with SAP being the relying party. After reading the documentation, we've settled on using the SAML holder-of-key subject confirmation method, with a symmetric proof key being used by the attesting party to prove that the SAML 2.0 token is valid. We believe we have everything set up correctly (certificate exchanges between SAP and PingFederate), but we're still running into signature digest validation errors in SAP on the SAML 2.0 token (not the holder-of-key signature). I'd like to see what issues may exist or workarounds that one may have had to incorporate for this process. We have a .NET 4.5 app that is calling a test SAP web service that we configured for message-level SAML SSO.
We've done the following:
We can see the proper payload being delivered to SAP when viewing the error log using transaction SRT_UTIL, but the digest value that SAP is calculating doesn't match the digest value in the `<Signature></Signature>` block that PingFederate generated with the SAML assertion. I've attached a screenshot of the SRT_UTIL error log.
**I recreated this question, per guidance for unanswered questions after the site migration**