
AppToAppSSO from HTML5 app to HANA XS is not working ?

Dec 01, 2017 at 08:16 PM


Hi,

I've configured my Cloud Identity account as an IDP for my HANA system at the SAP Cloud Platform. I've also set up the same SAML integration for my application at the same Cloud Platform account to be able to use the same authentication for both HANA and the HTML5 application. This blog represents pretty much what I've done.

https://blogs.sap.com/2016/03/21/principal-propagation-between-html5-and-sap-hana-xs-on-sap-hana-cloud-platform/

So, the problem is: I could reach my XS services directly by using the configured IDP, which makes me assume that SSO is configured successfully. On the other hand, I cannot reach those services through the DESTINATION. The destination type is AppToAppSSO. The error message returned is:

StatusCode in ResponseMessage != OK; please refer to the database trace for more information

And the trace message is:

- XSSession XSSessionLifecycle.cpp(00333) : Assertion authentication for user failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: )

- XSRequestHandler RequestHandler.cpp(00808) : exception 1: no.1000090 (HttpClient/Web/WebEntityBase.h:78)
Reached unreachable code
exception throw location:

Any ideas?

Huseyin.


4 Answers

Michael Healy
Dec 02, 2017 at 08:34 PM
0

XML errors usually indicate that the SAML cert hasn't been properly inserted into the trust store.

Huseyin Dereli Dec 04, 2017 at 05:57 AM
0

Hi Michael,

Thanks for the hint. How can I be sure that the SAML cert is properly inserted? Is there a way to check it? At the XS admin console there are 3 certs installed, and I can see from the URL that one of them is what I needed.

And SAML works when I paste the xsodata URL into the browser. If the cert wasn't inserted properly, do you think this could work?

It does not work via the destination :/


Maybe getting more detailed tracing could shed more light on what's configured wrong:

ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') SET ('trace', 'authentication') = 'debug' with reconfigure;

For HTTP based logins via SAP HANA XS, please execute:

ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') SET ('trace', 'authorization') = 'info' WITH RECONFIGURE;

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'authentication') = 'debug' with reconfigure;

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'xssession') = 'debug' with reconfigure;

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'xsauthentication') = 'debug' with reconfigure;

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'xsrequesthandler') = 'debug' WITH RECONFIGURE;

Reproduce the error you mentioned above.

Turn off the above traces:

ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'authorization') WITH RECONFIGURE;

ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'authentication');

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'authentication');

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'xssession');

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'xsauthentication');

ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'xsrequesthandler') WITH RECONFIGURE;

Also, did you run an HTTPWatch trace? That could also help to see what's going on.

0
Peter Hrebik Mar 29 at 05:26 PM
0

Hi Huseyin,

I am facing the same issue. Have you managed to solve it?

Thanks

Peter

Barnabas Zoltan Paksi
Apr 19 at 08:37 PM
0

Dear Huseyin/Peter,

As Michael mentioned, SAML cert hasn't been properly inserted into the trust store.


The validation of the certificate is failing on HANA side. Please see the following hints:


1. In SAP HANA Cockpit, configure "Certificate Store" and "Certificate Collections" applications. You will need appropriate roles. For more see SAP help document


https://help.sap.com/viewer/product/SAP_HANA_PLATFORM/2.0.00/en-US


Refer Tile Catalog: SAP HANA Certificate Management - SAP HANA Administration Guide - SAP Library

2. Go to Application -> HANA Authentication, copy the 'Identity Provider's Certificate' (including BEGIN CERTIFICATE and END CERTIFICATE) and save it into a file (e.g. bo.cer)


3. On the HANA DB host add the bo certificate into the HANA server pse (as <sid>adm):


cd $SECUDIR
sapgenpse maintain_pk -a bo.cer -p sapsrv.pse

Import your Idp's token signing certificate and its CA certificate. Then add your certificate to the collection named "SAML".


4. Restart the database


For more, see the following SAP documentation:


https://wiki.scn.sap.com/wiki/x/CQJuGg
https://blogs.sap.com/2015/03/14/use-saml-to-enable-sso-for-your-xs-app-on-sap-hana-sps-09-rev-92-or-later/
https://help.sap.com/doc/eb75509ab0fd1014a2c6ba9b6d252832/1.0.12/en-US/SAP_HANA_Administration_Guide_en.pdf
https://blogs.sap.com/2016/03/21/principal-propagation-between-html5-and-sap-hana-xs-on-sap-hana-cloud-platform/ .
SAP Note: 2374226 - SAP HANA DB: SAML Logon from BI Platform to SAP HANA Database is not working


Best Regards
Barnabás Paksi

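One way to answer the question raised in the thread (how to check that the right certificate was imported) is to compare fingerprints. This is an added example, not code from the thread or from SAP: it hashes every ds:X509Certificate embedded in a captured SAML assertion and every certificate in the PEM file that was imported (bo.cer in the steps above). The function names and sample data are constructed, and it assumes the assertion carries its signer certificate in KeyInfo.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprint(b64_body):
    """SHA-256 over the DER bytes, the value certificate viewers display."""
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()

def signer_fingerprints(saml_xml):
    """Fingerprint of every ds:X509Certificate embedded in a SAML document."""
    root = ET.fromstring(saml_xml)
    return [fingerprint(el.text or "") for el in root.iter("{%s}X509Certificate" % DS_NS)]

def pem_fingerprints(pem_text):
    """Fingerprint of every certificate in a PEM file such as bo.cer."""
    return [fingerprint(body) for body in PEM_RE.findall(pem_text)]

def untrusted_signers(saml_xml, imported_pems):
    """Signer certs in the assertion that none of the imported PEM files contain."""
    trusted = {fp for pem in imported_pems for fp in pem_fingerprints(pem)}
    return [fp for fp in signer_fingerprints(saml_xml) if fp not in trusted]

# Constructed sample data: placeholder bytes stand in for real DER certificates.
IDP_DER = b"constructed-der-of-the-imported-idp-cert"
OTHER_DER = b"constructed-der-of-a-different-signer"

def sample_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(der).decode())

def sample_assertion(der):
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="%s"><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            '%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            '</saml:Assertion>' % (DS_NS, base64.b64encode(der).decode()))

if __name__ == "__main__":
    bo_cer = sample_pem(IDP_DER)
    print(untrusted_signers(sample_assertion(IDP_DER), [bo_cer]))    # signer was imported
    print(untrusted_signers(sample_assertion(OTHER_DER), [bo_cer]))  # signer is missing
```

An empty result means the assertion's signer certificate is among the imported files. The embedded certificate only shows which certificate the trust store must hold; it does not verify the signature itself.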