
AppToAppSSO from HTML5 app to HANA XS is not working?

Hi,

I've configured my Cloud Identity account as an IDP for my HANA system at the SAP Cloud Platform. I've also set up the same SAML integration for my application at the same Cloud Platform account to be able to use the same authentication for both HANA and the HTML5 application. This blog represents pretty much what I've done.

https://blogs.sap.com/2016/03/21/principal-propagation-between-html5-and-sap-hana-xs-on-sap-hana-cloud-platform/

So, the problem is: I could reach my xs services directly by using the IDP configured, which makes me assume that SSO is configured successfully. On the other hand, I cannot reach those services through the DESTINATION. Destination type is AppToAppSSO. The error message returned is:

StatusCode in ResponseMessage != OK; please refer to the database trace for more information

And the trace message is:

- XSSession XSSessionLifecycle.cpp(00333) : Assertion authentication for user failed with reason: Unable to verify XML signature(StatusCode: , StatusMessage: )

- XSRequestHandler RequestHandler.cpp(00808) : exception 1: no.1000090 (HttpClient/Web/WebEntityBase.h:78)
Reached unreachable code
exception throw location:

Any ideas?

Huseyin.


4 Answers

  • Dec 02, 2017 at 08:34 PM

    XML errors usually indicate that the SAML cert hasn't been properly inserted into the trust store.


  • Dec 04, 2017 at 05:57 AM

    Hi Michael,

    Thanks for the hint. How can I be sure that the SAML cert is properly inserted? Is there a way to check it? At the xs admin console there are 3 certs installed and I can see from the url that one of them is what I needed.

    And SAML works when I pasted the xsodata url to the browser. If the cert wasn't inserted properly, do you think this could work?

    It does not work via the destination :/


    • Maybe getting more detailed tracing could shed more light on what's configured wrong:

      ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') SET ('trace', 'authentication') = 'debug' with reconfigure;

      For HTTP based logins via SAP HANA XS, please execute:

      ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') SET ('trace', 'authorization') = 'info' WITH RECONFIGURE;

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'authentication') = 'debug' with reconfigure;

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'xssession') = 'debug' with reconfigure;

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'xsauthentication') = 'debug' with reconfigure;

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') SET ('trace', 'xsrequesthandler')='debug' WITH RECONFIGURE;

      Reproduce the error you mentioned above.

      Turn off the above traces:

      ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'authorization') WITH RECONFIGURE;

      ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') UNSET ('trace', 'authentication');

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'authentication');

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'xssession');

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'xsauthentication');

      ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'SYSTEM') UNSET ('trace', 'xsrequesthandler') WITH RECONFIGURE;

      Also, did you run an HTTPWatch trace? That could also help to see what's going on.

  • Mar 29 at 05:26 PM

    Hi Huseyin,

    I am facing the same issue. Have you managed to solve it?

    Thanks

    Peter


  • Apr 19 at 08:37 PM

    Dear Huseyin/Peter,

    As Michael mentioned, the SAML cert hasn't been properly inserted into the trust store.


    The validation of the certificate is failing on HANA side. Please see the following hints:


    1. In SAP HANA Cockpit, configure the "Certificate Store" and "Certificate Collections" applications. You will need appropriate roles. For more, see the SAP help document:


    https://help.sap.com/viewer/product/SAP_HANA_PLATFORM/2.0.00/en-US


    Refer Tile Catalog: SAP HANA Certificate Management - SAP HANA Administration Guide - SAP Library

    2. Go to Application -> HANA Authentication, copy the 'Identity Provider's Certificate' (including BEGIN CERTIFICATE and END CERTIFICATE) and save it into a file (e.g. bo.cer)


    3. On the HANA DB host add the bo certificate into the HANA server pse (as <sid>adm):


    cd $SECUDIR
    sapgenpse maintain_pk -a bo.cer -p sapsrv.pse

    Import your IdP's token signing certificate and its CA certificate. Then add your certificate to the collection named "SAML".


    4. Restart the database


    For more, see the following SAP documentation:


    https://wiki.scn.sap.com/wiki/x/CQJuGg
    https://blogs.sap.com/2015/03/14/use-saml-to-enable-sso-for-your-xs-app-on-sap-hana-sps-09-rev-92-or-later/
    https://help.sap.com/doc/eb75509ab0fd1014a2c6ba9b6d252832/1.0.12/en-US/SAP_HANA_Administration_Guide_en.pdf
    https://blogs.sap.com/2016/03/21/principal-propagation-between-html5-and-sap-hana-xs-on-sap-hana-cloud-platform/
    SAP Note: 2374226 - SAP HANA DB: SAML Logon from BI Platform to SAP HANA Database is not working


    Best Regards
    Barnabás Paksi
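
One way to answer the "is there a way to check it?" question from the thread, as an added example that is not part of any post above: compare the SHA-256 fingerprint of the certificate embedded in a captured SAML response with the certificates in the PEM file that was imported (bo.cer in the steps above). The function names and the sample data are hypothetical and constructed; the sketch only compares fingerprints and does not verify the XML signature itself.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace used by SAML

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER-encoded certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def pem_fingerprints(pem_text: str) -> set:
    """Fingerprints of every certificate in a PEM file (signing cert plus CA)."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
        pem_text, re.S)
    return {fingerprint(base64.b64decode("".join(b.split()))) for b in blocks}

def assertion_fingerprints(saml_xml: str) -> list:
    """Fingerprints of certificates carried in ds:KeyInfo of the response.
    Only feed this responses captured from your own system."""
    root = ET.fromstring(saml_xml)
    return [fingerprint(base64.b64decode("".join((n.text or "").split())))
            for n in root.iter(DS + "X509Certificate")]

def check_trust(saml_xml: str, trusted_pem: str) -> str:
    """'match' if every embedded signer cert is in the PEM file, 'mismatch'
    if any is missing, 'no-keyinfo' if the response embeds no certificate."""
    embedded = assertion_fingerprints(saml_xml)
    if not embedded:
        return "no-keyinfo"
    trusted = pem_fingerprints(trusted_pem)
    return "match" if all(fp in trusted for fp in embedded) else "mismatch"

def build_sample(cert_bytes: bytes):
    """Constructed test data: cert_bytes stands in for a DER certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
           '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + b64 +
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
           '</samlp:Response>')
    pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
    return xml, pem

if __name__ == "__main__":
    xml_a, pem_a = build_sample(b"constructed signer A")
    xml_b, _ = build_sample(b"constructed signer B")
    print(check_trust(xml_a, pem_a), check_trust(xml_b, pem_a))
```

A "mismatch" means the response was signed with a certificate that is not in the file you imported, which is the situation the "Unable to verify XML signature" trace line points to.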
