
SSO/SAML 2.0 - Getting "No default application path is configured for ACS endpoint" error message

jill_diesman
Participant

Hello,

As far as I can tell so far, SAML authentication is correctly configured on the service provider and identity provider side. Our IdP is ADFS.

The problem is after the user is authenticated, the user gets the screen with error message "No default application path is configured for ACS endpoint". If I then re-enter the original URL in the browser, the application is loaded as expected, without any errors (this is how we know SAML authentication is taking place successfully).

If I update the SAML configuration by entering a Default Application Path at SAML Configuration > Local Provider tab > Service Provider Settings tab > Assertion Consumer Service section, then this default application path is what is loaded after SAML authentication takes place, which clearly is not what we want to happen.

I have looked at the following resources, but have still not found a solution:

Any help is very much appreciated.

Best regards,

Jill

dieter_braitsch
Explorer
0 Kudos

Dear Jill
I have got exactly the same problem as you described. How did you solve the problem?

I have set up SAML on NetWeaver ABAP 753, and that works perfectly. I am now on an older 740 SP8 system with the described problem. Any feedback would be appreciated.

Best regards, Dieter

Accepted Solutions (0)

Answers (1)

geferson_hess
Participant

Hello Jill,

That's the idea of setting up a default application path. It will always redirect to that path.

If it is an IdP-initiated SSO, there is no way to know what service will be accessed, because a service wasn't accessed on the SP side yet.
The only way to create this kind of behavior is by using RelayStates with an SP-initiated SSO.

Regards

jill_diesman
Participant
0 Kudos

Hello Geferson,

Thank you for replying; however, I'm confused. Our scenario is an SP-initiated SSO, which I thought meant the original URL provided was saved and would be used once SAML authentication had taken place. I also thought it was IP-initiated SSO that required the use of RelayStates, not SP-initiated SSO.

My understanding of this comes from the following SAP Help document:

Mapping Relay States to Applications

“Use this procedure to protect application URLs when performing identity provider-initiated Single Sign-On (SSO). Security Assertion Markup Language (SAML) 2.0 uses a RelayState parameter to restore the original application URL so that the user can return to the application with a SAML assertion. The RelayState has to be sent from the identity provider as a URL or POST parameter. Exposing the application URL in SAML messages can be a security risk. For service provider-initiated SSO, the service provider saves the URL and places the name of the cookie in the relay state. For identity provider-initiated SSO this option is not available. Instead you can have the identity provider place an alias for the application in the relay state and map the alias to the application on the service provider.”

Perhaps I am misunderstanding the SAP Help document?

Regards,
Jill

geferson_hess
Participant
0 Kudos

Hi Jill,

My bad. I thought you were using IdP-initiated.
Anyway, you still need to configure RelayState. The URL is saved in the RelayState cookie and sent to the IdP. The IdP will then return to the correct address.

In the Default Application Path documentation, we have:
"the service provider redirects the requests according to the value of the RelayState parameter. If the identity provider sends a request without a relay state, the service provider redirects the user to the default application path."

That's basically the behavior.

Regards,
Geferson Hess
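
Added example, not part of the original thread and not SAP's code: a simplified Python model of the redirect decision quoted above, where the ACS endpoint resolves the RelayState, falls back to the default application path, and otherwise fails with the error from the question. The class, method names, token format and paths are assumptions made up for illustration.

```python
import secrets


class AcsError(Exception):
    """Raised when the ACS endpoint has nowhere to send the user."""


class ServiceProvider:
    # Simplified model of the documented behaviour, not SAP's implementation.
    def __init__(self, default_app_path=None, alias_map=None):
        self.default_app_path = default_app_path  # the "Default Application Path" setting
        self.alias_map = dict(alias_map or {})    # relay-state alias -> path (IdP-initiated)
        self._saved = {}                          # opaque token -> original URL (SP-initiated)

    def start_sso(self, original_path):
        """SP-initiated: save the requested path and return an opaque RelayState."""
        token = "rs_" + secrets.token_urlsafe(16)
        self._saved[token] = original_path        # the URL itself never leaves the SP
        return token

    def acs_redirect(self, relay_state):
        """Decide where to send the user once the assertion has been accepted."""
        if relay_state:
            if relay_state in self._saved:
                # One-time use: a replayed RelayState no longer resolves.
                return self._saved.pop(relay_state)
            if relay_state in self.alias_map:
                return self.alias_map[relay_state]
            # Unknown value: never treat it as a URL (open-redirect risk).
        if self.default_app_path:
            return self.default_app_path
        raise AcsError("No default application path is configured for ACS endpoint")


if __name__ == "__main__":
    # Constructed sample paths.
    sp = ServiceProvider(alias_map={"reports": "/example/reports"})
    rs = sp.start_sso("/example/orders?id=42")
    print(sp.acs_redirect(rs))         # IdP echoed the RelayState back
    print(sp.acs_redirect("reports"))  # IdP-initiated SSO with a mapped alias
    try:
        sp.acs_redirect(None)          # response without RelayState, no default set
    except AcsError as exc:
        print("error:", exc)
```

When troubleshooting the error from the question, the field to inspect is the RelayState parameter in the SAML response posted to the ACS endpoint: in this model the error only occurs when that value is missing or unresolvable and no default path is set.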

jill_diesman
Participant
0 Kudos

Hi Geferson,

Thanks very much for helping me with this. I still have some confusion...how is the RelayState configured?

Regards,
Jill Diesman

geferson_hess
Participant
0 Kudos

Hi,

Refer to the example in the link.
Basically, you map a name for an application path.

You can find more information about its functionality here: https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf


Regards,