Issue SAML2 SLO for SAPUI5 App on NetWeaver Java 7.50

gregorw
Active Contributor

Hello SAP NetWeaver Java and SAML experts,

we've deployed a standalone SAPUI5 application to a SAP NetWeaver Java 7.50 with a very current Support Package Stack. This application is secured using SAML for authentication of the user. This part is working fine. But now we are also requested to support a logout from the application. But when I simply call https://<FQDN>/saml2/sp/slo (SLO = Single Log-Out / Logoff) I get the following error message:

  Error: Service Provider SLO endpoint has not received SAML2 message.

This URL needs to be accessed by a POST request that contains a SAML2 LogoutRequest.

On SAP Cloud Platform that is easy for HTML5 applications when you define the parameter logoutPage in the neo-app.json:

  "logoutPage": "/webapp/logout.html",

like I did in my project HTML5UserAPI, which you can test live at:

https://html5userapi-a5a504e08.dispatcher.hana.ondemand.com

Here the defined page creates the required LogoutRequest that is sent to the SAP ID Service, which acts as the SAML Identity Provider (IdP).

Now the question is: Is there a similar service for a SAP NetWeaver Java 7.50 provided by SAP?

Best regards
Gregor

Accepted Solutions (0)

Answers (2)


Hi Gregor,

I was searching till I dropped also for the URL. But it is much easier.
The Single Logout (to the IdP) happens automagically during Logout (e.g. call of MastHeadLogoutComponent).
You just need to configure the SLO Endpoint of the IdP in the SP.
/nwa/auth -> Trusted Providers -> Endpoints -> Single Log Out Endpoints -> Add:
  Binding: e.g. Redirect or POST
  Location URL: https://<yourcompanyidp.com>/cgi/tmlogout or the correct URL of your IdP

Good luck,
Lars

gregorw
Active Contributor

Hi Lars,

thanks for your comment. The SAP Portal isn't installed on this AS Java, so we don't have the MastHeadLogoutComponent. Do you know about an alternative? At the moment we solved the issue by calling an endpoint at our IdP that does the logout and redirects back to the login page.

Best regards
Gregor

oppancs
Contributor

Dear Gregor,

If I understand your scenario correctly, further configuration is needed on the AS Java side. I guess the NW Java acts here as a service provider. If so, you can check the following SAP Help:

https://help.sap.com/doc/saphelp_nw74/7.4.16/en-US/bc/3385f2311a4181bddf0faa2e3e8a9a/frameset.htm

In more detail, this is what you need to set in NetWeaver Administrator (NWA) -> Authentication and Single Sign-On (http://<host>:<port>/nwa/auth) -> SAML 2.0 -> Service Provider Settings -> here you can find "Single Log-Out Service", where you can maintain the desired configuration.

In case it does not help (you think everything is correctly maintained), you can trigger specific traces that might help to identify the issue by turning on the SAML trace as follows:

1. Access the Troubleshooting Wizard at the URL http://<host>:<port>/tshw.
2. Choose the incident "SAML 2.0 (Debug)" according to KBA 1921472 - How to use the Troubleshooting Wizard for collecting traces using custom locations [VIDEO].
3. Start the diagnostic tool.
4. Reproduce the issue.
5. Stop the diagnostic tool.

Best Regards,
Barnabás Paksi

gregorw
Active Contributor

Hi Barnabás,

I think that my SP Settings for the SLO are correctly configured. At the moment I can't get my head around how I can start the logout. As I've described above, my current approach would be to send an HTTP GET to https://<FQDN>/saml2/sp/slo by letting the user simply click a link. But for the SLO service that does not seem to be good enough. It seems that the request hitting this endpoint must be an HTTP POST containing a correctly crafted SAML LogoutRequest XML as the payload. Hope for further tips.

Best regards
Gregor