Skip to Content
Former Member
Feb 07, 2011 at 01:53 PM

Need help debugging SAML token signatures


Hello experts,

I am trying to set up a scenario, where my Web Service client (non-SAP) requests a SAML 1.1 assertion from its STS with confirmation method = sender-vouches.

The client inserts the received token into its SOAP request and signs

- the body and timestamp and

- the security token reference

The produce message looks very similar to the one I found in the wiki at:

My Web Service provider (AS ABAP 7.0 EHP 2 - the current trial server) rejects the message with the following error message:

CX_WS_SECURITY_FAULT : An exception occurred: XML Signature digest error for reference wssecurity_signature_id_21 | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00C line: 234

Somewhere later in the trace, I find: ... with internal error id 1001

wssecurity_signature_id_21 is the id of the body part in my SOAP request.

I imported the sender's signer cert in every truststore in STRUST (System PSE an all WS-Security and SAML ones). I have also executed report WSS_SETUP for initial configuration. My provider is set up to require no transport level security and SAML for authentication.

How do I debug this type of issue?

Is there documentation how to interpret the error message?

- Didn't I sign the correct elements?

- Was the certificate or its signer untrusted? [I even tried with self-signed certs.]

- Did I chose an inconvenient transform or canonicalization algorithm?

- ...

I tried reviewing the code of CL_ST_CRYPTO in SE80 - however, not being an ABAP expert, I didn't even find CM00C line 234 and I don't think I should try or need to do this.

What am I doing wrong and more importantly - how would I figure this out myself?

Tried to post the SOAP message, but this messed up the entire formatting...

Edited by: Jens Wanske on Feb 7, 2011 3:02 PM