Review list of common problems below and in case you cannot find solution for your problem check wiki page Troubleshooting SAML 2.0 Scenarios, section "Troubleshooting SAML 2.0 in AS ABAP".
| Number | Problem | Reason | Solution |
|---|---|---|---|
| 1 | When opеning transaction SAML2, Web Dynpro application UI is opened in a browser and it returns "HTTP 500 Internal Server Error" | Some of the webdynpro ICF services is not active | Check 1088717 - Active services for Web Dynpro ABAP in transaction SICF, section Services for Web Dynpro ABAP for instuctions how to solve the problem or 2389051 - ICF service for Clickjacking Framing Protection is not active |
| 2 | “Signing Keypair” and “Encryption Keypair” fields which can be found at SAML 2.0 configuration UI, “Local Provider” tab->”General Settings” tab are empty. | PSEs have not been created when configuring local SP | Check if the latest version of SAP Crypto library is installed. To check the version of SAP Crypto library, go to STRUST, menu Environment->Display SSF version. |
| 3 | When downloading SAML 2 Service Provider metadata you get the following error: Service Cannot be reached The termination occurred in system with error code 403 and for the reason Forbidden. | Activate the necessary Internet Communication Framework (ICF) services. To use the service provider, you must manually activate the following two ICF services:
| |
| 4 | When downloading signed metadata of the ABAP service provider, you get an error. | Check if latest version of SAP Crypto lib is installed. Check in transaction STRUST if PSEs “SSF SAML Service Provider - S” and “SSF SAML Service Provider - E” exist. It is recommended that both PSEs have RSA algorithm. | |
| 5 | When adding new trusted identity provider using SAML 2.0 Configuration UI, save fails. | Check if the user you use to do the configuration has permissions to change the PSE files using transaction STRUST. Check if the PSE for your Service Provider is locked - this can happen, if you had started transaction STRUST and leave open the PSE "SSF SAML2 Service Provider - S" | |
| 6 | You are performing SAML 2.0 authentication and you get the following error: CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. | SSL server certificate of identity provider is not imported in “SSL Client Standard” PSE. | Import SSL server certificate of the identity provider in “SSL Client Standard” PSE. |
| 7 | You are performing SAML 2.0 authentication and you get the following error: CX_SAML20_ASSERTION: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid. | Synchronize the clocks of identity provider and service provider or check the “Clock Skew Tolerance” property which can be found in SAML 2.0 UI, "Local Provider" tab-> "General Settings". | |
| 8 | When uploading metadata file of trusted identity provider, you get the following error: "Error when uploading; the file name is invalid or the file is too large" | SAP Note 1791729 - FileUpload error: "Error when uploading; the file name is invalid or the file is too large" should fix the problem | |
| 9 | You are performing SAML 2.0 authentication and you get the following error: “No RelayState mapping found for RelayState value ouc…” | You get this error because you access a protected resource using one host name, but identity provider is returning the SAML 2.0 response to a different host name. | What is important here is that you need to access the SP in the same way IDP will contact it when sending the SAML 2.0 response e.g. use the same host name and port. |
| 10 | You have configured reverse proxy/web dispatcher in front of AS ABAP and SAML 2.0 authentication is not successful | Check the following links Wiki page on using proxies SAP Web Dispatcher SAML 2.0 Service Provider for AS ABAP and Web Dispatcher or Proxy Check Note 833960 - supported Application Gateway Configurations | |
| 11 | SAML 2.0 authentication fails with exception like this: CX_SAML20_CORE: Parameter 1- was either incorrectly set or not set in method CONVERT_NAMEID. Long text: Parameter 1- was either incorrectly set or not set in method CONVERT_NAMEID. at CL_SAML20_ENTITY->CONVERT_NAMEID(Line 14) at CL_SAML20_FEDERATION->GET_SAP_USER_ID_FROM_USREXTID(Line 36) at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 297) at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 81) .... or like this:Caused by: CX_SAML20_CORE: Parameter was either incorrectly set or not set in method CONVERT_NAMEID at CL_SAML20_ENTITY->CONVERT_NAMEID(Line 32) at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 130) at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27) ... | The reason is that the IdP doesn't send the name ID format in the subject. It's assumed to be unspecified in this case, but SAML 2.0 code doesn't take this into account. | Example on ADFS: You want to configure ADFS to send the given name as a name ID. 1. Create a Claim rule and map the SAM-Account-Name LDAP attribute to the "Given Name" Output Claim Type. 2. Create a second, transform rule. Transform the incoming claim type "Given name" to the output claim type: "Name ID" with Outgoing name ID format = "Unspecified". If you are not able to send the unspecified name ID format from the IDP, check for correction instructions in one of these two SAP notes: 1832685 and 1914139. |
| 12 | After SAML 2.0 logoff from NWBC an error page appears with content like: "Internal error. Fatal error, no response generated" | Implement SAP Note 1939183 | |
| 13 | ADFS is configured as IDP and you get the following error at IDP side: Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage) | SAML 2.0 SP uses signature algorithm SHA-1 to sign the messages | Configure SAML 2.0 SP to sign messages using signature algorithm SHA-256. In SAML2 transaction, "Trusted Providers" tab, select your trusted IDP, choose tab "Signature and Encryption". In section "Certificates and Algorithms" use dropdown "Digest algorithm" to select SHA-256. SHA-256 signature algorithm is supported starting from following sevice packs: 7.40 SP6 7.31 SP11 7.30 SP11 7.02 SP16 |
| 14 | Call to webgui URL protected with SAML 2.0 fails with message like "Method of BOR object doesn't exist" or webgui applications are not displayed correctly. | Webgui call requires special handling of HTTP parameters | |
| 15 | When doing IdP-initiated authentication, you get an error: CX_SAML20_CORE: HTTP data for SAML2 logon in client XXX are too large (>4 KB). | Implement SAP Note 2072454 - SAML 2.0 authentication with IdP SSO fails with exception "HTTP data for SAML2 logon in client XXX are too large (>4 KB)" | |
| 16 | You are using SAML 2.0 authentication with Fiori Launchpad. Service like "/sap/opu/odata/..." responds with: <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"> <env:Body> <env:Fault> <faultcode>env:Client</faultcode> <faultstring>Rejected by policy. (from client)</faultstring> </env:Fault> </env:Body> </env:Envelope> | The Logon Procedure 'SAML Logon' is not allowed for the ICF node 'sap/opu/odata/..' Default Logon Procedure has to be used and SPNego is not in the "Logon Procedure List". | Follow the steps: 1. Go to transaction 'SICF' and press 'Execute' 2. Expand the 'default host' along the nodes 'sap'->'opu'->'odata'. 4. Open the node 'odata' 5. Select the tab 'Logon Data' 6. Field 'Procedure': Select the value 'Standard' from the drop-down list. 7. Save the node settings. |
| 17 | You are performing SAML 2.0 authentication and you get the following error: "The validation of message 'Response' failed. Long text: The validation of message 'Response' failed. Entity <name of entity> is not defined in the element 'AudienceRestriction'." | IdP is not sending correct value in AudienceRestriction element. | According to SAML 2.0 specification section 2.5.1.4, AudienceRestriction must contain the name of the Service Provider the SAMLResponse is sent to. Contact IdP administrators and ask them to change/correct this behaviour. |