This wiki page describes how to collect traces in case of problems with SAML 2.0 authentication in AS Java or AS ABAP.
Table of Contents
What we need to know when you open a new SAML2 incident
Opening a new incident can be a bit confusing at times, and time can be wasted when it's opened in the incorrect component.
Important, if the SAML environment is Abap, then use BC-SEC-LGN-SML, if Java system, then BC-JAS-SEC-SML
Following these simple steps can speed up the procees and ensure you get a speedy reply.
1. The system which acts as service provider is:
a. SAP NetWeaver Java
b. SAP NetWeaver ABAP
2. What identity provider are you using?
a. SAP Identity Provider
b. Third-party identity provider.
3. Have you configured/ Do you plan to configure SSL on SAP NetWeaver ABAP server?
4. Do you plan to use proxy or SAP Web dispatcher in your landscape?
5. Is your service provider accessible from outside your corporate network?
6. Is your identity provider accessible from outside your corporate network?
7. How are users authenticated at identity provider?
a. Username and password
b. X.509 certificate authentication
c. SPNego/Windows intergrated authentication
d. Other. Please specify
8. What is the client end-users use?
a. Web browser
b. Mobile device
c. NetWeaver business client
d. Other. Please specify
9. Does the problem happen for all users or only a group of users are affected?
10. Does the problem happen on all computers/devices or only some computers/devices are affected?
Troubleshooting SAML 2.0 in AS Java
In case of problems with SAML 2.0 authentication, use SAP Note Troubleshooting Wizard. In the note you will find instractions how to collect traces and analyse the problem. For SAML 2.0 related issues, use incident "SAML 2.0 (Debug)".
In case you have AS Java system with version lower than 7.20 included in the scenario, use SAP Note Web diagtool for collecting traces to collect traces.
Support component: BC-JAS-SEC-SML
List of SAP Notes for Known Problems
Troubleshooting SAML 2.0 in AS ABAP
Refer to the following table to choose the tool to troubleshoot the problem.
|Type of Problem||Tools to be Used for Problem Analysis|
|General problem with SAML 2.0 configuration||Security Diagnostic Tool|
|General problem with SAML 2.0 authentication||Security Diagnostic Tool + HTTP Watch/Fiddler/SAML Tracer|
|Problem with signature verification or SAML 2.0 message decryption||Security Diagnostic Tool + SM50/SEC_TRACE_ANALYZER|
|Problem with SAML 2.0 authentication when Web Dispatcher or Proxy is configured||Security Diagnostic Tool + SM50/SEC_TRACE_ANALYZER +|
SMICM + HTTPWatch/Fiddler/SAML Tracer
Security Diagnostic Tool
For versions 7.02 SP7 or higher, 7.30 SP 3 or higher, 7.31:
- Access the following URL: http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX> in a browser
- Click "Start" button.
- Reproduce your scenario. Important! Use different browser session to execute scenario steps (preferably another browser)
- Stop diagtool and review the traces.
- Traces are opened in new browser window. Important! Save traces as HTML file if you would like to attach it to incident for further investigation.
More information can be found at Diagnosing SAML 2.0 Problems with the Security Diagnostic Tool for ABAP
For other versions use SAP Note Trace analysis for logon problems and set trace level of component "Security" to 3 or refer to Server Traces section below.
- Check the Guided Answers and try to find the error and possible solution.
How to Increase Server Trace Level
- Open transaction SM51. Select relevant server by double-clicking it. Transaction SM50 opens.
- Select all work processes in the table of “Work Processes of AS Instance <server name>”
- Go to menu “Administration”->”Trace”->”Active Components”. Set “Trace Level” to 3 and select components “Security” and “ICF”. Click button Save.
- Reproduce your scenario.
- Go to menu “Administration”->”Trace”->”Active Components”. A dialog opens. Click button “Default Values”.
- Open transaction SM51. Select relevant server by selecting it in the table.
- Open menu “Go To”->”Information”->”Trace Search”. Trace search dialog appear. Enter pattern “SAML2” and click “Search”.
Review the result list. You will find similar entries:
Search <server name>
Trace File <trace file name>
- Copy the trace file name(s) where you see traces containing pattern “SAML2”.
How to Download Trace file
- Open transaction AL11. Select “DIR_HOME” line by double-clicking it.
- Use keyboard combination “Ctrl+F” to search for file name. When found, select the corresponding line and click button “Download File as Text” - key combination “Shift+F5”.
How to Increase ICM Trace and Download ICM Trace File
- Start transaction SMICM.
- Open menu “Go To”->”Trace Level”->”Set”. A dialog opens. Set “New Trace Level” to 3 and click “Change” (button like a pencil).
- Reproduce your scenario.
- Open menu “Go To”->”Trace Level”->”Set”. A dialog opens. Click button “Default Values”.
- To download file locally, open menu “Go To”->”Trace File”->”Save Locally”.
You can capture HTTP traffic using tools like HTTPWatch, Fiddler or SAML Tracer.
After capturing HTTP traffic, save the log as .hwl file so that it can analyzed later.
Download from https://www.telerik.com/download/fiddler . Documentation is available at http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddler.
It is very important to configure Fiddler to decrypt HTTPS traffic before capturing traces. More information can be found at http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS.
Capture traffic and save it to .saz file by choosing menu File->Save->All Sessions... .
Check KBA How to use Fiddler to collect HTTP and HTTPS traces? for more details.
Firefox plug-in for viewing SAML messages sent through the browser during single sign-on and single logout.
Download and install from https://addons.mozilla.org/bg/firefox/addon/saml-tracer/.
Support component: BC-SEC-LGN-SML
List of SAP Notes for Known Problems by Release and SP
Check wiki page SAML 2.0 for AS ABAP: List of SAP Notes for Known Problems