
This wiki page describes how to collect traces in case of problems with SAML 2.0 authentication in AS Java or AS ABAP.


What we need to know when you open a new SAML2 incident

Opening a new incident can be a bit confusing at times, and time is wasted when it is opened under the wrong component.

Important: if the SAML environment is ABAP, use component BC-SEC-LGN-SML; if it is a Java system, use BC-JAS-SEC-SML.

Following these simple steps can speed up the process and ensure you get a speedy reply.

1. The system which acts as service provider is:
   a. SAP NetWeaver Java
   b. SAP NetWeaver ABAP

2. What identity provider are you using?
   a. SAP Identity Provider
   b. Third-party identity provider. Please specify.

3. Have you configured, or do you plan to configure, SSL on the SAP NetWeaver ABAP server?
   a. Yes
   b. No

4. Do you plan to use a proxy or SAP Web Dispatcher in your landscape?
   a. Yes
   b. No

5. Is your service provider accessible from outside your corporate network?
   a. Yes
   b. No

6. Is your identity provider accessible from outside your corporate network?
   a. Yes
   b. No

7. How are users authenticated at the identity provider?
   a. Username and password
   b. X.509 certificate authentication
   c. SPNego/Windows integrated authentication
   d. Other. Please specify.

8. What client do end-users use?
   a. Web browser
   b. Mobile device
   c. NetWeaver Business Client
   d. Other. Please specify.

9. Does the problem happen for all users, or is only a group of users affected?

10. Does the problem happen on all computers/devices, or are only some computers/devices affected?

Troubleshooting SAML 2.0 in AS Java

In case of problems with SAML 2.0 authentication, use SAP Note "Troubleshooting Wizard". In the note you will find instructions on how to collect traces and analyse the problem. For SAML 2.0 related issues, select incident "SAML 2.0 (Debug)".
If an AS Java system with a version lower than 7.20 is included in the scenario, use SAP Note "Web diagtool for collecting traces" instead.
Support component: BC-JAS-SEC-SML

List of SAP Notes for Known Problems

SAML2 identity provider functionality & SPNEGO improvements
Small improvements and fixes in security plugins

Troubleshooting SAML 2.0 in AS ABAP

Refer to the following table to choose the tool to troubleshoot the problem.

Type of Problem                                                                    Tools to be Used for Problem Analysis
General problem with SAML 2.0 configuration                                        Security Diagnostic Tool
General problem with SAML 2.0 authentication                                       Security Diagnostic Tool + HTTPWatch/Fiddler/SAML Tracer
Problem with signature verification or SAML 2.0 message decryption                 Security Diagnostic Tool + SM50/SEC_TRACE_ANALYZER
Problem with SAML 2.0 authentication when Web Dispatcher or Proxy is configured    Security Diagnostic Tool + SM50/SEC_TRACE_ANALYZER + SMICM + HTTPWatch/Fiddler/SAML Tracer

 

Security Diagnostic Tool 

For versions 7.02 SP7 or higher, 7.30 SP3 or higher, and 7.31:

  1. Access the following URL in a browser: http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>
  2. Click the "Start" button.
  3. Reproduce your scenario. Important! Use a different browser session to execute the scenario steps (preferably another browser).
  4. Stop the diagtool and review the traces.
  5. The traces open in a new browser window. Important! Save the traces as an HTML file if you would like to attach them to the incident for further investigation.
     More information can be found at Diagnosing SAML 2.0 Problems with the Security Diagnostic Tool for ABAP.
  6. Check the Guided Answers and try to find the error and possible solution.

For other versions, use SAP Note "Trace analysis for logon problems" and set the trace level of component "Security" to 3, or refer to the Server Traces section below.

SEC_TRACE_ANALYZER

Use SAP Note "Tracing and troubleshooting security events in http communication with the AS ABAP".

Server Traces

How to Increase Server Trace Level

  1. Open transaction SM51. Select the relevant server by double-clicking it. Transaction SM50 opens.
  2. Select all work processes in the table “Work Processes of AS Instance <server name>”.
  3. Go to menu “Administration” -> ”Trace” -> ”Active Components”. Set “Trace Level” to 3 and select the components “Security” and “ICF”. Click the Save button.
  4. Reproduce your scenario.
  5. Go to menu “Administration” -> ”Trace” -> ”Active Components”. A dialog opens. Click the button “Default Values”.
  6. Open transaction SM51. Select the relevant server by selecting it in the table.
  7. Open menu “Go To” -> ”Information” -> ”Trace Search”. The trace search dialog appears. Enter the pattern “SAML2” and click “Search”.
  8. Review the result list. You will find entries similar to:

        Search <server name>
        Trace File <trace file name>
        Pattern >SAML2<

  9. Copy the trace file name(s) where you see traces containing the pattern “SAML2”.

How to Download Trace file

  1. Open transaction AL11. Select the “DIR_HOME” line by double-clicking it.
  2. Use the keyboard combination “Ctrl+F” to search for the file name. When found, select the corresponding line and click the button “Download File as Text” (key combination “Shift+F5”).

ICM Trace

How to Increase ICM Trace and Download ICM Trace File

  1. Start transaction SMICM.
  2. Open menu “Go To” -> ”Trace Level” -> ”Set”. A dialog opens. Set “New Trace Level” to 3 and click “Change” (the pencil button).
  3. Reproduce your scenario.
  4. Open menu “Go To” -> ”Trace Level” -> ”Set”. A dialog opens. Click the button “Default Values”.
  5. To download the file locally, open menu “Go To” -> ”Trace File” -> ”Save Locally”.

HTTP Trace

You can capture HTTP traffic using tools like HTTPWatch, Fiddler or SAML Tracer.

HTTPWatch

Download from https://www.httpwatch.com/download/ and install it. HTTPWatch documentation is available at http://help.httpwatch.com/#introduction.html

After capturing HTTP traffic, save the log as a .hwl file so that it can be analyzed later.

Fiddler

Download from https://www.telerik.com/download/fiddler. Documentation is available at http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddler.

It is very important to configure Fiddler to decrypt HTTPS traffic before capturing traces. More information can be found at http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS

Capture the traffic and save it to a .saz file by choosing menu File -> Save -> All Sessions...

Check KBA "How to use Fiddler to collect HTTP and HTTPS traces?" for more details.

 

SAML Tracer

Firefox plug-in for viewing SAML messages sent through the browser during single sign-on and single logout.

Download and install from https://addons.mozilla.org/bg/firefox/addon/saml-tracer/.
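Whichever of the three tools you capture with, the first thing to check in the captured POST to the assertion consumer service is the decoded SAMLResponse itself. The following script is an added example, not part of this wiki page or an SAP tool: it takes the form body of that POST, decodes the SAMLResponse and summarises the fields that matter for the problem types in the table above (Issuer, Destination, InResponseTo, status code, whether the Response and Assertion are signed or encrypted, NameID and Audience). The sample POST body, hostnames and paths are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 protocol/assertion elements and XML-DSig.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _text(el, path):
    """Text of the first element matching path below el, or None."""
    node = el.find(path, NS) if el is not None else None
    return node.text.strip() if node is not None and node.text else None

def summarize_saml_response(post_body: str) -> dict:
    """Decode the SAMLResponse from a form-encoded POST body and pick out key fields."""
    params = urllib.parse.parse_qs(post_body)
    if "SAMLResponse" not in params:
        raise ValueError("no SAMLResponse parameter in POST body")
    root = ET.fromstring(base64.b64decode(params["SAMLResponse"][0]))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    return {
        "issuer": _text(root, "saml:Issuer"),
        "destination": root.get("Destination"),      # must match the SP's ACS URL
        "in_response_to": root.get("InResponseTo"),  # must match the AuthnRequest ID
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": _text(assertion, "saml:Subject/saml:NameID"),
        "audience": _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "relay_state": params.get("RelayState", [None])[0],
    }

# Constructed sample: an unsigned Response with one unsigned Assertion; hosts/paths are placeholders.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'InResponseTo="_req42" Destination="https://sp.example.invalid/sap/saml2/sp/acs/100">'
    '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.invalid</saml:Issuer>'
    '<saml:Subject><saml:NameID>JSMITH</saml:NameID></saml:Subject>'
    '<saml:Conditions><saml:AudienceRestriction><saml:Audience>SP_ABAP_100</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
SAMPLE_POST = urllib.parse.urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
                                      "RelayState": "/sap/bc/gui/sap/its/webgui"})
```

Call summarize_saml_response() with the raw body of the captured POST; a Destination or Audience that does not match the service provider's own values, or "response_signed" and "assertion_signed" both False, points at the signature/configuration rows of the table above.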

 

Support component: BC-SEC-LGN-SML

List of SAP Notes for Known Problems by Release and SP

Check wiki page SAML 2.0 for AS ABAP: List of SAP Notes for Known Problems