Channel: SCN : Popular Discussions - SAP Single Sign-On

MS ADFS to NW ABAP 7.02 SAML. IdP originated works, but not the other way


We have NW 7.02 SP12 and have enabled SAML2 to allow us to provide SSO to ABAP WebDynpros by way of MS ADFS.

 

After configuring SAML in line with all the relevant docs/notes/troubleshooting info, we are able to go to the ADFS URL (https://<IDP HOST>/adfs/ls/IdpInitiatedSignon.aspx), and pick our SAP Service Provider that we set up in SAML and provided the metadata file back to the ADFS.

 

We are challenged for our Windows/AD credentials and then after providing them are passed into the SAP ABAP web dynpro that we set up for SAML authentication, and also as the default endpoint in this test.  The logs show successful logon.

 

When we try to access that same SAP Web Dynpro by direct URL (https://<sap host>/sap/bc/xyz), we get redirected to the ADFS host for the Windows credentials, and then get taken back to the SAP ABAP Web logon screen with the errors

 

"Logon Failed at Identity Provider (http://<ADFS host>/adfs/services/trust)"

"SAML Response Status: [urn:oasis:names:tc:SAML2.0:status:Responder]"

"Message from the identity provider: [urn:oasis:names:tc:SAML2.0:status:Responder]"

 

 

The SAML Diagnostics trace in SAP reveals no error.  The SM21 log reveals no error.  So, this doesn't look so much like a SAML error but an ABAP AS error processing the assertion that's being sent back by the ADFS and then SAP is somehow not trusting the assertion in this method.

 

In the successful test of the IdP URL initiated call, the SAML Diag trace shows that the user ID (in below example, userID: JSMITH) is successfully being kicked over to SAP and then authenticated. 

 

In the (unsuccessful) SAP URL initiated test, the SAML Diag trace doesn't indicate any of this (but also no errors).

 

Thoughts?

 

 

 

IdP Initiated SAML

 

 

 

Client Server Work Process Time Severity User Message Callstack

100 USH-B-SC-SE2 2 02:01:31:851 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  POST /sap/saml2/sp/acs/100 HTTP/1.1

~request_method:  POST

~request_uri:  /sap/saml2/sp/acs/100

~path:  /sap/saml2/sp/acs/100

~path_translated:  /sap/saml2/sp/acs/100

~server_protocol:  HTTP/1.1

host:  <SP Host>:8003

~server_name:  <SP Host>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

referer:  https://<IDP HOST>/adfs/ls/auth/integrated/?SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9Ol638%2bWr%2fBet86ZNz55%2b9tHv%2f%2bl5vnN%2f7%2f7%2b9v3pp%2fvb%2b%2fsPDraz3YcH23vne%2fcfZNneg%2ftZ9lH6k3ndFNXys4%2f2xjsfpWdNs87Plk2bLVv6aGd3f3tnb3vv%2fpudvUc7u4%2f27o0f3n%2fwUx%2blT6mXYpm1%2fOa8bVfNo7t3p810%2b7yZ5ZfjaVWuF5Mio18Wd7PZeXO3bO5%2blJ5UyyYH4HW9fFRlTdE8WmaLvHnUTh%2b9Pv7i%2bSPC4dFUGj1aL5tVPi3Oi3z2UfpuUS6bRzzSzW%2bv6qqtqPuPjh7zWGp5dfNLWdPkNcby0RHGcsNQqO1lMc2bu229btrHd6Wfo8c0ulkBKM179vn4eD0r8uU0f0VUrYspPnUfHr0%2b3SPQy3xKfdkP3a%2fBS3cdEvRHnzOO%2fh8%3d&Signature=UdDjDRi1cugjPfoVH%2bUVys0fwbbyPdhhMLrhZlxN0Sou4ELClET5F1pZDFGvhQX0ZK8m1zwFh7ZlhDnrxc9auPUBp2tfURHfSZSgBvB%2bFs7N110RDP7ImC2Y%2bIKvURdIapJ9561L6iZ6EvQHll%2bBvV3ur4Q7ZjkCrNrnDCnGv4ResdJkkrnsFrXIfJRl0ElFb2hJoWVXvM%2bN%2bJiFd%2fMmKE8l2yuOSsrlVAzDNxkNmrcLFmZrrjUZkUNBJ3Qc%2bZ%2bX3VJrbd0I3rG1YPfLpN4HgKjA5zO4dKOh28CttByQq25RzefuDvVkN1%2bbws7TfDMMxsw%2bw4jell9yQ6ewd9rpog%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256

connection:  keep-alive

content-type:  application/x-www-form-urlencoded

content-length:  7921

~server_name_expanded:  <SP Host>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

~script_name:  /sap/saml2

~path_info:  /sp/acs/100

~script_name_expanded:  /sap/public/bc/sec/saml2

~path_info_expanded:  /sp/acs/100

~path_translated_expanded:  /sap/public/bc/sec/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:01:32:148 Info SAPSYS

SAML20 SP (client 100 ): Raw SAML response:


100 USH-B-SC-SE2 2 02:01:32:205 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is POST


100 USH-B-SC-SE2 2 02:01:32:349 Info SAPSYS

SAML20 SP (client 100 ): Calling transformation:SAML2_RESPONSE was successful.


100 USH-B-SC-SE2 2 02:01:32:391 Info SAPSYS

SAML20 SP (client 100 ): SSL is active


100 USH-B-SC-SE2 2 02:01:32:393 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP Host>:8003/sap/zapp?sap-client=100


100 USH-B-SC-SE2 2 02:01:32:396 Info SAPSYS

SAML20 SP (client 100 ): Incoming Response

SAML20 Binding:          POST

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Success

SAML20 <samlp:Response ID="_96a3cff6-3bcc-4aad-8f19-fd01c239bccf"

SAML20                 Version="2.0"

SAML20                 IssueInstant="2014-02-25T02:01:30.101Z"

SAML20                 Destination="https://<SP Host>:8003/sap/saml2/sp/acs/100"

SAML20                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

SAML20                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <samlp:Status>

SAML20     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

SAML20   </samlp:Status>

SAML20   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"

SAML20                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

SAML20       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />

SAML20       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">

SAML20           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

SAML20

SAML20             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

SAML20           </e:EncryptionMethod>

SAML20           <KeyInfo>

SAML20             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20               <ds:X509IssuerSerial>

SAML20                 <ds:X509IssuerName>CN=SE2_SSFA_S2SVPE, OU=I0020597387,

SAML20                 OU=SAP Web AS, O=SAP Trust Community,

SAML20                 C=DE</ds:X509IssuerName>

SAML20                 <ds:X509SerialNumber>

SAML20                 9029198496735832</ds:X509SerialNumber>

SAML20               </ds:X509IssuerSerial>

SAML20             </ds:X509Data>

SAML20           </KeyInfo>

SAML20           <e:CipherData>

SAML20             <e:CipherValue>

SAML20             UzUVKFwmz1KcdKcoUqZglF8GVgZOBlBzmic/UPW4NP30xTMrhvs6xyAQrL+dIrC+CbRTV6NsFZ8LcoX2tBdeoasWrH/6bj9Mlq2QhLt/urRyEx0RVRXm0P8JzrPdiLX1MXlhqNgs3ALiwO5Er5NCJp8yij/AZlnZnf11QANt8cE=</e:CipherValue>

SAML20           </e:CipherData>

SAML20         </e:EncryptedKey>

SAML20       </KeyInfo>

SAML20       <xenc:CipherData>

SAML20         <xenc:CipherValue>

SAML20         </xenc:CipherValue>

SAML20       </xenc:CipherData>

SAML20     </xenc:EncryptedData>

SAML20   </EncryptedAssertion>

SAML20 </samlp:Response>

SAML20


100 USH-B-SC-SE2 2 02:01:32:401 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP Host>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP Host>:8003/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:01:32:413 Debug SAPSYS

SAML20 SP (client 100 ): m_is_resp_signed - , m_is_signed -


100 USH-B-SC-SE2 2 02:01:32:434 Info SAPSYS

SAML20 SP (client 100 ):  Decrypted data:

SAML20 <Assertion ID="_b95be371-7724-4c3e-ba09-261f10347d64"

SAML20            IssueInstant="2014-02-25T02:01:30.100Z"

SAML20            Version="2.0"

SAML20            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   <Issuer>http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20     <ds:SignedInfo>

SAML20       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

SAML20       <ds:Reference URI="#_b95be371-7724-4c3e-ba09-261f10347d64">

SAML20         <ds:Transforms>

SAML20           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

SAML20           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20         </ds:Transforms>

SAML20         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

SAML20         <ds:DigestValue>

SAML20         25MbGBIBAceJ7ucOi5mh+tNg3geg/Zs4LVsykD+RNEU=</ds:DigestValue>

SAML20       </ds:Reference>

SAML20     </ds:SignedInfo>

SAML20     <ds:SignatureValue>

SAML20     jN4dPvk8DLyD3aZVIkK1XQfLifBh0Ng1YaIEWrhxi1+85kZYaYtBD/AiGhfDNLQRN/9HC8RFJJBgVEYYtwOoSOkAOkMXt4m281Qi0kPV2fm5BppgOdoY/gEZtoXnlbnAffbQXbowB46NmYUvxUBX2kRs6u+HT88zi4XFgI9eGe9UM+M8XVWzwRRpRNTTnGe7z4s/EQ6Z5fWbFHHIIr9o90CkkREc9Lwgqw7lPAN9hjOBU9NmrOHwfzRqyY174GABuwAVUAR7CADY5C0N1puo66Z6v7dp0JI4JW3jrrHnt35v2D9DZa+aYf7287C7OKBkr5EMo258KGmKZfGRaMkPeg==</ds:SignatureValue>

SAML20     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20       <ds:X509Data>

SAML20         <ds:X509Certificate>

SAML20         </ds:X509Certificate>

SAML20       </ds:X509Data>

SAML20     </KeyInfo>

SAML20   </ds:Signature>

SAML20   <Subject>

SAML20     <NameID>JSMITH</NameID>

SAML20     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20       <SubjectConfirmationData NotOnOrAfter="2014-02-25T02:06:30.101Z"

SAML20                                Recipient="https://<SP Host>:8003/sap/saml2/sp/acs/100" />

SAML20     </SubjectConfirmation>

SAML20   </Subject>

SAML20   <Conditions NotBefore="2014-02-25T02:01:30.098Z"

SAML20               NotOnOrAfter="2014-02-25T03:01:30.098Z">

SAML20     <AudienceRestriction>

SAML20       <Audience>SE2Connect</Audience>

SAML20     </AudienceRestriction>

SAML20   </Conditions>

SAML20   <AuthnStatement AuthnInstant="2014-02-25T02:01:30.033Z"

SAML20                   SessionIndex="_b95be371-7724-4c3e-ba09-261f10347d64">

SAML20     <AuthnContext>

SAML20       <AuthnContextClassRef>

SAML20       urn:federation:authentication:windows</AuthnContextClassRef>

SAML20     </AuthnContext>

SAML20   </AuthnStatement>

SAML20 </Assertion>

SAML20


100 USH-B-SC-SE2 2 02:01:32:441 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP Host>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP Host>:8003/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:01:32:446 Info SAPSYS

SAML20 SP (client 100 ): Started authentication for access to path:


100 USH-B-SC-SE2 2 02:01:32:450 Info SAPSYS

SAML20 SP (client 100 ): NameID jsmith (Format ) mapped to user ID jsmith


100 USH-B-SC-SE2 2 02:01:32:461 Info jsmith

SAML20 SP (client 100 ): CALL 'SAML login': SY-SUBRC = 0, PWDCHG = 0, CONTEXT_REF = B980AFFF9DC011E3B12F005056850025


100 USH-B-SC-SE2 2 02:01:32:466 Info jsmith

SAML20 SP (client 100 ): SAML session created (security context ref: B980AFFF9DC011E3B12F005056850025, reason: SSO)


100 USH-B-SC-SE2 2 02:01:32:479 Debug jsmith

SAML20 SP (client 100 ): Current request method is POST, request method as read by OUC cookie is 


 

 

 

SAP URL initiated SAML

 

 

 

 

 

Client Server Work Process Time Severity User Message Callstack

100 USH-B-SC-SE2 2 02:04:33:780 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is GET


100 USH-B-SC-SE2 2 02:04:33:783 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  GET /sap/zapp/ContractList HTTP/1.1

~request_method:  GET

~request_uri:  /sap/zapp/ContractList

~path:  /sap/zapp/ContractList

~path_translated:  /sap/zapp/ContractList

~server_protocol:  HTTP/1.1

host:  <SP HOST>:8003

~server_name:  <SP HOST>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

connection:  keep-alive

~server_name_expanded:  <SP HOST>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS


100 USH-B-SC-SE2 2 02:04:33:785 Info SAPSYS

SAML20 SP (client 100 ): IdP 'http://<IDP HOST>/adfs/services/trust' selected (source: Default Configuration)


100 USH-B-SC-SE2 2 02:04:33:788 Info SAPSYS

SAML20 SP (client 100 ): SSL is active


100 USH-B-SC-SE2 2 02:04:33:789 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP HOST>:8003/sap/zapp/ContractList


100 USH-B-SC-SE2 2 02:04:33:792 Debug SAPSYS

SAML20 SP (client 100 ): Got comparison method from IDP:0


100 USH-B-SC-SE2 2 02:04:33:795 Debug SAPSYS

SAML20 SP (client 100 ): Relay state: ID=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf, value=GET#0y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%3D%3D


100 USH-B-SC-SE2 2 02:04:33:808 Info SAPSYS

SAML20 SP (client 100 ): Outgoing AuthnRequest

SAML20 Binding:          REDIR

SAML20 Signed:           True

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Destination:      https://<IDP HOST>/adfs/ls/

SAML20 <samlp:AuthnRequest ID="S00505685-0025-1ee3-a7b8-25619ae3f12f"

SAML20                     Version="2.0"

SAML20                     IssueInstant="2014-02-25T02:04:33Z"

SAML20                     Destination="https://<IDP HOST>/adfs/ls/"

SAML20                     ForceAuthn="false"

SAML20                     IsPassive="false"

SAML20                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   SE2Connect</saml:Issuer>

SAML20   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

SAML20 </samlp:AuthnRequest>

SAML20


100 USH-B-SC-SE2 2 02:04:33:810 Debug SAPSYS

SAML20 SP (client 100 ): URL to redirect https://<IDP HOST>/adfs/ls/?SAMLRequest=fZFRS8MwFIX%2FSsl7lzRd57ysheEUCirDiQ%2B%2BZekNC7RJ7U2H%2FnvTDmQ%2B6Fs43HO%2Bc8iGVNf2sB3Dyb3gx4gUknpXsoMQhShW6yIVQhZphpin6ua4TmWxym4V5iaThiVvOJD1rmRyIVhSE41YOwrKhSiJbJkKGR2vQoJYQp6%2Fs2QXCdapMLtOIfQEnGvSqaEGzwvt27E7WhUfHVeNId4SZ8mDHzTOJUtmVEs4wfaKyJ7xR%2FnsWkcwDyrZODjwiiyBUx0SBA2H7dMjxKLQDz74SGLVZrqGufdw5f%2FfHrE4TANYdbiXd9451GHDr6IuuT08R2%2B92%2FvW6q9pQ6fC39HZIpsV26RmPoXRUY%2FaGosN49WF8Puvqm8%3D&RelayState=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pWKCA5zyQfiXesrmCwBC2UMz6ytSGrJvDeuKcswLeO42%2BbCHMJNKOFJ38DbIrc0WVvPfG8ildQ8wEolU0%2FKE9aNTNF2XyIEjbdnt76sxyafwWq6FbrIQ%2B6YqCuiGNGNVmGz8iTTTGSbqJ0IHYlf3YK0jSBZcSGZAnFREt8Te4Lg%3D


100 USH-B-SC-SE2 2 02:04:41:133 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  POST /sap/saml2/sp/acs/100 HTTP/1.1

~request_method:  POST

~request_uri:  /sap/saml2/sp/acs/100

~path:  /sap/saml2/sp/acs/100

~path_translated:  /sap/saml2/sp/acs/100

~server_protocol:  HTTP/1.1

host:  <SP HOST>:8003

~server_name:  <SP HOST>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

referer:  https://<IDP HOST>/adfs/ls/auth/integrated/?SAMLRequest=fZFRS8MwFIX%2FSsl7lzRd57ysheEUCirDiQ%2B%2BZekNC7RJ7U2H%2FnvTDmQ%2B6Fs43HO%2Bc8iGVNf2sB3Dyb3gx4gUknpXsoMQhShW6yIVQhZphpin6ua4TmWxym4V5iaThiVvOJD1rmRyIVhSE41YOwrKhSiJbJkKGR2vQoJYQp6%2Fs2QXCdapMLtOIfQEnGvSqaEGzwvt27E7WhUfHVeNId4SZ8mDHzTOJUtmVEs4wfaKyJ7xR%2FnsWkcwDyrZODjwiiyBUx0SBA2H7dMjxKLQDz74SGLVZrqGufdw5f%2FfHrE4TANYdbiXd9451GHDr6IuuT08R2%2B92%2FvW6q9pQ6fC39HZIpsV26RmPoXRUY%2FaGosN49WF8Puvqm8%3D&RelayState=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pWKCA5zyQfiXesrmCwBC2UMz6ytSGrJvDeuKcswLeO42%2BbCHMJNKOFJ38DbIrc0WVvPfG8ildQ8wEolU0%2FKE9aNTNF2XyIEjbdnt76sxyafwWq6FbrIQ%2B6YqCuiGNGNVmGz8iTTTGSbqJ0IHYlf3YK0jSBZcSGZAnFREt8Te4Lg%3D

cookie:  oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf=GET%230y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%253D%253D

connection:  keep-alive

content-type:  application/x-www-form-urlencoded

content-length:  3766

~server_name_expanded:  <SP HOST>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

~script_name:  /sap/saml2

~path_info:  /sp/acs/100

~script_name_expanded:  /sap/public/bc/sec/saml2

~path_info_expanded:  /sp/acs/100

~path_translated_expanded:  /sap/public/bc/sec/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:04:41:409 Info SAPSYS

SAML20 SP (client 100 ): Raw SAML response:


100 USH-B-SC-SE2 2 02:04:41:411 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is POST


100 USH-B-SC-SE2 2 02:04:41:417 Info SAPSYS

SAML20 SP (client 100 ): Calling transformation:SAML2_RESPONSE was successful.


100 USH-B-SC-SE2 2 02:04:41:423 Debug SAPSYS

SAML20 SP (client 100 ): Relay state cookie to parse: GET#0y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%3D%3D


100 USH-B-SC-SE2 2 02:04:41:425 Info SAPSYS

SAML20 SP (client 100 ): SSL is active


100 USH-B-SC-SE2 2 02:04:41:426 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP HOST>:8003/sap/zapp/ContractList


100 USH-B-SC-SE2 2 02:04:41:428 Info SAPSYS

SAML20 SP (client 100 ): Incoming Response

SAML20 Binding:          POST

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Responder

SAML20 <samlp:Response ID="_91140a8c-93ed-403e-98a7-9d76260601b3"

SAML20                 Version="2.0"

SAML20                 IssueInstant="2014-02-25T02:04:39.417Z"

SAML20                 Destination="https://<SP HOST>:8003/sap/saml2/sp/acs/100"

SAML20                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

SAML20                 InResponseTo="S00505685-0025-1ee3-a7b8-25619ae3f12f"

SAML20                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20     <ds:SignedInfo>

SAML20       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

SAML20       <ds:Reference URI="#_91140a8c-93ed-403e-98a7-9d76260601b3">

SAML20         <ds:Transforms>

SAML20           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

SAML20           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20         </ds:Transforms>

SAML20         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

SAML20         <ds:DigestValue>

SAML20         gg9SyLFRheGk+zVAfQx4z4KB4CLKKdjna34sQR+stbQ=</ds:DigestValue>

SAML20       </ds:Reference>

SAML20     </ds:SignedInfo>

SAML20     <ds:SignatureValue>

SAML20     e0TWesgRqbxV/p3LHQQCSHU0eSkJzUpULQF/HqQysOEs4N89G6ngpAjbXYjWot/ozoYzs5hD5Xjp/jBfO2jJb77O81TjVijH4BdeOzrEHEOxeE0hwmptd0+acVgLbUICKkl1vJAYH3+9I1rbYS7tGRmqD2tOXCMdQDHW41aiwZ6lTf8x0M56rwKHDl/cKcty+6SbYgaWIVyVs++9opuyo3skPJAzjD/ITteTfZlGmnvMrUgt1v4tnZJXWIk2aPzOllumDDq03pupabAlY2QIMbXeVhFNj8bU/BcESFuZhCl+JL25xMa0aqbrb90pSi5iw3GClBi7twLpZ3d0Xynaag==</ds:SignatureValue>

SAML20     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20       <ds:X509Data>

SAML20         <ds:X509Certificate>

SAML20         </ds:X509Certificate>

SAML20       </ds:X509Data>

SAML20     </KeyInfo>

SAML20   </ds:Signature>

SAML20   <samlp:Status>

SAML20     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />

SAML20   </samlp:Status>

SAML20 </samlp:Response>

SAML20


100 USH-B-SC-SE2 2 02:04:41:430 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP HOST>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP HOST>:8003/saml2/sp/acs/100
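
Added example, not part of the original post and not SAP or ADFS code: in the SP-initiated trace above, the redirect URL carries `SigAlg=...xmldsig#rsa-sha1` while the ADFS response is signed with `rsa-sha256`, and a small decoder for the HTTP-Redirect binding makes that kind of side-by-side comparison repeatable. The host `idp.example.test`, the IDs, the relay state and the signature value are constructed sample data; all function names are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_XML = 64 * 1024  # cap on inflated size; real AuthnRequests are a few KB


def parse_xml(text):
    # ElementTree expands internal entities, so refuse any DTD before parsing.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations not allowed in SAML messages")
    return ET.fromstring(text)


def deflate_b64(xml_text):
    """Encode as the HTTP-Redirect binding does (used here to build samples)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def inflate_saml(b64_value):
    """Undo the HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    raw = base64.b64decode(b64_value, validate=True)
    d = zlib.decompressobj(wbits=-15)      # -15 = raw deflate, no zlib header
    out = d.decompress(raw, MAX_XML + 1)   # bounded output guards against bombs
    if len(out) > MAX_XML:
        raise ValueError("inflated message exceeds size cap")
    return out.decode("utf-8")


def describe_redirect_request(url):
    """Summarise what the SP put on the redirect to the IdP."""
    q = parse_qs(urlsplit(url).query, strict_parsing=True)
    root = parse_xml(inflate_saml(q["SAMLRequest"][0]))
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": q.get("RelayState", [None])[0],
        "signed": "Signature" in q,
        "sig_alg": q.get("SigAlg", [None])[0],
    }


def describe_response(xml_text):
    """Pull status, correlation ID and signature algorithm from a Response."""
    root = parse_xml(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
        "sig_alg": method.get("Algorithm") if method is not None else None,
    }


def compare(request, response):
    """Return observations worth checking; an empty list means none."""
    findings = []
    if response["in_response_to"] != request["id"]:
        findings.append("InResponseTo does not match the AuthnRequest ID")
    if request["sig_alg"] and response["sig_alg"] \
            and request["sig_alg"] != response["sig_alg"]:
        findings.append("signature algorithms differ: SP %s, IdP %s"
                        % (request["sig_alg"], response["sig_alg"]))
    if not (response["status"] or "").endswith(":status:Success"):
        findings.append("IdP returned status %s" % response["status"])
    return findings


# Constructed sample data shaped like the messages in the trace above.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest ID="_req-constructed-0001" Version="2.0" '
    'Destination="https://idp.example.test/adfs/ls/" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'SE2Connect</saml:Issuer><samlp:NameIDPolicy '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '</samlp:AuthnRequest>')
SAMPLE_URL = "https://idp.example.test/adfs/ls/?" + urlencode({
    "SAMLRequest": deflate_b64(SAMPLE_REQUEST),
    "RelayState": "constructed-relay-state",
    "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "Signature": "Y29uc3RydWN0ZWQ=",  # placeholder, not a real signature
})
SAMPLE_RESPONSE = (
    '<samlp:Response ID="_resp-constructed-0001" Version="2.0" '
    'InResponseTo="_req-constructed-0001" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod '
    'Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '</ds:SignedInfo></ds:Signature><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>'
    '</samlp:Response>')

if __name__ == "__main__":
    req = describe_redirect_request(SAMPLE_URL)
    for line in compare(req, describe_response(SAMPLE_RESPONSE)):
        print(line)
```

The decoder only reads the messages and does not verify any signature; an SP must still validate signatures with a proper XML-DSig implementation against the IdP's trusted certificate.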



Kerberos/GSS API changed from RHEL to RHEL6?


Hello Experts,

 

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack no longer authenticates via SSO. All I get is a funny error popup "SAP System Message: S".

 

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

 

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

 

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

 

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

 

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

 

Any info is much appreciated.

 

Andreas Niewerth

SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

 

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using a redirect app as described in this note.

The question is what the best way forward is, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf

Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir

SSO using Kerberos for AIX - How?

Hi,

I need to set up SSO in my SAP systems, using Kerberos, so that users from Windows terminals can log in to a system using SAPGUI without giving a user/password.

 

I know it is possible because I have seen it somewhere in the past.

 

However, despite searching on SAP Help, I still cannot find the steps for it. I checked the following links, but they all talk about a setup where the SAP system is on a Windows platform, and I can't find anything for AIX (or any other Unix/Linux flavor).

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please help.

 

Regards,

Shitij

MS ADFS to NW ABAP 7.02 SAML. IdP originated works, but not the other way

We have NW 7.02 SP12 and have enabled SAML2 to allow us to provide SSO to ABAP WebDynpros by way of MS ADFS.

 

After configuring SAML in line with all the relevant docs/notes/troubleshooting info, we are able to go to the ADFS URL (https://<IDP HOST>/adfs/ls/IdpInitiatedSignon.aspx), and pick our SAP Service Provider that we set up in SAML and provided the metadata file back to the ADFS.

We are challenged for our Windows/AD credentials and then after providing them are passed into the SAP ABAP web dynpro that we set up for SAML authentication, and also as the default endpoint in this test.  The logs show successful logon.

 

When we try to access that same SAP Web Dynpro by direct URL (https://<sap host>/sap/bc/xyz), we get redirected to the ADFS host for the Windows credentials, and then get taken back to the SAP ABAP Web logon screen with the errors

 

"Logon Failed at Identity Provider (http://<ADFS host>/adfs/services/trust)"

"SAML Response Status: [urn:oasis:names:tc:SAML2.0:status:Responder]"

"Message from the identity provider: [urn:oasis:names:tc:SAML2.0:status:Responder]"

 

 

The SAML Diagnostics trace in SAP reveals no error.  The SM21 log reveals no error.  So, this doesn't look so much like a SAML error but an ABAP AS error processing the assertion that's being sent back by the ADFS and then SAP is somehow not trusting the assertion in this method.

 

In the successful test of the IdP URL initiated call, the SAML Diag trace shows that the user ID (in below example, userID: JSMITH) is successfully being kicked over to SAP and then authenticated. 

 

In the (unsuccessful) SAP URL initiated test, the SAML Diag trace doesn't indicate any of this (but also no errors).

 

Thoughts?

 

 

 

IDP Initiated SAML

 

 

 

Client Server Work Process Time Severity User Message Callstack

100 USH-B-SC-SE2 2 02:01:31:851 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  POST /sap/saml2/sp/acs/100 HTTP/1.1

~request_method:  POST

~request_uri:  /sap/saml2/sp/acs/100

~path:  /sap/saml2/sp/acs/100

~path_translated:  /sap/saml2/sp/acs/100

~server_protocol:  HTTP/1.1

host:  <SP Host>:8003

~server_name:  <SP Host>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

referer:  https://<IDP HOST>/adfs/ls/auth/integrated/?SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9Ol638%2bWr%2fBet86ZNz55%2b9tHv%2f%2bl5vnN%2f7%2f7%2b9v3pp%2fvb%2b%2fsPDraz3YcH23vne%2fcfZNneg%2ftZ9lH6k3ndFNXys4%2f2xjsfpWdNs87Plk2bLVv6aGd3f3tnb3vv%2fpudvUc7u4%2f27o0f3n%2fwUx%2blT6mXYpm1%2fOa8bVfNo7t3p810%2b7yZ5ZfjaVWuF5Mio18Wd7PZeXO3bO5%2blJ5UyyYH4HW9fFRlTdE8WmaLvHnUTh%2b9Pv7i%2bSPC4dFUGj1aL5tVPi3Oi3z2UfpuUS6bRzzSzW%2bv6qqtqPuPjh7zWGp5dfNLWdPkNcby0RHGcsNQqO1lMc2bu229btrHd6Wfo8c0ulkBKM179vn4eD0r8uU0f0VUrYspPnUfHr0%2b3SPQy3xKfdkP3a%2fBS3cdEvRHnzOO%2fh8%3d&Signature=UdDjDRi1cugjPfoVH%2bUVys0fwbbyPdhhMLrhZlxN0Sou4ELClET5F1pZDFGvhQX0ZK8m1zwFh7ZlhDnrxc9auPUBp2tfURHfSZSgBvB%2bFs7N110RDP7ImC2Y%2bIKvURdIapJ9561L6iZ6EvQHll%2bBvV3ur4Q7ZjkCrNrnDCnGv4ResdJkkrnsFrXIfJRl0ElFb2hJoWVXvM%2bN%2bJiFd%2fMmKE8l2yuOSsrlVAzDNxkNmrcLFmZrrjUZkUNBJ3Qc%2bZ%2bX3VJrbd0I3rG1YPfLpN4HgKjA5zO4dKOh28CttByQq25RzefuDvVkN1%2bbws7TfDMMxsw%2bw4jell9yQ6ewd9rpog%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256

connection:  keep-alive

content-type:  application/x-www-form-urlencoded

content-length:  7921

~server_name_expanded:  <SP Host>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

~script_name:  /sap/saml2

~path_info:  /sp/acs/100

~script_name_expanded:  /sap/public/bc/sec/saml2

~path_info_expanded:  /sp/acs/100

~path_translated_expanded:  /sap/public/bc/sec/saml2/sp/acs/100

100 USH-B-SC-SE2 2 02:01:32:148 Info SAPSYS

SAML20 SP (client 100 ): Raw SAML response:

100 USH-B-SC-SE2 2 02:01:32:205 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is POST

100 USH-B-SC-SE2 2 02:01:32:349 Info SAPSYS

SAML20 SP (client 100 ): Calling transformation:SAML2_RESPONSE was successful.

100 USH-B-SC-SE2 2 02:01:32:391 Info SAPSYS

SAML20 SP (client 100 ): SSL is active

100 USH-B-SC-SE2 2 02:01:32:393 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP Host>:8003/sap/zapp?sap-client=100

100 USH-B-SC-SE2 2 02:01:32:396 Info SAPSYS

SAML20 SP (client 100 ): Incoming Response

SAML20 Binding:          POST

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Success

SAML20 <samlp:Response ID="_96a3cff6-3bcc-4aad-8f19-fd01c239bccf"

SAML20                 Version="2.0"

SAML20                 IssueInstant="2014-02-25T02:01:30.101Z"

SAML20                 Destination="https://<SP Host>:8003/sap/saml2/sp/acs/100"

SAML20                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

SAML20                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <samlp:Status>

SAML20     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

SAML20   </samlp:Status>

SAML20   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"

SAML20                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

SAML20       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />

SAML20       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">

SAML20           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

SAML20

SAML20             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

SAML20           </e:EncryptionMethod>

SAML20           <KeyInfo>

SAML20             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20               <ds:X509IssuerSerial>

SAML20                 <ds:X509IssuerName>CN=SE2_SSFA_S2SVPE, OU=I0020597387,

SAML20                 OU=SAP Web AS, O=SAP Trust Community,

SAML20                 C=DE</ds:X509IssuerName>

SAML20                 <ds:X509SerialNumber>

SAML20                 9029198496735832</ds:X509SerialNumber>

SAML20               </ds:X509IssuerSerial>

SAML20             </ds:X509Data>

SAML20           </KeyInfo>

SAML20           <e:CipherData>

SAML20             <e:CipherValue>

SAML20             UzUVKFwmz1KcdKcoUqZglF8GVgZOBlBzmic/UPW4NP30xTMrhvs6xyAQrL+dIrC+CbRTV6NsFZ8LcoX2tBdeoasWrH/6bj9Mlq2QhLt/urRyEx0RVRXm0P8JzrPdiLX1MXlhqNgs3ALiwO5Er5NCJp8yij/AZlnZnf11QANt8cE=</e:CipherValue>

SAML20           </e:CipherData>

SAML20         </e:EncryptedKey>

SAML20       </KeyInfo>

SAML20       <xenc:CipherData>

SAML20         <xenc:CipherValue>

SAML20         </xenc:CipherValue>

SAML20       </xenc:CipherData>

SAML20     </xenc:EncryptedData>

SAML20   </EncryptedAssertion>

SAML20 </samlp:Response>

SAML20

100 USH-B-SC-SE2 2 02:01:32:401 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP Host>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP Host>:8003/saml2/sp/acs/100

100 USH-B-SC-SE2 2 02:01:32:413 Debug SAPSYS

SAML20 SP (client 100 ): m_is_resp_signed - , m_is_signed -

100 USH-B-SC-SE2 2 02:01:32:434 Info SAPSYS

SAML20 SP (client 100 ):  Decrypted data:

SAML20 <Assertion ID="_b95be371-7724-4c3e-ba09-261f10347d64"

SAML20            IssueInstant="2014-02-25T02:01:30.100Z"

SAML20            Version="2.0"

SAML20            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   <Issuer>http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20     <ds:SignedInfo>

SAML20       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

SAML20       <ds:Reference URI="#_b95be371-7724-4c3e-ba09-261f10347d64">

SAML20         <ds:Transforms>

SAML20           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

SAML20           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20         </ds:Transforms>

SAML20         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

SAML20         <ds:DigestValue>

SAML20         25MbGBIBAceJ7ucOi5mh+tNg3geg/Zs4LVsykD+RNEU=</ds:DigestValue>

SAML20       </ds:Reference>

SAML20     </ds:SignedInfo>

SAML20     <ds:SignatureValue>

SAML20     jN4dPvk8DLyD3aZVIkK1XQfLifBh0Ng1YaIEWrhxi1+85kZYaYtBD/AiGhfDNLQRN/9HC8RFJJBgVEYYtwOoSOkAOkMXt4m281Qi0kPV2fm5BppgOdoY/gEZtoXnlbnAffbQXbowB46NmYUvxUBX2kRs6u+HT88zi4XFgI9eGe9UM+M8XVWzwRRpRNTTnGe7z4s/EQ6Z5fWbFHHIIr9o90CkkREc9Lwgqw7lPAN9hjOBU9NmrOHwfzRqyY174GABuwAVUAR7CADY5C0N1puo66Z6v7dp0JI4JW3jrrHnt35v2D9DZa+aYf7287C7OKBkr5EMo258KGmKZfGRaMkPeg==</ds:SignatureValue>

SAML20     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20       <ds:X509Data>

SAML20         <ds:X509Certificate>

SAML20         </ds:X509Certificate>

SAML20       </ds:X509Data>

SAML20     </KeyInfo>

SAML20   </ds:Signature>

SAML20   <Subject>

SAML20     <NameID>JSMITH</NameID>

SAML20     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20       <SubjectConfirmationData NotOnOrAfter="2014-02-25T02:06:30.101Z"

SAML20                                Recipient="https://<SP Host>:8003/sap/saml2/sp/acs/100" />

SAML20     </SubjectConfirmation>

SAML20   </Subject>

SAML20   <Conditions NotBefore="2014-02-25T02:01:30.098Z"

SAML20               NotOnOrAfter="2014-02-25T03:01:30.098Z">

SAML20     <AudienceRestriction>

SAML20       <Audience>SE2Connect</Audience>

SAML20     </AudienceRestriction>

SAML20   </Conditions>

SAML20   <AuthnStatement AuthnInstant="2014-02-25T02:01:30.033Z"

SAML20                   SessionIndex="_b95be371-7724-4c3e-ba09-261f10347d64">

SAML20     <AuthnContext>

SAML20       <AuthnContextClassRef>

SAML20       urn:federation:authentication:windows</AuthnContextClassRef>

SAML20     </AuthnContext>

SAML20   </AuthnStatement>

SAML20 </Assertion>

SAML20

100 USH-B-SC-SE2 2 02:01:32:441 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP Host>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP Host>:8003/saml2/sp/acs/100

100 USH-B-SC-SE2 2 02:01:32:446 Info SAPSYS

SAML20 SP (client 100 ): Started authentication for access to path:

100 USH-B-SC-SE2 2 02:01:32:450 Info SAPSYS

SAML20 SP (client 100 ): NameID jsmith (Format ) mapped to user ID jsmith

100 USH-B-SC-SE2 2 02:01:32:461 Info jsmith

SAML20 SP (client 100 ): CALL 'SAML login': SY-SUBRC = 0, PWDCHG = 0, CONTEXT_REF = B980AFFF9DC011E3B12F005056850025

100 USH-B-SC-SE2 2 02:01:32:466 Info jsmith

SAML20 SP (client 100 ): SAML session created (security context ref: B980AFFF9DC011E3B12F005056850025, reason: SSO)

100 USH-B-SC-SE2 2 02:01:32:479 Debug jsmith

SAML20 SP (client 100 ): Current request method is POST, request method as read by OUC cookie is 

 

 

 

SAP URL initiated SAML

 

 

 

 

 

Client Server Work Process Time Severity User Message Callstack

100 USH-B-SC-SE2 2 02:04:33:780 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is GET

100 USH-B-SC-SE2 2 02:04:33:783 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  GET /sap/zapp/ContractList HTTP/1.1

~request_method:  GET

~request_uri:  /sap/zapp/ContractList

~path:  /sap/zapp/ContractList

~path_translated:  /sap/zapp/ContractList

~server_protocol:  HTTP/1.1

host:  <SP HOST>:8003

~server_name:  <SP HOST>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

connection:  keep-alive

~server_name_expanded:  <SP HOST>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

100 USH-B-SC-SE2 2 02:04:33:785 Info SAPSYS

SAML20 SP (client 100 ): IdP 'http://<IDP HOST>/adfs/services/trust' selected (source: Default Configuration)

100 USH-B-SC-SE2 2 02:04:33:788 Info SAPSYS

SAML20 SP (client 100 ): SSL is active

100 USH-B-SC-SE2 2 02:04:33:789 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP HOST>:8003/sap/zapp/ContractList

100 USH-B-SC-SE2 2 02:04:33:792 Debug SAPSYS

SAML20 SP (client 100 ): Got comparison method from IDP:0

100 USH-B-SC-SE2 2 02:04:33:795 Debug SAPSYS

SAML20 SP (client 100 ): Relay state: ID=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf, value=GET#0y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%3D%3D

100 USH-B-SC-SE2 2 02:04:33:808 Info SAPSYS

SAML20 SP (client 100 ): Outgoing AuthnRequest

SAML20 Binding:          REDIR

SAML20 Signed:           True

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Destination:      https://<IDP HOST>/adfs/ls/

SAML20 <samlp:AuthnRequest ID="S00505685-0025-1ee3-a7b8-25619ae3f12f"

SAML20                     Version="2.0"

SAML20                     IssueInstant="2014-02-25T02:04:33Z"

SAML20                     Destination="https://<IDP HOST>/adfs/ls/"

SAML20                     ForceAuthn="false"

SAML20                     IsPassive="false"

SAML20                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   SE2Connect</saml:Issuer>

SAML20   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

SAML20 </samlp:AuthnRequest>

SAML20

100 USH-B-SC-SE2 2 02:04:33:810 Debug SAPSYS

SAML20 SP (client 100 ): URL to redirect https://<IDP HOST>/adfs/ls/?SAMLRequest=fZFRS8MwFIX%2FSsl7lzRd57ysheEUCirDiQ%2B%2BZekNC7RJ7U2H%2FnvTDmQ%2B6Fs43HO%2Bc8iGVNf2sB3Dyb3gx4gUknpXsoMQhShW6yIVQhZphpin6ua4TmWxym4V5iaThiVvOJD1rmRyIVhSE41YOwrKhSiJbJkKGR2vQoJYQp6%2Fs2QXCdapMLtOIfQEnGvSqaEGzwvt27E7WhUfHVeNId4SZ8mDHzTOJUtmVEs4wfaKyJ7xR%2FnsWkcwDyrZODjwiiyBUx0SBA2H7dMjxKLQDz74SGLVZrqGufdw5f%2FfHrE4TANYdbiXd9451GHDr6IuuT08R2%2B92%2FvW6q9pQ6fC39HZIpsV26RmPoXRUY%2FaGosN49WF8Puvqm8%3D&RelayState=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pWKCA5zyQfiXesrmCwBC2UMz6ytSGrJvDeuKcswLeO42%2BbCHMJNKOFJ38DbIrc0WVvPfG8ildQ8wEolU0%2FKE9aNTNF2XyIEjbdnt76sxyafwWq6FbrIQ%2B6YqCuiGNGNVmGz8iTTTGSbqJ0IHYlf3YK0jSBZcSGZAnFREt8Te4Lg%3D

100 USH-B-SC-SE2 2 02:04:41:133 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  POST /sap/saml2/sp/acs/100 HTTP/1.1

~request_method:  POST

~request_uri:  /sap/saml2/sp/acs/100

~path:  /sap/saml2/sp/acs/100

~path_translated:  /sap/saml2/sp/acs/100

~server_protocol:  HTTP/1.1

host:  <SP HOST>:8003

~server_name:  <SP HOST>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

referer:  https://<IDP HOST>/adfs/ls/auth/integrated/?SAMLRequest=fZFRS8MwFIX%2FSsl7lzRd57ysheEUCirDiQ%2B%2BZekNC7RJ7U2H%2FnvTDmQ%2B6Fs43HO%2Bc8iGVNf2sB3Dyb3gx4gUknpXsoMQhShW6yIVQhZphpin6ua4TmWxym4V5iaThiVvOJD1rmRyIVhSE41YOwrKhSiJbJkKGR2vQoJYQp6%2Fs2QXCdapMLtOIfQEnGvSqaEGzwvt27E7WhUfHVeNId4SZ8mDHzTOJUtmVEs4wfaKyJ7xR%2FnsWkcwDyrZODjwiiyBUx0SBA2H7dMjxKLQDz74SGLVZrqGufdw5f%2FfHrE4TANYdbiXd9451GHDr6IuuT08R2%2B92%2FvW6q9pQ6fC39HZIpsV26RmPoXRUY%2FaGosN49WF8Puvqm8%3D&RelayState=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pWKCA5zyQfiXesrmCwBC2UMz6ytSGrJvDeuKcswLeO42%2BbCHMJNKOFJ38DbIrc0WVvPfG8ildQ8wEolU0%2FKE9aNTNF2XyIEjbdnt76sxyafwWq6FbrIQ%2B6YqCuiGNGNVmGz8iTTTGSbqJ0IHYlf3YK0jSBZcSGZAnFREt8Te4Lg%3D

cookie:  oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf=GET%230y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%253D%253D

connection:  keep-alive

content-type:  application/x-www-form-urlencoded

content-length:  3766

~server_name_expanded:  <SP HOST>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

~script_name:  /sap/saml2

~path_info:  /sp/acs/100

~script_name_expanded:  /sap/public/bc/sec/saml2

~path_info_expanded:  /sp/acs/100

~path_translated_expanded:  /sap/public/bc/sec/saml2/sp/acs/100

100 USH-B-SC-SE2 2 02:04:41:409 Info SAPSYS

SAML20 SP (client 100 ): Raw SAML response:

100 USH-B-SC-SE2 2 02:04:41:411 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is POST

100 USH-B-SC-SE2 2 02:04:41:417 Info SAPSYS

SAML20 SP (client 100 ): Calling transformation:SAML2_RESPONSE was successful.

100 USH-B-SC-SE2 2 02:04:41:423 Debug SAPSYS

SAML20 SP (client 100 ): Relay state cookie to parse: GET#0y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%3D%3D

100 USH-B-SC-SE2 2 02:04:41:425 Info SAPSYS

SAML20 SP (client 100 ): SSL is active

100 USH-B-SC-SE2 2 02:04:41:426 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP HOST>:8003/sap/zapp/ContractList

100 USH-B-SC-SE2 2 02:04:41:428 Info SAPSYS

SAML20 SP (client 100 ): Incoming Response

SAML20 Binding:          POST

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Responder

SAML20 <samlp:Response ID="_91140a8c-93ed-403e-98a7-9d76260601b3"

SAML20                 Version="2.0"

SAML20                 IssueInstant="2014-02-25T02:04:39.417Z"

SAML20                 Destination="https://<SP HOST>:8003/sap/saml2/sp/acs/100"

SAML20                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

SAML20                 InResponseTo="S00505685-0025-1ee3-a7b8-25619ae3f12f"

SAML20                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20     <ds:SignedInfo>

SAML20       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

SAML20       <ds:Reference URI="#_91140a8c-93ed-403e-98a7-9d76260601b3">

SAML20         <ds:Transforms>

SAML20           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

SAML20           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20         </ds:Transforms>

SAML20         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

SAML20         <ds:DigestValue>

SAML20         gg9SyLFRheGk+zVAfQx4z4KB4CLKKdjna34sQR+stbQ=</ds:DigestValue>

SAML20       </ds:Reference>

SAML20     </ds:SignedInfo>

SAML20     <ds:SignatureValue>

SAML20     e0TWesgRqbxV/p3LHQQCSHU0eSkJzUpULQF/HqQysOEs4N89G6ngpAjbXYjWot/ozoYzs5hD5Xjp/jBfO2jJb77O81TjVijH4BdeOzrEHEOxeE0hwmptd0+acVgLbUICKkl1vJAYH3+9I1rbYS7tGRmqD2tOXCMdQDHW41aiwZ6lTf8x0M56rwKHDl/cKcty+6SbYgaWIVyVs++9opuyo3skPJAzjD/ITteTfZlGmnvMrUgt1v4tnZJXWIk2aPzOllumDDq03pupabAlY2QIMbXeVhFNj8bU/BcESFuZhCl+JL25xMa0aqbrb90pSi5iw3GClBi7twLpZ3d0Xynaag==</ds:SignatureValue>

SAML20     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20       <ds:X509Data>

SAML20         <ds:X509Certificate>

SAML20         MIIC6DCCAdCgAwIBAgIQVMIeZ6PUobZJrFlrJlSscDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBjc2MtZnNkZXYuY29sdW1iaWEuY29tMB4XDTEzMDYyOTIyMjA0OVoXDTE0MDYyOTIyMjA0OVowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gY3NjLWZzZGV2LmNvbHVtYmlhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1RqUtpqyhuSxsRTp3qlRpAQsrdgnuqZwgvIBucMTG8yKDUa3Ppi/FvbG8l8cpSHSuiFyAKwj1ZIbNPcnOoOsDIGXOs9pCzyGISVLR56IEd7EjizuBYH/EjtnCIp5nehUq6rvHWeZc0eAOvd+rOAMDTf+T0akT7UAmBPLig+Yfavay3HZyHV+gILmi/3v5VINYKjS/yLR3CFwt3l0MAhcqMw1FVAIfdxbSMw1S7wGQb88PyT4r1Uk3+Fix6BdKkdNNbrMEem3ZpkpCz6Wo+lP+QL9Wx3Dc/ADovsQa46Rx/pPdvc2q3tNrCuyAIuFNzY+Q610hey/xMQxNtRvXntGcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAd0zX4Otk/Qq2CxlEc3CKAGWlccGNJEMkBRYvkpITkRKgxWU6jgEhAKnDn4Cg4Wved1hDejnzJi8QwzUvhvU3s3aFrV6nd5hMvcVpYhGKwJUoX5wu1bydeUwbxeMZoWYowVAP+MzWPqh3i/0vP6sUIu5UuWI9Km66Wc2kCR0dSKHRNc62GHLYoJKIxrKG4qsTTwcI4A6340Z3PPaSoFAtl6K9zu5OYk4Tlsr3ljO/qn73UbYfudwxSGWv8Upbmk6Xbe3H03zb6OGD3QXvU2WpH7iLfe8IxadcH37GmQ6krf0bXPpYWh5COGyE00fx+IBPQ9sKeYKXjrli2IWbvoV1xg==</ds:X509Certificate>

SAML20       </ds:X509Data>

SAML20     </KeyInfo>

SAML20   </ds:Signature>

SAML20   <samlp:Status>

SAML20     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />

SAML20   </samlp:Status>

SAML20 </samlp:Response>

SAML20

100 USH-B-SC-SE2 2 02:04:41:430 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP HOST>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP HOST>:8003/saml2/sp/acs/100
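In the SP-initiated trace above, the AuthnRequest leaves with SigAlg rsa-sha1, while the Responder reply is signed with rsa-sha256 and carries no sub-status or message. The following is an added example (not part of the original post, and not SAP or ADFS code) that decodes a redirect-binding URL like the "URL to redirect" trace line and lists such differences next to the reply; the host names, the Signature value, both sample messages and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MAX_XML = 1 << 20  # refuse to inflate more than 1 MiB from a pasted trace value


def _parse(xml):
    """Parse a SAML message, rejecting DTDs so pasted input cannot define entities."""
    data = xml if isinstance(xml, bytes) else xml.encode("utf-8")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not expected in SAML messages")
    return ET.fromstring(data.strip())


def decode_redirect_url(url):
    """Decode an HTTP-Redirect binding URL (percent-encoding, base64, raw DEFLATE)."""
    query = parse_qs(urlsplit(url).query)      # parse_qs undoes the percent-encoding
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)         # -15: raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past the size limit")
    root = _parse(xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {"id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "destination": root.get("Destination"),
            "nameid_format": policy.get("Format") if policy is not None else None,
            "relay_state": query.get("RelayState", [None])[0],
            "sig_alg": query.get("SigAlg", [None])[0]}


def parse_response(xml_text):
    """Pull the correlation ID, status codes and signature algorithm from a Response."""
    root = _parse(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS) if top is not None else None
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {"in_response_to": root.get("InResponseTo"),
            "status": top.get("Value") if top is not None else None,
            "sub_status": sub.get("Value") if sub is not None else None,
            "message": root.findtext("samlp:Status/samlp:StatusMessage", namespaces=NS),
            "sig_alg": method.get("Algorithm") if method is not None else None}


def _hash_name(alg_uri):
    # ".../xmldsig#rsa-sha1" -> "sha1", ".../xmldsig-more#rsa-sha256" -> "sha256"
    return alg_uri.rsplit("#", 1)[-1].rsplit("-", 1)[-1] if alg_uri else None


def triage(request, response):
    """List the observations worth checking against the IdP's trust configuration."""
    findings = []
    if response["in_response_to"] is None:
        findings.append("response is IdP-initiated (no InResponseTo)")
    elif response["in_response_to"] != request["id"]:
        findings.append("InResponseTo does not match the AuthnRequest ID")
    if response["status"] != SUCCESS:
        detail = response["sub_status"] or response["message"]
        findings.append("IdP status %s, %s" % (
            (response["status"] or "missing").rsplit(":", 1)[-1],
            "detail: " + detail if detail else "no sub-status or message in the reply"))
    req_hash, resp_hash = _hash_name(request["sig_alg"]), _hash_name(response["sig_alg"])
    if req_hash and resp_hash and req_hash != resp_hash:
        findings.append("request signed with %s, IdP signs with %s" % (req_hash, resp_hash))
    return findings


def build_redirect_url(authn_xml, relay_state, sig_alg):
    """Build the constructed sample URL the same way an SP encodes the request."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_xml.encode("utf-8")) + comp.flush()
    return "https://idp.example/adfs/ls/?" + urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state, "SigAlg": sig_alg,
        "Signature": "Q09OU1RSVUNURUQ="})  # constructed placeholder, not a real signature


# Constructed samples modelled on the trace; idp.example / sp.example are placeholders.
SAMPLE_URL = build_redirect_url(
    '<samlp:AuthnRequest ID="S00505685-0025-1ee3-a7b8-25619ae3f12f" Version="2.0" '
    'Destination="https://idp.example/adfs/ls/" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SE2Connect</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '</samlp:AuthnRequest>',
    "oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
SAMPLE_RESPONSE = (
    '<samlp:Response ID="_constructed" Version="2.0" '
    'InResponseTo="S00505685-0025-1ee3-a7b8-25619ae3f12f" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '</ds:SignedInfo></ds:Signature><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    '</samlp:Status></samlp:Response>')

if __name__ == "__main__":
    for line in triage(decode_redirect_url(SAMPLE_URL), parse_response(SAMPLE_RESPONSE)):
        print(line)
```

A bare Responder status with no sub-status means the reply itself says nothing about the reason, so the listed differences are items to check against the relying party settings and the IdP's own logs, not a diagnosis.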

SAPNW SSO error server does not support my certificate path

Hi All,

 

We have installed SAP NW SSO using Secure Login Server on NW 7.3. We have installed SLL and Secure Login Client.

We can see the X.509 certificate in our Secure Login Client, but when we try to log on to the target ABAP system on which we have enabled SNC

it gives the error

 

server does not trust my certificate path.

 

Please help.

SAP SSO between Windows & SAP users:

Hi all experts,

 

Really need your help in configuring SAP SSO between Windows 2008 R2 ADS & SAP Users.

 

I followed all the steps provided in SAP NW SSO SP4 SLL document from SAP.

But I got stuck at a couple of steps; the major part is that our ADS administrator doesn't want to edit the SPN for the Kerberos user,

instead he suggested using either RC4 or AES256.

During the SNC setup, I am facing the below error in the dev_w0 file:

 

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll

N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"

N  SncInit(): Fatal -- Accepting Credentials not available!

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

 

 

Below is SNC Status:

 

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe

Using command 'status -v', call with -h to see more commands

------------------------------------------------------------------------------

------------ status -------------------------------------------------------

------------------------------------------------------------------------------

Product version      : Secure Login Library 1.0 SP 4:
CryptoLib                 : 8.3.7.5

                                  : windows-x86-64

GSS library               : available

GSS library name    : secgss.dll

PSE directory           : (existing) E:\usr\sap\SID\DVEBMGS00\sec

PSE file                     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip

STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2

SNC config file        : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml

PSE accessible        : yes

PSE logged in          : yes

PSE credentials      : MasterPassword SystemDefault

Kerberos keyTab    : 12 entries

SAP/ServiceSID@<fqdn>.com (KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

 

SAP/ServiceSID@<fqdn>.com(KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com (KeyType AES256)

SAP/ServiceSID@<fqdn>.com (KeyType RC4) 

 

SAP/ServiceSID@<fqdn>.com  (KeyType DES)

SAP/ServiceSID@<fqdn>.com  (KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

 

SNC keys registered :  0 entries

Trusted certificates:

in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

 

Quick response really needed as pressure has increased.

 

Thanks and Regards

 

Ahsan.

Netweaver Single Sign On 2.0

Hi,

 

We need your guidance.

 

We have successfully installed and configured NW SSO 1.0 by referring to videos available in SCN.  Now we are planning to do a fresh configuration of NW SSO 2.0.

Are there any videos available in SCN for 2.0 similar to those for 1.0? If so, please share the link. We tried, but were not able to find any.

What are all the prerequisites to install/configure 2.0? Basically we need to know the additional steps to take care of in 2.0 when compared to 1.0.

 

Kindly help us on that.

 

Regards

Yogesh Kumar D


SAML2Assertion validation failed?

Hi guys

 

I am currently setting up the trust between our Netweaver Java system and ADFS 2.0 in our production environment. In our test setup everything works fine, but in production I get the following error:

 

SAML2Assertion received could not be decrypted.

[EXCEPTION]

com.sap.security.saml2.lib.common.SAML2Exception: Failed to decrypt the element: <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#">

<ns3:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">

<ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

<ns2:KeyInfo>

<ns3:EncryptedKey>

<ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

<ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

</ns3:EncryptionMethod>

<ns2:KeyInfo>

 

I have compared the configurations in test and in production and they are very similar. The only difference seems to be the certificates used on the ADFS side. On the Netweaver side they show up with a yellow triangle in the SAML2 key storage view.

 

Our installation of ADFS 2.0 is already connected to Office 365 and for that reason there were some specific requirements for the encryption algorithms used in the token encrypting certificate and the signing certificate. So I will probably not be able to change the certificates being used on the ADFS side.

 

Assuming that the problem is that my cryptolib on the Netweaver side does not support 256 bit encryption algorithms, is there a version of the cryptolib that does?

 

Best regards,

Anders

SSO from BI to BW with Relational Connection

Dear Experts,

 

Has anyone tried SSO from SAP BI to BW via a relational connection universe?

 

Best Regards,

 

Methee P.

NWSSO and Digital Signatures

This is a follow-up to Re-authenticate or provide additional credentials to access sensitive data.

 

We are currently looking at implementing NWSSO. As far as I know, NWSSO can't be used as an external security product for Digital Signatures so that users could input their Windows credentials to sign documents. Is that correct? Assuming yes, is something planned? What is the standard solution from SAP in this regard? We are on ERP 6.0 EHP6 SPS04 running in a homogeneous Windows environment. In short the problem is that users shouldn't have to remember their username and password in the SAP backend system once SSO is enabled. If we choose to roll out the semi solution where users have to remember their username and password in the SAP backend system, there is nothing out of the box for them to change their password in the SAP backend system since SSO is enabled. The main client to access the SAP backend system will be NWBC for Desktop 4.0.

SAP NW SSO VS SNC/Kerberos

Hello,

 

We don't have a license for SAP NW SSO. Can we still configure SSO with AD using SNC/Kerberos without NW SSO (I read somewhere that this is now not supported by SAP and we have to only use NW SSO)? Can you also provide the license cost for NW SSO?

 

Please confirm.

 

Saurabh

Single Sign On Fails if User is Due for a Password Change

Hi gurus,

 

I set up sso for my Netweaver 7.3 Portal system using spnego and kerberos with an ABAP UME.  sso is working fine, except when a user has a pending password change on the ABAP side in which case we see this message in the Authentication Trace.

 


Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false      true      
        #1 trusteddn1 = CN=xxx [deleted]
        #2 trusteddn2 = CN=xxx [deleted]
        #3 trustediss1 = CN=xxx [deleted]
        #4 trustediss2 = CN=xxx [deleted]
        #5 trustedsys1 = PAD,010
        #6 trustedsys2 = PAD,000
        #7 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          true       true       true      
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          true       true       true      
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUIRED    ok                     true       true      
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUIRED    ok                     false      true      
Central Checks                                                                                                exception             Missing Password


Getting message to be displayed to the user for exception cause 22
The localized message to be dispalyed to the user is Password missing

Entering method
Handle javax.security.auth.callback.TextOutputCallback@xxxx
Set error message from TextOutputCallback: Password missing
Exiting method
Entering method
Handle com.sap.engine.interfaces.security.auth.AuthStateCallback:[PASSWORD_CHANGE_FAILED]
Original Page URL Cookie is currently stored as : http://ccmdra31:50100/irj/portal
Original Page URL Cookie will not be changed. It is equal to current URL.

 

 

We already have SSO from the SAP GUI into the ABAP system (PAD) that is the UME data source for this Java system. Most users don't know what their password is in the PAD system because they use SSO to log in there, so it is a problem that the Portal instance prompts them to enter their old and new password rather than letting them through. Does anyone know a workaround for this?

 

Warm Regards,

Clifton

[SPNego] 401 - Unauthorized


Hi,

 

We're currently in the process of enabling SSO using SPNego on our 7.02 SP07 Portal.

We are using the new SPNego wizard that comes with SP06.

 

Let's say our portal has of the following address: DEVPORTAL.SYSTEMS.GROUP.CORP

The Portal has an UME pointing to an ABAP backend system.

 

As our users come from another Ms Active Directory (there is 1 AD for users, 1 other for systems), the service user we created is: j2ee_portal @USERS.GROUP.CORP

 

After activating the Kerberos realm USERS.GROUP.CORP and setting up the LoginModuleStack in Visual Administrator, I can see the Negotiate header using Firebug, but SSO won't work (401 Error - Not authorized); the logon page is displayed instead.

 

The log shows the following:

 

doLogon failed 
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
    ...

 

 

Could you, please, advise?

Many thanks in advance.

 

Best regards,

Guillaume

SAML2Assertion validation failed?


Hi guys

 

I am currently setting up the trust between our Netweaver Java system and ADFS 2.0 in our production environment. In our test setup everything works fine, but in production I get the following error:

 

SAML2Assertion received could not be decrypted.

[EXCEPTION]

com.sap.security.saml2.lib.common.SAML2Exception: Failed to decrypt the element: <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#">

<ns3:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">

<ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

<ns2:KeyInfo>

<ns3:EncryptedKey>

<ns3:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

<ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

</ns3:EncryptionMethod>

<ns2:KeyInfo>

 

I have compared the configurations in test and in production and they are very similar. The only difference seems to be the certificates used on the ADFS side. On the Netweaver side they show up with a yellow triangle in the SAML2 key storage view.

 

Our installation of ADFS 2.0 is already connected to Office 365, and for that reason there were some specific requirements for the encryption algorithms used in the token encrypting certificate and the signing certificate. So I will probably not be able to change the certificates being used on the ADFS side.

 

Assuming that the problem is that my cryptolib on the Netweaver side does not support 256 bit encryption algorithms, is there a version of the cryptolib that does?

 

Best regards,

Anders


Cross domain authentication using SPNego


Hi,

 

I am involved in a project where it is required to deploy SAP HCM and host a self-service portal for all colleagues in the organization. The requirement is that the portal application will be deployed in forest abc.123.com, but users are spread across 4 forests, i.e. abc.123.com, efg.456.ad, hij.789.net and xyz.012.co. There is a two-way trust established from abc.123.com to each of the other 3 domains.

 

Is it possible to configure SSO using SPNego?

 

Thanks & Regards

Sreedhar Gadamsetty

SAP Netweaver 7.4 spnego configuration Error


Hi,

I have recently installed a SAP Netweaver 7.4 Java-only server, after which I followed the template-specific configuration, in which the prime configuration was BI Java, where the main motive was to configure my portal as a landscape to retrieve reports from BI ABAP systems. So, a system and SSO for BI ABAP have been configured successfully. BEX analyzer was working smoothly. After this I configured SPNEGO and performed the complete activities. The Windows authentication scheme to log in to the portal without user ID and password was working perfectly fine. But ABAP SSO was not working, so I raised a ticket with SAP, in which they suggested that I follow the ticket entries below:

Original Entry:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule SUFFICIENT

3. BasicPasswordLoginModule REQUISITE

4. CreateTicketLoginModule OPTIONAL

SAP requested changes:

1. EvaluateTicketLoginModule SUFFICIENT

ume.configuration.active=true

2. SPNegoLoginModule SUFFICIENT

3. CreateTicketLoginModule SUFFICIENT

4. BasicPasswordLoginModule REQUISITE

5. CreateTicketLoginModule OPTIONAL

 

After changing to the SAP entries, my SPNEGO is not working and every time I log in there is a prompt for user ID and password. This is weird and I am not getting any ideas, since there is no change in the configuration. Kindly help!! Later I changed these entries back to the old ones and recreated the SPNEGO entry in the configuration wizard, but still no luck. Attached is the latest error log!! Please help!!

 

Regards,

Mohammed Imran
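
Both this post and the Authentication Trace post above turn on how control flags order a login module stack, so here is an added example (not code from either poster or from SAP) that evaluates the login phase of a stack under the standard JAAS control-flag semantics. The stacks are copied from the posts; the evaluate() helper, the per-module outcomes and the assumption that AS Java follows the standard semantics are mine, and the commit phase is not modelled.

```python
"""Login-phase evaluation of a JAAS login module stack (added example)."""

# Stacks copied from the posts; the per-module outcomes passed to
# evaluate() are constructed assumptions, not values from any trace.
TRACE_STACK = [  # stack shown in the Authentication Trace post
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNegoLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUIRED"),
    ("CreateTicketLoginModule", "REQUIRED"),
]
ORIGINAL_STACK = [  # "Original Entry" in the Netweaver 7.4 post
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNegoLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]


def evaluate(stack, outcomes):
    """Return (authenticated, names of modules whose login() ran).

    outcomes maps module name -> True (login succeeded) or False
    (login failed); modules that are missing count as failed.
    """
    ran = []
    required_failed = False
    any_success = False
    for name, flag in stack:
        ok = outcomes.get(name, False)
        ran.append(name)
        if ok:
            any_success = True
            # SUFFICIENT success ends the phase unless a REQUIRED
            # module earlier in the stack has already failed.
            if flag == "SUFFICIENT" and not required_failed:
                return True, ran
        elif flag == "REQUISITE":
            return False, ran          # fail immediately
        elif flag == "REQUIRED":
            required_failed = True     # fail, but keep going
    return (any_success and not required_failed), ran


if __name__ == "__main__":
    kerberos_only = {"SPNegoLoginModule": True, "CreateTicketLoginModule": True}
    for label, stack in (("trace", TRACE_STACK), ("original", ORIGINAL_STACK)):
        print(label, evaluate(stack, kerberos_only))
```

With a Kerberos token but no logon ticket, the traced stack runs modules 1 to 3 and skips 4 and 5, matching the empty Login column in the trace, while the "Original Entry" stack stops at SPNegoLoginModule before any CreateTicketLoginModule is reached.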

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to log in via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME.)

 

But we have 4 domains in a forest. So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

...I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

SSO for fiori apps


Hi ,

 

I would like to configure SSO for Fiori apps based on Windows authentication. What things are required to do so?

 

For example, any changes to user settings or the Fiori launch page.

 

Also, I want to map several Windows user IDs to a single SAP user ID. Is this possible?

 

 

Regards

Yashpal

What is the general cost for NW SSO 2.0 solutions?


Hello Masters,

 

Besides "Account Manager on SAP side" mentioned in OSS Note 1876552, could somebody share some experiences/ideas on what the general cost is for each NW SSO 2.0 solution? Different solutions need different components, right? So I would like to understand how to license each solution. Is it based on the number of users, on components, or on some other approach?

 

S1: Single Sign-On with Kerberos

- Secure Login Client

- Secure Login Library

- SPNego for ABAP

- Plus, any additional cost if HTTPS used

etc...

 

S2: Single Sign-On with Certificates

- Secure Login Client

- Secure Login Server

- Secure Login Library

- SPNego for ABAP/JAVA

- Plus, any additional cost if HTTPS used

etc...

 

S3: Single Sign-On with SAML 2.0

...

S4: Password Manager

...

 

 

Kind Regards,

Jinlong
