Hi
I have set up a Fiori system based on 7.4 and it is working fine.
I attempted to use Single Sign-On using SAML based on ADFS as an identity provider, which we are already using in our environment.
I have followed this guide by Chris Whealy on Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet.
However, when I try to log in to the Fiori launchpad, I am redirected to the IdP site where I enter my credentials, and I am not able to log in. Checking the diagnostic tool, I am getting the following error:
SAML20 SP (client 410 ): Exception raised:
SAML20 SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
SAML20 at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
SAML20 at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
SAML20 at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
SAML20 at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
SAML20 at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)
However, checking the possible solution to the above error, I came across this:
Problem: You are performing SAML 2.0 authentication and you get the following error:
CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1.
Reason: SSL server certificate of identity provider is not imported in “SSL Client Standard” PSE.
Solution: Import SSL server certificate of the identity provider in “SSL Client Standard” PSE.
I have imported the SSL server certificate along with the root certificate of the identity provider, which is ADFS, and I am still getting the same error.
The ICM trace is showing this:
Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
Thr 140736331941632] session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
Thr 140736331941632] No LastError / ErrorStack available!
Thr 140736331941632] SSL_get_state()==0x2120 "SSLv3 read server hello A"
Thr 140736331941632] SSL NI-hdl 193: local=10.2.32.85:52039 peer=10.2.32.43:443
Thr 140736331941632] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fff90003a60)==SSSLERR_SSL_CONNECT
Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)
Thr 140736331941632] SAPCRYPTO:SSL_connect() failed
Thr 140736331941632]
Thr 140736331941632] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
Thr 140736331941632] SSL_connnect() failed (0/0x00) Huh??
Thr 140736331941632] SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
Thr 140736331941632] SSL NI-hdl 193: local=10.2.32.85:52039 peer=10.2.32.43:443
Thr 140736331941632] cli SSL session PSE "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
Thr 140736331941632] Target Hostname="adfs.sbm.com.sa"
Can anybody help out?
Do you need any other logs or configurations to check?
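
Added example, not part of the original post: a small Python parser that condenses ICM trace lines in the format quoted above into one record per thread (target, peer, PSE, handshake state, error codes). The names SAMPLE_TRACE, summarize and before_server_hello are hypothetical; the sample lines are copied from the trace in the post, and reading the state string literally is an assumption.

```python
import re

# Constructed sample: a subset of the ICM trace lines quoted in the post above.
SAMPLE_TRACE = """\
Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
Thr 140736331941632] session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
Thr 140736331941632] SSL_get_state()==0x2120 "SSLv3 read server hello A"
Thr 140736331941632] SSL NI-hdl 193: local=10.2.32.85:52039 peer=10.2.32.43:443
Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)
Thr 140736331941632] Target Hostname="adfs.sbm.com.sa"
"""

LINE = re.compile(r"^Thr (\d+)\]\s?(.*)$")
# One pattern per field of interest; each captures a single value.
FIELDS = {
    "ssl_error": re.compile(r"SSL_connn?ect\(\)==(\w+)"),
    "pse": re.compile(r'PSE (?:file )?"([^"]+)"'),
    "state": re.compile(r'SSL_get_state\(\)==0x[0-9a-fA-F]+ "([^"]+)"'),
    "peer": re.compile(r"peer=(\S+)"),
    "target": re.compile(r"SSL handshake with (\S+) failed"),
    "sap_error": re.compile(r"failed: (\w+ \(-?\d+\))"),
    "hostname": re.compile(r'Target Hostname="([^"]+)"'),
}

def summarize(trace):
    """Return {thread_id: {field: value}} for threads that logged an SSL error."""
    threads = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ICM thread line
        tid, msg = m.groups()
        info = threads.setdefault(tid, {})
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                info.setdefault(name, hit.group(1))  # keep the first value seen
    return {t: i for t, i in threads.items() if "sap_error" in i or "ssl_error" in i}

def before_server_hello(info):
    # Assumption: the state string is read literally. "read server hello" means
    # the client was still waiting for the ServerHello; in TLS the server
    # certificate is only sent after that message.
    return "read server hello" in info.get("state", "")

if __name__ == "__main__":
    for tid, info in summarize(SAMPLE_TRACE).items():
        print(tid, info, "stopped before ServerHello:", before_server_hello(info))
```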