Hi,
We're having an error configuring our IdP with SAP SAML 2.0. Below is the error we receive.
Hi Christian,
Did you configure the SPIssuer on the IdP server? On the IdP connector side you can find it on the second tab (SPConnector settings and Claims), under "SP Issuer/Entity ID". The configured value must also be configured on the IdP server side. If your IdP supports the import of SP XML metadata, the best option is to export the SP metadata on that same tab and import it on the IdP server side.
Regards
Hi Telmo,
Yes, I configured the SPIssuer and exported the SP XML metadata as well, and it was imported on the IdP server side too.
Thanks,
Christian
My counterpart resolved the above issue. But now we have a new one. Can you help with this?
Thanks!
By the error it seems that the IdP server is not sending the message in the right way. The SAML assertion (Login response) must always be sent through the POST binding instead of GET.
We have already a successful request but we are now encountering errors on the response.
The details of the error below:
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="https://www.w3.org/2000/09/xmldsig#" xmlns:ns4="https://www.w3.org/2001/04/xmlenc#" Destination="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx" ID="RES-SSO-a7cd31f2-e1ef-414d-89dc-a847525a226d" InResponseTo="id_t15_161df32de5814f59b99e27df3c806871" IssueInstant="2018-11-29T04:54:13.492Z" Version="2.0">
<ns2:Issuer>SAPIdP</ns2:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="https://www.w3.org/2000/09/xmldsig#" xmlns:ns3="https://www.w3.org/2001/04/xmlenc#" ID="A-3cf38522-77c7-46c5-80e7-53b2e5047fbf" IssueInstant="2018-11-29T04:39:26.203Z" Version="2.0">
<Issuer>SAPIdP</Issuer>
<ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#A-3cf38522-77c7-46c5-80e7-53b2e5047fbf">
<ds:Transforms>
<ds:Transform Algorithm="https://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Gt+dYutC8KJ6HyUTR9MnJANJocc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>lkFQV7oCXFb8fNkX/4A3s9ensk6g6LDmkYa7uDehK5v4EEUow/Jue++TN/HpnLiPh53UCztsrefSO+UT0JHmc+KkqV+7AYe5FigQJH5Z1gSa7Nmv91Pa6kUxDvvlJugDsaRoG5VJBFD1TWcwYhQ29MYF2tqwuC5YBKZmyW5hs01ViLJzo0VyFNiLvYHTQ2OQDbyAlb0P7Ak343M/wVB9HBDEJ/TMwdGXTW/j6BE0SZk0hH5aPLsSMpH5S2nBeH4qmQ0Ta1zm/Za6HzFTgIUzjCv45ur7ROCrAA/eQpRNfObF9Lz30MkIV8eiXO4oMBh/vpD8E5C78eI1GCErXzYR2Q==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">RBP4377</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="id_t15_161df32de5814f59b99e27df3c806871" NotOnOrAfter="2018-11-29T05:04:13.492Z" Recipient="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-11-29T04:49:13.492Z" NotOnOrAfter="2018-11-29T05:04:13.492Z">
<AudienceRestriction>
<Audience>https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2018-11-29T04:54:13.492Z" SessionIndex="S-SP-e3241c8a-6a03-4275-b6eb-4bac8dd531bf">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</Response>
Can you help us identify what's causing this?
Regards,
Romuel
Hi Romuel,
The message itself seems fine.
You should also have an error in servicecenter. Can you please provide it as well?
Also notice that the IdP issuer is "SAPIdP"; by default the connector does not even allow saving the configuration with such a value. Although it does not have to be a valid/real URL, it must start with http:// or https://.
Here is the error in servicecenter
Rom
Telmo Martins wrote:
We have already changed the SAP IdP name to match the "IdP Server Issuer/Entity ID" in the connector configuration, but we are still having the same error. Attached is the SAML Response text file.
Here is the service center log:
For some reason that server does not seem to be able to handle and load certificates in CRT format. Please convert it to PEM format (which is already the one used when you upload an XML metadata file) and upload it in the configuration.
Thanks for this. We are now able to proceed. But can you tell us how to update the Username in Users table for new users that will be created. What happens now is the user id is created but without username.
You mean the username is empty? Maybe the username claim mapping exists in the assertion but with an empty value. Is it ok for you to share the response XML message from the Logs screen as well as the configured claims?
Sorry, what I meant was the user's full name is not being mapped. The username is created but without the full name.
Here is the response xml
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="https://www.w3.org/2000/09/xmldsig#" xmlns:ns4="https://www.w3.org/2001/04/xmlenc#" Destination="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx" ID="RES-SSO-4f37663c-9940-4a7e-8dba-09136448652b" InResponseTo="id_t15_c4959001fa07447680ec905275a07677" IssueInstant="2018-12-10T08:39:33.118Z" Version="2.0">
<ns2:Issuer>https://idp.sap.com/saml2</ns2:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="https://www.w3.org/2000/09/xmldsig#" xmlns:ns3="https://www.w3.org/2001/04/xmlenc#" ID="A-67e385e7-ef71-49e3-b8f2-969d1e266399" IssueInstant="2018-12-10T08:39:33.118Z" Version="2.0">
<Issuer>https://idp.sap.com/saml2</Issuer>
<ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#A-67e385e7-ef71-49e3-b8f2-969d1e266399">
<ds:Transforms>
<ds:Transform Algorithm="https://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>X4aH1rgMlr3PiNawZPfC4QGr/4k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LcrvVeQ35zCm/rkQR4JmtZwD4RCBPshQEekxebFIITMnVKYiXd75gIYd9SwPoL7g1aZp1vPmc35+e/CXRxQ3g0c5AWPz4IUeuHo4/UD5joUasRipOg1Fk069VqRQj/VrtURR9B9gmMZltZ+VS55buEAW9zZoSozPufxc8rzDwAVun7E4cVWB3XDywci1cfYJrHVGv+9u+FnIY3myXunyO8oPd3XxbbgJ9vaJ1Qmtjw0IdcKyc1Gnyk3E+7h3oNGAP0OlGHH7iVBNmmSC5BFldcGKSGEPrd1tkl2YE4JAAHLwtaB/+g7YIiHAff3sRiU7SNN1EuDMtsEIow1ppixXUA==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">CLD0683</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="id_t15_c4959001fa07447680ec905275a07677" NotOnOrAfter="2018-12-10T08:49:33.118Z" Recipient="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-12-10T08:34:33.118Z" NotOnOrAfter="2018-12-10T08:49:33.118Z">
<AudienceRestriction>
<Audience>https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2018-12-10T08:39:33.118Z" SessionIndex="S-SP-26066d44-9603-49fa-a776-8b3b0bcb9988">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</Response>
Here is the claims config.
The username for this user will be CLD0683, since it is the NameID value and no Username claim is mapped.
The name itself will be empty since that information is not present in the assertion. The name and other claim values must be inside an <AttributeStatement> node, which is not present in the example above.
Can you tell us what the correct input in the Claims section of the IdP should be so we can populate the user's full name? Here's the response XML.
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="https://www.w3.org/2000/09/xmldsig#" xmlns:ns4="https://www.w3.org/2001/04/xmlenc#" Destination="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx" ID="RES-SSO-594e88b9-f2a6-47e7-88bf-cccec2d1e8dd" InResponseTo="id_t15_14da3969305c4869874183db16487cbb" IssueInstant="2019-01-10T07:20:44.317Z" Version="2.0">
<ns2:Issuer>https://idp.sap.com/saml2</ns2:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="https://www.w3.org/2000/09/xmldsig#" xmlns:ns3="https://www.w3.org/2001/04/xmlenc#" ID="A-f739e51a-8c54-45a7-9d9f-518b3ce32c47" IssueInstant="2019-01-10T07:20:44.317Z" Version="2.0">
<Issuer>https://idp.sap.com/saml2</Issuer>
<ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#A-f739e51a-8c54-45a7-9d9f-518b3ce32c47">
<ds:Transforms>
<ds:Transform Algorithm="https://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>UIn8384kP+nmUBSt/H44zhVTUoo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Z5iTEmFFkkc1URr+lIyTW03OprKOCRi1AN+zU2L2Hi3aH6SAHobGqaApxoNmuk2+UBnw292vaafrgZCNef4boltS27J+zMrQE66oql+NFTGGE/90WNg+3PfcQVD3eEgnFFClZsdBcdZbkyoMOEYrC7I6eH/3eTwyfrDkY2xWtoB+FY5w1w4CTDMrU/JLJthg2R5Pnx+vr70F/JTOU+HxERtPCetScMNWjK2xiroQmP7WXrqM5CawHrJKSrfrd61gZsjk9tvmFOhRKUekoB55pccq28pz+QSmiMBU1AC5PA1iWRnZh5IMkzj8RFbArl+znWULnOwnbZUsQlPWuym+7Q==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SHRSSOJGS01</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="id_t15_14da3969305c4869874183db16487cbb" NotOnOrAfter="2019-01-10T07:30:44.317Z" Recipient="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-01-10T07:15:44.317Z" NotOnOrAfter="2019-01-10T07:30:44.317Z">
<AudienceRestriction>
<Audience>https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2019-01-10T07:20:44.317Z" SessionIndex="S-SP-12eda947-a2ac-4d7f-b01b-33dccfb422a4">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTOTP</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
<AttributeStatement>
<Attribute Name="emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SHRSSOJGS01@sap.com</AttributeValue>
</Attribute>
<Attribute Name="givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestUser</AttributeValue>
</Attribute>
<Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xmlns:xs="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SHRSSOJGS01</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</Response>
Thanks, Telmo. I'll inform our SAP Team to provide this attribute. Will keep you posted.
It's the Name attribute value of each value.
So in your example the email claim name is "emailaddress", and "givenname" as well as "surname" are the First and Last name. Those values inside the quotes are the ones you must configure in the IdP configuration under the claim names.
Is below configuration correct?
Thanks
Yes, did it work?
This configuration did not work. The said fields were not saved on the user profile.
Go to the SAML message logs, copy the respective XML message of type "LoginResponse" for that login, and paste it on the TestSamlMessage screen. At the end the results will display the claims found in the message and, for each one, an indication of whether it is mapped or not in the claims configuration.
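As an added example (not the connector's own code), the following Python script does what the TestSamlMessage screen described above does, and also illustrates the earlier points about NameID and the Attribute Name values: it parses a LoginResponse, resolves the username from the NameID, fills the remaining user fields only from non-empty AttributeValues whose Name is in the claims configuration, reports each claim as mapped, missing or unmapped, and checks that the Audience equals the SP Issuer/Entity ID. The sample response, the example.test hostnames and CLAIMS_CONFIG are constructed placeholders; the "uid" claim is included only to show the NameID fallback when a configured Username claim is absent.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample LoginResponse shaped like the third message in the thread;
# host, issuer and attribute values are placeholders and the Signature is omitted.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="RES-1" Version="2.0">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="A-1" Version="2.0">
<Issuer>https://idp.example.test/saml2</Issuer>
<Subject><NameID>CLD0683</NameID></Subject>
<Conditions><AudienceRestriction><Audience>https://sp.example.test/IdP/SSO.aspx</Audience>
</AudienceRestriction></Conditions>
<AttributeStatement>
<Attribute Name="emailaddress"><AttributeValue>cld0683@example.test</AttributeValue></Attribute>
<Attribute Name="givenname"><AttributeValue>Test</AttributeValue></Attribute>
<Attribute Name="surname"><AttributeValue>User</AttributeValue></Attribute>
</AttributeStatement>
</Assertion></Response>"""

# Hypothetical claims configuration: user field -> claim Name expected in the assertion.
CLAIMS_CONFIG = {"Email": "emailaddress", "FirstName": "givenname",
                 "LastName": "surname", "Username": "uid"}


def extract_claims(xml_text):
    """Return (audience, NameID, {claim Name: [AttributeValue texts]})."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("LoginResponse carries no Assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    return audience, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs


def map_claims(xml_text, config, sp_entity_id):
    """Resolve user fields as the thread describes: Username falls back to NameID, every
    other field is filled only from a non-empty AttributeValue whose Name is configured."""
    audience, name_id, attrs = extract_claims(xml_text)
    user, report = {"Username": name_id}, {}  # report: claim -> mapped/missing/unmapped
    for field, claim in config.items():
        values = attrs.get(claim, [])
        if any(values):
            user[field] = values[0]
            report[claim] = "mapped"
        else:
            report[claim] = "missing"  # configured but absent or empty in the message
    for name in attrs:
        report.setdefault(name, "unmapped")  # sent by the IdP but not in the claims config
    return user, report, audience == sp_entity_id  # Audience must equal the SP Issuer/Entity ID
```

Paste a real LoginResponse from the Logs screen in place of SAMPLE_RESPONSE and your own claim names in CLAIMS_CONFIG; a claim reported as "missing" is the one the IdP team has to add, and "unmapped" means the name in the message does not match the connector configuration.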
We're still on platform 10, and the TestSamlMessage screen is only available in the version for platform 11.
Ok, in that case try to debug the IdP screen preparation, namely to debug/step into the User_Check action call.
We already resolved this issue: there were multiple entries in the Config_UserMappings table and in the SPConfig table. I just deleted the old entries from our previous configuration and the claims were then mapped to the user details.