[IdP]  SAML2 Identity Provider - An error ocurred

Published on 4 Jul by Telmo Martins

Hi,

We're having an error configuring our IdP with SAP SAML 2.0. Below is the error we receive.


SAML2 Identity Provider - An error ocurred
com.sap.security.saml2.idp.core.exception.IdPFatalExceptionImpl
The issuer "http://***********.com.ph/IdP/SSO.aspx" of the received SAML2 message is unknown. Most likely its meta data has not been imported.

Hi Christian,

Did you configure the SPIssuer on the IdP server? On the IdP connector side you can find it on the second tab (SPConnector settings and Claims), under "SP Issuer/Entity ID". The configured value must also be configured on the IdP server side. If your IdP supports importing SP XML metadata, the best option is to export the SP metadata on that same tab and import it on the IdP server side.

Regards

Hi Telmo,


Yes, I configured the SPIssuer and exported the SP XML metadata as well, and it was imported on the IdP server side too.


Thanks,

Christian

Hi Telmo,

My counterpart resolved the above issue, but now we have a new one. Can you help with this?

Message: Invalid request: no SAML message found.
Environment Information
eSpaceVer: 28 (Id=83152, PubId=85853, CompiledWith=10.0.828.0)
RequestUrl: https://*****.com.ph/IdP/SSO.aspx (Method: GET)
AppDomain: /LM/W3SVC/1/ROOT/IdP-51-131868368447174728
FilePath: C:\...\PS\running\IdP.1222524380\IdP.aspx
ClientIp: 10.88.160.4
Locale: en-US
DateFormat: MM/dd/yyyy
PID: 4536 ('w3wp', Started='11/16/2018 8:44:13 AM', Priv=4090Mb, Virt=44791Mb)
TID: 5911
Thread Name:
.NET: 4.0.30319.42000
Stack: Invalid request: no SAML message found.
   at ssIdP.Actions.ActionGetSAMLRawDataFromCurrentRequest(HeContext heContext, String inParamSAMLRequestParm, String inParamSAMLResponseParm, String inParamRelayStateParm, String inParamSigAlgParm, String inParamSignatureParm, STSAMLMessageStructure& outParamSAMLMessage)
   at ssIdP.Flows.FlowAuth.ScrnIdP.Preparation(HeContext heContext)

Thanks!


Hi Christian,

By the error it seems that the IdP server is not sending the message in the right way. The SAML assertion (login response) must always be sent through the POST binding instead of GET.

Regards

Hi Telmo,

We already have a successful request, but we are now encountering errors on the response.


The details of the error are below:

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Destination="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx" ID="RES-SSO-a7cd31f2-e1ef-414d-89dc-a847525a226d" InResponseTo="id_t15_161df32de5814f59b99e27df3c806871" IssueInstant="2018-11-29T04:54:13.492Z" Version="2.0"><ns2:Issuer>SAPIdP</ns2:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" ID="A-3cf38522-77c7-46c5-80e7-53b2e5047fbf" IssueInstant="2018-11-29T04:39:26.203Z" Version="2.0"><Issuer>SAPIdP</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#A-3cf38522-77c7-46c5-80e7-53b2e5047fbf"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Gt+dYutC8KJ6HyUTR9MnJANJocc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lkFQV7oCXFb8fNkX/4A3s9ensk6g6LDmkYa7uDehK5v4EEUow/Jue++TN/HpnLiPh53UCztsrefSO+UT0JHmc+KkqV+7AYe5FigQJH5Z1gSa7Nmv91Pa6kUxDvvlJugDsaRoG5VJBFD1TWcwYhQ29MYF2tqwuC5YBKZmyW5hs01ViLJzo0VyFNiLvYHTQ2OQDbyAlb0P7Ak343M/wVB9HBDEJ/TMwdGXTW/j6BE0SZk0hH5aPLsSMpH5S2nBeH4qmQ0Ta1zm/Za6HzFTgIUzjCv45ur7ROCrAA/eQpRNfObF9Lz30MkIV8eiXO4oMBh/vpD8E5C78eI1GCErXzYR2Q==</ds:SignatureValue></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">RBP4377</NameID><SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id_t15_161df32de5814f59b99e27df3c806871" NotOnOrAfter="2018-11-29T05:04:13.492Z" Recipient="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx"/></SubjectConfirmation></Subject><Conditions NotBefore="2018-11-29T04:49:13.492Z" NotOnOrAfter="2018-11-29T05:04:13.492Z"><AudienceRestriction><Audience>https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2018-11-29T04:54:13.492Z" SessionIndex="S-SP-e3241c8a-6a03-4275-b6eb-4bac8dd531bf"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></Response>


Can you help us identify what's causing this?


Regards,

Romuel

Hi Romuel,

The message itself seems fine.

You should also have an error in Service Center. Can you please provide it as well?

Also note that the IdP issuer is "SAPIdP"; by default the connector does not even allow saving the configuration with such a value. Although it need not be a valid/real URL, it must start with http:// or https://.

Regards

Hi Telmo,

Here is the error in Service Center:


Regards,

Rom



Hi Telmo,

We have already changed the SAP IdP name to match the “IdP Server Issuer/Entity ID” in the connector configuration, but we are still having the same error. Attached is the SAML Response text file.




Here is the Service Center log:

Hi Romuel,

For some reason that server does not seem to be able to handle and load certificates in CRT format. Please convert it to PEM format (which is already the one used when you upload an XML metadata file) and upload it in the configuration.

Regards



Hi Telmo,


Thanks for this. We are now able to proceed. But can you tell us how to update the Username in the Users table for new users that will be created? What happens now is that the user ID is created but without a username.


Regards 

Rom

Hi Romuel,

You mean the username is empty? Maybe the username claim mapping exists in the assertion but with an empty value. Is it OK for you to share the response XML message from the Logs screen as well as the configured claims?


Regards 

Hi Telmo,

Sorry, what I meant was the user's full name is not being mapped. The username is created but without the full name.

Here is the response XML:

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Destination="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx" ID="RES-SSO-4f37663c-9940-4a7e-8dba-09136448652b" InResponseTo="id_t15_c4959001fa07447680ec905275a07677" IssueInstant="2018-12-10T08:39:33.118Z" Version="2.0"><ns2:Issuer>https://idp.sap.com/saml2</ns2:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" ID="A-67e385e7-ef71-49e3-b8f2-969d1e266399" IssueInstant="2018-12-10T08:39:33.118Z" Version="2.0"><Issuer>https://idp.sap.com/saml2</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#A-67e385e7-ef71-49e3-b8f2-969d1e266399"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>X4aH1rgMlr3PiNawZPfC4QGr/4k=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>LcrvVeQ35zCm/rkQR4JmtZwD4RCBPshQEekxebFIITMnVKYiXd75gIYd9SwPoL7g1aZp1vPmc35+e/CXRxQ3g0c5AWPz4IUeuHo4/UD5joUasRipOg1Fk069VqRQj/VrtURR9B9gmMZltZ+VS55buEAW9zZoSozPufxc8rzDwAVun7E4cVWB3XDywci1cfYJrHVGv+9u+FnIY3myXunyO8oPd3XxbbgJ9vaJ1Qmtjw0IdcKyc1Gnyk3E+7h3oNGAP0OlGHH7iVBNmmSC5BFldcGKSGEPrd1tkl2YE4JAAHLwtaB/+g7YIiHAff3sRiU7SNN1EuDMtsEIow1ppixXUA==</ds:SignatureValue></ds:Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">CLD0683</NameID><SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id_t15_c4959001fa07447680ec905275a07677" NotOnOrAfter="2018-12-10T08:49:33.118Z" Recipient="https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx"/></SubjectConfirmation></Subject><Conditions NotBefore="2018-12-10T08:34:33.118Z" NotOnOrAfter="2018-12-10T08:49:33.118Z"><AudienceRestriction><Audience>https://gomobile01.jgsummit.com.ph/IdP/SSO.aspx</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2018-12-10T08:39:33.118Z" SessionIndex="S-SP-26066d44-9603-49fa-a776-8b3b0bcb9988"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></Response>


Here is the claims config:


Hi Romuel,

The username for this user will be CLD0683, since it's the NameID value and no Username claim is mapped.

The name itself will be empty since that information is not present in the assertion. The name and other claim values must be inside an <AttributeStatement> node, which is not present in the example above.

Regards
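As an added example (not the connector's own code, and not written by anyone in this thread), the Python check below pulls from a SAML Response the fields the answers above turn on: the username comes from NameID, the issuer must start with http:// or https://, and the full name only exists if the assertion carries an AttributeStatement. The sample responses are constructed and unsigned; the hostnames, attribute names and person data are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_response(xml_text: str) -> dict:
    """Pull out the fields the connector maps: issuer, NameID, audience and attribute claims."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    # Claims such as the full name live only under AttributeStatement.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": issuer,
        # The connector only accepts an issuer that starts with http:// or https://.
        "issuer_is_url": issuer.startswith(("http://", "https://")),
        "name_id": name_id,  # becomes the username when no Username claim is mapped
        "audience": audience,
        "has_attribute_statement": assertion.find("saml:AttributeStatement", NS) is not None,
        "attributes": attrs,
    }

# Constructed, unsigned sample modelled on the thread's response: no AttributeStatement.
WITHOUT_ATTRS = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="R-1" Version="2.0" IssueInstant="2018-12-10T08:39:33Z">
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="A-1" Version="2.0" IssueInstant="2018-12-10T08:39:33Z">
    <Issuer>https://idp.example.test/saml2</Issuer>
    <Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">CLD0683</NameID></Subject>
    <Conditions NotBefore="2018-12-10T08:34:33Z" NotOnOrAfter="2018-12-10T08:49:33Z">
      <AudienceRestriction><Audience>https://sp.example.test/IdP/SSO.aspx</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</Response>"""

# Same response with the AttributeStatement the IdP team was asked to add (attribute names assumed).
WITH_ATTRS = WITHOUT_ATTRS.replace("</Conditions>", """</Conditions>
    <AttributeStatement>
      <Attribute Name="name"><AttributeValue>Jane Doe</AttributeValue></Attribute>
      <Attribute Name="email"><AttributeValue>jane.doe@example.test</AttributeValue></Attribute>
    </AttributeStatement>""")
```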

Thanks, Telmo. I'll inform our SAP Team to provide this attribute. Will keep you posted.

Regards,

Romuel