Channel: SCN : Discussion List - SAP Single Sign-On

BW SSO2 and BO


Hi experts,

 

We have implemented SSO2 in our BW system and it's working fine. The problem is on our BO (4.1, SP3). When I start a Webi report, using the scheduling, we always receive the error message:

 

Database error: Unable to connect to SAP BW server Incomplete logon data.. (IES 10901)


I've read 1 million notes, but till now, no luck. I saw the light after reading this thread:


Re: Issues with SNC SSO after upgrade to 4.1 sp05 patch 1


But no luck. Even after deploying gx64krb5.dll in our BO server (CMC and SNC_LIB), we still have the same error.


I have these parameters on BW side:


profile:


spnego/krbspnego                            /usr/sap/XXX/SLL/libsapcrypto.so
spnego/krbspnego_lib                        /usr/sap/XXX/SLL/libsapcrypto.so
spnego/enable                               1
snc/force_login_screen                      0
snc/r3int_rfc_secure                        0
snc/r3int_rfc_qop                           8
snc/data_protection/use                     3
login/password_max_idle_productive          120
login/min_password_lowercase                1
login/min_password_uppercase                1
login/password_compliance_to_current_policy 1
snc/permit_insecure_start                   1
ssf/name                                    SAPSECULIB
snc/identity/as                             p:CN=SAP/KerberosXXX@XXXXXXXXXXXXXXXXXXXX
snc/enable                                  1
snc/data_protection/min                     2

 

 

SNC0 - it's GREEN

strust and strustsso2 - certificates of (BO server) are in, with both clients (000 and 100)

BO user has the correct permissions and SNC is activated with SNC DATA (GREEN)

 

 

BO SIDE:

 

 

CMC:

 

   Entitlement Systems  : ok

role import: ok

 

SNC settings:

 

Enable Secure Network Communication [SNC]  - checked

Prevent insecure incoming RFC connections - checked

 

SNC library settings : C:\sapcrypto\gx64krb5.dll

SNC name of SAP system: p:CN=SAP/KerberosXXX@XXXXXXXXXXXXXXXXXXXX

SNC name of Enterprise system : p:CN=XX, OU =XXX, O=XXX, L=XXXXXXXXX, C=XX


OPTIONS:


SAP SSO Service : Keystore was uploaded


OS:


SNC_LIB environment variable to point to C:\sapcrypto\gx64krb5.dll



Please help



thx in advance

 

Nuno


SSO Help


Hello Gurus,

We are running Netweaver Portal 7.3 and have SPNego configured for users inside the network. I know that this solution does not work for users outside the network. We can use SAML but the issue is that even the SAML IDP will need one time authentication.

 

Is there a way, for example, to use some sorta system to issue certs (like SAP Passport) to users that can be used to authenticate users to SAML IDP and then we can redirect SAML IDP to NW portal accepting the SAML cert?

 

Basically, we don't want even the external customers to enter ID and Password.

 

Any thoughts/ideas will be appreciated.

 

Thanks,

Karan

SPnego and SNC with AES-256 keys


SCN pals,

 

We have SPnego / SNC setup on both our NW7.31SP07 and NW7.40SP07 systems.

 

We used the basic steps outlined in the videos:

http://scn.sap.com/docs/DOC-40178

 

But one thing that I have noticed, is that once I have established a connection into SAPGUI via SNC or WEBGUI via SPNEGO, my ticket in "klist" looks like this:

 

C:\Users\nwells>klist

Current LogonId is 0:0x5b639

Cached Tickets: (2)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

 

#1>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

 

#3>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/my-hostname.my-domain.com@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

 

Does anyone know why my SAP Kerberos tokens come over as RSADSI RC4-HMAC(NT) ?

 

When I created the keytab at the OS level, I got this as part of the output:

 

keytab: KeyTab content stored:

    Version  Time stamp                 KeyType   Kerberos name

          1  Thu May  7 15:42:25 2015   DES       SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES128    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES256    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   RC4       SA-AGC-ABAP-SID@MY-DOMAIN.COM

 

and in the SPNEGO transaction, I have these listed:

 

DES-CBC-CRC

DES-CBC-MD5

AES128_CTS_HMAC_SHA1_96

AES256_CTS_HMAC_SHA1_96

RC4-HMAC-MD5

RC4-HMAC-MD5-56

 

So I would think that I'm covered.

 

I read this note and applied it in my NW7.31 but it was N/A on 7.40.  I meet the kernel requirements too for both.

 

1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

 

If I get my AD administrator to click the button for my user SA-AGC-ABAP-SID@MY-DOMAIN.COM that says "This account support Kerberos AES 256 bit encryption" in the account options....NOTHING works!  SPnego just goes back to username/pass, and SNC pops up a message when you try  to login that says "GSS-API(min): A2210217:the verification of the Kerberos ticket failed

target="p:CN=SA-AGC-ABAP-SID"

 

I also read this note:

 

1677641 - Kerberos authentication problem (SNG/GSS error a2210217)

 

but we already have the latest NWSSO2.0 SP05 login library and note 1832706.  I'm certain my user/pass for AD is correct.

 

Anyway..I know I said a lot....ANY thoughts?

 

 

 

thanks,

 

NICK
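
An added example, not part of the original post: a Python check that parses Windows `klist` output of the kind shown above and lists the service tickets whose ticket or session key type is RC4 or DES instead of AES, which is a useful inventory when phasing those types out. The sample text is constructed from the post's placeholder names (the last ticket is invented for contrast), and the function names are this example's own.

```python
import re

# Substrings of the encryption type labels printed by Windows klist.
WEAK_MARKERS = ("RC4", "DES")
STRONG_MARKERS = ("AES",)

TICKET_START = re.compile(r"^#(\d+)>\s*Client:\s*(.+?)\s*$")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

# Constructed sample in klist layout; names are placeholders, not real principals.
SAMPLE = """\
Current LogonId is 0:0x5b639

Cached Tickets: (4)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Session Key Type: RSADSI RC4-HMAC(NT)

#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/my-hostname.my-domain.com@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Session Key Type: RSADSI RC4-HMAC(NT)

#3>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/other-host.my-domain.com @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""


def parse_klist(text):
    """Return one dict per cached ticket, keyed by the klist field names."""
    tickets = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between fields
        start = TICKET_START.match(line.strip())
        if start:
            current = {"index": int(start.group(1)), "Client": start.group(2)}
            tickets.append(current)
            continue
        if current is None:
            continue  # header lines before the first ticket
        field = FIELD.match(line)
        if field:  # "Ticket Flags ..." has no colon and is skipped
            current[field.group(1).strip()] = field.group(2)
    return tickets


def classify(etype):
    """Map a klist encryption type label to 'weak', 'aes' or 'unknown'."""
    upper = etype.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    if any(marker in upper for marker in STRONG_MARKERS):
        return "aes"
    return "unknown"


def weak_service_tickets(text):
    """Service tickets (krbtgt excluded) using RC4/DES for ticket or session key."""
    findings = []
    for ticket in parse_klist(text):
        server = ticket.get("Server", "")
        if server.lower().startswith("krbtgt/"):
            continue
        etype = ticket.get("KerbTicket Encryption Type", "")
        session = ticket.get("Session Key Type", "")
        if "weak" in (classify(etype), classify(session)):
            findings.append((ticket["index"], server, etype, session))
    return findings


if __name__ == "__main__":
    for index, server, etype, session in weak_service_tickets(SAMPLE):
        print(f"#{index} {server}: ticket={etype} session={session}")
```
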

SSO and SAML issue with Fiori


Hi

I have set up a Fiori system based on 7.4 and it is working fine.

I attempted to use Single Sign using SAML based on ADFS as an identity provider which we are already using in our environment.

I have followed this guide by Chris Wealy on Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

However when I am trying to login to the Fiori launchpad, I am redirected to the Idp site where I enter my credentials and I am not able to login. Checking the diagnostic tool I am getting the following error

 

SAML20 SP (client 410 ): Exception raised:

SAML20 SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration

SAML20     at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)

SAML20     at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)

SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)

SAML20     at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)

SAML20     at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)

 

However checking the possible solution to the above error I came across this

 

Problem: You are performing SAML 2.0 authentication and you get the following error:

CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1.

Reason: SSL server certificate of identity provider is not imported in “SSL Client Standard” PSE.

Solution: Import SSL server certificate of the identity provider in “SSL Client Standard” PSE.

 

I have imported the SSL server certificate along with the root certificate of the Identity provider which is ADFS and still I am getting the same error.

 

The ICM trace is showing this

 

Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST

Thr 140736331941632]    session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"

Thr 140736331941632] No LastError / ErrorStack available!

Thr 140736331941632]   SSL_get_state()==0x2120 "SSLv3 read server hello A"

Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443

Thr 140736331941632] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fff90003a60)==SSSLERR_SSL_CONNECT

Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)

Thr 140736331941632] SAPCRYPTO:SSL_connect() failed

Thr 140736331941632]

Thr 140736331941632] SapSSLSessionStart()==SSSLERR_SSL_CONNECT

Thr 140736331941632] SSL_connnect() failed  (0/0x00) Huh??

Thr 140736331941632]   SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"

Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443

Thr 140736331941632]   cli SSL session PSE "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"

Thr 140736331941632]   Target Hostname="adfs.sbm.com.sa"

 

Can anybody help out.

 

Do you need any other logs or configurations to check?

SSO cts import issue


Hi All,

 

I am facing an issue while importing CTS from QA to PROD in SSO Portal.

Whenever I transport the changes from QA to PROD, in the first attempt all changes do not move properly and no error is shown.

When I transport the CTS again, all changes are properly visible, which means I am doing it two times.

Which in ideal conditions I shouldn't do.

Please help me figure out why this is occurring. I have faced this same issue twice in a row.

Since there is no error while importing CTS from QA to PROD, that's why I am finding it difficult to analyse what can be the root cause of this problem.

 

Thanks & Regards,

Vijay Shukla

SSO in portal shortcut


Hi all,


Does anyone know how to add the SAP shortcut that enables the single-sign-on users from portal to allow the launch of ECC?

STRUSTSSO2 configuration is done correctly using SSO tickets, but what are the steps to place a shortcut (SAP GUI) into portal so users can launch SAP GUI and go directly into SAP as if they had just logged into SAP from local SAP GUI?

GSS-API(maj) SAP SSO btw SAP on linux and MAD


Hi Everyone,

 

I am trying to set up SAP SSO btw SAP on Linux and MAD. Everything looks fine, but when I change the snc/enable parameter to 1 my SAP system doesn't come up. Please assist me in the right direction with your knowledge.

sso.PNG

Please find the initial image. Please guide me on what info you want me to provide.

Thanks for your time

 

Regards,

Amit Sharma

Single sign on on SAP NWBC


Hi experts,

 

SAP Version: Ecc6 Ehp4

SAP ABAP Version: SAP_ABA 7.1 /13

DB                        :SQL 2008

NWBC:3.5

AD in place which is connected to portal ( NW 7.3 ) which is implemented through SPnego

 

 

Can anybody suggest the best method for implementing SSO for NWBC and SAP GUI in this landscape?

Help/ suggestions will be highly appreciated and rewarded.


SSO via x.509/SAML for free possible?


I know SAP releases the SSO products but is it possible to achieve SSO via x.509/SAML certificates for free? Or are the SSO products absolutely required for this?

 

Would really appreciate some insight, thanks!

 

Joe

Endpoint URL issue in SAML2 and ADFS integration on Portal 7.3


Hello All

 

We are in process of setting up SSO with SAML and ADFS 3.0 and facing an issue with endpoint URL.

 

The portal is accessible over HTTP protocol in our landscape (http://abc-xyz.com) and if I put the setting Allow HTTP Access to YES the endpoint URL is (http://abc-xyz.com:80/saml2/sp/acs). But the ADFS team gets an error while adding the relying party: the URL must begin with "https".

 

If I put Allow HTTP Access to NO the endpoint URL is (https://abc-xyz:50000/saml2/sp/acs) which is not accessible in landscape and is wrong. ADFS hits the URL (https://abc-xyz:50000/saml2/sp/acs) directly, so I cannot even redirect it to HTTP.

 

We cannot move our Portal completely to HTTPS as of now but want to implement ADFS. Any idea any other setting to check or if I missed anything?

 

Thanks

Atul Shrivastava

PSE can't be Created in SSO


Hi Team,

 

I am configuring SSO in BPC through windows active directory.

 

While generating the PSE it throws the error "Keytab: Can't create PSE"

 

Please find the screen shot and give some suggestion to resolve it.

sso_1.JPG

 

Thanks

Himanshu

X.509 client certificate not working through Reverse proxy


Dear expert,

 

We are working on Fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not; we got the error message "Base64 decoding of certificate failed". For landscape, the only difference between internet and intranet is we have an Apache reverse proxy in the DMZ. We are using gateway as front-end server, business suite and HANA in the back-end.

 

As X.509 authentication works fine under intranet scenario, we assume that the configuration for X.509 for both front-end and back-end are correct. With that assumption, the issue would exist in reverse proxy. We are using apache 2.4.7 with openssl 1.0.1e, but we have upgraded the openssl to the latest version 1.0.1h for SSL certificate generation. Below are the apache configuration for X.509.

 

Listen 1081
<VirtualHost *:1081>
# TLS termination for inbound clients
SSLEngine on
SSLCertificateFile  "D:/Apache24/conf/server.cer"
SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
# A client certificate is requested but not required
SSLVerifyClient optional
SSLVerifyDepth  10
# TLS towards the back end
SSLProxyEngine On
SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
AllowEncodedSlashes On
ProxyPreserveHost on
RequestHeader unset Accept-Encoding

<Proxy *>
     AddDefaultCharset Off
     SSLRequireSSL
     Order deny,allow
     Allow from all
</Proxy>

RequestHeader set ClientProtocol https
RequestHeader set x-sap-webdisp-ap HTTPS=1081

# Overwrite any client-supplied values of these headers first
RequestHeader set SSL_CLIENT_CERT  ""
RequestHeader set SSL_CLIENT_S_DN  ""
RequestHeader set SSL_CLIENT_I_DN  ""

# Then fill them from the TLS session (SSL_CLIENT_CERT is the PEM-encoded certificate)
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"

ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
</VirtualHost>

 

 

We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.

 

thanks,

 

Best regards,

 

Xian' an
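
An added diagnostic, not part of the original post and not SAP or Apache tooling: given the value a proxy forwards in the SSL_CLIENT_CERT header, it reports whether the value is bare single-line base64 of a DER certificate or a PEM block whose armor lines and whitespace make a strict base64 decoder fail, and returns the bare form. That the back end wants the bare form is an assumption to confirm against its documentation; the sample bytes are constructed and are not a real certificate.

```python
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for a certificate: a DER SEQUENCE header (0x30, long-form
# length 0x0100) followed by 256 filler bytes. Not a real X.509 certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_pem(der):
    """Wrap DER bytes the way mod_ssl exposes SSL_CLIENT_CERT: armor + 64-char lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END])


def strict_b64decode(value):
    """Decode as a strict consumer would: any non-alphabet character is an error."""
    return base64.b64decode(value, validate=True)


def looks_like_der_certificate(der):
    """Structural check only: outer DER SEQUENCE whose length spans the buffer."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def normalize_forwarded_cert(value):
    """Return (status, bare_base64_or_None) for a forwarded certificate header.

    status is one of: absent, bare-base64, needs-normalizing,
    undecodable, not-a-certificate.
    """
    value = value.strip()
    # mod_headers substitutes "(null)" when the SSL variable is unset, which
    # happens with "SSLVerifyClient optional" when no certificate is presented.
    if value in ("", "(null)"):
        return "absent", None
    try:
        der = strict_b64decode(value)
        status = "bare-base64"
    except (binascii.Error, ValueError):
        # Strip PEM armor and all whitespace (newlines, or spaces if the proxy
        # folded the lines), then try again.
        body = value.replace(PEM_BEGIN, "").replace(PEM_END, "")
        body = re.sub(r"\s+", "", body)
        try:
            der = strict_b64decode(body)
        except (binascii.Error, ValueError):
            return "undecodable", None
        status = "needs-normalizing"
    if not looks_like_der_certificate(der):
        return "not-a-certificate", None
    return status, base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    for label, header in [
        ("PEM as forwarded", to_pem(SAMPLE_DER)),
        ("PEM with folded lines", to_pem(SAMPLE_DER).replace("\n", " ")),
        ("no client certificate", "(null)"),
    ]:
        status, bare = normalize_forwarded_cert(header)
        print(f"{label}: {status}" + (f" ({len(bare)} base64 chars)" if bare else ""))
```
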

SAP Password Manager with SAP BCM CDT (contact center client)


Hey all,

 

We're testing the SAP Password Manager 2.0 SP3 (latest version out there).

It works OK....but now it seems we have a conflict/problem if the SAP Password Manager is running BEFORE our users start the SAP BCM CDT (now known as SAP Contact Center ) (that's the "softphone" software our reps use to connect to our IVR to answer calls / screen pops with SAP CRM).

 

So IF the SAP Password Manager is running first...and then the CSRs start the BCM CDT....SOMETIMES their BCM queues are grey'd out (not selectable).  Sometimes it works fine.

 

But the funny thing is that if I stop the SAP Password Manager, then start the BCM CDT, things work fine.  So it's easy to prove this is related to the SAP Password Manager, since we never had this problem before I started demo'ing the NW SSO software.

 

I can toggle back and forth (for the most part) to prove it is something to do with the SAP Password Manager.

 

Anyway, I did notice that SAP hasn't released any updates to the SAP Password Manager for about a year now, and there just are not that many notes at all regarding this software.

 

I'm sure this will turn into a SAP message but I was wondering if there are any folks out there that have run into this.

 

The most interesting thing to me is that we're not even using the NW SSO2.0 suite for SSO to BCM CDT.  It uses X.509 between our MS AD certs in the browser, and a config setting in the CDT.

 

Am also concerned that SAP hasn't released any updates to the SAP Password Manager in a while, so I wonder if this is even a product they plan on keeping up.  I will say that it does work fairly well for NON-SAP stuff, like external URLs and other applications.  It's helped fill in the blank for stuff I can't do via SNC / SPNEGO / X.509.

 

NICK

SAP WebGui SSO - Select a certificate


Hi,

 

I am receiving the Windows Security popup and asking to select a certificate while testing SSO on SAP WebGui. SSO is working fine but is there a way to make a default selection for the certificate so that user won't have to worry about selecting the right certificate?

 

 

Select a Certificate.png

Nitin

SAML 2.0 authentication and Fiori


Hello

 

I am attempting to set up our new SAP gateway server, which will be hosting our Fiori apps to authenticate to a SAML 2.0 Identity provider.

 

I have been following the instructions in the following document http://scn.sap.com/docs/DOC-42915

 

and everything appears to be set up as described.

I am however experiencing an error when I attempt to sign on using the new configuration. The error is occurring when the system is attempting to validate the SAML artifact with the identity provider, and I am getting the following error:

 

SAML_error.JPG

The error message is

 

SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.

Caused by: CX_SAML20_ASSERTION: Attribute 'Subject' of element 'SPNameQualifier' is invalid. Long text: Attribute 'Subject' of element 'SPNameQualifier' is invalid.

 

Can anybody help me to understand what this message means, the content of the SPNameQualifier field is "https//servername.domain/shibboleth"

 

Does this look correct to somebody who may have got this working or do we have the wrong value in this field.

 

Your help would be most appreciated as I have not been able to find anything on SDN that has been able to help so far.

 

Many Thanks

Bill Martin


Secure Login Client Login Popup Window Issue


Hi,

 

We are in process of testing SSO for SAP Local GUI using X.509 certificate. SSO as such is working fine but having issue with the Secure Login Client - Login popup screen. Even if I don't enter my AD user id/password  it still completes the authentication. Any idea why it's doing that?


We are using the latest version of Secure Login Client SLC05_1

 

SLC Login Popup.png

 

Nitin

MS ADFS to NW ABAP 7.02 SAML. IdP originated works, but not the other way


We have NW 7.02 SP12 and have enabled SAML2 to allow us to provide SSO to ABAP WebDynpros by way of MS ADFS.

 

After configuring SAML in line with all the relevant docs/notes/troubleshooting info, we are able to go to the ADFS URL (https://<IDP HOST>/adfs/ls/IdpInitiatedSignon.aspx), and pick our SAP Service Provider that we setup in SAML and provided the metadata file back to the ADFS.

 

We are challenged for our Windows/AD credentials and then after providing them are passed into the SAP ABAP web dynpro that we setup for SAML authentication, and also as the default endpoint in this test.  The logs show successful logon.

 

When we try to access that same SAP Web Dynpro by direct URL (https://<sap host>/sap/bc/xyz), we get redirected to the ADFS host for the Windows credentials, and then get taken back to the SAP ABAP Web logon screen with the errors

 

"Logon Failed at Identity Provider (http://<ADFS host>/adfs/services/trust)"

"SAML Response Status: [urn:oasis:names:tc:SAML2.0:status:Responder]"

"Message from the identity provider: [urn:oasis:names:tc:SAML2.0:status:Responder]"

 

 

The SAML Diagnostics trace in SAP reveals no error.  The SM21 log reveals no error.  So, this doesn't look so much like a SAML error but an ABAP AS error processing the assertion that's being sent back by the ADFS and then SAP is somehow not trusting the assertion in this method.

 

In the successful test of the IdP URL initiated call, the SAML Diag trace shows that the user ID (in below example, userID: JSMITH) is successfully being kicked over to SAP and then authenticated. 

 

In the (unsuccessful) SAP URL initiated test, the SAML Diag trace doesn't indicate any of this (but also no errors)

 

Thoughts?

 

 

 

IDP Initiated SAML

 

 

 

Client Server Work Process Time Severity User Message Callstack

100 USH-B-SC-SE2 2 02:01:31:851 Debug SAPSYS

HTTP request headers:

 

 

~request_line:  POST /sap/saml2/sp/acs/100 HTTP/1.1

~request_method:  POST

~request_uri:  /sap/saml2/sp/acs/100

~path:  /sap/saml2/sp/acs/100

~path_translated:  /sap/saml2/sp/acs/100

~server_protocol:  HTTP/1.1

host:  <SP Host>:8003

~server_name:  <SP Host>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

referer:  https://<IDP HOST>/adfs/ls/auth/integrated/?SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9Ol638%2bWr%2fBet86ZNz55%2b9tHv%2f%2bl5vnN%2f7%2f7%2b9v3pp%2fvb%2b%2fsPDraz3YcH23vne%2fcfZNneg%2ftZ9lH6k3ndFNXys4%2f2xjsfpWdNs87Plk2bLVv6aGd3f3tnb3vv%2fpudvUc7u4%2f27o0f3n%2fwUx%2blT6mXYpm1%2fOa8bVfNo7t3p810%2b7yZ5ZfjaVWuF5Mio18Wd7PZeXO3bO5%2blJ5UyyYH4HW9fFRlTdE8WmaLvHnUTh%2b9Pv7i%2bSPC4dFUGj1aL5tVPi3Oi3z2UfpuUS6bRzzSzW%2bv6qqtqPuPjh7zWGp5dfNLWdPkNcby0RHGcsNQqO1lMc2bu229btrHd6Wfo8c0ulkBKM179vn4eD0r8uU0f0VUrYspPnUfHr0%2b3SPQy3xKfdkP3a%2fBS3cdEvRHnzOO%2fh8%3d&Signature=UdDjDRi1cugjPfoVH%2bUVys0fwbbyPdhhMLrhZlxN0Sou4ELClET5F1pZDFGvhQX0ZK8m1zwFh7ZlhDnrxc9auPUBp2tfURHfSZSgBvB%2bFs7N110RDP7ImC2Y%2bIKvURdIapJ9561L6iZ6EvQHll%2bBvV3ur4Q7ZjkCrNrnDCnGv4ResdJkkrnsFrXIfJRl0ElFb2hJoWVXvM%2bN%2bJiFd%2fMmKE8l2yuOSsrlVAzDNxkNmrcLFmZrrjUZkUNBJ3Qc%2bZ%2bX3VJrbd0I3rG1YPfLpN4HgKjA5zO4dKOh28CttByQq25RzefuDvVkN1%2bbws7TfDMMxsw%2bw4jell9yQ6ewd9rpog%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256

connection:  keep-alive

content-type:  application/x-www-form-urlencoded

content-length:  7921

~server_name_expanded:  <SP Host>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

~script_name:  /sap/saml2

~path_info:  /sp/acs/100

~script_name_expanded:  /sap/public/bc/sec/saml2

~path_info_expanded:  /sp/acs/100

~path_translated_expanded:  /sap/public/bc/sec/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:01:32:148 Info SAPSYS

SAML20 SP (client 100 ): Raw SAML response:


100 USH-B-SC-SE2 2 02:01:32:205 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is POST


100 USH-B-SC-SE2 2 02:01:32:349 Info SAPSYS

SAML20 SP (client 100 ): Calling transformation:SAML2_RESPONSE was successful.


100 USH-B-SC-SE2 2 02:01:32:391 Info SAPSYS

SAML20 SP (client 100 ): SSL is active


100 USH-B-SC-SE2 2 02:01:32:393 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP Host>:8003/sap/zapp?sap-client=100


100 USH-B-SC-SE2 2 02:01:32:396 Info SAPSYS

SAML20 SP (client 100 ): Incoming Response

SAML20 Binding:          POST

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Success

SAML20 <samlp:Response ID="_96a3cff6-3bcc-4aad-8f19-fd01c239bccf"

SAML20                 Version="2.0"

SAML20                 IssueInstant="2014-02-25T02:01:30.101Z"

SAML20                 Destination="https://<SP Host>:8003/sap/saml2/sp/acs/100"

SAML20                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

SAML20                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <samlp:Status>

SAML20     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

SAML20   </samlp:Status>

SAML20   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"

SAML20                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

SAML20       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />

SAML20       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">

SAML20           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

SAML20

SAML20             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

SAML20           </e:EncryptionMethod>

SAML20           <KeyInfo>

SAML20             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20               <ds:X509IssuerSerial>

SAML20                 <ds:X509IssuerName>CN=SE2_SSFA_S2SVPE, OU=I0020597387,

SAML20                 OU=SAP Web AS, O=SAP Trust Community,

SAML20                 C=DE</ds:X509IssuerName>

SAML20                 <ds:X509SerialNumber>

SAML20                 9029198496735832</ds:X509SerialNumber>

SAML20               </ds:X509IssuerSerial>

SAML20             </ds:X509Data>

SAML20           </KeyInfo>

SAML20           <e:CipherData>

SAML20             <e:CipherValue>

SAML20             UzUVKFwmz1KcdKcoUqZglF8GVgZOBlBzmic/UPW4NP30xTMrhvs6xyAQrL+dIrC+CbRTV6NsFZ8LcoX2tBdeoasWrH/6bj9Mlq2QhLt/urRyEx0RVRXm0P8JzrPdiLX1MXlhqNgs3ALiwO5Er5NCJp8yij/AZlnZnf11QANt8cE=</e:CipherValue>

SAML20           </e:CipherData>

SAML20         </e:EncryptedKey>

SAML20       </KeyInfo>

SAML20       <xenc:CipherData>

SAML20         <xenc:CipherValue>

SAML20         </xenc:CipherValue>

SAML20       </xenc:CipherData>

SAML20     </xenc:EncryptedData>

SAML20   </EncryptedAssertion>

SAML20 </samlp:Response>

SAML20


100 USH-B-SC-SE2 2 02:01:32:401 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP Host>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP Host>:8003/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:01:32:413 Debug SAPSYS

SAML20 SP (client 100 ): m_is_resp_signed - , m_is_signed -


100 USH-B-SC-SE2 2 02:01:32:434 Info SAPSYS

SAML20 SP (client 100 ):  Decrypted data:

SAML20 <Assertion ID="_b95be371-7724-4c3e-ba09-261f10347d64"

SAML20            IssueInstant="2014-02-25T02:01:30.100Z"

SAML20            Version="2.0"

SAML20            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   <Issuer>http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20     <ds:SignedInfo>

SAML20       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

SAML20       <ds:Reference URI="#_b95be371-7724-4c3e-ba09-261f10347d64">

SAML20         <ds:Transforms>

SAML20           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

SAML20           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20         </ds:Transforms>

SAML20         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

SAML20         <ds:DigestValue>

SAML20         25MbGBIBAceJ7ucOi5mh+tNg3geg/Zs4LVsykD+RNEU=</ds:DigestValue>

SAML20       </ds:Reference>

SAML20     </ds:SignedInfo>

SAML20     <ds:SignatureValue>

SAML20     jN4dPvk8DLyD3aZVIkK1XQfLifBh0Ng1YaIEWrhxi1+85kZYaYtBD/AiGhfDNLQRN/9HC8RFJJBgVEYYtwOoSOkAOkMXt4m281Qi0kPV2fm5BppgOdoY/gEZtoXnlbnAffbQXbowB46NmYUvxUBX2kRs6u+HT88zi4XFgI9eGe9UM+M8XVWzwRRpRNTTnGe7z4s/EQ6Z5fWbFHHIIr9o90CkkREc9Lwgqw7lPAN9hjOBU9NmrOHwfzRqyY174GABuwAVUAR7CADY5C0N1puo66Z6v7dp0JI4JW3jrrHnt35v2D9DZa+aYf7287C7OKBkr5EMo258KGmKZfGRaMkPeg==</ds:SignatureValue>

SAML20     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20       <ds:X509Data>

SAML20         <ds:X509Certificate>

SAML20         </ds:X509Certificate>

SAML20       </ds:X509Data>

SAML20     </KeyInfo>

SAML20   </ds:Signature>

SAML20   <Subject>

SAML20     <NameID>JSMITH</NameID>

SAML20     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20       <SubjectConfirmationData NotOnOrAfter="2014-02-25T02:06:30.101Z"

SAML20                                Recipient="https://<SP Host>:8003/sap/saml2/sp/acs/100" />

SAML20     </SubjectConfirmation>

SAML20   </Subject>

SAML20   <Conditions NotBefore="2014-02-25T02:01:30.098Z"

SAML20               NotOnOrAfter="2014-02-25T03:01:30.098Z">

SAML20     <AudienceRestriction>

SAML20       <Audience>SE2Connect</Audience>

SAML20     </AudienceRestriction>

SAML20   </Conditions>

SAML20   <AuthnStatement AuthnInstant="2014-02-25T02:01:30.033Z"

SAML20                   SessionIndex="_b95be371-7724-4c3e-ba09-261f10347d64">

SAML20     <AuthnContext>

SAML20       <AuthnContextClassRef>

SAML20       urn:federation:authentication:windows</AuthnContextClassRef>

SAML20     </AuthnContext>

SAML20   </AuthnStatement>

SAML20 </Assertion>

SAML20


100 USH-B-SC-SE2 2 02:01:32:441 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP Host>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP Host>:8003/saml2/sp/acs/100


100 USH-B-SC-SE2 2 02:01:32:446 Info SAPSYS

SAML20 SP (client 100 ): Started authentication for access to path:


100 USH-B-SC-SE2 2 02:01:32:450 Info SAPSYS

SAML20 SP (client 100 ): NameID jsmith (Format ) mapped to user ID jsmith


100 USH-B-SC-SE2 2 02:01:32:461 Info jsmith

SAML20 SP (client 100 ): CALL 'SAML login': SY-SUBRC = 0, PWDCHG = 0, CONTEXT_REF = B980AFFF9DC011E3B12F005056850025


100 USH-B-SC-SE2 2 02:01:32:466 Info jsmith

SAML20 SP (client 100 ): SAML session created (security context ref: B980AFFF9DC011E3B12F005056850025, reason: SSO)


100 USH-B-SC-SE2 2 02:01:32:479 Debug jsmith

SAML20 SP (client 100 ): Current request method is POST, request method as read by OUC cookie is 

SAP URL initiated SAML

Client Server Work Process Time Severity User Message Callstack

100 USH-B-SC-SE2 2 02:04:33:780 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is GET

100 USH-B-SC-SE2 2 02:04:33:783 Debug SAPSYS

HTTP request headers:

~request_line:  GET /sap/zapp/ContractList HTTP/1.1

~request_method:  GET

~request_uri:  /sap/zapp/ContractList

~path:  /sap/zapp/ContractList

~path_translated:  /sap/zapp/ContractList

~server_protocol:  HTTP/1.1

host:  <SP HOST>:8003

~server_name:  <SP HOST>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

connection:  keep-alive

~server_name_expanded:  <SP HOST>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

100 USH-B-SC-SE2 2 02:04:33:785 Info SAPSYS

SAML20 SP (client 100 ): IdP 'http://<IDP HOST>/adfs/services/trust' selected (source: Default Configuration)

100 USH-B-SC-SE2 2 02:04:33:788 Info SAPSYS

SAML20 SP (client 100 ): SSL is active

100 USH-B-SC-SE2 2 02:04:33:789 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP HOST>:8003/sap/zapp/ContractList

100 USH-B-SC-SE2 2 02:04:33:792 Debug SAPSYS

SAML20 SP (client 100 ): Got comparison method from IDP:0

100 USH-B-SC-SE2 2 02:04:33:795 Debug SAPSYS

SAML20 SP (client 100 ): Relay state: ID=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf, value=GET#0y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%3D%3D

100 USH-B-SC-SE2 2 02:04:33:808 Info SAPSYS

SAML20 SP (client 100 ): Outgoing AuthnRequest

SAML20 Binding:          REDIR

SAML20 Signed:           True

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Destination:      https://<IDP HOST>/adfs/ls/

SAML20 <samlp:AuthnRequest ID="S00505685-0025-1ee3-a7b8-25619ae3f12f"

SAML20                     Version="2.0"

SAML20                     IssueInstant="2014-02-25T02:04:33Z"

SAML20                     Destination="https://<IDP HOST>/adfs/ls/"

SAML20                     ForceAuthn="false"

SAML20                     IsPassive="false"

SAML20                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   SE2Connect</saml:Issuer>

SAML20   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

SAML20 </samlp:AuthnRequest>

SAML20

100 USH-B-SC-SE2 2 02:04:33:810 Debug SAPSYS

SAML20 SP (client 100 ): URL to redirect https://<IDP HOST>/adfs/ls/?SAMLRequest=fZFRS8MwFIX%2FSsl7lzRd57ysheEUCirDiQ%2B%2BZekNC7RJ7U2H%2FnvTDmQ%2B6Fs43HO%2Bc8iGVNf2sB3Dyb3gx4gUknpXsoMQhShW6yIVQhZphpin6ua4TmWxym4V5iaThiVvOJD1rmRyIVhSE41YOwrKhSiJbJkKGR2vQoJYQp6%2Fs2QXCdapMLtOIfQEnGvSqaEGzwvt27E7WhUfHVeNId4SZ8mDHzTOJUtmVEs4wfaKyJ7xR%2FnsWkcwDyrZODjwiiyBUx0SBA2H7dMjxKLQDz74SGLVZrqGufdw5f%2FfHrE4TANYdbiXd9451GHDr6IuuT08R2%2B92%2FvW6q9pQ6fC39HZIpsV26RmPoXRUY%2FaGosN49WF8Puvqm8%3D&RelayState=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pWKCA5zyQfiXesrmCwBC2UMz6ytSGrJvDeuKcswLeO42%2BbCHMJNKOFJ38DbIrc0WVvPfG8ildQ8wEolU0%2FKE9aNTNF2XyIEjbdnt76sxyafwWq6FbrIQ%2B6YqCuiGNGNVmGz8iTTTGSbqJ0IHYlf3YK0jSBZcSGZAnFREt8Te4Lg%3D

100 USH-B-SC-SE2 2 02:04:41:133 Debug SAPSYS

HTTP request headers:

~request_line:  POST /sap/saml2/sp/acs/100 HTTP/1.1

~request_method:  POST

~request_uri:  /sap/saml2/sp/acs/100

~path:  /sap/saml2/sp/acs/100

~path_translated:  /sap/saml2/sp/acs/100

~server_protocol:  HTTP/1.1

host:  <SP HOST>:8003

~server_name:  <SP HOST>

~server_port:  8003

user-agent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

accept:  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

accept-language:  en-US,en;q=0.5

accept-encoding:  gzip, deflate

referer:  https://<IDP HOST>/adfs/ls/auth/integrated/?SAMLRequest=fZFRS8MwFIX%2FSsl7lzRd57ysheEUCirDiQ%2B%2BZekNC7RJ7U2H%2FnvTDmQ%2B6Fs43HO%2Bc8iGVNf2sB3Dyb3gx4gUknpXsoMQhShW6yIVQhZphpin6ua4TmWxym4V5iaThiVvOJD1rmRyIVhSE41YOwrKhSiJbJkKGR2vQoJYQp6%2Fs2QXCdapMLtOIfQEnGvSqaEGzwvt27E7WhUfHVeNId4SZ8mDHzTOJUtmVEs4wfaKyJ7xR%2FnsWkcwDyrZODjwiiyBUx0SBA2H7dMjxKLQDz74SGLVZrqGufdw5f%2FfHrE4TANYdbiXd9451GHDr6IuuT08R2%2B92%2FvW6q9pQ6fC39HZIpsV26RmPoXRUY%2FaGosN49WF8Puvqm8%3D&RelayState=oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pWKCA5zyQfiXesrmCwBC2UMz6ytSGrJvDeuKcswLeO42%2BbCHMJNKOFJ38DbIrc0WVvPfG8ildQ8wEolU0%2FKE9aNTNF2XyIEjbdnt76sxyafwWq6FbrIQ%2B6YqCuiGNGNVmGz8iTTTGSbqJ0IHYlf3YK0jSBZcSGZAnFREt8Te4Lg%3D

cookie:  oucqqvqvwyvoqqsvoreetoaxbyosvwrzaetfrsf=GET%230y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%253D%253D

connection:  keep-alive

content-type:  application/x-www-form-urlencoded

content-length:  3766

~server_name_expanded:  <SP HOST>

~server_port_expanded:  8003

~remote_addr:  10.45.74.109

~uri_scheme_expanded:  HTTPS

~script_name:  /sap/saml2

~path_info:  /sp/acs/100

~script_name_expanded:  /sap/public/bc/sec/saml2

~path_info_expanded:  /sp/acs/100

~path_translated_expanded:  /sap/public/bc/sec/saml2/sp/acs/100

100 USH-B-SC-SE2 2 02:04:41:409 Info SAPSYS

SAML20 SP (client 100 ): Raw SAML response:

100 USH-B-SC-SE2 2 02:04:41:411 Debug SAPSYS

SAML20 SP (client 100 ): Original request method is POST

100 USH-B-SC-SE2 2 02:04:41:417 Info SAPSYS

SAML20 SP (client 100 ): Calling transformation:SAML2_RESPONSE was successful.

100 USH-B-SC-SE2 2 02:04:41:423 Debug SAPSYS

SAML20 SP (client 100 ): Relay state cookie to parse: GET#0y9OLNB3zs8pzU3KTHTOz8tLTS4B8vNKihKTS3wyi0sUAA%3D%3D

100 USH-B-SC-SE2 2 02:04:41:425 Info SAPSYS

SAML20 SP (client 100 ): SSL is active

100 USH-B-SC-SE2 2 02:04:41:426 Info SAPSYS

SAML20 SP (client 100 ): get_application_uri ef_url: https://<SP HOST>:8003/sap/zapp/ContractList

100 USH-B-SC-SE2 2 02:04:41:428 Info SAPSYS

SAML20 SP (client 100 ): Incoming Response

SAML20 Binding:          POST

SAML20 IdP Name:         http://<IDP HOST>/adfs/services/trust

SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Responder

SAML20 <samlp:Response ID="_91140a8c-93ed-403e-98a7-9d76260601b3"

SAML20                 Version="2.0"

SAML20                 IssueInstant="2014-02-25T02:04:39.417Z"

SAML20                 Destination="https://<SP HOST>:8003/sap/saml2/sp/acs/100"

SAML20                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"

SAML20                 InResponseTo="S00505685-0025-1ee3-a7b8-25619ae3f12f"

SAML20                 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

SAML20   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

SAML20   http://<IDP HOST>/adfs/services/trust</Issuer>

SAML20   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

SAML20     <ds:SignedInfo>

SAML20       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

SAML20       <ds:Reference URI="#_91140a8c-93ed-403e-98a7-9d76260601b3">

SAML20         <ds:Transforms>

SAML20           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

SAML20           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

SAML20         </ds:Transforms>

SAML20         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

SAML20         <ds:DigestValue>

SAML20         gg9SyLFRheGk+zVAfQx4z4KB4CLKKdjna34sQR+stbQ=</ds:DigestValue>

SAML20       </ds:Reference>

SAML20     </ds:SignedInfo>

SAML20     <ds:SignatureValue>

SAML20     e0TWesgRqbxV/p3LHQQCSHU0eSkJzUpULQF/HqQysOEs4N89G6ngpAjbXYjWot/ozoYzs5hD5Xjp/jBfO2jJb77O81TjVijH4BdeOzrEHEOxeE0hwmptd0+acVgLbUICKkl1vJAYH3+9I1rbYS7tGRmqD2tOXCMdQDHW41aiwZ6lTf8x0M56rwKHDl/cKcty+6SbYgaWIVyVs++9opuyo3skPJAzjD/ITteTfZlGmnvMrUgt1v4tnZJXWIk2aPzOllumDDq03pupabAlY2QIMbXeVhFNj8bU/BcESFuZhCl+JL25xMa0aqbrb90pSi5iw3GClBi7twLpZ3d0Xynaag==</ds:SignatureValue>

SAML20     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

SAML20       <ds:X509Data>

SAML20         <ds:X509Certificate>

SAML20         </ds:X509Certificate>

SAML20       </ds:X509Data>

SAML20     </KeyInfo>

SAML20   </ds:Signature>

SAML20   <samlp:Status>

SAML20     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />

SAML20   </samlp:Status>

SAML20 </samlp:Response>

SAML20

100 USH-B-SC-SE2 2 02:04:41:430 Info SAPSYS

SAML20 SP (client 100 ): Default ACS endpoint: https://<SP HOST>:8003/sap/saml2/sp/acs/100 , old default ACS endpoint: https://<SP HOST>:8003/saml2/sp/acs/100
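
The SP-initiated trace above logs the outgoing AuthnRequest as a redirect URL (Binding: REDIR) with SigAlg rsa-sha1. As an added example (not part of the original post and not SAP or ADFS code), this Python helper decodes such a URL for troubleshooting and reports whether it is signed with a SHA-1 algorithm; the sample request, host name and function names are constructed assumptions.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SHA1_SIGALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}
MAX_XML = 64 * 1024  # cap on inflated size, so a hostile value cannot exhaust memory

def encode_redirect(xml_text):
    """SAMLRequest value for HTTP-Redirect: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inspect_redirect_url(url):
    """Decode the SAMLRequest in a redirect URL and summarise what the SP asked for."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    inflater = zlib.decompressobj(wbits=-15)
    xml_text = inflater.decompress(base64.b64decode(q["SAMLRequest"][0]), MAX_XML).decode()
    if inflater.unconsumed_tail or "<!DOCTYPE" in xml_text:
        raise ValueError("oversized request or DTD present; refusing to parse")
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": q.get("RelayState", [None])[0],
        "signed": "Signature" in q,
        "sha1_sigalg": q.get("SigAlg", [None])[0] in SHA1_SIGALGS,
    }

# Constructed sample, modelled on the AuthnRequest shape in the trace (not the page's values).
SAMPLE_XML = (
    '<samlp:AuthnRequest ID="S-constructed-0001" Version="2.0" '
    'Destination="https://idp.example.test/adfs/ls/" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">\n  ExampleSP</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '</samlp:AuthnRequest>')
SAMPLE_URL = "https://idp.example.test/adfs/ls/?" + urllib.parse.urlencode({
    "SAMLRequest": encode_redirect(SAMPLE_XML), "RelayState": "constructed-relay",
    "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "Signature": "Y29uc3RydWN0ZWQ="})

if __name__ == "__main__":
    print(inspect_redirect_url(SAMPLE_URL))
```

Comparing the decoded ID with the InResponseTo of the IdP's response, and the Issuer with the identifier configured at the IdP, narrows down which side rejected the request.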

SPNego Authentication for JAVA stack

Hi All,

 

We are configuring SPNego authentication for the SAP NW 7.4 portal and Windows AD.

 

SAP NW 7.4 is on SP08 on AIX 7.1, and Windows AD is on a Windows 2012 server. As described in the help.sap.com documentation, we have done the steps below.

 

1. Created service user in Windows AD with no expire and no password change.

2. Created REALM as explained.

3. Created and configured SPNegoLoginModule in NWA.

 

But we are still not able to log in to NW 7.4 with Kerberos authentication. We found the errors and warnings below in the security troubleshooting wizard in NWA.

 

Error:

 

Invalid ticket endtime: 20150309155820Z

11:42:14:338 Error Guest HTTP Worker [@907185622],5,D... ....core.server.jaas.SPNegoLoginModule

Could not validate SPNEGO token.

 

Warning:

 

Can't map exception.

[EXCEPTION] com.sap.engine.services.security.exceptions.BaseLoginException: Cannot authenticate the user.

 

Kindly Suggest,

 

Regards,

Sree

Single Sign-On from Fiori to BI 4.1

Dear experts,

 

I'm new to SSO.

Currently, I'd like to build an SSO scenario from Fiori (ABAP-based) to a BI 4.1 server.

I have some questions about this scenario:

1. Is this scenario available now?

2. What are the authentication options?

3. Is there any document/guide about the process?

 

Please give some hints, thanks a lot.

 

Hank

Multiple SSO config

Hi All,

 

We have configured an SSO setup (on the Dev portal) for our dev/QA environments and would like to set up another SSO (on the PRD portal) for all the production instances, and have the queries below:

 

1. When we import the registry entries for SSO enrollment, will it overwrite the existing URL, or can we have multiple URL enrollments, one for dev/QA and one for PRD?

2. Would we also have to import multiple root CAs into the users' browsers?

 

 

regards

Jonu Joy
