2346372 - SAML 2.0: ABAP SP signature algorithm mismatch with Microsoft ADFS

• While performing a SAML 2.0 authentication between an ABAP Service Provider and a Microsoft ADFS (Identity Provider), it fails.

• In ABAP SAML Traces the following information can be verified:

• The 'Incoming Response' from the Identity Provider has 'Status Code' value 'urn:oasis:names:tc:SAML:2.0:status:Responder'

• The 'DigestMethod Algorithm' attribute of the 'Incoming Response' is 'http://www.w3.org/2001/04/xmlenc#sha256'

  In order to collect the SAML 2.0 traces, access the Security Diagnostic Tool in the AS ABAP system by calling the URL below: http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX> Press the start button, reproduce the scenario and press the stop button. More information regarding the Security Diagnostic Tool for ABAP can be found in KBA 2960670.

• In Microsoft ADFS side the following error can be seen:

• Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)

• Microsoft Active Directory Federation Services
• SAP Netweaver AS ABAP 7.02
• SAP Netweaver AS ABAP 7.30
• SAP Netweaver AS ABAP 7.31
• SAP Netweaver AS ABAP 7.40
• SAP Netweaver AS ABAP 7.50

SAML 2.0, SAML2, ADFS, Responder, status code, digest algorithm, SHA-1, SHA-256, SHA-2, microsoft, SAML, authentication, fails, identity provider, service provider, sp, idp , KBA , BC-SEC-LGN-SML , SAML 2.0 for ABAP , BC-SEC-SSF , Secure Store and Forward , Problem