Symptom

SAML 2.0 authentication between an AS ABAP Service Provider (SP) and Microsoft ADFS acting as Identity Provider (IdP) fails.

In the ABAP SAML 2.0 trace the following can be observed:

- The 'Incoming Response' from the Identity Provider has 'Status Code' value 'urn:oasis:names:tc:SAML:2.0:status:Responder'
- The 'DigestMethod Algorithm' attribute of the 'Incoming Response' is 'http://www.w3.org/2001/04/xmlenc#sha256'

In order to collect the SAML 2.0 traces, access the Security Diagnostic Tool in the AS ABAP system by calling the URL below:
http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>
Press the start button, reproduce the scenario and press the stop button.
More information regarding the Security Diagnostic Tool for ABAP can be found in KBA 2960670.

On the Microsoft ADFS side the following error can be seen:

Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
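As an added example (not SAP's or Microsoft's code), the following Python script extracts the SignatureMethod, DigestMethod and StatusCode from a SAML 2.0 message and reports the rsa-sha1 versus rsa-sha256 mismatch that the ADFS error above describes, along with the Status Responder seen in the SP trace. It assumes the IdP expects rsa-sha256, as stated in the MSIS7093 message, and runs on a constructed AuthnRequest with SignatureValue and KeyInfo omitted.

```python
# Added example, not SAP's or Microsoft's code: report the algorithm/status facts behind
# the symptom above (Status Responder in the SP trace, MSIS7093 on the ADFS side).
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

def inspect_saml(xml_text, expected_sig_alg=RSA_SHA256):
    """Return the algorithms and status found in the message plus a list of findings."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:SignatureMethod", NS)
    dig = root.find(".//ds:DigestMethod", NS)
    status = root.find(".//samlp:StatusCode", NS)
    info = {"signature_alg": sig.get("Algorithm") if sig is not None else None,
            "digest_alg": dig.get("Algorithm") if dig is not None else None,
            "status_code": status.get("Value") if status is not None else None,
            "findings": []}
    if info["signature_alg"] is None:
        info["findings"].append("message carries no XML signature")
    elif info["signature_alg"] != expected_sig_alg:
        # The ADFS MSIS7093 case: signed with rsa-sha1 while the IdP expects rsa-sha256.
        info["findings"].append(
            f"signature algorithm {info['signature_alg']} != expected {expected_sig_alg}")
    if info["signature_alg"] == RSA_SHA1 or (info["digest_alg"] or "").endswith("#sha1"):
        info["findings"].append("SHA-1 in use; SHA-256 is the expected baseline")
    if info["status_code"] == STATUS_RESPONDER:
        # Responder means the IdP failed on its side; the reason is in the IdP log, not the SP trace.
        info["findings"].append("IdP returned status Responder; check the IdP event log")
    return info

# Constructed sample: an SP AuthnRequest signed with rsa-sha1, as in the ADFS error
# (SignatureValue and KeyInfo omitted; only the algorithm elements matter here).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""
```

Running `inspect_saml(SAMPLE_AUTHN_REQUEST)` yields the same mismatch ADFS reports; run it on the 'Incoming Response' from the trace to see the Responder status flagged as an IdP-side failure.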
Environment
- Microsoft Active Directory Federation Services
- SAP Netweaver AS ABAP 7.02
- SAP Netweaver AS ABAP 7.30
- SAP Netweaver AS ABAP 7.31
- SAP Netweaver AS ABAP 7.40
- SAP Netweaver AS ABAP 7.50
Keywords
SAML 2.0, SAML2, ADFS, Responder, status code, digest algorithm, SHA-1, SHA-256, SHA-2, microsoft, SAML, authentication, fails, identity provider, service provider, sp, idp, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, BC-SEC-SSF, Secure Store and Forward, Problem
About this page
This is a preview of a SAP Knowledge Base Article.