SAP Knowledge Base Article - Preview

2346372 - SAML 2.0: ABAP SP signature algorithm mismatch with Microsoft ADFS

Symptom

  • SAML 2.0 authentication between an ABAP Service Provider (SP) and Microsoft ADFS acting as Identity Provider (IdP) fails.

  • In the ABAP SAML 2.0 traces the following can be observed:

    • The 'Incoming Response' from the Identity Provider has 'Status Code' value 'urn:oasis:names:tc:SAML:2.0:status:Responder'

    • The 'DigestMethod Algorithm' attribute of the 'Incoming Response' is 'http://www.w3.org/2001/04/xmlenc#sha256'

      In order to collect the SAML 2.0 traces, access the Security Diagnostic Tool in the AS ABAP system by calling the URL below:
      http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>
      Press the start button, reproduce the scenario and press the stop button.
      More information regarding the Security Diagnostic Tool for ABAP can be found in KBA 2960670.

  • On the Microsoft ADFS side the following error is logged:

    • Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)

*Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
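As an added illustration (this is not part of the KBA and not SAP or Microsoft code), the Python script below pulls the three values the symptom section tells you to look for out of a SAML 2.0 protocol message (the StatusCode, the SignatureMethod algorithm and the DigestMethod algorithm) and applies the same comparison ADFS performs before it raises MSIS7093: the algorithm the message was actually signed with against the algorithm the IdP is configured to expect. Going beyond the KBA text, it also handles the HTTP-Redirect binding, where the signature algorithm is carried in the SigAlg query parameter rather than inside the XML. The sample Response, AuthnRequest, redirect URL and host names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Namespace URIs fixed by the SAML 2.0 and XML Signature specifications.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm identifiers that appear in the KBA's trace and ADFS error text.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


def inspect_saml_message(xml_text):
    """Return status code, signature algorithm and digest algorithm of a
    SAML 2.0 protocol message (AuthnRequest or Response). Missing elements
    come back as None, e.g. an AuthnRequest has no Status element."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest = root.find(
        "ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return {
        "status_code": status.get("Value") if status is not None else None,
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
        "digest_algorithm": digest.get("Algorithm") if digest is not None else None,
    }


def redirect_binding_sig_alg(url):
    """HTTP-Redirect binding: the algorithm is the SigAlg query parameter,
    the deflated SAMLRequest itself carries no ds:Signature element."""
    return parse_qs(urlparse(url).query).get("SigAlg", [None])[0]


def check_signature_algorithm(actual, expected=RSA_SHA256):
    """Same rule the IdP applies: the message must be signed with exactly the
    configured algorithm; anything else is reported rather than accepted."""
    if actual is None:
        return "unsigned"
    if actual == expected:
        return "ok"
    return "mismatch: signed with {}, expected {}".format(actual, expected)


# Constructed sample: an IdP Response with the symptoms from the KBA
# (Responder status, SHA-256 digest). Signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: an SP AuthnRequest (HTTP-POST binding) still signed
# with RSA-SHA1, which is what the ADFS error in the KBA complains about.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_req1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <saml:Issuer>abap-sp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_req1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""

# Constructed sample: the same request sent over the HTTP-Redirect binding.
SAMPLE_REDIRECT_URL = ("https://adfs.example.test/adfs/ls/?SAMLRequest=fVLBbt"
                       "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
                       "&Signature=AAAA")


if __name__ == "__main__":
    for name, xml in (("Response", SAMPLE_RESPONSE),
                      ("AuthnRequest", SAMPLE_AUTHN_REQUEST)):
        info = inspect_saml_message(xml)
        print(name, info, check_signature_algorithm(info["signature_algorithm"]))
    alg = redirect_binding_sig_alg(SAMPLE_REDIRECT_URL)
    print("Redirect SigAlg", alg, check_signature_algorithm(alg))
```

Run against a message copied out of the Security Diagnostic Tool trace, the script reports the Responder status and the SHA-256 digest on the incoming Response, and a mismatch on the outgoing AuthnRequest signed with RSA-SHA1, which is exactly the pair of observations the KBA lists. Only the algorithm identifiers are compared here; the script does not verify the signature value itself.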



Environment

  • Microsoft Active Directory Federation Services
  • SAP Netweaver AS ABAP 7.02
  • SAP Netweaver AS ABAP 7.30
  • SAP Netweaver AS ABAP 7.31
  • SAP Netweaver AS ABAP 7.40
  • SAP Netweaver AS ABAP 7.50

Product

SAP NetWeaver 7.3; SAP NetWeaver 7.4; SAP NetWeaver 7.5; SAP enhancement package 1 for SAP NetWeaver 7.3; SAP enhancement package 2 for SAP NetWeaver 7.0

Keywords

SAML 2.0, SAML2, ADFS, Responder, status code, digest algorithm, SHA-1, SHA-256, SHA-2, microsoft, SAML, authentication, fails, identity provider, service provider, sp, idp, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, BC-SEC-SSF, Secure Store and Forward, Problem
