SAP Knowledge Base Article - Preview

2464455 - SAML2.0: How to extract IdP signing certificate from SAML 2.0 trace

Symptom

SAML 2.0 is used on NetWeaver ABAP and the signing certificate has changed on the IdP side. As a result, the signature verification of the Response fails with errors like:

  • The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
  • Details: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)
  • Signature validation with the configured primary certificate failed.

The errors are found in the trace collected with the Security Diagnostic Tool.
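A way to check the symptom above from a captured message, as an added example that is not part of the SAP article: it pulls every embedded certificate out of a SAML Response and compares its SHA-256 fingerprint with the certificate the service provider currently trusts. It assumes the Response carries the signer certificate in ds:KeyInfo/ds:X509Certificate; the sample message, the placeholder certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the certificate bodies are placeholder bytes, not real DER.
OLD_CERT = base64.b64encode(b"constructed-old-idp-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-idp-cert").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{NEW_CERT[:16]}
      {NEW_CERT[16:]}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


def extract_certs(response_xml):
    """Return the decoded bytes of every ds:X509Certificate in the message."""
    root = ET.fromstring(response_xml)
    certs = []
    for node in root.iter(DS + "X509Certificate"):
        b64 = "".join((node.text or "").split())  # traces often wrap the base64
        certs.append(base64.b64decode(b64, validate=True))
    return certs


def fingerprint(der):
    """SHA-256 fingerprint as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    """Wrap certificate bytes as PEM so they can be saved to a .cer/.pem file."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def matches_configured(response_xml, configured_der):
    """True if any embedded certificate equals the one the SP trusts."""
    want = fingerprint(configured_der)
    return any(fingerprint(c) == want for c in extract_certs(response_xml))
```

A certificate taken from a message is only a candidate: confirm its fingerprint with the IdP administrator through a separate channel before trusting it for signature verification.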



            



Environment

  • SAP enhancement package 2 for SAP NetWeaver 7.0
  • SAP NetWeaver 7.3
  • SAP enhancement package 1 for SAP NetWeaver 7.3
  • SAP NetWeaver 7.4
  • SAP NetWeaver 7.5 and higher

Product

SAP NetWeaver 7.1 ; SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5 ; SAP enhancement package 1 for SAP NetWeaver 7.3 ; SAP enhancement package 2 for SAP NetWeaver 7.0

Keywords

SAML 2.0, renew certificate, verify signature, trusted provider, primary signing certificate, secondary signing certificate, SSFW_KRN_VERIFY, The validation of message 'Response' failed, X.509 certificate, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, How To
