SAP Knowledge Base Article - Preview

2673983 - SAML Fails with a "status:Responder" Error

Symptom

You have configured SAML between your AS Java, acting as Service Provider, and your Identity Provider, but the logon fails. You reproduced the issue while running a Security Troubleshooting Wizard trace, and the failed logon procedure shows the error below:

LOGIN.FAILED
User: N/A
IP Address: xxx.xxx.xxx.xx
Authentication Stack: xxxxx
Authentication Stack Properties:
        policy_domain = xxxxx
        realm_name = xxxxx

Login Module                                                                                    Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
2. com.sap.security.saml2.sp.SAML2LoginModule                                  OPTIONAL    ok          exception             true       Rejected signed Response 
                                                                                                                                    Reason: Error SAML2Response received.
                                                                                                                                      ID: xxxxxxxxxx
                                                                                                                                      Issuer: "IDP URL....."
                                                                                                                                      Destination: "SP URL....."
                                                                                                                                      In Response To: xxxxx
                                                                                                                                      Issue Instant: "Time and Date"
                                                                                                                                      Top Level Status Code: urn:oasis:names:tc:SAML:2.0:status:Responder
                                                                                                                                      Second Level Status Code:
                                                                                                                                      Status Message:
                                                                                                                                      Consent: urn:oasis:names:tc:SAML:2.0:consent:unspecified
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      
No logon policy was applied
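
Added example, not part of the SAP article: the trace lists only the status fields of the rejected Response, so the same fields can be read from a captured SAMLResponse form value to confirm that the IdP itself returned status:Responder with no second-level code or message. It assumes the HTTP-POST binding (plain base64); saml_status, TOP_LEVEL_HINT and the sample message are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Meaning of the top-level status codes defined by the SAML 2.0 Core spec.
TOP_LEVEL_HINT = {
    "Success": "the request succeeded",
    "Requester": "error on the part of the requester (the SP here)",
    "Responder": "error on the part of the responder (the IdP here)",
    "VersionMismatch": "the SAML version of the request was not accepted",
}


def saml_status(saml_response_b64):
    """Return the status fields of a POST-binding SAMLResponse (diagnostic only,
    no signature or condition checks)."""
    xml = base64.b64decode(saml_response_b64, validate=True)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message, refusing to parse")
    root = ET.fromstring(xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        raise ValueError("no samlp:StatusCode in message")
    second = top.find("samlp:StatusCode", NS)   # nested, optional
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    top_value = top.get("Value", "")
    return {
        "in_response_to": root.get("InResponseTo"),
        "top_level": top_value,
        "second_level": second.get("Value") if second is not None else None,
        "message": msg.text if msg is not None else None,
        "hint": TOP_LEVEL_HINT.get(top_value.rsplit(":", 1)[-1], "unrecognised status code"),
    }


# Constructed sample: an error Response shaped like the one in the trace above
# (Responder at the top level, no second-level code, no status message).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" InResponseTo="_constructed0" Version="2.0">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>'
    '</samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for key, value in saml_status(SAMPLE_B64).items():
        print(f"{key}: {value}")
```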



Environment

  • Release Independent
  • SAP NetWeaver

Product

SAP NetWeaver all versions

Keywords

SAML2 Responder, status:Responder, Reason: Error SAML2Response received, Rejected signed Response, SAML2 SSO, Fail, Troubleshooting Wizard Trace, KBA, BC-JAS-SEC-LGN, Logon, SSO, BC-JAS-SEC-SML, JAVA SAML 1.1 and 2.0, Problem
