SAP Knowledge Base Article - Preview

2758293 - IAS proxy scenario: Logon fails due to error "Certificate used to validate the signature cannot be null"

Symptom

When Identity Authentication acts as a proxy to delegate authentication to a corporate identity provider, logon fails and the following entries appear in the Troubleshooting Logs:

"POST /saml2/idp/acs/<TenantID>.accounts.ondemand.com HTTP/1.1" 200

severity=INFO, location=umtrace, crtAccount=<TenantID>, authenticatedSubject="anonymous", state=failed, action=authenticate, objectType=user, authenticationMethod=saml2Assertion, category=audit.configuration, correlationId

#ERROR#com.sap.security.saml2.idp.endpoints.sso.ACSEndpoint##<TenantID>#anonymous#http-bio-127.0.0.1-8080-exec-5#na#N/A#N/A#N/A#Authentication error.SAML2Response signature verification failed. Caused by: Certificate used to validate the signature cannot be null

However, the SAML response is successful:

<...>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
<...>
<dsig:X509Certificate><...></dsig:X509Certificate><...><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
<...>



Environment

  • Identity Authentication

Product

SAP Cloud Identity Services all versions

Keywords

500 Internal Server error, Internal server error, HTTP 500, IAS Tenant, KBA, BC-IAM-IDS, Identity Authentication Service, Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).
