SAP Knowledge Base Article - Preview

2865450 - 401 – Unauthorized when using SAML SSO functionality on backoffice with Azure AD as IDP

Symptom

Using the 'Login with Single Sign On' option in the backoffice allows a user to log in for the first time after authenticating through the Identity Provider (IDP), and for some time thereafter without needing to re-authenticate.

When Azure Active Directory (Azure AD) is used as the IDP, the user is met with a 401 - Unauthorized error when accessing the backoffice in the same way after 2 hours.


If Dynatrace is used as the monitoring tool, the error can be found in the PurePaths of the matching request:

Exception:
org.springframework.security.authentication.CredentialsExpiredException
Message:
Authentication statement is too old to be used with value 2000-01-01T00:00:00.000Z
Stacktrace:
org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538)
org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306)
org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
...
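The freshness check that throws the CredentialsExpiredException above, reproduced here as an added Python example (not code from this KBA, from SAP Commerce or from Spring SAML): it applies the defaults of Spring SAML's WebSSOProfileConsumerImpl, maxAuthenticationAge of 7200 seconds and responseSkew of 60 seconds, to a constructed response whose Assertion IssueInstant is fresh but whose AuthnStatement AuthnInstant still dates from the user's original sign-in. The sample XML, its timestamps, the issuer URL and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Defaults of Spring SAML's WebSSOProfileConsumerImpl: maxAuthenticationAge (seconds)
# is the 2-hour window behind the symptom; responseSkew allows for clock drift.
MAX_AUTHENTICATION_AGE = 7200
RESPONSE_SKEW = 60
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real Azure AD response): the assertion itself is fresh,
# but the AuthnStatement still carries the AuthnInstant of the user's original sign-in.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:30:00.000Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:30:00.000Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00.000Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse an xsd:dateTime in the UTC 'Z' form SAML timestamps use."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def verify_authentication_statement(xml_text, now, max_age=MAX_AUTHENTICATION_AGE,
                                    skew=RESPONSE_SKEW):
    """Freshness rule of WebSSOProfileConsumerImpl.verifyAuthenticationStatement,
    returning a dict instead of raising CredentialsExpiredException."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    statement = assertion.find("saml:AuthnStatement", NS)
    issue_instant = parse_instant(assertion.get("IssueInstant"))
    authn_instant = parse_instant(statement.get("AuthnInstant"))
    # Spring SAML accepts AuthnInstant only inside (now - skew - max_age, now + skew),
    # so a freshly issued assertion is still rejected when its AuthnInstant is stale.
    lower = now - timedelta(seconds=skew + max_age)
    upper = now + timedelta(seconds=skew)
    accepted = lower < authn_instant < upper
    return {
        "accepted": accepted,
        "issue_age_s": int((now - issue_instant).total_seconds()),
        "authn_age_s": int((now - authn_instant).total_seconds()),
        "message": None if accepted else
        "Authentication statement is too old to be used with value "
        + statement.get("AuthnInstant"),
    }
```

Running the check against the sample 30 seconds after issuance shows the assertion is only 30 seconds old while the authentication statement is 9030 seconds old, which is what the log message reports.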

If Dynatrace is not used, the same error can be found by enabling debug-level logging for the SAML-related classes:

log4j2.logger.springsaml.name=org.springframework.security.saml
log4j2.logger.springsaml.level=DEBUG
log4j2.logger.springsaml.appenderRef.stdout.ref=STDOUT

log4j2.logger.opensaml.name=org.opensaml
log4j2.logger.opensaml.level=DEBUG
log4j2.logger.opensaml.appenderRef.stdout.ref=STDOUT

log4j2.logger.samlsinglesignon.name=de.hybris.platform.samlsinglesignon
log4j2.logger.samlsinglesignon.level=DEBUG
log4j2.logger.samlsinglesignon.appenderRef.stdout.ref=STDOUT

log4j2.logger.samlutil.name=org.springframework.security.saml.util.SAMLUtil
log4j2.logger.samlutil.level=DEBUG
log4j2.logger.samlutil.appenderRef.stdout.ref=STDOUT

log4j2.logger.SAMLProcessingFilter.name=org.springframework.security.saml.SAMLProcessingFilter
log4j2.logger.SAMLProcessingFilter.level=DEBUG
log4j2.logger.SAMLProcessingFilter.appenderRef.stdout.ref=STDOUT


Environment

The issue requires the use of Spring SAML and was only observed when Azure AD was used as the IDP, although it could potentially happen with other IDPs.

Product

SAP Commerce 1811 ; SAP Commerce 1905 ; SAP Hybris Commerce 1808 ; SAP Hybris Commerce 6.0 ; SAP Hybris Commerce 6.1 ; SAP Hybris Commerce 6.2 ; SAP Hybris Commerce 6.3 ; SAP Hybris Commerce 6.4 ; SAP Hybris Commerce 6.5 ; SAP Hybris Commerce 6.6 ; SAP Hybris Commerce 6.7

Keywords

  • samlsinglesignon
  • /samlsinglesignon/saml
  • SAMLResponse
  • JSESSIONID
  • sign on
  • IssueInstant
  • Authentication Instant
KBA, CEC-COM-ADM-BO, Backoffice, CEC-COM-CPS, SAP Commerce, Problem
