3081298 - "HTTP ERROR 500 javax.servlet.ServletException: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string" when creating Live Data Connection to Universe using SAML SSO Authentication in SAP Analytics Cloud (SAC)

• Live Data Connection to Universe using Password Authentication is succesfully established
• However, Live Data Connection to Universe using SAML Authentication fails with the following error:
• GetServerInfo URL (https://<HOST>:<PORT>/sap/boc/ina/GetServerInfo ) also fails when SAML Authentication is configured

HTTP ERROR 500 javax.servlet.ServletException: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string

URI: /sap/boc/ina/cors/auth.html
STATUS: 500
MESSAGE: javax.servlet.ServletException: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string
SERVLET: LDC SAML Auth.html
CAUSED BY: javax.servlet.ServletException: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string
CAUSED BY: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string
CAUSED BY: org.opensaml.xml.security.SecurityException: Error during signature generation
CAUSED BY: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size

Caused by:

javax.servlet.ServletException: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:163)
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:203)
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:177)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:133)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at com.sap.csina.cloud.servlet.InA_LogFilter.doFilter(InA_LogFilter.java:66)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
at java.lang.Thread.run(Thread.java:836)
Caused by: org.opensaml.ws.message.encoder.MessageEncodingException: Unable to sign URL query string
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.generateSignature(HTTPRedirectDeflateEncoder.java:254)
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.buildRedirectURL(HTTPRedirectDeflateEncoder.java:193)
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.doEncode(HTTPRedirectDeflateEncoder.java:104)
at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:224)
at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:192)
at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:148)
at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:107)
at org.springframework.security.saml.SAMLEntryPoint.initializeSSO(SAMLEntryPoint.java:225)
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:152)
... 70 more
Caused by: org.opensaml.xml.security.SecurityException: Error during signature generation
at org.opensaml.xml.security.SigningUtil.sign(SigningUtil.java:127)
at org.opensaml.xml.security.SigningUtil.sign(SigningUtil.java:94)
at org.opensaml.xml.security.SigningUtil.signWithURI(SigningUtil.java:65)
at org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.generateSignature(HTTPRedirectDeflateEncoder.java:248)
... 79 more

• SAP Analytics Cloud 2021
• LDC (Live Data Connection) to SAP Universe and WEBI Document version 3.x
• SAP BI Platform 4.2 / 4.3

1. Configure Live Data Connection to Universe using SAML Authentication as per Product Guide
2. Ensure SAML related configuration (including saml.signaturealgorithm ) is correctly maintained in ldc.properties file
3. LDC Connection fails.

This occurs when there is an issue with the java keystore.  Default key size in java keytool application has been increased from 1024 bits to 2048 bits, which is incompatible with the DSA algorithm in the SAML Authentication.

• 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
• Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
• 2487011 - What information do I need to provide when opening an incident for SAP Analytics Cloud?
• 2511489 - Troubleshooting performance issues in SAP Analytics Cloud
• Search for SAP Analytics Cloud content using Google or Bing:
• https://www.google.ca/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• Note: Add relevant text or warning/error messages to the text search field to filter results.
• SAP Analytics Cloud > Learning > Data Connections
• SAP Analytics Cloud > Learning > Guided Playlists
• SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
• Need More Help? Contact Support or visit the solution finder today!

Your feedback is important to help us improve our knowledge base.

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped , KBA , LOD-ANA-LDC-UNV , SAC Live Data Connection Universe , LOD-ANA-LDC , SAC Live Data Connection , Problem