SAP Knowledge Base Article - Public

3101530 - Internal Error During SAML2 Processing


You are unable to log in via Single Sign-On (SSO). The following messages are displayed:

  • The validation of message 'Response' failed. 
  • Error in ST program SAML2_ASSERTION when importing XML data.
  • Diagnosis Signer/Recipient certificate is expired or not yet valid.


  • SAP Cloud for Customer
  • SAP Business ByDesign


The system fails to verify the signature of the received XML message with the configured primary certificate. Your signature certificate has expired.


Please contact your IDP team to renew the certificate. The configuration on the IDP side should be checked thoroughly. It is necessary to import the certificate that the Identity Provider used to sign the XML message (SAML Response). The procedure is described in Trusting an Identity Provider.

Contact your IDP vendor for support in acquiring the correct certificate that signs its assertions.

Replacement signing certificates (and also encryption certificates) can be manually imported via transaction SAML2 -> Trusted Providers -> choose the Identity Provider -> Signature and Encryption tab -> Edit mode -> choose the Browse option to upload the valid certificate.

If the certificate is imported, make sure that 'Certificate Block Management' is not active for the SAML profile.

This can be checked in transaction STRUST -> menu Environment -> Manage Certificate Blocking.
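
A check that can be run on the replacement certificate before uploading it, as an added example that is not part of the SAP article: it extracts the first certificate from an IdP metadata file and reports its validity window with the openssl CLI. The function names, file names and the generated sample certificate (`idp.example.test`) are constructed for illustration, and taking the first certificate in the metadata as the signing certificate is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not SAP code): inspect the IdP signing certificate before
# uploading it under SAML2 -> Trusted Providers -> Signature and Encryption.

# Extract the first <X509Certificate> from IdP metadata and emit it as PEM.
# Assumption: the first certificate in the file is the signing certificate.
metadata_cert_to_pem() {
  local b64
  b64=$(tr -d ' \t\r\n' < "$1" |
        grep -o '<[^>/]*X509Certificate[^>]*>[^<]*' | head -n 1 |
        sed 's/^<[^>]*>//')
  [ -n "$b64" ] || return 1
  echo '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$b64" | fold -w 64
  echo '-----END CERTIFICATE-----'
}

# Print subject and validity window. Return 0 if the certificate is still
# valid in $2 days (default 30), 1 if already expired, 3 if it expires sooner,
# 2 if the file cannot be parsed. -checkend tests notAfter only; compare the
# printed notBefore with the system clock for the "not yet valid" case.
check_signing_cert() {
  local pem="$1" days="${2:-30}"
  openssl x509 -in "$pem" -noout -subject -startdate -enddate || return 2
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
    { echo "EXPIRED: request a renewed certificate from the IdP team"; return 1; }
  openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null ||
    { echo "WARNING: expires within $days days"; return 3; }
  echo "OK: valid for more than $days days"
}

# Constructed sample input: a throwaway self-signed certificate (10 days)
# wrapped in minimal metadata-like XML. idp.example.test is a placeholder.
make_sample_metadata() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj '/CN=idp.example.test' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
  { echo '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    grep -v -e '-----' "$1/cert.pem"
    echo '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
  } > "$1/idp-metadata.xml"
}

demo_dir=$(mktemp -d)
make_sample_metadata "$demo_dir" &&
  metadata_cert_to_pem "$demo_dir/idp-metadata.xml" > "$demo_dir/idp-signing.pem" &&
  check_signing_cert "$demo_dir/idp-signing.pem" 5
```

For a real check, point `metadata_cert_to_pem` at the metadata file supplied by the IdP team, or pass a PEM certificate file directly to `check_signing_cert`.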

Certificate expired, SSO, Single Sign On, SAML2_ASSERTION, KBA, LOD-CRM-SEC, Security Topics, SRD-CC-SEC, Security, How To


SAP Cloud for Customer add-ins all versions; SAP Cloud for Customer core applications all versions