Symptom
You are unable to login via Single Sign On (SSO). The following messages are displayed:
- The validation of message 'Response' failed.
- Error in ST program SAML2_ASSERTION when importing XML data.
- Diagnosis Signer/Recipient certificate is expired or not yet valid.
Environment
- SAP Cloud for Customer
Cause
System fails to verify the signature of the received XML message with the primary certificate configured. Your signature certificate has expired.
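The failure above is caught late, at the moment a user tries to log in. A cheaper place to catch it is before that: read the signing certificate the IdP embeds in its SAML Response (or metadata) and compare its validity window against the current time, so an approaching expiry raises a ticket instead of an SSO outage. The script below is an added example and is not SAP's code or part of the SAML2 transaction; it uses only the Python standard library, so it walks the DER structure itself just far enough to reach the certificate's Validity field. The SAML Response and the certificate inside it are constructed for the demonstration (the certificate is an unsigned, certificate-shaped blob, not a real IdP certificate), and the 30-day warning threshold is an assumption.

```python
"""Check the validity window of the X.509 certificate carried in a SAML
Response's <ds:KeyInfo>. Added example, standard library only."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
UTC = dt.timezone.utc


def der_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (0x8n + n bytes)
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(seq_body: bytes):
    """Yield (tag, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = der_tlv(seq_body, pos)
        yield tag, value


def parse_time(tag: int, value: bytes) -> dt.datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert_body, _ = der_tlv(der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body, 0)       # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, ...
    validity = fields[3][1]
    (t1, v1), (t2, v2) = list(der_children(validity))
    return parse_time(t1, v1), parse_time(t2, v2)


def signing_cert_from_response(xml_text: str) -> bytes:
    """Extract the base64 ds:X509Certificate from a SAML Response's KeyInfo."""
    el = ET.fromstring(xml_text).find(f".//{{{DS_NS}}}X509Certificate")
    if el is None or not el.text:
        raise ValueError("no ds:X509Certificate in KeyInfo")
    return base64.b64decode("".join(el.text.split()))


def check_signing_cert(xml_text: str, now=None, warn_days: int = 30) -> str:
    """Classify the embedded signing certificate against the current time."""
    now = now or dt.datetime.now(UTC)
    not_before, not_after = cert_validity(signing_cert_from_response(xml_text))
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    if not_after - now < dt.timedelta(days=warn_days):   # assumed threshold
        return "expiring soon"
    return "valid"


# --- constructed sample data (not a real certificate or IdP response) ---
def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder for building the sample blob."""
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def constructed_cert(not_before: str, not_after: str) -> bytes:
    """Unsigned, certificate-shaped DER with only the fields the parser walks."""
    tbs = tlv(0x30, b"".join([
        tlv(0xA0, tlv(0x02, b"\x02")),                      # [0] version v3
        tlv(0x02, b"\x01"),                                 # serialNumber
        tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        tlv(0x30, b""),                                     # issuer (empty Name)
        tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode())),
    ]))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def sample_response(not_before: str, not_after: str) -> str:
    """SAML Response skeleton carrying the constructed certificate in KeyInfo."""
    cert_b64 = base64.b64encode(constructed_cert(not_before, not_after)).decode()
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" ID="_constructed">'
            f"<ds:Signature><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>")


if __name__ == "__main__":
    resp = sample_response("200101000000Z", "230101000000Z")
    print(cert_validity(signing_cert_from_response(resp)))
    print(check_signing_cert(resp, now=dt.datetime(2024, 6, 1, tzinfo=UTC)))
```

In practice the input would be a captured SAML Response or the IdP's metadata file rather than the constructed sample, and "expiring soon" is the state worth alerting on: it gives the IDP team time to issue the replacement certificate and for it to be imported under Trusted Providers before the old one lapses.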
Resolution
Please contact your IDP team to renew the certificate. The configuration on the IDP side should be checked thoroughly. It is necessary to import the certificate that was used to sign the XML message (the SAML Response) from the Identity Provider. The procedure is described in Trusting an Identity Provider.
Contact your IDP vendor for support in acquiring the correct certificate that signs its assertions.
Replacement signing certificates (and also encryption certificates) can be manually imported via transaction SAML2 -> Trusted Providers -> choose the Identity Provider -> Signature and Encryption tab -> Edit mode -> choose the Browse option to upload the valid certificate.
Once the certificate is imported, make sure that 'Certificate Block Management' is not active for the SAML profile.
This can be checked in transaction STRUST -> menu Environment -> Manage Certificate Blocking.
Keywords
Certificate expired, SSO, Single Sign On, SAML2_ASSERTION, KBA, idp team, internal error during saml2 processing, sso error, LOD-CRM-SEC, Security Topics, How To