3101530 - Internal Error During SAML2 Processing

You are unable to login via Single Sign On (SSO). The following messages are displayed:

• The validation of message 'Response' failed. 
• Error in ST program SAML2_ASSERTION when importing XML data.
• Diagnosis Signer/Recipient certificate is expired or not yet valid.

• SAP Cloud for Customer

System fails to verify the signature of the received XML message with the primary certificate configured. Your signature certificate has expired.

Please contact your IDP Team to renew the certificate.Configuration at the IDP side should be checked thoroughly. It is necessary to import the certificate that was used to sign the XML message (SAML Response) from the Identity Provider. The procedure is described in Trusting an Identity Provider.

Contact your IDP vendor for support in acquiring the correct certificate that signs its assertions.

Replacement signing certificates (and also encryption certificates) can be manually imported via transaction SAML2 -> Trusted Providers -> Choose the Identity Provider -> Signature and Encryption tab -> Edit mode ->choose Browse option to upload the valid certificate.

If the certificate is imported, make sure that 'Certificate Block Management' is not active for SAML profile.

It can be checked in transaction STRUST -> menu Environment -> Manage Certificate Blocking.

• Trusting an Identity Provider
• Security Diagnostic tool
• Configure Your Solution for Single Sign-On
• KBA 2464455 - SAML2.0: How to extract IdP signing certificate from SAML 2.0 trace
• KBA 2437217 - SAML2.0: Signature validation with the configured primary certificate failed

Certificate expired, SSO, Single Sign On, SAML2_ASSERTION , KBA , internal error during saml2 processing , idp team , sso error , LOD-CRM-SEC , Security Topics , How To

SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions