SAP Knowledge Base Article - Preview

3214620 - SAML SSO is failing with email address and generic error messages


  • The failures and error messages may vary depending on which settings have been added, BI versions, authentication method, and which settings are required
  • Failure to include the correct settings resulted in the following errors in the web/app tracing from KBA 1613472

LogonComponentRenderer getExternalSession  :   ISingleSignOn List is :  [com.businessobjects.bip.core.web.internal.logon.sso.TrustedAuthSession@4f473df1]
logon(): trusted user=SAMLUSER@EXAMPLE.COM,cms=cmsname:6400
logon(): user=SAMLUSER@EXAMPLE.COM,aps=cmsname:6400,auth=secEnterprise,isCMSSpecific=false,with logon info.
userLogon(): user=SAMLUSER@EXAMPLE.COM,aps=cmsname:6400,auth=secEnterprise,cluster=cmsname:6400,socketsURI=
LogonService(): aps=cmsname:6400
doUserLogon(): aps=cmsnameFQDN:6400
invoke(): irrecoverable exception (0/5)
doUserLogon(): failed to logon, logonCred=user:SAMLUSER@EXAMPLE.COM,method:password,auth=secEnterprise,aps=cmsnameFQDN:6400
com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)

  • Other errors observed that are not verified to be related but possible from the springSAML logs in KBA 2634421

BaseSignatureTrustEngine:102 - Attempting to establish trust of KeyInfo-derived credential
ExplicitKeyTrustEvaluator:95 - Failed to validate untrusted credential against trusted key
ExplicitKeyTrustEvaluator:95 - Failed to validate untrusted credential against trusted key
BaseSignatureTrustEngine:107 - Failed to establish trust of KeyInfo-derived credential
BaseSignatureTrustEngine:115 - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
BaseSignatureTrustEngine:144 - Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature



  • SAP BusinessObjects Business Intelligence Platform 4.3 Sp2 
  • This solution is valid for other versions as well


KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.