SAP Knowledge Base Article - Preview

3553529 - Failed to create SAML error response Configuration for trusted SP [null] does not exist

Symptom

  • SSO for SuccessFactors.
  • Identity Authentication acts as a proxy to delegate the authentication to OKTA as corporate identity provider
  • In SP-initiated scenario, after redirect to IAS from OKTA, the following error occurs:
    • Identity provider cannot process the response due to wrong configuration. Please contact your system administrator. 
  • The following errors in Troubleshooting log are visible:
    • "Failed to forward to error page. Cannot forward after response has been committed Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
      "Failed to send response. response parameter is null. Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
      "Failed to forward to error page. Cannot forward after response has been committed Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
      "Failed to create SAML error response Configuration for trusted SP [null] does not exist. Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
      "Failed to read error response. Invalid SAML response: null Correlation ID: "XXXXXX-XXX-XXXX-XXXXXXXXXX "

  • In IAS admin console, the "Assertion Consumer Service Endpoints" of "SAML 2.0 Configuration" in tenant settings is "https://<tenantid>.accounts.ondemand.com/saml2/idp/acs/<tenantid>.accounts.ondemand.com" and in OKTA, the "Single Sign On URL" is the same value

  • In the SAML trace the destination below is visible where the issuer is the SP:
    • Destination="https://<tenantid>.accounts.cloud.sap/saml2/idp/sso/<tenantid>.accounts.ondemand.com"
    • <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.successfactors.com/<mycopnaycode></saml2:Issuer>


Read more...

Environment

  • SAP Cloud Identity Services - Identity Authentication (IAS)
  • OKTA Identity Provider

Product

SAP Cloud Identity Services all versions ; SAP SuccessFactors Platform all versions

Keywords

IAS, OKTA, Common Super Domain, Identity Authentication, error, fail, Requestable SSO URLs , KBA , BC-IAM-IDS , Identity Authentication Service , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.