Troubleshooting Issues when implementing SAML SSO in HANA XS Engine
When implementing SAML SSO in the HANA XS engine, I searched for a standard SAP installation guide. It seemed to me that no official SAML installation guide was available at the time of writing this blog. However, I had access to this beautiful blog on SCN, http://scn.sap.com/docs/DOC-50418, and the installation guide How to configure SAP Crypto libraries and SSL for HANA XS Engine.pdf, which guides you through the SAML installation steps. During the implementation we faced various challenges that prompted me to write this blog on troubleshooting this topic. Highlights of a few of the issues are given below:
Issue Enabling SSL in HANA XS Engine:
Caution to the readers: in an actual development landscape you should NEVER use the SSL Evaluation Certificate from the SAP Service Marketplace. That certificate is only to be used for demo purposes. You should always request the customer to provide the necessary certificate for signing and import (for example SAPSSL.cer).
If the certificate provided by the customer has a root certificate and an intermediate certificate associated with it, those also need to be added to the PSE (for example SAPSSL.pse).
Also, copying the signed certificate from the Windows to the Linux file system can be a problem because the two systems interpret carriage return and line feed differently. Best is to paste the content of the certificate directly on the Linux system using the vi editor. You may have to try this step a few times before the certificate is actually created successfully.
Google Chrome Issue: This webpage has a redirect loop.
This issue is caused when the Service Provider (HANA) redirects the request to ADFS and ADFS is unable to determine where to redirect the response back to, which ends in an infinite redirect loop in the browser. The fix is to create the correct SP entry in ADFS so that it redirects the response back to the Service Provider (HANA). Be careful with the entries made: they must match the URL of the SP exactly. Otherwise it will also lead to the next issue.
Unable to verify XML signature(StatusCode:, StatusMessage)
There are various reasons for getting this error message:
On ADFS Side:
- Missing Name ID format "Unspecified" parameter in the Issuance Transform Rule.
- SHA-1 is not configured as the hash algorithm in its properties (the default is SHA-256).
- The Relying Party identifier has multiple entries, or an incorrect entry that does not match the entityID in the SP metadata. Make sure that every single character matches the SP metadata.
On HANA Side:
- In HANA XS Admin, when creating the identity provider, if you get an error at the Subject saying it is invalid due to a special character (a hyphen), it is due to a bug in the older XS engine release 7.X. This bug is fixed in the new release. If an upgrade is not an option, you can also create the IDP entry from the SQL editor as follows:
-- Identity provider entry created from the SQL console instead of XS Admin
CREATE SAML PROVIDER ADFS WITH
SUBJECT '<YOUR ADFS SIGNING CERT SUBJECT>'
-- issuer DN of the ADFS signing certificate (equal to its subject DN when the certificate is self-signed)
ISSUER '<YOUR ADFS SIGNING CERT ISSUER>';
-- HTTP destination for the ADFS host over HTTPS (port 443); '' are empty string columns
insert into _SYS_XS.HTTP_DESTINATIONS values('sap.hana.xs.samlProviders', 'ADFS', 'desc', '<YOUR ADFS HOST NAME>', 443, '', 0, '', 0, 0, 1, -1, '', '');
-- one row per combination of the two flag columns, all pointing at the ADFS /adfs/ls endpoint
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('ADFS', 0, 0, 'sap.hana.xs.samlProviders', 'ADFS', '/adfs/ls');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('ADFS', 0, 1, 'sap.hana.xs.samlProviders', 'ADFS', '/adfs/ls');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('ADFS', 1, 0, 'sap.hana.xs.samlProviders', 'ADFS', '/adfs/ls');
insert into _SYS_XS.SAML_PROVIDER_CONFIG values('ADFS', 1, 1, 'sap.hana.xs.samlProviders', 'ADFS', '/adfs/ls');
- Another cause could be a mismatch between the IDP Subject and the certificate. In my case, I uploaded a certificate for SSO with a Subject having SP=xxxxx, whereas the subject line in the XS Admin IDP metadata had ST=xxxxx. Since this did not match either, we got this error.
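As an added example (not code from the original blog or from SAP), the following Python script pre-checks three of the mismatches described above before you touch ADFS or XS Admin: carriage returns left in a certificate copied from Windows, a subject DN in the IDP entry that differs from the signing certificate (such as SP= versus ST=), and a Relying Party identifier that does not match the SP metadata entityID character for character. The host name, DNs and metadata in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (placeholder host); HANA XS generates the real one.
SAMPLE_SP_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" '
    'entityID="https://hana.example.com:4300/sap/hana/xs/saml/sp"/>' % MD_NS
)


def strip_crlf(pem: bytes) -> bytes:
    """Drop the carriage returns a certificate picks up when copied from Windows."""
    return pem.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def parse_dn(dn: str) -> dict:
    """Split 'CN=a, ST=b, C=c' into {'CN': 'a', 'ST': 'b', 'C': 'c'}."""
    parts = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip().upper()] = value.strip()
    return parts


def dn_mismatches(cert_subject: str, configured_subject: str) -> list:
    """Attribute types that differ between the signing certificate and the IDP entry."""
    cert, conf = parse_dn(cert_subject), parse_dn(configured_subject)
    return sorted(k for k in set(cert) | set(conf) if cert.get(k) != conf.get(k))


def sp_entity_id(metadata_xml: str) -> str:
    """entityID from the root EntityDescriptor of the SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not SAML 2.0 metadata: root element is %s" % root.tag)
    return root.attrib["entityID"]


def identifier_matches(metadata_xml: str, relying_party_id: str) -> bool:
    """Exact, case-sensitive match; even a trailing slash counts as a mismatch."""
    return sp_entity_id(metadata_xml) == relying_party_id


if __name__ == "__main__":
    pem = b"-----BEGIN CERTIFICATE-----\r\nMIIBsample\r\n-----END CERTIFICATE-----\r\n"
    print(strip_crlf(pem).count(b"\r"))  # 0
    print(dn_mismatches("CN=adfs, SP=Texas, C=US", "CN=adfs, ST=Texas, C=US"))  # ['SP', 'ST']
    print(identifier_matches(SAMPLE_SP_METADATA, "https://hana.example.com:4300/sap/hana/xs/saml/sp/"))  # False
```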
SAML Logout Issue:
If you have implemented the SAML logout code as mentioned in the blog with logout.xscfunc and are still unable to log off, do an HTTP trace to find out whether the logout request reaches the ADFS system. If the request reaches ADFS and you are still not logged off, the endpoint is probably not configured properly in ADFS. Check the Logout URL in the SAML Logout Endpoint. Also check the Single Logout Redirect and Post settings in the HANA XS Admin IDP setup.
Error in Google Chrome: Assertion did not contain a valid MessageID.
As given in the blog, if you face this issue, create the SAML parameter assertion_timeout and set its value to 30.