SAP Disclosure Management SAML issues: troubleshooting approach for SSO/SAML 2.0 configuration across EP+BPC+DM.
Points to consider during troubleshooting:
- Because DM is a .NET-based application, any change to the .NET version introduced by monthly MS Windows patching needs to be revisited and an impact assessment done beforehand, unless the change is SAP supported. Before every monthly patch cycle, review the MS patching sheet for Elevation of Privilege items affecting the .NET version used by DM to see if there is any impact.
- Always ensure SAML Authentication is set to “Yes” in the web.config file for access to DM via the web.
- Ensure NTP time synchronization is up to date and successful across all the servers and SAP systems (commands to verify as an administrator user: w32tm /resync, w32tm /query /source, w32tm /query /peers). For Linux HANA DB servers, check and update the time using the yast and date commands.
- All relevant certificates must be updated across all the servers and SAP systems (check in the MMC snap-in at OS level and in t-code STRUST in the SAP system).
- Try both the Yes and No options under Administration -> System Configuration -> Misc -> Enable “SOAP SSL Certificate” and test the scenarios in case any SAML issue is being reported.
- Bi-directional access on ports 443, 447 and 2605 between the web tier and the DM app tier is mandatory for any DM operations (nslookup and ping tests required).
- DM add-ins, the DM client, MS Office and the browser must always be compliant with the DM App Server version; this is mandatory for any DM-specific operations. Include checks in regedit if required.
- Always triple-check that DM configurations are maintained using the Fully Qualified Domain Name, and revisit all the host entries in the /etc/hosts file.
- On the DM App Server, check IIS Application Pools -> SAP Disclosure Management -> Process Model -> Application Pool Identity and update the account if there has been any password change.
- For any issue under investigation, config20.xml, web.config, bipprotokol.txt, cundus*, winevt logs and payload BW trace files are the first things required for further troubleshooting. This is in addition to the App Server, Trace and Debug logs generated by default for DM.
- For any reported issue, always re-test the scenarios first from the Web Dispatcher and from the DM local/server side to ensure it is not a front-end issue.
The above troubleshooting points can be considered while working on SAP Disclosure Management SAML issues.
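
The time-source, name-resolution, port and OS-level certificate checks from the list above can be run in one read-only pass on a Windows tier; the PowerShell below is an added example, not part of the original note or of SAP tooling. The host names, the 30-day warning window and the use of the LocalMachine\My certificate store are assumptions, and STRUST still has to be checked inside the SAP system.

```powershell
# Added example: read-only pre-flight checks for the DM SAML checklist.
# Host names are placeholders (assumptions); replace them with your own FQDNs.
$Peers    = @('dm-web.example.corp', 'dm-app.example.corp')
$Ports    = 443, 447, 2605      # ports named in the checklist
$WarnDays = 30                  # assumed warning window for certificate expiry

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Target, $Ok, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; OK = $Ok; Detail = $Detail })
}

# 1. Time source. SAML assertions carry validity timestamps, so a host that
#    falls back to its local clock is the first thing to rule out.
$source = (w32tm /query /source 2>&1 | Out-String).Trim()
$timeOk = ($LASTEXITCODE -eq 0) -and ($source -notmatch 'Local CMOS Clock|Free-running')
Add-Finding 'NTP source' $env:COMPUTERNAME $timeOk $source

foreach ($peer in $Peers) {
    # 2. The checklist requires FQDNs: confirm each name resolves.
    $dns = Resolve-DnsName -Name $peer -ErrorAction SilentlyContinue
    $ips = ($dns.IPAddress | Where-Object { $_ }) -join ', '
    Add-Finding 'DNS' $peer ([bool]$dns) $ips

    # 3. TCP reachability on every required port, from this host to the peer.
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $peer -Port $port -WarningAction SilentlyContinue
        Add-Finding 'TCP' "${peer}:$port" $t.TcpTestSucceeded "remote address $($t.RemoteAddress)"
    }
}

# 4. OS-level certificates in the computer account's Personal store
#    (assumed store; adjust the path if your certificates live elsewhere).
$limit = (Get-Date).AddDays($WarnDays)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $limit } |
    ForEach-Object {
        $detail = "expires $($_.NotAfter.ToString('u')), thumbprint $($_.Thumbprint)"
        Add-Finding 'Certificate' $_.Subject $false $detail
    }

# Failed checks sort first ($false before $true).
$findings | Sort-Object OK, Check | Format-Table -AutoSize -Wrap
$failed = @($findings | Where-Object { -not $_.OK }).Count
"{0} of {1} checks failed" -f $failed, $findings.Count
```

Because the port requirement is bi-directional, run the script once on the web tier and once on the DM app tier, each pointing at the other.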