How you can troubleshoot errors in IAS related to SSO and S/4 HANA
In this blog, I’ll delve into how you can troubleshoot errors in SAP IAS related to SSO and S/4 HANA private cloud. As you may know, SAP IAS is a highly competitive product when it comes to integrating SAP SaaS and PaaS solutions with S/4 HANA. Its main focus is on integration, security, compliance, simplicity, and scalability, making it an ideal choice for businesses looking to streamline their operations and ensure data security.
However, even with a reliable product like SAP IAS, errors can still occur, causing frustration and inconvenience for customers. In this blog, I will explain how we can track an error in IAS and strive to resolve it, using a real example from an issue we recently faced. Specifically, I will explore an escalation call with a customer and SI to resolve an error the customer was receiving when trying to log in to their S/4 HANA external Fiori link.
The customer claimed the SSO was configured via IAS and was working before. Recently when their users clicked on the Fiori link (https://fiori-test.contoso.com), after using their email to authenticate (@test.example.com) the SSO is not working anymore.
I will show you how to troubleshoot this error, step by step, to help you understand the process and resolve similar issues that may arise in the future.
Let’s first explain the high-level architecture of our scenario.
As you see in diagram below, S/4 HANA supported by SAP ECS team in Azure ( hyperscaler) and IAS tenant is the SAP Identity Authentication Service was integrated with the customer multiple IdPs .IAS enables this customer to authenticate with their Azure or Google IdPs. The existing integration helps the customer to log on in their Fiori launchpad link (S/4 HANA) via SAML2 protocol without re-entering the user password in S/4 HANA level after the respective IdP authorized the user.
In other words, users used to click on Fiori link then only prompted to log on with their corporate email to Google or Azure and after authentication passed through, they would access to S/4 Fiori or any tiles in their S/4 Fiori dashboard seamlessly:
If you follow numbers in diagram above, you can see when the user from business group B that originated from Google (IdP), clicks on the Fiori link it would be directed to IAS and then redirected to Google IdP ,after the user authorized successfully it has access to SAP Fiori dashboard and can access to S/4 QA tile or any other tiles for SAP SaaS are visible in their dashboard similar to below:
Here is a simple Architecture Diagram for this solution:
Basically, all SAML2s for SaaS applications and S/4 HANA were configured in Applications section of this customer IAS tenant in below section:
Applications & Resources > Applications:
All IdPs for different departments with the respective domain configured in IAS Identity Providers section:
Identity Providers > Corporate Identity Providers:
There are three areas probably we need to check during our troubleshooting to find the main root cause of this issue:
Identity Provider: This is the IAS Identity Provider for Google test domain (@test.examle.com) in our scenario
Application: This is the application in IAS connecting to S/4 HANA (QA1 system) or the customer test system the Fiori link pointing to
S/4 HANA QA system: Check the SAML2 configuration in S/4 HANA (NetWeaver) QA system including a review of the certificate expiration date
The best way to tackle this issue is ,first to download the error logs from IAS and from S/4 system (if there is any) and then upload them to SAP Support Log Assistant self-service Tool to analyze:
Please for further detail about Support Log Assistant, check SAP Note 2990062 or below video:
The Support Log Assistant is a great tool that can help to find the best resolution for your errors and you can upload multiple error log files in to this tool. It is much better than searching on the internet or even asking ChatGPT!
To export error logs from IAS:
Log in to SAP IAS and go to Monitoring & Reporting > Troubleshooting Logs and click on “Download”
To export error logs from NetWeaver ABAP please follow links:
After I uploaded the logs to Support Log Assistant, I was guided to few Notes through this analysis and the main note specifically was relevant to our issue was Note 2698094.
Below you can see the result of Support Log Assistant after analyzed the logs:
As you see, there was a reference to SAP note (2698094) which was more relevant to one of main errors we were facing in IAS:
“Identity Provider could not process the authentication request received due to client error. The digital signature of the received SAML2 message is invalid. Caused by: Unable to validate signature Caused by: Signature length not correct”
Basically, to be in safe side after reviewing the Note, I requested to get a fresh Google test domain certificate from the Google team to redo certificate by importing it in existing IAS google test IdP. After that we should upload the certificate response from S/4 HANA to S/4 QA application in IAS.
In order to do so, we first had to get the existing IAS tenant SAML2 certificate (export) beside the new Google IdP certificate to be able to regenerate a new certificate response from S/4 HANA QA NetWeaver system.
The final step would be to upload the S/4 HANA QA certificate response that reflects both IAS and Google IdP to the QA application in IAS which causing issue for SSO.
By doing steps mentioned above we were able to renew the certificate for all layers involved in this solution to make sure SAMl2 can be established properly again.
Hers is steps I followed to resolve this issue:
Step 1-Renew Google Test (IdP) in IAS:
Log on to the customer IAS tenant and go to Identity Providers > Corporate Identity Providers:
Then navigate to “SAML 2.0 Configuration”, upload the metadata xml file we received from the google team for @test.exampple.com domain by clicking on “Browse” and point to .XML we received from the Google team:
We make sure “Forward All SSO Request to Corporate IdP” is on:
And in “Identity Federation” section use identity Authentication user store:
Step 2-Export IAS tenant certificate:
To export metadata from the IAS tenant. We can navigate to IAS Tenant Settings > SAML 2.0 Configuration:
Click on “Download Metadata File” to get that in XML format:
This export file can be shared with IdP providers like Azure and Google and also will be used to get the final certificate response from S/4 HANA QA system.
Step 3-Upload IAS and Google IdP certs in S/4 HANA QA system via SAML2 tcode:
Log on to QA1 system in S/4 HANA and run tcode SAML2 then navigate to “Trusted Provider” tab and upload two certificates from IAS and IdP:
Generate the response certificate from S/4 HANA:
In QA1 system in S/4 HANA run tcode SAML2 then go to “Local Provider” tab and export metadata:
Make sure , check mark all three options before click on “Download Metadata” then save the file as QA1.xml which will be used to upload in the QA1 in IAS applications section.
Step 4-Upload the S/4 HANA combined certificate to QA system in IAS Application:
Log on to IAS and go to “Applications” section and click on QA1-100:
Click on “SAML2.0 Configuration” then upload the XML meta data (QA1.xml) from QA1 system (Step 3) by clicking on “Browse”. The rest of detail will be populated after the upload is done and there is no need to fill them out:
Attention: always check “Conditional Authentication” section of your Application and click on “Add Rule” to have your identity provider (reflects the email domain for the user log on) if it is not already there:
Note: If any application tile in Fiori dashboard facing a similar issue, we just need to renew their certificate in IAS in a similar fashion too.
I hope after reading this blog you will be able to troubleshoot errors in SAP IAS and understand how you can enabled SAML2 for corporates IdP for SSO.
- When you facing errors in IAS you can upload error logs in Support Log Assistant to analyze first
- Depends on your error you may need to troubleshoot IdP, Applications or S/4 HANA system
- After reviewing the related note you most likely get an idea which layer you need to focus on
- To resolve the issue you need to have hands on in security aspect of IAS, SaaS, PaaS, and S/4
- Please consider this as a team effort and make sure have all the required teams involved
- Before doing your due diligent, do not create a ticket (incident) for SAP Support since it is required multiple teams to be involved and it may not be resolved in one easy call
You can always follow the SAP Business Technology Platform post and answer questions:
To follow the the SAP BTP Security, post and answer questions:
Note 2942816 – How to export and self-analyze Troubleshooting logs from Identity Authentication
Note 3058189 – The digital signature of the received SAML2 message is invalid. Caused by: Certificate is expired
Note 2698094 – Given url does not contain SAML2 authentication request for validation
Note 2645425 – The digital signature of the received SAML2 message is invalid
Exporting the SAML Identity Provider Metadata:
Configure SAML 2.0 Service Provider:
Tenant SAML 2.0 Configuration:
Share with others and Connect with us!
Please leave your comment if you have anything to add!
If you would like to ask questions, please use the community Q&A.
Give us a like and share on social media if you feel it was useful
You can follow me in People SAP :