Troubleshooting: Download SAML 2.0 SP Metadata

Published by Tobias Hofmann on

6 min read

Scenario

After you have enabled your NetWeaver ABAP system to be an SAML 2.0 Service Provider you want to download its metadata and get an error message: 403 Forbidden.

Tx: SAML2

Call the SAML 2.0 configuration Web Dynpro app via transaction SAML2 and click on Metadata.

Select what to include in the metadata file (all is fine).

The download of the metadata file is triggered, and an error message is displayed

Service cannot be reached: 403 Forbidden

Cause

The download cannot start as some ICF services are not activated.

Solution

Activate the necessary Internet Communication Framework (ICF) services. To be to download the metadata from the service provider, you must manually activate the following two ICF services:

  • /default_host/sap/public/bc/sec/saml2
  • /default_host/sap/public/bc/sec/cdc_ext_service

Activate service /sap/public/bc/sec/saml2

Tx: SICF
Service: /sap/public/bc/sec/saml2

Select the service and activate it.

Activate service /sap/public/bc/sec/cdc_ext_service

Tx: SICF
Service: /sap/public/bc/sec/cdc_ext_service

Select the service and activate it.

Result

Now the download of the SAML 2.0 SP Metadata will work.

Links

Additional notes

I include a sample SAML 2.0 IdP Metadata file from NetWeaver ABAP.

<m:EntityDescriptor entityID="NPL001" validUntil="2038-01-01T00:00:01Z" cacheDuration="P18Y1M19DT1H30M" ID="S08002777-0476-1eea-81a3-21f6e7769f84" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#S08002777-0476-1eea-81a3-21f6e7769f84"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>riuwEzJ1TDuoz0ksjfjeEgWq7W4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>FmH1iXsWkimeQOmBkAYWfmTY8rcyHkNJxxl5ghA9U27DRM7unTVavGZ2o9HRwG2CAHdKM/q5IjUZ/nw/47p0sDKgJlY8cwcraEE71EY/z2opZoJB7g==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true"><m:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMRF2atJSYxSwlU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor><m:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkkIhU4ft5lFeL9cGE+5y22haUvv/k=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor><m:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vhcalnplci:44300/sap/saml2/sp/artifact/001" index="0" isDefault="true"/><m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/><m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001" ResponseLocation="https://vhcalnplci:44300/sap/saml2/sp/slo/response/001"/><m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/><m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/><m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="0" isDefault="true"/><m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="1"/><m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="2"/></m:SPSSODescriptor><m:RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><m:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor><m:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQKy22haUvv/k=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor><fed:ClaimTypesRequested><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"/></fed:ClaimTypesRequested><fed:ApplicationServiceEndpoint><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>http://vhcalnplci:8000/</wsa:Address></wsa:EndpointReference></fed:ApplicationServiceEndpoint><fed:ApplicationServiceEndpoint><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://vhcalnplci:44300/</wsa:Address></wsa:EndpointReference></fed:ApplicationServiceEndpoint><fed:TargetScopes><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>http://vhcalnplci:8000/</wsa:Address></wsa:EndpointReference><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://vhcalnplci:44300/</wsa:Address></wsa:EndpointReference></fed:TargetScopes></m:RoleDescriptor><m:RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><m:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor><fed:ClaimTypesOffered><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"/></fed:ClaimTypesOffered><fed:TokenTypesOffered><fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/></fed:TokenTypesOffered></m:RoleDescriptor></m:EntityDescriptor>
Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.