Troubleshooting: Download SAML 2.0 SP Metadata
Scenario
After you have enabled your NetWeaver ABAP system as a SAML 2.0 Service Provider, you try to download its metadata and get the error message 403 Forbidden.
Tx: SAML2
Call the SAML 2.0 configuration Web Dynpro app via transaction SAML2 and click on Metadata.
Select what to include in the metadata file (all is fine).
The download of the metadata file is triggered, and an error message is displayed:
Service cannot be reached: 403 Forbidden
Cause
The download cannot start as some ICF services are not activated.
Solution
Activate the necessary Internet Communication Framework (ICF) services. To be able to download the metadata from the service provider, you must manually activate the following two ICF services:
- /default_host/sap/public/bc/sec/saml2
- /default_host/sap/public/bc/sec/cdc_ext_service
Activate service /sap/public/bc/sec/saml2
Tx: SICF Service: /sap/public/bc/sec/saml2
Select the service and activate it.
Activate service /sap/public/bc/sec/cdc_ext_service
Tx: SICF Service: /sap/public/bc/sec/cdc_ext_service
Select the service and activate it.
Result
Now the download of the SAML 2.0 SP Metadata will work.
Links
- https://apps.support.sap.com/sap/support/knowledge/preview/en/2443156
- https://wiki.scn.sap.com/wiki/display/Security/Common+Problems+When+Configuring+SAML+2.0+for+AS+ABAP
Additional notes
I include a sample SAML 2.0 IdP Metadata file from NetWeaver ABAP.
<m:EntityDescriptor entityID="NPL001" validUntil="2038-01-01T00:00:01Z" cacheDuration="P18Y1M19DT1H30M" ID="S08002777-0476-1eea-81a3-21f6e7769f84" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#S08002777-0476-1eea-81a3-21f6e7769f84">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>riuwEzJ1TDuoz0ksjfjeEgWq7W4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>FmH1iXsWkimeQOmBkAYWfmTY8rcyHkNJxxl5ghA9U27DRM7unTVavGZ2o9HRwG2CAHdKM/q5IjUZ/nw/47p0sDKgJlY8cwcraEE71EY/z2opZoJB7g==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDWzCCAkMCCAogGUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMRF2atJSYxSwlU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <m:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkkIhU4ft5lFeL9cGE+5y22haUvv/k=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <m:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vhcalnplci:44300/sap/saml2/sp/artifact/001" index="0" isDefault="true"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001" ResponseLocation="https://vhcalnplci:44300/sap/saml2/sp/slo/response/001"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="0" isDefault="true"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="1"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="2"/>
  </m:SPSSODescriptor>
  <m:RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <m:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQKy22haUvv/k=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"/>
    </fed:ClaimTypesRequested>
    <fed:ApplicationServiceEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>http://vhcalnplci:8000/</wsa:Address>
      </wsa:EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:ApplicationServiceEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>https://vhcalnplci:44300/</wsa:Address>
      </wsa:EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:TargetScopes>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>http://vhcalnplci:8000/</wsa:Address>
      </wsa:EndpointReference>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>https://vhcalnplci:44300/</wsa:Address>
      </wsa:EndpointReference>
    </fed:TargetScopes>
  </m:RoleDescriptor>
  <m:RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"/>
    </fed:ClaimTypesOffered>
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
  </m:RoleDescriptor>
</m:EntityDescriptor>
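The metadata file above is what the IdP team receives once the download works. Before importing it, the fields worth checking are the entity ID, the validUntil expiry, whether the file is signed and with which algorithms (the sample uses rsa-sha1 and sha1, both SHA-1 based), the AuthnRequestsSigned and WantAssertionsSigned flags, the presence of a signing certificate, and that every AssertionConsumerService location is HTTPS. The Python script below is an added example, not code from this article or from SAP: it parses a constructed, trimmed copy of the sample (certificates truncated, so they are counted rather than decoded) and reports those checks. The weak-algorithm list and the warning wording are my own choices.

```python
"""Sanity-check SAML 2.0 SP metadata before handing it to the IdP team.
Added example (not from the article or SAP); input is a constructed, trimmed
copy of the article's sample with truncated certificates."""
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {"m": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# SHA-1 based XML-DSig algorithms, flagged because SHA-1 is deprecated for signatures.
WEAK_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                   "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed input: trimmed from the article's sample, certificates truncated.
SAMPLE_SP_METADATA = """<m:EntityDescriptor entityID="NPL001" validUntil="2038-01-01T00:00:01Z"
    ID="S08002777-0476-1eea-81a3-21f6e7769f84" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#S08002777-0476-1eea-81a3-21f6e7769f84">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <m:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMRF2atJSYxSwlU=</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></m:KeyDescriptor>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="0" isDefault="true"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="1"/>
  </m:SPSSODescriptor>
</m:EntityDescriptor>"""


def summarize_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an IdP administrator checks when onboarding an SP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["m"]:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    sp = root.find("m:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    certs = sp.findall("m:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "signed": sig is not None,
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
        "digest_algorithm": digest.get("Algorithm") if digest is not None else None,
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": len(certs),
        # (short binding name, URL, is default) for every AssertionConsumerService
        "acs_endpoints": [(acs.get("Binding", "").rsplit(":", 1)[-1], acs.get("Location", ""),
                           acs.get("isDefault") == "true")
                          for acs in sp.findall("m:AssertionConsumerService", NS)],
    }


def review(summary: dict, now: Optional[datetime] = None) -> List[str]:
    """Return warnings an IdP administrator should resolve; an empty list means clean."""
    now = now or datetime.now(timezone.utc)
    warnings = []
    if not summary["signed"]:
        warnings.append("metadata is unsigned: verify it out of band before importing it")
    for key in ("signature_algorithm", "digest_algorithm"):
        if summary[key] in WEAK_ALGORITHMS:
            warnings.append("%s is SHA-1 based (%s); prefer SHA-256" % (key, summary[key]))
    if not summary["authn_requests_signed"]:
        warnings.append("AuthnRequestsSigned is not true")
    if not summary["want_assertions_signed"]:
        warnings.append("WantAssertionsSigned is not true: unsigned assertions may be accepted")
    if summary["signing_certs"] == 0:
        warnings.append("no signing certificate: the IdP cannot verify this SP's requests")
    for binding, location, _default in summary["acs_endpoints"]:
        if not location.lower().startswith("https://"):
            warnings.append("ACS endpoint %s (%s) is not HTTPS" % (location, binding))
    if summary["valid_until"]:
        # SAML metadata timestamps are UTC with a trailing Z; fromisoformat needs +00:00
        expiry = datetime.fromisoformat(summary["valid_until"].replace("Z", "+00:00"))
        if expiry <= now:
            warnings.append("metadata expired on %s" % summary["valid_until"])
    return warnings


if __name__ == "__main__":
    report = summarize_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
    for warning in review(report):
        print("WARNING:", warning)
```

Run against the sample, the script reports the entity ID NPL001, one signing certificate, two HTTPS ACS endpoints and two warnings, both about the SHA-1 based signature and digest algorithms. Point it at the real download (pass the file contents to summarize_sp_metadata) to get the same report for your own system.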