Troubleshooting – Access token not issued due to missing signing of Message Assertion

Published by Tobias Hofmann on


Scenario

You send a SAML Bearer Assertion to the OAuth token service of SAP Gateway. The response is HTTP 400 Bad Request.

Error message

{
    "error": "invalid_grant",
    "error_description": "Provided authorization grant is invalid. Exception was Message Assertion is not signed. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545"
}

Root cause

The error message already names the root cause of the HTTP 400: "Exception was Message Assertion is not signed." For more detail, record an OAuth trace with the security trace analyzer; the procedure is described in SAP Note 1688545.

Tx: SA38
Program: SEC_TRACE_ANALYZER

Choose Run with variant and select the variant SAP&OAUTH2.

Click on Activate and reproduce the issue. To see the result, click on Show.

Alternatively, run the report directly and enter the selections by hand:

Tx: SE38
Program: SEC_TRACE_ANALYZER
ICF Service: /sap/bc/sec/oauth2/token
Logon Trace (got HTTP 401): Select
User: OIDCLIENT (the OAuth user of type system)

Solution

Activate signing of assertions in Keycloak: open the Keycloak administration console, go to the SAML client used by SAP Gateway and enable signing of assertions (Sign Assertions). Signing only the SAML response is not enough; the token service checks for a signature on the assertion element itself.
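The distinction that triggers this error is a signature on the enclosing SAML Response versus one on the Assertion element itself. The following is an added example (not code from the post or from SAP) of a client-side pre-flight check that refuses to build the RFC 7522 SAML bearer token request until the assertion carries its own ds:Signature; the two XML samples and the client_id parameter are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: only the <samlp:Response> wrapper is signed, which is
# the situation the SAP token service rejects with "Assertion is not signed".
RESPONSE_SIGNED_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same assertion with the signature on the assertion itself.
ASSERTION_SIGNED = """<saml:Assertion ID="_a1"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</saml:Assertion>"""

def assertion_is_signed(xml_text: str) -> bool:
    """True only if the <saml:Assertion> element itself has a <ds:Signature>
    child. A signature on the enclosing <samlp:Response> does not count."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['saml']}}}Assertion":
        assertion = root
    else:
        assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    return assertion.find("ds:Signature", NS) is not None

def build_token_request(xml_text: str, client_id: str) -> dict:
    """Form body for POST /sap/bc/sec/oauth2/token with the RFC 7522 SAML
    bearer grant. Unsigned assertions are refused before the request is sent,
    so the HTTP 400 is caught on the client. client_id is an assumed parameter."""
    if not assertion_is_signed(xml_text):
        raise ValueError("Assertion is not signed: enable 'Sign Assertions' on the IdP SAML client")
    assertion = base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii")
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": assertion.rstrip("="),  # base64url without padding (RFC 7522)
        "client_id": client_id,
    }
```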


Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

3 Comments

letissia · April 28, 2022 at 14:57

Hello, thanks for your post.
I use OAuth2 only (no SAML2). I have the same problem when I request an OAuth2 token. Can you tell me please the solution if we use only OAuth2?
Thank you!

    Tobias Hofmann · April 28, 2022 at 15:46

    The SAP ABAP oauth token issue service (sap/bc/sec/oauth2/token) expects you to send a SAML signed request. How do you want to get the token without SAML2?

      Letissia · May 2, 2022 at 09:35

      When configuring SSO OAuth2 we can choose Grant Type:
      “Authorization Code” or “SAML 2.0 Bearer Assertion”
      so I have configured my SSO OAuth using Authorization Code, but I have an error when requesting the token:
      error=oa2c_error
      44306/sap/bc/webdynpro/sap/OA2C_GRANT_APP?sap-client=200&error=oa2c_error&error_description=Client%20configuration%20error%20or%20network%20problems.%20See%20kernel%20traces.#
      Help please!
