Troubleshooting – Recipient in SubjectConfirmationData is invalid

Published by Tobias Hofmann on

1 min read

Scenario

A user authenticated against the SAML 2.0 IdP. The OAuth client is sending the SAML 2.0 Response containing the user assertions to the NetWeaver ABAP system. An error of type invalid grant is returned.

Error message:

{
    "error": "invalid_grant",
    "error_description": "Provided authorization grant is invalid. Exception was Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545"
}

Root cause

The OAuth client is sending the SAML Response to the OAuth token service for validation. The SAML Response is configured for a different SAML endpoint in the ABAP system. Therefore the request is denied.

Solution

Configure Keycloak to send the SAML Response to the NW ABBAP OAuth token service. Open the Keycloak administrator console and go to the SAML configuration for the NetWeaver client. Expand the section for Fine Grain SAML Endpoint Configuration.

Here the endpoint is configured to the standard value for SAML in NW ABAP: /sap/saml2/sp/acs/<client>.

https://vhcalnplci:44300/sap/saml2/sp/acs/001

This must be changed to the OAuth token endpoint:

https://vhcalnplci:44300/sap/bc/sec/oauth2/token

Additionally, you can configure the list of valid redirect URIs. By default, these are set to the standard SAML values of NW ABAP as a service provider.

https://vhcalnplci:44300/sap/saml2/sp/acs/001

In a test/POC environment, these can be set to match all URIs.

Set it to /*

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

1 Comment

Danilo Yorinori · September 1, 2022 at 14:09

I had this issue in my scenario but in my case the problem was the multiple clients. I had to configure the oauth token endpoint with ?sap-client= to work properly. There is a validation of recipient thats check this kind of thing.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.