Hello Everyone, I just set up a local IDP by following the documentation here:
https://help.hana.ondemand.com/help/frameset.htm?754818ea63874ea38843ab0ed1928765.html
I am using a local production HANA instance as the Service Provider (SP), where I have a simple Hello World app for which I enabled SAML authentication.
I have configured the trust between the SP and IDP as well as between the IDP and SP.
When accessing the app, I am successfully redirected to the IDP and enter my credentials. While creating the SSO response the IDP encounters the following exception:
com.sap.security.saml2.cfg.exceptions.SAML2ConfigurationException: SSO response message could not be created, because there are not any ACS endpoints configured for SP: mymachine:8007/ with binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
at com.sap.security.saml2.idp.api.IdPUtils.getACSEndpoint(IdPUtils.java:76)
at com.sap.security.saml2.idp.api.IdPUtils.getACSLocation(IdPUtils.java:96)
at com.sap.security.saml2.idp.api.SSOService.getResponseLocation(SSOService.java:767)
at com.sap.security.saml2.idp.api.SSOService.generateAuthenticationResponse(SSOService.java:199)
at com.sap.security.saml2.idp.api.SSOService.createAuthnResponse(SSOService.java:77)
at com.sap.security.saml2.idp.api.SAML2IdPAPI.createSSOResponse(SAML2IdPAPI.java:116)
at com.sap.core.jpaas.security.saml2.localidp.SSOService.processSSORequest(SSOService.java:166)
at com.sap.core.jpaas.security.saml2.localidp.SSOService.doGet(SSOService.java:65)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at com.sap.core.jpaas.security.auth.service.lib.AbstractAuthenticator.invoke(AbstractAuthenticator.java:161)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at com.sap.core.tenant.valve.TenantValidationValve.invokeNextValve(TenantValidationValve.java:255)
at com.sap.core.tenant.valve.TenantValidationValve.invoke(TenantValidationValve.java:101)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:24)
at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:25)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
The IDP however contains the correct XML metadata from my SP (as described in the tutorial), which describes the ACS endpoint that it is strangely not able to find.
The XML metadata in the IDP for my SP looks like this (certificate info removed):
<ns2:EntityDescriptor
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="mymachine:8007/">
  <ns2:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns2:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> ... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ns2:KeyDescriptor>
    <ns2:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="mymachine:8007/sap/hana/xs/saml/logout.xscfunc"/>
    <ns2:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</ns2:NameIDFormat>
    <ns2:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</ns2:NameIDFormat>
    <ns2:AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="mymachine:8007/sap/hana/xs/saml/login.xscfunc"/>
  </ns2:SPSSODescriptor>
  <ns2:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns2:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> ... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ns2:KeyDescriptor>
    <ns2:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="mymachine:8007/sap/hana/xs/saml/logout.xscfunc"/>
    <ns2:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="mymachine:8007/sap/hana/xs/saml/logout.xscfunc"/>
    <ns2:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</ns2:NameIDFormat>
    <ns2:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</ns2:NameIDFormat>
    <ns2:SingleSignOnService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="mymachine:8007/sap/hana/xs/saml/login.xscfunc"/>
    <ns2:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="mymachine:8007/sap/hana/xs/saml/login.xscfunc"/>
  </ns2:IDPSSODescriptor>
  <ns2:Organization>
    <ns2:OrganizationName xml:lang="en">SAP Labs, LLC</ns2:OrganizationName>
    <ns2:OrganizationDisplayName xml:lang="en">SAP Labs, LLC</ns2:OrganizationDisplayName>
    <ns2:OrganizationURL xml:lang="en">http://www.sap.com</ns2:OrganizationURL>
  </ns2:Organization>
</ns2:EntityDescriptor>
So everything is in there; I don't know what I'm missing. Any ideas?
Let me know if you need more information!
Best,
Daniel
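A metadata sanity check, added here as an example and not part of Daniel's post or of SAP's IdP code: it performs the lookup the exception reports as failing (an AssertionConsumerService in the SPSSODescriptor with the HTTP-POST binding) over metadata constructed from the post, and additionally flags Location values that are not absolute http(s) URLs, as is the case for every Location above. Whether that is what the IdP rejects is an assumption; the check only shows where the metadata departs from what a URI-based endpoint lookup expects.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata modelled on the post (certificate and IdP role omitted);
# not the poster's exact file. Note that entityID and Location carry no http(s) scheme.
SP_METADATA = """<ns2:EntityDescriptor xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="mymachine:8007/">
  <ns2:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns2:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="mymachine:8007/sap/hana/xs/saml/login.xscfunc"/>
  </ns2:SPSSODescriptor>
</ns2:EntityDescriptor>"""


def find_acs_endpoints(metadata_xml, binding=HTTP_POST):
    """Return (index, Location) for every AssertionConsumerService in the
    SPSSODescriptor that advertises the given binding: the lookup the IdP does
    when it builds the SSO response for an AuthnRequest."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return []
    return [
        (int(acs.get("index", "0")), acs.get("Location", ""))
        for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
        if acs.get("Binding") == binding
    ]


def check_acs_locations(metadata_xml, binding=HTTP_POST):
    """Flag a missing ACS for the binding, and any ACS whose Location is not an
    absolute http(s) URL. 'mymachine:8007/...' parses with 'mymachine' as the
    scheme and no host, so a strict URI-based lookup cannot use it (assumption:
    this is the kind of value an IdP would discard)."""
    issues = []
    endpoints = find_acs_endpoints(metadata_xml, binding)
    if not endpoints:
        issues.append(f"no AssertionConsumerService with binding {binding}")
    for index, location in endpoints:
        parsed = urlparse(location)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            issues.append(f"ACS index {index}: Location {location!r} is not an absolute http(s) URL")
    return issues
```

Running the check against the constructed metadata reports the schemeless Location; prefixing the Location with http:// (or https://) makes it pass, which is the first thing worth comparing against the SP's actual metadata export.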