jlrodriguez Super Contributor.

SAML SP "Request denied"

Hi,
Trying to establish a federation with SAP as Service Provider, everything seems correct but NAM answers with "Request denied" to the first request that comes from SAP.
We've checked everything, certificates, entityID, etc. and can't see why the NAM IDP doesn't accept the request from the SP.
Any way to increase the log level (already at debug level for applications and SAML) to see why the request is not accepted?

Regards
Jose Luis
EricVeysey1 Absent Member.

Re: SAML SP "Request denied"

jlrodriguez;2498004 wrote:
Hi,
Trying to establish a federation with SAP as Service Provider, everything seems correct but NAM answers with "Request denied" to the first request that comes from SAP.
We've checked everything, certificates, entityID, etc. and can't see why the NAM IDP doesn't accept the request from the SP.
Any way to increase the log level (already at debug level for applications and SAML) to see why the request is not accepted?

Regards
Jose Luis


Can you post the AuthN Request and the log from the IDP?

Usually if the AuthN is signed there is a cert mismatch or Issuer doesn't match.

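The Issuer and signature checks suggested in the reply above, as an added example that is not part of the original thread and not NAM code: a Python script that decodes a captured HTTP-Redirect `SAMLRequest` and compares it with what the IdP has configured for the SP. It assumes the HTTP-Redirect binding; the host names, entityIDs and the sample request are constructed, and it reports whether a signature is present without verifying it.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # refuse oversized (decompression-bomb) requests

def decode_redirect(url):
    """Return (AuthnRequest XML, query params) from an HTTP-Redirect URL."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    d = zlib.decompressobj(-15)              # raw DEFLATE, no zlib header
    xml = d.decompress(raw, MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("request too large")
    xml = xml.decode("utf-8")
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    return xml, qs

def check_authn_request(url, expected_issuer, idp_sso_url):
    """Compare the request with the values configured on the IdP for this SP."""
    xml, qs = decode_redirect(url)
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    dest = root.get("Destination")
    findings = []
    if issuer != expected_issuer:            # entityIDs are compared as exact strings
        findings.append(f"Issuer {issuer!r} != configured entityID {expected_issuer!r}")
    if dest is not None and dest != idp_sso_url:
        findings.append(f"Destination {dest!r} != IdP SSO URL {idp_sso_url!r}")
    if "Signature" in qs and "SigAlg" not in qs:
        findings.append("Signature present without SigAlg")
    return {"issuer": issuer, "destination": dest,
            "acs": root.get("AssertionConsumerServiceURL"),
            "signed": "Signature" in qs, "findings": findings}

def sample_url():
    """Constructed sample: an unsigned request as an SP would redirect it."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" '
           'IssueInstant="2019-04-09T06:44:00Z" '
           'Destination="https://idp.example.com/nidp/saml2/sso" '
           'AssertionConsumerServiceURL="https://sap.example.com/saml2/acs">'
           '<saml:Issuer>https://sap.example.com/sp</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return "https://idp.example.com/nidp/saml2/sso?" + urlencode({"SAMLRequest": blob})

if __name__ == "__main__":
    print(check_authn_request(sample_url(), "https://sap.example.com/sp/",
                              "https://idp.example.com/nidp/saml2/sso"))
```

With the constructed sample, the only finding is the trailing-slash difference between the request's Issuer and the configured entityID.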
Knowledge Partner

Re: SAML SP "Request denied"

On 09-04-2019 12:34 PM, EricVeysey wrote:
>
> jlrodriguez;2498004 Wrote:
>> Hi,
>> Trying to establish a federation with SAP as Service Provider, everything
>> seems correct but NAM answers with "Request denied" to the first request
>> that comes from SAP.
>> We've checked everything, certificates, entityID, etc.... and can't see
>> why the NAM IDP doesn't accept the request from the SP.
>> Any way to increase the log level (already at debug level for
>> applications and SAML) to see why the request is not accepted?
>>
>> Regards
>> Jose Luis

>
> Can you post the AuthN Request and the log from the IDP?
>
> Usually if the AuthN is signed there is a cert mismatch or Issuer
> doesn't match.


Then you'd get a request received from untrusted provider error


--
Cheers,
Edward
jlrodriguez Super Contributor.

Re: SAML SP "Request denied"

I think so, but I can't see any error related to the "untrusted provider" error.
It would be nice if NAM were a little more "expressive" with the errors.
jlrodriguez Super Contributor.

Re: SAML SP "Request denied"

I'll try to post the AuthN Request and the log, but the issuer seems correct and the signing certificate, too.
Knowledge Partner

Re: SAML SP "Request denied"

On 10-04-2019 4:24 AM, jlrodriguez wrote:
>
> I'll try to post the AuthN Request and the log, but the issuer seems
> correct and the signing certificate, too.
>
>


In that case, a catalina.out with application and saml2 set to debug would be helpful too.

--
Cheers,
Edward
Knowledge Partner

Re: SAML SP "Request denied"

On 09-04-2019 6:44 AM, jlrodriguez wrote:
>
> Hi,
> Trying to establish a federation with SAP as Service Provider, everything
> seems correct but NAM answers with "Request denied" to the first request
> that comes from SAP.
> We've checked everything, certificates, entityID, etc.... and can't see
> why the NAM IDP doesn't accept the request from the SP.
> Any way to increase the log level (already at debug level for
> applications and SAML) to see why the request is not accepted?


Do you get challenged for authentication at all? If so, do you have any roles configured under Dashboard | Applications | <your service provider> | Access and Roles?

If the user doesn't have that role then NAM will respond with an Access Denied in the SAML token.
--
Cheers,
Edward
jlrodriguez Super Contributor.

Re: SAML SP "Request denied"

Not challenged for authentication. The "Request denied" is sent to the SP previous to authentication.