Common Name: cfapps.<region>.hana.ondemand.com/b3736226-***
Subject Alternative Names:
Organization: SAP
Organization Unit: CP Destination Configuration
Locality:
State:
Country:
Valid From: June 13, 202*
Valid To: June 13, 202*
Issuer: cfapps.<region>.hana.ondemand.com/b3736226-***, SAP
Key Size: 4096 bit
Serial Number: **********
The culprit here is that the CN (Common Name) of this default trust cannot be used as the assertionIssuer value of the generated SAML assertion.
However, the destination service has it all. Instead, you need to create your own key pair, create a keystore and upload it to the BTP subaccount's destinations.
Then you need to put the issuer's URL both as the value of the destination service assertionIssuer property and as the issuer URL in the CPQ's OAuth2 client application definition.
ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.
However, with a dose of patience, after a few retries you will get the correct payload from the destination service.
As mentioned above, the SAML assertion generated by the destination service will be rejected by the SAP CPQ token issuance endpoint whenever the SAML assertion ID starts with a number, as shown below:
faas-srv:function /srv/harmony Failed to build headers. ErrorWithCause: Failed to build headers.
at buildHeaders (/usr/src/app/function/node_modules/@sap-cloud-sdk/http-client/dist/http-client.js:296:15)
Caused by:
Original error messages:
SAML assertion ID attribute must not start with number. Error Code: 600014.
The retry middleware should be used with caution, because it is often mitigating a problem that should be solved properly. Also, if something fails consistently, it does not help to press the same button multiple times. You should consider some rules for adding retries:
The error should be the exception, not the default.
The error should happen randomly so a second call has a high likelihood of returning something.
The source of the error is out of your domain to fix.
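A bounded pre-check for the rejection shown above, as an added example (not code from the original page, SAP or the SAP Cloud SDK): it reads the assertion ID locally and asks for a fresh assertion only when the ID is unusable, which keeps the retry limited to the random, out-of-your-domain case. It assumes the assertion arrives Base64-encoded; `fetchAssertion` is a hypothetical callback and the sample assertion is constructed.

```javascript
// Added example, not SAP or SAP Cloud SDK code. fetchAssertion is a
// hypothetical async callback that returns one Base64-encoded assertion.

// Read the ID attribute of the <Assertion> element (double-quoted attributes only).
function assertionId(base64Assertion) {
  const xml = Buffer.from(base64Assertion, 'base64').toString('utf8');
  const m = /<(?:[\w-]+:)?Assertion\b[^>]*?\sID="([^"]+)"/.exec(xml);
  return m ? m[1] : null;
}

// ASCII subset of the XML NCName rule: first character is a letter or underscore.
function isValidSamlId(id) {
  return typeof id === 'string' && /^[A-Za-z_][\w.-]*$/.test(id);
}

// Bounded retry: request a fresh assertion only while the ID is unusable.
async function getUsableAssertion(fetchAssertion, maxAttempts = 5) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const assertion = await fetchAssertion();
    const id = assertionId(assertion);
    if (isValidSamlId(id)) return { assertion, id, attempt };
  }
  throw new Error(`no assertion with a valid ID after ${maxAttempts} attempts`);
}

// Constructed sample input: a minimal, unsigned assertion shell with the given ID.
function sampleAssertion(id) {
  const xml = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ` +
    `ID="${id}" Version="2.0"><saml2:Issuer>https://issuer.example</saml2:Issuer></saml2:Assertion>`;
  return Buffer.from(xml, 'utf8').toString('base64');
}

// Demo: two assertions with numeric-leading IDs, then a usable one.
const queue = ['6c1c178c166d486687be4aaf5e482730', '9f00aa', 'id6c1c178c166d486687be4aaf5e482730']
  .map(sampleAssertion);
getUsableAssertion(async () => queue.shift())
  .then(r => console.log(`accepted ${r.id} on attempt ${r.attempt}`));
```

If the cap is reached, the error is consistent rather than random and a retry is no longer the right tool.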
You will need to sign the request with a certificate, specifically with the certificate private key. You will use the public key to confirm and validate the private key signature.
Select a value in User Identifier Attribute Source:
NameId - contained in the subject of the assertion request. This should either be the username of the SAP CPQ user or its federation ID (both are available in user administration).
AdditionalAttributes - in the User Identifier Attribute Name field, enter the exact value of one Attribute Name under AttributeStatement in the generated assertion request.
Choose one of the supported algorithms in Certificate Hash Algorithm.
Copy the public key from the assertion request.
Encode the request in the Base64 format using an online converter.
Open a platform used for building and testing APIs (for example, Postman) and populate the following:
Choose POST as the method.
Add /api/token to the request URL.
As authorization, choose basic authorization.
Copy the client ID and enter it in Postman as the username.
Copy the client secret and enter it in Postman as the password.
In the Body, choose the content type x-www-form-urlencoded.