In this blog, we’ll explore how to inspect OIDC (OpenID Connect) protocol assertions and leverage them for effective troubleshooting.
Prerequisite
Before diving into the troubleshooting steps, note that I have already configured Single Sign-On (SSO) between SAP Identity Authentication Service (IAS) and an S/4HANA system using the OIDC protocol.
Step 1: Activate Security Trace
Launch transaction SECTRACE. Enable the trace for the SICF path:
/sap/public/bc/sec/oidc/redirect.
Step 2: Trigger the SSO Flow
Access the S/4HANA Fiori Launchpad using SSO to initiate the authentication flow.
Step 3: Retrieve the Security Trace
Go back to transaction SECTRACE, stop the trace, and click Show. In the user field, enter <ALL> and confirm.
Click the down arrow to expand the trace details.
Copy the complete OIDC response for further analysis.
Step 4: Analyze the OIDC Token
Run transaction SOIDC_ANALYZER. Paste the copied OIDC token into the input field.
Click Extract Token from Trace Snippet, then select Analyze and Pretty-print Token Content.
This will display the OIDC assertions in a readable format.
Step 5: Modify and Test OIDC Configuration
Use the highlighted section in the analyzer tool to adjust existing OIDC settings and re-check the responses as needed during troubleshooting.
This approach helps in identifying issues in the OIDC authentication flow and validating token content for debugging and support purposes.
References:
3111813 – OpenID Connect (OIDC): Troubleshooting Note – SAP for Me