How to Check OIDC Protocol Assertions and Use Them for Troubleshooting

In this blog, we’ll explore how to inspect OIDC (OpenID Connect) protocol assertions and leverage them for effective troubleshooting.

Prerequisite

Before diving into the troubleshooting steps, note that I have already configured Single Sign-On (SSO) between SAP Identity Authentication Service (IAS) and an S/4HANA system using the OIDC protocol.

Step 1: Activate Security Trace

  • Launch transaction SECTRACE.
  • Enable the trace for the SICF path:
    /sap/public/bc/sec/oidc/redirect.


Step 2: Trigger the SSO Flow

  • Access the S/4HANA Fiori Launchpad using SSO to initiate the authentication flow.


Step 3: Retrieve the Security Trace

  • Go back to transaction SECTRACE, stop the trace, and click Show.
  • In the user field, enter <ALL> and confirm.


  • Click the down arrow to expand the trace details.


  • Copy the complete OIDC response for further analysis.


Step 4: Analyze the OIDC Token

  • Run transaction SOIDC_ANALYZER.
  • Paste the copied OIDC token into the input field.


  • Click Extract Token from Trace Snippet, then select Analyze and Pretty-print Token Content.


  • This will display the OIDC assertions in a readable format.
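
To cross-check the same assertions outside the system, the sketch below decodes an ID token and flags the claim problems that most often explain a failed OIDC logon (issuer, audience, expiry, clock skew, missing subject). It is an added example, not SAP code and not how SOIDC_ANALYZER is implemented; it assumes the token has already been extracted from the trace as a compact JWT, and the issuer, client ID and sample token are constructed placeholders.

```python
import base64, json, time

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token(token):
    """Split a compact JWT and return (header, claims). The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d parts" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims

def check_claims(claims, expected_iss, expected_aud, now=None, skew=60):
    """Return a list of findings; an empty list means the basic claims look consistent."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("iss") != expected_iss:
        findings.append("iss mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_aud not in aud_list:
        findings.append("aud mismatch: %r" % aud)
    if "exp" not in claims or claims["exp"] + skew < now:
        findings.append("token expired or exp missing")
    if claims.get("iat", 0) - skew > now:
        findings.append("iat is in the future (clock skew?)")
    if not claims.get("sub"):
        findings.append("sub missing: no subject to map to a user")
    return findings

def _encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: placeholder issuer and client ID, dummy signature.
SAMPLE_CLAIMS = {"iss": "https://idp.example.test", "aud": "client-id-placeholder",
                 "sub": "P000001", "iat": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = ".".join([_encode({"alg": "RS256", "typ": "JWT"}),
                         _encode(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    header, claims = decode_id_token(SAMPLE_TOKEN)
    print(json.dumps(claims, indent=2))
    print(check_claims(claims, "https://idp.example.test", "client-id-placeholder",
                       now=1700000100))
```

Because the signature is not checked, use this only to read and compare claims during troubleshooting, never to decide whether a token is trustworthy.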


Step 5: Modify and Test OIDC Configuration

Use the highlighted section in the analyzer tool to adjust existing OIDC settings and re-check the responses as needed during troubleshooting.


This approach helps in identifying issues in the OIDC authentication flow and validating token content for debugging and support purposes.

References:

3111813 – OpenID Connect (OIDC): Troubleshooting Note – SAP for Me

 


By ali