Error in SAML2/POST while Login
Peter Schober
peter.schober at univie.ac.at
Mon May 9 19:47:31 EDT 2016
* Ram, Budh <budh.ram at sap.com> [2016-05-09 12:56]:
> I am getting below error while browsing this URL
> http://usphlvm2556.dmzphl.sap.corp:1080/Shibboleth.sso/Login. URL
> changes to
> (http://usphlvm2556.dmzphl.sap.corp:1080/Shibboleth.sso/SAML2/POST )
That ("URL changes") means you've initiated SSO at the SP and are
returned to the SP with a response from the IDP.
> SAML response reported an IdP error.
> Error from identity provider:
> Status: urn:oasis:names:tc:SAML:2.0:status:Requester
> Sub-Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied
> Message: The digital signature of the received SAML2 message is invalid.
What about that Message is unclear?
The IDP cannot verify your SP's cryptographic signature on the SAML2.0
authentication request you generated (and sent to the IDP) when you
accessed the SP's Login handler. How to fix that:
Shibboleth Wiki -> SHIB2 space -> Troubleshoot -> SP: Signature Issues.
> 2016-05-09 05:43:42 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: unable to connect socket for URL 'https://accounts400.sap.com/saml2/metadata/accounts.sap.com'
I can connect to that URL without problems so if your SP cannot that's
something you need to debug locally. Maybe you need to use a proxy
server to make outgoing connections from that machine? Maybe verify
with curl on the command line first. If so, see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider
and
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTransportOption
for documentation.
> 2016-05-09 05:43:42 INFO OpenSAML.MetadataProvider.XML : using local backup of remote resource
> 2016-05-09 05:43:42 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (C:/opt/shibboleth-sp/var/cache/shibboleth/metadata.xml)
JFYI, the metadata at
https://accounts400.sap.com/saml2/metadata/accounts.sap.com
has no expiration date (validUntil) so the software will fall back to
the local copy indefinitely.
-peter
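A small diagnostic illustrating the last point above, added here as an example that is not part of Peter's reply or of the Shibboleth SP code: it parses a SAML 2.0 EntityDescriptor the way an SP's metadata provider would look at it, reports whether a validUntil date is present (and whether it has passed relative to a given time), echoes cacheDuration, and prints a SHA-256 fingerprint of each signing certificate so it can be compared with what the other side actually has registered. The metadata document is constructed inline (entityID under example.invalid, a placeholder certificate blob that is not real DER) rather than fetched from any real endpoint; the function names are my own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder bytes: NOT a real X.509 certificate, just something to
# base64-encode so the constructed sample has a KeyDescriptor to fingerprint.
FAKE_CERT_DER = b"not-a-real-certificate"


def build_sample(valid_until):
    """Construct a minimal IdP EntityDescriptor (sample data, not any real site's metadata)."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml2/metadata"{attr} cacheDuration="PT6H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_timestamp(value):
    """SAML dateTimes are UTC ('Z' suffix); accept with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML dateTime: {value!r}")


def inspect_metadata(xml_text, now=None):
    """Summarise freshness attributes and signing-key fingerprints of one EntityDescriptor.

    `now` may be a timezone-aware datetime, a SAML dateTime string, or None (current time).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_timestamp(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a top-level md:EntityDescriptor")
    valid_until = root.get("validUntil")
    expiry = parse_saml_timestamp(valid_until) if valid_until else None
    fingerprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "valid_until": expiry,
        "expired": expiry is not None and expiry <= now,
        "cache_duration": root.get("cacheDuration"),
        "signing_cert_sha256": fingerprints,
    }


def freshness_verdict(info):
    """One-line reading of what a cached copy of this metadata is worth."""
    if info["valid_until"] is None:
        return "no validUntil: a cached copy would be trusted indefinitely"
    if info["expired"]:
        return "validUntil has passed: a cached copy must not be used"
    return "validUntil in the future: cached copy usable until " + info["valid_until"].isoformat()


if __name__ == "__main__":
    now = "2016-05-09T12:00:00Z"  # constructed reference time for the demo
    for label, doc in (("with validUntil", build_sample("2016-06-01T00:00:00Z")),
                       ("without validUntil", build_sample(None))):
        info = inspect_metadata(doc, now)
        print(f"{label}: {freshness_verdict(info)}")
        for fp in info["signing_cert_sha256"]:
            print("  signing cert sha256:", fp)
```

Run it against the XML the SP wrote to its backup file (the metadata.xml path in the log above) to see at a glance whether the copy the SP is relying on carries any expiry at all; the fingerprints are the quickest way to confirm that the certificate the SP signs requests with is the one the IdP side holds for that entityID.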