How to fix SAP error WSS028?

Self-Explanatory Message Since SAP believes that this specific error message is 'self-explanatory,' no more information has been given.The majority of messages in the SAP system have a message text, however this is frequently insufficient to comprehend or resolve the problem. To make things easier, more detailed information is frequently added to describe the issue, how to fix it, and the necessary steps or configuration modifications. Unfortunately, there isn't any extra information in this error notice. What else can you do? First, use our AnswerBot below to get a possible cause and solution (requires a premium subscription). Also, review the in-depth Common Questions & Answers listed below; you could discover a solution there or be able to connect with others who have faced similar challenges. You can also try searching the SAP support portal (support.sap.com) but you need a special user ID to access it. It is possible that an SAP support note exists that provides additional details about the mistake or even steps for fixing it.

How To Fix WSS028 - Unexpected SAML subject confirmation type &1

Instant Help Get instant SAP help. Sign up for our Free Essentials Plan.

SAP Error Message - Details

Message type: E = Error
Message class: WSS - Web Services Security
Message number: 028
Message text: Unexpected SAML subject confirmation type &1
Show details Hide details
Self-Explanatory Message
Since SAP believes that this specific error message is 'self-explanatory,' no more information has been given.The majority of messages in the SAP system have a message text, however this is frequently insufficient to comprehend or resolve the problem.
To make things easier, more detailed information is frequently added to describe the issue, how to fix it, and the necessary steps or configuration modifications.
Unfortunately, there isn't any extra information in this error notice.

What else can you do?
First, use our AnswerBot below to get a possible cause and solution (requires a premium subscription).
Also, review the in-depth Common Questions & Answers listed below; you could discover a solution there or be able to connect with others who have faced similar challenges.

You can also try searching the SAP support portal (support.sap.com) but you need a special user ID to access it. It is possible that an SAP support note exists that provides additional details about the mistake or even steps for fixing it.

Smart SAP Assistant

What is the cause and solution for SAP error message WSS028 - Unexpected SAML subject confirmation type &1 ?

SAP Error Message:
WSS028 Unexpected SAML subject confirmation type &1

Cause

This error occurs during SAML (Security Assertion Markup Language) processing in SAP when the system encounters a SAML assertion with a SubjectConfirmation element that has a type not expected or supported by the SAP system.

In SAML assertions, the <SubjectConfirmation> element specifies how the subject of the assertion is confirmed. Common types include:

urn:oasis:names:tc:SAML:2.0:cm:bearer
urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
urn:oasis:names:tc:SAML:2.0:cm:sender-vouches

SAP expects a certain confirmation method (usually bearer) depending on the configuration. If the assertion contains a different or unexpected confirmation method, SAP raises this error.

Typical Scenarios

The Identity Provider (IdP) sends a SAML assertion with a SubjectConfirmation type that SAP does not support or is not configured to accept.
Misconfiguration in the SAML trust setup between SAP and the IdP.
Custom or non-standard SAML assertions from the IdP.

Solution

Check the SAML Assertion:
- Use SAML tracing tools (e.g., browser SAML tracer plugins, SAP logs) to capture the SAML assertion.
- Inspect the <SubjectConfirmation> element and note the Method attribute value.
Verify SAP Configuration:
- Ensure SAP is configured to accept the SubjectConfirmation method sent by the IdP.
- Typically, SAP supports bearer confirmation method for SAML 2.0 Web SSO.
- If the IdP sends a different method (e.g., holder-of-key), SAP may not support it out-of-the-box.
Adjust IdP Configuration:
- Configure the IdP to send the expected SubjectConfirmation type (usually bearer).
- This is often done in the IdP’s SAML settings or assertion configuration.
SAP Notes and Patches:
- Check SAP Notes for any updates or patches related to SAML processing.
- Sometimes newer SAP kernel or component versions add support for additional confirmation methods.
Custom Development (if needed):
- If your scenario requires a different confirmation method, custom development or enhancement might be necessary.
- Consult SAP support or your SAP security consultant.

Related Information

SAP Component: Typically related to SAP NetWeaver AS Java or ABAP SAML 2.0 support.
Transaction / Tools:
- Use transaction SAML2 in SAP NetWeaver AS ABAP to manage SAML 2.0 configurations.
- Use SAP logs (e.g., developer traces, system logs) to get more details.
SAP Notes:
- Search for notes related to SAML 2.0 and SubjectConfirmation.
- Example note keywords: "WSS028", "SAML SubjectConfirmation", "SAML 2.0 bearer".

Summary

Aspect	Details
Error	WSS028 Unexpected SAML subject confirmation type &1
Cause	SAP received a SAML assertion with an unsupported or unexpected SubjectConfirmation type
Solution	Align IdP to send supported confirmation type (usually `bearer`); check SAP config
Tools	SAML tracing tools, SAP transaction `SAML2`, system logs
Further Help	SAP Notes, SAP Support, IdP vendor documentation

If you provide the exact SubjectConfirmation type value (&1), I can help you identify whether it is supported or suggest specific configuration steps.

Instant Help Get instant SAP help. Sign up for our Free Essentials Plan.

Related SAP Error Messages

Click the links below to see the following related messages:

WSS027 The system received encrypted data, which could not be decrypted.
What causes this issue? The system received encrypted data in the security header, which failed to be decrypted.System Response Web service processi...
WSS026 XML Signature digest error for reference &1
Self-Explanatory Message Since SAP believes that this specific error message is 'self-explanatory,' no more information has been given.The majority of...
WSS029 Message replay detected
What causes this issue? A message protected by an XML Signature was resent.System Response The system issues an error message and will not allow you...
WSS030 No unique mapping for SAML authentication found (Issuer &3)
What causes this issue? No unique mapping for SAML authentication found (Issuer &V3&)System Response Authentication failedHow to fix this er...

Click on this link to search all SAP messages.

The AI Support Assistant is great. It provides comprehensive assistance even on the most difficult issues. I highly recommend this service.

John Jordan
SAP Consultant & Author