
Tenant SAML 2.0 Configuration

As a tenant administrator, you can view and download the tenant's SAML 2.0 metadata. You can also change the name (issuer) format and update the certificate that the identity provider uses to digitally sign the messages it sends to applications.

You must be assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.

Context

Note:

The signing certificate is one and the same for SAML 2.0 and OpenID Connect. A change made in one of the two configurations therefore also affects the other one.

Remember:

The signature and digest methods in the XML of the metadata file depend on the signing certificate configured for the identity provider. If the certificate is issued with the SHA256withRSA algorithm, the signature method is rsa-sha256 and the digest method is sha256. In all other cases (for example, a certificate issued with the SHA256withECDSA algorithm), the signature method is rsa-sha1 and the digest method is sha1. SHA-1 based XML signatures are deprecated and many service providers reject them, so keep the signing certificate on SHA256withRSA unless you have verified that every trusting service provider accepts rsa-sha1.

By default, the signing certificates of new tenants are issued with SHA256withRSA.

Remember:

It takes 2 minutes for configuration changes to take effect.

To view and download the tenant SAML 2.0 metadata, change the name format, or change the default certificate, proceed as follows:

Procedure

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Applications and Resources, choose the Tenant Settings tile.

    At the top of the page, you can view the administrative and license relevant information of the tenant.

  3. Under Single Sign-On, choose the SAML 2.0 Configuration list item.

    The SAML 2.0 Configuration page that opens displays the name of the identity provider, its endpoints, and its signing certificate.

  4. Optional: To download the identity provider's metadata, press the Download Metadata File button.

  5. Optional: To change the name of the identity provider, choose the Name field, select the name from the drop-down list, and save your changes.

    The drop-down list offers the following options:

    | Issuer | Notes |
    | --- | --- |
    | Default Issuer format | https://<tenant ID>.accounts.ondemand.com |
    | Legacy Issuer format | <tenant ID>.accounts.ondemand.com |
    | Common domain | https://<tenant ID>.accounts.cloud.sap |
    | Custom Domain (if configured) | <custom domain host> |
    | Tenants in China region | https://<tenant ID>.accounts.sapcloud.cn |

    Note:

    Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation email with a URL in it. This URL contains the tenant ID.

    Remember:

    Change the name of the identity provider on the service provider side every time you change the name format of the identity provider in the administration console. If you have set trusts with more than one service provider, change the name in every service provider. For more information about how to edit the name, see the documentation of the respective service providers.

    If the name change succeeds, the system displays the message Tenant <name of tenant> updated.

  6. Optional: Update your signing certificate. You can choose from the following options:

    • To regenerate the existing certificate with a new validity period, reusing the same private key, choose Add > Regenerate > Next Step > choose the validity from the drop-down list > Next Step > Finish > Save.

    • To create a new certificate with a new private key and the same Subject DN, choose Add > Create new > Next Step > choose the key size and validity from the drop-down lists > Next Step > Finish > Save.

    • To create a new certificate signed by your own trusted CA, choose Add > Download CSR > Next Step > enter the Subject DN and choose the key size and validity from the drop-down lists > Next Step > Download CSR.

      When you receive the issued certificate, paste it as text in the View Certificate Details dialog.

    To change the default certificate for the tenant, choose the new one from the list and save your configuration.

Caution:

When you change the default certificate for the tenant, you must also update the trust with every service provider, because they validate the identity provider's signatures against the certificate they have on file. For more information, see Configure OpenID Connect Application.
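After changing the name format (step 5) or rotating the signing certificate (step 6), the practical question is what the service providers now have to trust. The following script, an added example that is not part of this page or of SAP's own tooling, inspects a downloaded metadata file with only the Python standard library: it extracts the entityID, the SSO endpoint and the SHA-256 fingerprint of each signing certificate, maps the signature and digest method URIs to the short names used above, and lists what still has to change on the service-provider side. The tenant ID `example-tenant`, the endpoint path and the certificate bytes in the embedded sample are constructed placeholders, not real SAP values.

```python
"""Inspect a downloaded SAML 2.0 IdP metadata file (added example, not SAP code).

Reports which entityID service providers must trust, which signing certificate
(by SHA-256 fingerprint) the metadata carries, and whether rsa-sha1/sha1 is used.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# XML-DSig algorithm URIs mapped to the short names the page uses.
ALGORITHM_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}
WEAK_ALGORITHMS = {"rsa-sha1", "sha1"}

# Constructed stand-in for the base64-encoded DER certificate a real file carries.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample of a downloaded metadata file. Tenant ID, endpoint
# path and signature values are placeholders, not real SAP values.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-tenant.accounts.ondemand.com">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI=""><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same tenant, but signed the way the page describes for certificates that are
# not SHA256withRSA: signature method rsa-sha1, digest method sha1.
LEGACY_SAMPLE_METADATA = SAMPLE_METADATA.replace(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1").replace(
    "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2000/09/xmldsig#sha1")


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_cert.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def inspect_metadata(xml_text: str) -> dict:
    """Extract the trust-relevant facts from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]  # no 'use' = signing and encryption
    algorithms = []
    for path in ("ds:Signature/ds:SignedInfo/ds:SignatureMethod",
                 "ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod"):
        el = root.find(path, NS)
        uri = el.get("Algorithm") if el is not None else None
        algorithms.append(ALGORITHM_NAMES.get(uri, uri))
    sig, dig = algorithms
    return {
        "entity_id": root.get("entityID"),
        "signing_fingerprints": [cert_fingerprint(c) for c in certs if c],
        "sso": [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)],
        "signature_method": sig,
        "digest_method": dig,
        "weak_signature": sig in WEAK_ALGORITHMS or dig in WEAK_ALGORITHMS,
    }


def check_sp_trust(info: dict, sp_issuer: str, sp_fingerprints: set) -> list:
    """List what still has to change on the service-provider side (empty = in sync)."""
    actions = []
    if info["entity_id"] != sp_issuer:
        actions.append(f"update the IdP name on the SP: {sp_issuer!r} -> {info['entity_id']!r}")
    if not set(info["signing_fingerprints"]) & sp_fingerprints:
        actions.append("import the current signing certificate into the SP trust: "
                       + ", ".join(info["signing_fingerprints"]))
    if info["weak_signature"]:
        actions.append(f"metadata is signed with {info['signature_method']}/"
                       f"{info['digest_method']}; many SPs reject SHA-1, prefer SHA256withRSA")
    return actions
```

Run `inspect_metadata` on the file you download in step 4 (wait the 2 minutes noted above after saving), then pass the issuer and certificate fingerprint currently configured on each service provider to `check_sp_trust`; an empty list means that service provider is in sync with the tenant. Comparing fingerprints rather than certificate text catches the case where a certificate was regenerated with the same private key but a new validity period.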

Related Information

Tenant OpenID Connect Configurations

Change Tenant Texts Via Administration Console

Configure Master Data Texts Via Administration Console

Configure Links Section on Sign-In Screen

Add Instructions Section on Sign-In Screen

Configure X.509 Client Certificates for User Authentication

Configure Tenant Images

Configure Allowed Logon Identifiers

Configure User Identifier Attributes

Configure Trust this browser Option

Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices

Enable Users to Recover Password with Security Questions

Enable Users to Recover Password with PIN Code

Configure Initial Password and Email Link Validity

Configure Session Timeout

Configure Trusted Domains

Use Custom Domain in Identity Authentication

Change a Tenant's Display Name

Configure Default Risk-Based Authentication for All Applications in the Tenant

Configure Sinch Service in Administration Console

Configure RADIUS Server Settings (Beta)

Configure Mail Server for Application Processes

Configure IdP-Initiated SSO

Send Security Alert Emails

Send System Notifications via Emails

Configure Customer-Controlled Encryption Keys in Administration Console (Restricted Availability)

Configure Default Language for End User Screens

Configure P-User Next Index

Reuse SAP Cloud Identity Services Tenants for Different Customer IDs

Configuring Tenant Settings