This document is intended to help you configure a SAML 2.0 service provider (SP) in the administration console for Identity Authentication.
You have the service provider metadata. See the service provider documentation for more information or contact the administrator of the service provider.
For more information about how to download the metadata for SAP BTP when it acts as a service provider (SP), see Application Identity Provider. The content in this section is only relevant for the SAP BTP Neo environment. The content in this section isn't relevant for the China (Shanghai) region.
If your scenario includes the enabling of the Trust All Corporate Identity Providers option in the administration console, the service provider metadata must contain the assertion consumer (ACS) endpoint that can process unsolicited SAML responses.
With SAP BTP, the endpoint is the URL of the application's protected page. This endpoint must be either set as a default ACS endpoint of the service provider in Identity Authentication, or chosen by its index when performing IdP-initiated SSO. For more information, see Configure IdP-Initiated SSO.
<ns3:AssertionConsumerService index="1" isDefault="false" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<application URL>/protected.jsp" />
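As an added example (not part of SAP's documentation or tooling), the following Python script pre-checks a service provider metadata file against the points above before it is uploaded: it extracts the entity ID, the AssertionConsumerService endpoints with their index and isDefault flags, and the signing certificates, and reports whether the protected-page ACS endpoint is the default or must be chosen by its index. The metadata, URLs and certificate it parses are constructed placeholders.

```python
# Added example, not SAP's code: pre-check service provider metadata before upload, extracting
# the console fields (entity ID, ACS endpoints, signing certificates) and flagging the points above.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
 <md:SPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="0" isDefault="true" Binding="%s"
   Location="https://sp.example.test/saml/acs"/>
  <md:AssertionConsumerService index="1" isDefault="false" Binding="%s"
   Location="https://sp.example.test/protected.jsp"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (HTTP_POST, HTTP_POST)  # constructed sample; URLs and cert are placeholders


def inspect_sp_metadata(xml_text: str) -> dict:
    """Return the console fields plus a list of findings (empty when all is well)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [{"index": int(e.get("index")), "default": e.get("isDefault") == "true",
            "binding": e.get("Binding"), "location": e.get("Location")}
           for e in sp.findall("md:AssertionConsumerService", NS)]
    # A KeyDescriptor without a "use" attribute covers both signing and encryption.
    certs = [c.text.strip() for k in sp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.iter("{%s}X509Certificate" % NS["ds"])]
    findings = []
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    if sum(a["default"] for a in acs) > 1:
        findings.append("more than one ACS endpoint marked isDefault")
    if len(certs) > 2:
        findings.append("more than two signing certificates (the console accepts two)")
    return {"entity_id": root.get("entityID"), "acs": acs,
            "signing_certs": len(certs), "findings": findings}


def acs_for_protected_page(info: dict, protected_url: str):
    """'default' if the protected-page ACS is the SP default, else its index for IdP-initiated SSO, or None if absent."""
    for a in info["acs"]:
        if a["location"] == protected_url and a["binding"] == HTTP_POST:
            return "default" if a["default"] else a["index"]
    return None
```

For the constructed metadata, acs_for_protected_page returns 1 for the protected page, so that endpoint would have to be selected by index when configuring IdP-initiated SSO.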
The trust is configured by uploading the service provider metadata, or by entering the information manually.
You can enter manually the name of the service provider, its endpoints, and its signing certificate.
You can add up to two signing certificates. Both signing certificates are accepted according to the certificate validity.
You can choose the identity provider certificate to be used for signing for each application. For more information about the identity provider certificates, see Tenant SAML 2.0 Configuration.
The reason you can choose the identity provider certificate per application is that replacing the default identity provider certificate would otherwise cause downtime for all applications, because on the application side they trust the current default certificate. When you add a new identity provider certificate, you can therefore switch the applications one by one to trust the new certificate.
To configure a SAML 2.0 trusted service provider in the administration console for Identity Authentication, proceed as follows:
- Access the tenant's administration console for Identity Authentication by using the console's URL.
  The URL has the following pattern:
  https://<tenant ID>.accounts.ondemand.com/admin
  The tenant ID is automatically generated by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID. For more information about your tenants, see Viewing Assigned Tenants and Administrators.
  If you have a configured custom domain, the URL has the following pattern:
  <your custom domain>/admin
- Under Applications and Resources, choose the Applications tile.
- Choose the application that you want to edit.
  Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
  If there is no application in your list yet, you can create one. For more information, see Create a New Application.
- Choose the Trust tab.
- Under SINGLE SIGN-ON, choose SAML 2.0 Configuration.
- Upload the service provider metadata XML file, use the metadata URL, or manually enter the communication settings negotiated between Identity Authentication and the service provider.
  If your scenario includes the enabling of the Trust All Corporate Identity Providers option, the assertion consumer (ACS) endpoint with the URL of the application's protected page, and its index, must be included in the service provider metadata.
  Use a file with the extension .xml. If you use SAP BTP as a service provider, see Integrating the Service with SAP Business Technology Platform, Neo Environment for more information about how to download its metadata. The content in this section is only relevant for the SAP BTP Neo environment. The content in this section is relevant for the China (Shanghai) region.
  When the metadata file is uploaded, or the metadata URL is used, the fields are populated with the data parsed from the XML. The minimum configuration is to complete the Name field.
Field
Description
Metadata File / Metadata URL
Choose one: the metadata XML file of the service provider, or the URL with the service provider metadata.
Name
The entity ID of the service provider.
Assertion Consumer Service Endpoint
The SP's endpoint URL that receives the response with the SAML assertion from Identity Authentication.
You can see the index number of the endpoint of the assertion consumer service of the service provider as the target of the SAML response.
Single Logout Endpoint
The SP's endpoint URL that receives the logout response or request (for a multiple SPs scenario) from Identity Authentication for the termination of all current sessions.
This field has the following attributes:
- Binding - specifies the SAML binding supported by the logout endpoint: HTTP-POST, HTTP-REDIRECT, or SOAP. The SOAP endpoint is called only when the user password is changed.
- URL - specifies the location of the logout endpoint.
- Response URL - (optional) specifies a different location to which logout response messages should be sent.
Signing Certificate
A base64-encoded certificate used by the service provider to digitally sign SAML protocol messages sent to Identity Authentication.
Use the Add button to add a second signing certificate.
If you have two certificates, you can choose a default one to mark your primary certificate.
The Metadata File, Name, Assertion Consumer Service Endpoint, and Single Logout Endpoint fields are not editable for the system applications.
- Choose the digest algorithm for signing outgoing messages from the dropdown list in the Algorithm section. You have the following options:
- SHA-1
- SHA-256 - the default option (for applications created after Jun 28, 2021)
- SHA-512
- Configure the signing options for the application. You have the following possibilities:
Option - Default Configuration
Sign assertions - On
Sign authentication responses - Off
Sign single logout messages - On
Require signed authentication requests - Off
Require signed single logout messages - On
- Configure the encryption of the SAML 2.0 response:
  - Under Encryption Certificate, add a certificate if no encryption certificate has been added yet or if you want to add a new one.
  - Choose the elements to encrypt from the drop-down:
    - None - the default option
    - Whole Assertion
    - Subject Name ID
    - Subject Name ID and Attributes
    - Attributes
  The method for encryption is aes-128-cbc.
- (If you added a second signing certificate in the tenant settings) Under Identity Provider Certificate, choose the certificate to be used.
  When the default identity provider certificate is replaced with a new one and the old one is no longer used, we recommend that you delete the old certificate.
- Save your selection.
  Once the application has been changed, the system displays the message Application <name of application> updated.
Configure trust on the service provider side:
- Download the SAML 2.0 metadata of Identity Authentication.
  For more information about how to download the SAML 2.0 metadata describing Identity Authentication as identity provider, see Tenant SAML 2.0 Configuration.
- Configure the service provider to trust Identity Authentication.
  See the service provider documentation for more information about how to configure the trust.
If you use SAP BTP as a service provider, see Integrating the Service with SAP Business Technology Platform, Neo Environment.
The content in this section is only relevant for the SAP BTP Neo environment.
The content in this section is not relevant for the China (Shanghai) region.
Related Information
Configure OpenID Connect Application
Troubleshooting for Administrators
Integrating the Service with SAP Business Technology Platform, Neo Environment