Use Custom Domain in Identity Authentication

Identity Authentication allows you to use a custom domain that is different from the default ones (<tenant ID>.accounts.ondemand.com or <tenant ID>.accounts.cloud.sap), for example www.mytenant.com.

  • You are assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.

  • You must have a custom domain.

    Note:

    Internationalized domain names (IDNs) are not supported.

  • You must have configured a CNAME DNS record on your domain that points to the host name used to access Identity Authentication. The host name depends on where the client's tenant is located and can be one of the following:

    Host Names

    | Tenant Location | Infrastructure | Host Name |
    | --- | --- | --- |
    | Australia | SAP | ap.accounts.ondemand.com.cloud.sap.akadns.net |
    | Brazil | AWS | br.accounts.ondemand.com.cloud.sap.akadns.net |
    | Canada | Azure | azr-na-ca.accounts.ondemand.com.cloud.sap.akadns.net |
    | China | SAP | accounts.sapcloud.cn.cloud.sap.akadns.net |
    | EU | SAP | accounts.ondemand.com.cloud.sap.akadns.net |
    | Frankfurt | AWS | aws-eu-de.accounts.ondemand.com.cloud.sap.akadns.net |
    | India | AWS | aws-ap-in.accounts.ondemand.com.cloud.sap.akadns.net |
    | Japan | SAP | jp.accounts.ondemand.com.cloud.sap.akadns.net |
    | Saudi Arabia | SAP | sa.accounts.ondemand.com.cloud.sap.akadns.net |
    | Singapore | AWS | aws-ap-se-1.accounts.ondemand.com.cloud.sap.akadns.net |
    | South Korea | AWS | aws-ap-kr.accounts.ondemand.com.cloud.sap.akadns.net |
    | Switzerland | Azure | azr-eu-ch.accounts.ondemand.com.cloud.sap.akadns.net |
    | UAE | Azure | azr-ap-ae.accounts.ondemand.com.cloud.sap.akadns.net |
    | US East | SAP | us-east.accounts.ondemand.com.cloud.sap.akadns.net |
    | US East Trial | Azure | trial-accounts.ondemand.com.cloud.sap.akadns.net |
    | US West | Azure | azr-us-we.accounts.ondemand.com.cloud.sap.akadns.net |

Note:

If you have already configured a custom domain and only want to add a deprecation trial token for the third-party cookies deprecation, go to step 10.

Remember:

It takes 2 minutes for the configuration changes to take effect.

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Applications and Resources, choose the Tenant Settings tile.

    At the top of the page, you can view the administrative and license-relevant information of the tenant.

  3. Under Customization, choose the Custom Domain list item.

  4. Provide the required information in the provided fields:

    | Field | Information |
    | --- | --- |
    | Domain | The host of your custom domain |
    | DN | The DN used for the domain certificate. The CN attribute is mandatory and must match the custom domain used for the domain certificate. |

  5. Save your configuration.

  6. Choose Download CSR to obtain the CSR file used for the domain certificate.

    1. Select the size of the certificate key. The supported key sizes are 2048, 3072 and 4096. The default value is 3072.

    2. Optional: Add an additional subject alternative name to the CSR.

    3. Choose the Download button and save the generated CSR file.

    Note:

    Use this CSR for the custom domain certificate. Each download generates a new key pair for the CSR. Always use the last downloaded CSR file.

  7. Send the CSR to a trusted Certificate Authority to sign the certificate.

  8. In the tenant's administration console for SAP Cloud Identity Services, go to Applications and Resources > Tenant Settings > Custom Domain > Certificate and upload the SSL certificate signed by the trusted CA, or paste it as text.

    Note:

    Make sure that the subject DN in the domain certificate and the configured subject DN match exactly.

    You can upload either the domain certificate alone or the complete certificate chain. The certificate chain must contain the domain certificate, the intermediate certificate or certificates, and the trusted CA root certificate, in that order.

  9. Save your configuration.

  10. Optional: Add the third-party cookies deprecation trial token in the input field and save the configuration.

    Tip:

    For more information about how to get the third-party cookies deprecation trial token, see Deprecation trials.

The custom domain configuration is enabled with the next upgrade of Identity Authentication. We recommend that you renew your certificate as early as possible, preferably 30 days before expiration, and no later than the Sunday before the productive system upgrade. Identity Authentication has production releases (bi-weekly updates) planned every second Wednesday, 10:00 UTC. There are also immediate updates in case of fixes required for bugs that affect productive application operations, or due to urgent security fixes. For more information on the upgrade calendar of the service, see What's New for Cloud Identity Services.
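The checks that step 8 and the renewal advice above describe can be run locally before the upload, so that a DN typo or a mis-ordered chain is caught on the administrator's machine rather than in the console. The following Go program is an added example and is not part of SAP's documentation or of the Identity Authentication product. It uses only the standard library: CheckChain parses a PEM bundle, requires that the first certificate's subject DN equals the configured DN character for character, that its CN is the custom domain, that the RSA key size is one of the sizes the CSR dialog offers, that every certificate is signed by the one after it (domain certificate, intermediates, root), that a multi-certificate bundle ends in a self-signed root, and it returns the days left until expiry so the 30-day rule can be applied. BuildExampleChain constructs a throwaway root CA, intermediate and domain certificate for www.mytenant.com, the page's placeholder domain, so the checker can run offline; the DN string "CN=www.mytenant.com,O=Example Tenant,C=DE" and all function names are assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckChain validates a PEM bundle against the rules of the upload step and
// returns the number of whole days until the domain certificate expires.
func CheckChain(bundle []byte, domain, configuredDN string, now time.Time) (int, error) {
	var certs []*x509.Certificate
	for rest := bundle; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return 0, fmt.Errorf("unexpected PEM block of type %q", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return 0, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return 0, errors.New("no certificates found in bundle")
	}
	leaf := certs[0] // the domain certificate must come first
	if got := leaf.Subject.String(); got != configuredDN {
		return 0, fmt.Errorf("subject DN %q does not exactly match configured DN %q", got, configuredDN)
	}
	if leaf.Subject.CommonName != domain {
		return 0, fmt.Errorf("CN %q does not match custom domain %q", leaf.Subject.CommonName, domain)
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, errors.New("domain certificate does not carry an RSA key")
	}
	switch bits := pub.N.BitLen(); bits {
	case 2048, 3072, 4096: // the key sizes the CSR dialog offers
	default:
		return 0, fmt.Errorf("unsupported RSA key size %d (expected 2048, 3072 or 4096)", bits)
	}
	// Each certificate must be signed by the next one: leaf, intermediates, root.
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return 0, fmt.Errorf("certificate %d is not signed by certificate %d; chain is out of order or incomplete: %w", i, i+1, err)
		}
	}
	// A full chain ends in the trusted root; the domain certificate alone is also allowed.
	if root := certs[len(certs)-1]; len(certs) > 1 && root.CheckSignatureFrom(root) != nil {
		return 0, errors.New("last certificate in the bundle is not a self-signed root CA")
	}
	if !now.Before(leaf.NotAfter) {
		return 0, fmt.Errorf("domain certificate expired on %s", leaf.NotAfter.Format(time.RFC3339))
	}
	return int(leaf.NotAfter.Sub(now).Hours() / 24), nil
}

// Bundle concatenates PEM blocks into a fresh byte slice, in the order given.
func Bundle(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// issue signs tmpl with signer under parent and returns the parsed certificate and its PEM.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildExampleChain constructs (assumed, in-memory) root CA, intermediate CA and domain
// certificate for www.mytenant.com so the checker can be exercised offline.
func BuildExampleChain(notBefore, notAfter time.Time) (leaf, inter, root []byte, err error) {
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil { // 3072 is the dialog default
			return nil, nil, nil, err
		}
	}
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example CA"}},
			NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	rootCert, root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, nil, nil, err
	}
	interCert, inter, err := issue(caTmpl(2, "Example Intermediate CA"), rootCert, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		// The subject DN the administrator would have configured in the console (assumed values).
		Subject:     pkix.Name{CommonName: "www.mytenant.com", Organization: []string{"Example Tenant"}, Country: []string{"DE"}},
		DNSNames:    []string{"www.mytenant.com"},
		NotBefore:   notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leaf, err = issue(leafTmpl, interCert, &keys[2].PublicKey, keys[1])
	return leaf, inter, root, err
}

func main() {
	now := time.Now()
	leaf, inter, root, err := BuildExampleChain(now, now.AddDate(0, 0, 45))
	if err != nil {
		panic(err)
	}
	days, err := CheckChain(Bundle(leaf, inter, root), "www.mytenant.com", "CN=www.mytenant.com,O=Example Tenant,C=DE", now)
	fmt.Println("days until expiry:", days, "error:", err)
	if err == nil && days < 30 {
		fmt.Println("renew now: the certificate is inside the recommended 30-day renewal window")
	}
}
```

To check a real bundle, replace the call to BuildExampleChain with the bytes of the file you are about to upload and pass the DN exactly as it was saved in step 4; Go renders the subject in RFC 2253 order (CN first), so write the configured DN in that form.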

  1. Configure the tenant's name to be the custom host. Select the custom host for the name from the dropdown list in the SAML 2.0 or OpenID Connect configuration settings. For more information, see Tenant SAML 2.0 Configurations and Tenant OpenID Connect Configurations.

  2. Download the new SAML metadata of the identity provider (IdP). Configure the new metadata of the IdP in every application (service provider) you have set trusts with. For more information about how to configure the metadata, see the documentation of the respective service providers.

  3. If you have configured social identity providers, check the configuration on the social provider side and update the redirect URI to use the new custom host.

  4. If you have configured a corporate identity provider, update the configuration on the corporate identity provider side.

Related Information

Tenant SAML 2.0 Configurations

Get SAML 2.0 IdP Metadata via Parameter

Rotate Signing Certificates

Tenant OpenID Connect Configurations

Change Tenant Texts Via Administration Console

Configure Master Data Texts Via Administration Console

Configure Links Section on Sign-In Screen

Add Instructions Section on Sign-In Screen

Configure X.509 Client Certificates for User Authentication

Enable Users to Generate and Authenticate with Certificates

Configure Tenant Images

Configure Allowed Logon Identifiers

Configure User Identifier Attributes

Configure Trust this browser Option

Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices

Password Recovery Options

Configure Initial Password and Email Link Validity

Configure Session Timeout

Configure Trusted Domains

Change a Tenant's Display Name

Configure Default Risk-Based Authentication for All Applications in the Tenant

Configure Sinch Service in Administration Console

Configure RADIUS Server Settings (Beta)

Configure Mail Server for Application Processes

Configure IdP-Initiated SSO

Send Security Alert Emails

Send System Notifications via Emails

Configure Customer Managed Keys in Administration Console (Restricted Availability)

Configure Default Language for End User Screens

Configure P-User Next Index

Reuse SAP Cloud Identity Services Tenants for Different Customer IDs