As a tenant administrator, you can view and download the tenant SAML 2.0 metadata. You can also change the name format and update the certificate that the identity provider uses to digitally sign the messages it sends to applications.
You must be assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
The signing certificate is one and the same for SAML 2.0 and OpenID Connect. A change in one of the configurations therefore also affects the other one.
The signature and digest methods in the XML of the metadata file depend on the signing certificate configured for the identity provider. If the certificate is issued with the SHA256withRSA algorithm, the signature method is rsa-sha256 and the digest method is sha256. In all other cases, for example if the certificate is issued with the SHA256withECDSA algorithm, the signature method is rsa-sha1 and the digest method is sha1. By default, the signing certificates of new tenants are issued with SHA256withRSA. SHA-1 is deprecated for XML signatures and some service providers reject it, so keep an RSA signing certificate unless you have confirmed that every relying party accepts the rsa-sha1/sha1 combination.
It takes 2 minutes for configuration changes to take effect.
To view and download the tenant SAML 2.0 metadata, change the name format, or change the default certificate, proceed as follows:
1. Sign in to the administration console for SAP Cloud Identity Services.
2. Under Applications and Resources, choose the Tenant Settings tile.
At the top of the page, you can view the administrative and license-relevant information of the tenant.
3. Under Single Sign-On, choose the SAML 2.0 Configuration list item.
The SAML 2.0 Configuration page that opens displays the name of the identity provider, its endpoints, and its signing certificate.
4. Optional: To download the identity provider's metadata, choose the Download Metadata File button and choose one of the options:
- Default certificate
- Non-default certificate
- All certificates
5. Optional: To change the name of the identity provider, go to the Identity Provider Settings tab, choose the Edit button next to the Name field, select the name format from the drop-down list, and save your changes.
The drop-down list offers the following options (issuer format: resulting issuer value):
- Default Issuer format: https://<tenant ID>.accounts.ondemand.com
- Legacy Issuer format: <tenant ID>.accounts.ondemand.com
- Common domain: https://<tenant ID>.accounts.cloud.sap
- Custom Domain (if configured): <custom domain host>
- Tenants in China region: https://<tenant ID>.accounts.sapcloud.cn
The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation email containing a URL; that URL contains the tenant ID.
Every time you change the name format of the identity provider in the administration console, change the identity provider's name accordingly on the service provider side and on the corporate identity provider side. If you have set up trust with more than one service provider or corporate identity provider, change the name in every one of them. Until a provider is updated, the Issuer value in the messages it receives no longer matches the identity provider it has configured, and sign-in through that provider fails. For more information about how to edit the name, see the documentation of the respective service or corporate identity provider.
If the change of the name is successful, the system displays the message Tenant <name of tenant> updated.
6. Optional: To update your signing certificate, go to the Signing Certificates tab and choose the +Add button on the right. You can choose from the following options:
- Regenerate the existing certificate with new validity, reusing the same private key > Next Step > choose the validity from the drop-down > Next Step > Finish. Because the private key is unchanged, this only extends the validity period; it is not a remedy if the key may have been exposed.
- Create a new self-signed certificate with a new private key and the same Subject DN > Next Step > select the key size > choose the validity from the drop-down > Next Step > Finish.
- Download your Certificate Signing Request > Next Step > enter the Subject DN and select the key size and validity > Next Step > Download CSR. Use the downloaded .csr file to obtain a certificate from your trusted CA. Copy the newly issued certificate, choose the edit (pencil) icon, and paste the certificate as text in the Certificate Information field.
To change the default certificate for the tenant, choose Edit > select the new certificate from the list > Save.
When you change the default certificate for the tenant, you must also update the trust with the service provider: a service provider that still trusts only the previous certificate rejects assertions signed with the new one. Adding the new certificate first and switching the default later lets you distribute it (via the Non-default certificate or All certificates metadata) to your service providers before it is used for signing. For more information, see Configure SAML 2.0 Service Provider.
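As an added worked example (not part of the SAP documentation or product), the following Python script inspects a downloaded IdP metadata file the way an administrator would before updating trust on the service-provider side after a name-format or certificate change: it reports the entityID and which issuer format from the Name drop-down it follows, the advertised signature and digest methods (flagging the SHA-1 case described above), and the SHA-256 fingerprints of the published signing certificates so they can be compared with the certificate the service provider currently trusts. It does not verify the XML signature. The tenant name, endpoint and metadata are constructed placeholders; the certificate elements are not real DER certificates (the first decodes to the bytes "abc", so its fingerprint is the well-known SHA-256 test vector).

```python
# Inspect downloaded SAML 2.0 IdP metadata before (re)establishing SP trust. Added
# example, not SAP code: it parses the metadata and does NOT verify the XML signature.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# XML Signature algorithm URIs. Per the page, an RSA signing certificate gives
# rsa-sha256/sha256 in the metadata; any other certificate type gives rsa-sha1/sha1.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Issuer formats from the Name drop-down (the tenant ID is a single DNS label).
# A custom domain can be any host, so it is the fallback rather than a pattern.
ISSUER_FORMATS = [
    ("Default Issuer format", re.compile(r"^https://[^./]+\.accounts\.ondemand\.com$")),
    ("Legacy Issuer format", re.compile(r"^[^./]+\.accounts\.ondemand\.com$")),
    ("Common domain", re.compile(r"^https://[^./]+\.accounts\.cloud\.sap$")),
    ("Tenants in China region", re.compile(r"^https://[^./]+\.accounts\.sapcloud\.cn$")),
]

# Constructed sample for a hypothetical tenant "example-tenant". The X509Certificate
# bodies are placeholders, not DER certificates: the first decodes to b"abc", so its
# SHA-256 fingerprint is the standard test vector; the second decodes to b"def".
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.accounts.ondemand.com">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZGVm</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def classify_issuer(entity_id: str) -> str:
    """Return the issuer format (as named in the Name drop-down) that entity_id follows."""
    for name, pattern in ISSUER_FORMATS:
        if pattern.match(entity_id):
            return name
    return "Custom Domain (or unrecognised)"


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint (colon-separated upper-case hex) of a base64 certificate body."""
    der = base64.b64decode("".join(b64_cert.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit_idp_metadata(xml_text: str, sp_trusted_fingerprint: Optional[str] = None) -> dict:
    """Summarise the trust-relevant parts of the metadata and list findings."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    dig = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    sig_alg = sig.get("Algorithm") if sig is not None else None
    dig_alg = dig.get("Algorithm") if dig is not None else None
    certs = root.findall("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    fingerprints = [cert_fingerprint(c.text or "") for c in certs]
    sso = [e.get("Location") for e in
           root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    uses_sha1 = any((alg or "").endswith("sha1") for alg in (sig_alg, dig_alg))
    findings = []
    if sig_alg is None or dig_alg is None:
        findings.append("metadata carries no XML signature; verify where it came from")
    elif uses_sha1:
        findings.append("SHA-1 signature/digest advertised; use an RSA signing certificate")
    trust_ok = None  # only evaluated when the SP's currently trusted fingerprint is given
    if sp_trusted_fingerprint is not None:
        trust_ok = sp_trusted_fingerprint.upper() in fingerprints
        if not trust_ok:
            findings.append("SP trusts a certificate absent from the metadata; update SP trust")
    return {"entity_id": entity_id, "issuer_format": classify_issuer(entity_id),
            "signature_method": sig_alg, "digest_method": dig_alg, "uses_sha1": uses_sha1,
            "signing_fingerprints": fingerprints, "sso_endpoints": sso,
            "sp_trust_matches": trust_ok, "findings": findings}


if __name__ == "__main__":
    for key, value in audit_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the file produced by Download Metadata File (All certificates) and pass the fingerprint the service provider shows for its trusted IdP certificate; an empty findings list means the issuer format, algorithms and certificate all line up, while a trust finding tells you which side still needs updating before switching the default certificate.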
Related Information
Get SAML 2.0 IdP Metadata via Parameter
Tenant OpenID Connect Configurations
Change Tenant Texts Via Administration Console
Configure Master Data Texts Via Administration Console
Configure Links Section on Sign-In Screen
Add Instructions Section on Sign-In Screen
Configure X.509 Client Certificates for User Authentication
Enable Users to Generate and Authenticate with Certificates
Configure Allowed Logon Identifiers
Configure User Identifier Attributes
Configure Trust this browser Option
Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices
Configure Initial Password and Email Link Validity
Use Custom Domain in Identity Authentication
Change a Tenant's Display Name
Configure Default Risk-Based Authentication for All Applications in the Tenant
Configure Sinch Service in Administration Console
Configure RADIUS Server Settings (Beta)
Configure Mail Server for Application Processes
Send System Notifications via Emails
Configure Customer Managed Keys in Administration Console (Restricted Availability)
Configure Default Language for End User Screens
Reuse SAP Cloud Identity Services Tenants for Different Customer IDs