Symptom
- How to change an SAML v2 certificate
- Steps for updating an DES/3DES token
- What is the process for updating an SSO certificate or token?
- Can multiple/rolling IDP signing certificates be configured in SuccessFactors?
Environment
SAP SuccessFactors HXM Suite
Resolution
The process to update a security certificate/token is done in Provisioning. Only Partners and Support have access to Provisioning. Please contact your Implementation Partner, provide the certificate for them and requesting the change.
If you don't have an Implementation Partner, please follow the process below:
- Open an case with Customer Support selecting the component LOD-SF-PLT-CER
- Attach on the case the new Signing certificate/token in a plain text format or .cert format
- Provide the availability of your IT team or specialist to have a meeting with SuccessFactors to execute a simultaneous replacement of the certificate on both sides
Notes:
- The process usually takes about 30 minutes to install and verify. But, for proper planning on Support end, please raise these tickets at least 5-7 working days ahead of time.
- This meeting will need to be scheduled during regular business hours. We don't update certificates on weekends.
- Please request the meeting time and we will get back to you with the invitation details
- Only one IDP signing certificate can be configured in SuccessFactors at one time. It is not possible to add multiple/rolling signing certificates in provisioning.
- Partners, follow instructions in KB article 2317944 - SAML 2.0 Provisioning Guide - Troubleshooting Tips and Tricks - Common Errors and Resolutions > section How to Update the SAML verifying certificate?
IMPORTANT:
For those customers still using the old SSO certificate AND not integrated with SAP Cloud Identity Services – Identity Authentication, users will no longer be able to access SAP SuccessFactors HCM suite, causing downtime for the system. Therefore, we are requesting all SAP SuccessFactors HCM suite SSO customers not yet integrated with the Identity Authentication service to migrate to Identity Authentication or renew the certificate.
See Also
Keywords
sf, success factors, bizx, biz x, SSO, SAML2, SAML v2, signing certificate, expired, expiration, format, cert, Renewal of Single-Sign-On Specifically, the current SAP SuccessFactors HCM suite Single Sign-On (SSO) certificate is set to expire on June 2, 2025. After June 2, 2025, for those customers still using the old SSO certificate AND not integrated with SAP Cloud Identity Services – Identity Authentication, users will no longer be able to access SAP SuccessFactors HCM suite, causing downtime for the system. Therefore, we are requesting all SAP SuccessFactors HCM suite SSO customers not yet integrated with the Identity Authentication service to migrate to Identity Authentication or renew the certificate before June 2, 2025, to avoid downtime. , KBA , LOD-SF-PLT-CER , SAML Certificate Change , How To