SAP Knowledge Base Article - Preview

2462389 - SAML2.0: Renew IdP signing certificate on Service Provider on NetWeaver ABAP without downtime

Symptom

  • Your Identity Provider (IdP) renews or updates the signing certificate.
  • You do not want to have downtime of the SAML 2.0 authentication due to signature verification errors.
  • The SAML trace shows the error "Signature validation with the configured primary certificate failed. Details: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)" after an SSO logon fails. The IdP is signing the assertion with a different certificate than the one stored in transaction STRUST -> folder SSF SAML2 Service Provider - S -> certificate list, and you need to upload the correct certificate as the secondary certificate.

 



Environment

  • SAP enhancement package 2 for SAP NetWeaver 7.0
  • SAP NetWeaver 7.3
  • SAP enhancement package 1 for SAP NetWeaver 7.3
  • SAP NetWeaver 7.4
  • SAP NetWeaver 7.5 and higher

Product

SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5 ; SAP enhancement package 1 for SAP NetWeaver 7.3 ; SAP enhancement package 2 for SAP NetWeaver 7.0

Keywords

SAML 2.0, renew certificate, verify signature, trusted provider, primary signing certificate, secondary signing certificate, SSFW_KRN_VERIFY, The validation of message 'Response' failed, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, How To

About this page

This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).
