Symptom
- With the 2H2024 release, we have deprecated the SHA-1 signing mechanism for SAML exchange between the BizX generic IdP and downstream applications and replaced it with SHA-256 for better security.
- All authorized SP assertion consumer service (ACS) entries still using the SHA-1 signing mechanism have stopped functioning.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
What is Involved
There are Assertion Consumer Service entries in the customer's provisioning settings, and each is meant for the integration with a downstream application (internal/partner/third party). Any entry that is still using SHA-1 should be changed to SHA-256 immediately.
To support this, we have introduced an Application Name (for better identification) and a flag that indicates whether the integration uses the SHA-256 signing mechanism. If the flag is not checked, SHA-1 is used by default. In addition, we have provided a link to download the SuccessFactors IdP metadata for SHA-256. The URL is in the format: https://<DC_URL>/idp/samlmetadata?company=<company_id>&cert=sha2 ; however, the certificate is returned in SHA-256 with or without this parameter in the URL. Customers can now download the certificate, and update or delete existing ACS entries, from the Admin Center-> Authorized SP Assertion Consumer Service Settings page, in addition to Provisioning. Also, when they create a new ACS entry, the SHA-256 Certificate flag is checked by default and cannot be unchecked.
Provisioning-> Authorized SP Assertion Consumer Service Settings
Admin Center-> Authorized SP Assertion Consumer Service Settings page
Note: The downloaded SHA-256 metadata content will not necessarily mention the algorithm; that is not an issue.
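Because the metadata may not name the algorithm, one way to confirm what a downstream application actually receives is to read the algorithm identifiers declared in a decoded SAML response. The script below is an added example, not SAP code: the function names and the sample XML are constructed for illustration, and it assumes you already have the response XML as text.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# W3C XML-DSig algorithm identifiers that depend on SHA-1.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def signature_algorithms(saml_xml):
    """List the algorithms declared by every <ds:Signature> in a SAML message.

    Reports declared algorithms only; it does not verify the signature.
    """
    root = ET.fromstring(saml_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        sig_alg = method.get("Algorithm") if method is not None else None
        digests = [d.get("Algorithm") for d in
                   sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")]
        parent = parent_of.get(sig)
        findings.append({
            "signed_element": parent.tag.split("}")[-1] if parent is not None else None,
            "signature_method": sig_alg,
            "digest_methods": digests,
            # A SHA-256 signature over a SHA-1 digest is still flagged.
            "uses_sha1": any(a in SHA1_URIS for a in [sig_alg, *digests]),
        })
    return findings

def sample_response(sig_alg, digest_alg):
    """Constructed SAML response skeleton (not captured from a real system)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    legacy = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                             "http://www.w3.org/2000/09/xmldsig#sha1")
    for finding in signature_algorithms(legacy):
        print(finding)
```

An entry whose responses still report `uses_sha1` as true after the change is one where the SHA-256 flag has not taken effect.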
Environment
SAP SuccessFactors HCM Suite
Product
Keywords
SHA256 Outbound SSO SF-IDP SuccessFactors native IdP , KBA , LOD-SF-PLT-PRV , Provisioning Changes , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-JAM-INT , Integration with SF BizX , LOD-SF-LMS-INT , Integrations with BizX , LOD-SF-RNR-INT , Vendor Integrations, Integration Center , LOD-SF-VRP-INT , Integrations with CMP, PM, EC, etc. , LOD-SF-CMP-INT , Integrations & Intelligent Services EC , How To
About this page
This is a preview of a SAP Knowledge Base Article.