SAP Knowledge Base Article - Preview

3068321 - Outbound SSO migration to SHA-256 (Authorized SP Assertion Consumer Service Settings)


We are planning to retire the SHA-1 signing mechanism for the SAML exchange between the BizX Generic IdP and downstream applications in favor of SHA-256, for better security, by the end of 2021 (planned date).

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

What is Involved

The customer's provisioning settings contain Assertion Consumer Service entries, each meant for the integration with one downstream application (internal, partner, or third party). This mechanism has used SHA-1, which is to be changed to SHA-256 in the future.

To support this, we have introduced an Application Name (for better identification) and a flag that indicates whether the integration uses the SHA-256 signing mechanism. If the flag is not checked, SHA-1 is used by default. In addition, we have provided a link to download the SuccessFactors IdP metadata for SHA-256. The URL has the format: https://<DC_URL>/idp/samlmetadata?company=<company_id>&cert=sha2

Note: The downloaded SHA-256 metadata content will not necessarily mention the algorithm; that is not an issue.



SAP SuccessFactors HXM Suite


SHA256 Outbound SSO SF-IDP SuccessFactors native IdP , KBA , LOD-SF-PLT-PRV , Provisioning Changes , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-JAM-INT , Integration with SF BizX , LOD-SF-LMS-INT , Integrations with BizX , How To
