SAP Knowledge Base Article - Preview

3068321 - Outbound SSO migration to SHA-256 (Authorized SP Assertion Consumer Service Settings)

Symptom

We are planning to replace the SHA-1 signing mechanism for the SAML exchange between the BizX generic IdP and downstream applications with SHA-256, for better security, by the end of 2024.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

What is Involved

There are Assertion Consumer Service (ACS) entries in the customer's Provisioning settings, and each one is meant for the integration with a downstream application (internal, partner, or third party). Any entry that is still using the SHA-1 signing mechanism should be changed to SHA-256 immediately.

To support this, we have introduced an Application Name field (for better identification) and a flag that indicates whether the integration uses the SHA-256 signing mechanism. If the flag is not checked, SHA-1 is used by default. In addition, we have provided a link to download the SuccessFactors IdP metadata for SHA-256. The URL has the format https://<DC_URL>/idp/samlmetadata?company=<company_id>&cert=sha2 ; however, you will get the SHA-256 certificate with or without the cert parameter in the URL. Customers can now download the certificate and update or delete existing ACS entries from the Admin Center -> Authorized SP Assertion Consumer Service Settings page, in addition to Provisioning. Also, when they create a new ACS entry, the SHA-256 Certificate flag is checked by default and cannot be unchecked.

Provisioning -> Authorized SP Assertion Consumer Service Settings

Admin Center -> Authorized SP Assertion Consumer Service Settings page

Note: The downloaded SHA-256 metadata content will not necessarily mention the algorithm. That is not an issue.
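Because the metadata may not name the algorithm, one way for the owner of a downstream application to confirm the switch is to inspect the signature algorithm declared in a SAML response captured at its ACS endpoint. The following is an added example, not SAP code; the function names are hypothetical and the sample responses are constructed. It only reports the declared algorithms and does not validate the signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Standard W3C XML-DSig algorithm URIs, mapped to the hash they use.
SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
}

def signature_hashes(saml_xml):
    """Return [(signature_hash, [digest_hashes])], one tuple per ds:Signature."""
    # SAML messages never need a DTD; refuse them before parsing.
    if "<!DOCTYPE" in saml_xml or "<!ENTITY" in saml_xml:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(saml_xml)
    results = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        uri = method.get("Algorithm") if method is not None else None
        digests = [DIGEST_ALGS.get(d.get("Algorithm"), "unknown")
                   for d in sig.iter(DS + "DigestMethod")]
        results.append((SIGNATURE_ALGS.get(uri, "unknown"), digests))
    return results

def is_sha256_only(saml_xml):
    """True only if at least one signature exists and all of them use SHA-256."""
    found = signature_hashes(saml_xml)
    return bool(found) and all(
        s == "SHA-256" and set(d) == {"SHA-256"} for s, d in found)

def sample_response(sig_alg, digest_alg):
    # Constructed minimal response: only the elements this check reads.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/><ds:Reference URI="#_constructed">'
        f'<ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>'
        '</ds:SignedInfo></ds:Signature></samlp:Response>')

SHA1_SAMPLE = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                              "http://www.w3.org/2000/09/xmldsig#sha1")
SHA256_SAMPLE = sample_response("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                "http://www.w3.org/2001/04/xmlenc#sha256")
if __name__ == "__main__":
    for name, doc in (("legacy", SHA1_SAMPLE), ("migrated", SHA256_SAMPLE)):
        print(name, signature_hashes(doc), "SHA-256 only:", is_sha256_only(doc))
```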



Environment

SAP SuccessFactors HXM Suite

Keywords

SHA256 Outbound SSO SF-IDP SuccessFactors native IdP , KBA , LOD-SF-PLT-PRV , Provisioning Changes , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-JAM-INT , Integration with SF BizX , LOD-SF-LMS-INT , Integrations with BizX , How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).
