SAP Knowledge Base Article - Public

3226460 - Frequently Asked Questions on ByD Security Topics

Symptom

This KBA lists the most frequently asked questions and answers on ByD security topics.

Scope of this KBA is restricted to:

  • SSO
  • Certificates
  • SSL

Environment

SAP Business ByDesign

Resolution

1: When configuring SSO (using any IDP) to connect with SAP Business ByDesign, is it possible to display the below options after completing the SSO settings in IDP and SAP Business ByDesign?

・Login using SSO from the login screen.
・Normal login using SAP Business ByDesign login ID and password.

Answer:

It is not possible to have such a screen in SAP Business ByDesign. For basic authentication (user name and password) the URL is myXXXXXX.sapbydesign.com; when SSO is enabled, the URL contains -SSO.

These are two separate entry points for logging on to the system, so a combined screen offering both options is not possible.

2: How to configure SSO in Azure (Microsoft Entra ID) to connect with SAP Business ByDesign?

Refer to Microsoft tutorial - Microsoft Entra single sign-on (SSO) integration with SAP Business ByDesign

3: How to set up Single Sign-On in SAP Business ByDesign?

Follow the help document:

Configure Your Solution for Single Sign-On

4: Are the user certificate and the tenant certificate the same?

No, they are two different certificates.

5: How to log on to SAP Business ByDesign using a client certificate (X.509)?

Users can log on to SAP Business ByDesign with a client certificate. Follow the help document:

Logging on to the System

6: Can SAP provide a certificate for testing?

No. The certificate must be obtained from one of the trusted certificate authorities.

Find more details on the following page:

Logon Using Client Certificate (X.509) (Document is for SAP Cloud for Customer but still applicable for SAP Business ByDesign).

7: Where to get information about configuring SSO?

Refer to the blog - Single Sign-On (SSO) with SAP Business ByDesign.

8: Is it possible to change predefined SoD conflicts?

Yes, it is possible by enabling the view IAM_VIEW_CONFLICT. For more details refer to the ByD Security Guide.

9: Does the downloaded tenant certificate contain the certification path?

No. When you download the tenant certificate, the file contains only the tenant certificate itself. The "Certification Path" tab of the Windows certificate viewer shows the issuer certificates only if they are already present in the local certificate store. If necessary, download the issuer certificate from SAP Trust Center Services via the link "SAP Passport CA G2".

10. Is it possible in SAP Business ByDesign to have the tenant certificate with 4096 bits?

A tenant certificate with a 4096-bit key is not supported. SAP Business ByDesign supports key sizes of up to 2048 bits only.

11. How to configure the "Logout URL" and "RelayState" when connecting to SAP Business ByDesign via SSO?

The Single Logout URL is contained in the SP metadata XML, which can be downloaded from: Application and User Management -> Common Tasks -> Configure Single Sign-On -> SP Metadata button.

For the RelayState parameter, see the following documentation:

What is RelayState in SAML and how to configure RelayState on AS ABAP
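As an added example (not part of this KBA and not an SAP tool), the Go program below parses a constructed SP metadata document of the kind the SP Metadata button exports, extracts the SingleLogoutService location for the binding the IdP uses, refuses endpoints that are not https, and applies the 80-byte RelayState limit from the SAML 2.0 bindings specification. The entity ID, the host tenant.example and all function names are assumptions; real metadata carries the tenant's own entity ID and URLs.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
)

// SAML 2.0 binding URIs as they appear in SP metadata.
const (
	BindingRedirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	BindingPOST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
)

// sampleSPMetadata is a constructed stand-in for the file the SP Metadata button exports;
// the entity ID and the locations are made up and do not describe a real tenant.
const sampleSPMetadata = `<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://tenant.example/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://tenant.example/saml2/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.example/saml2/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.example/saml2/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`

type endpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}

// spMetadata maps the parts of an EntityDescriptor an IdP administrator needs.
type spMetadata struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	SP       struct {
		AuthnRequestsSigned  bool       `xml:"AuthnRequestsSigned,attr"`
		WantAssertionsSigned bool       `xml:"WantAssertionsSigned,attr"`
		SLO                  []endpoint `xml:"SingleLogoutService"`
		ACS                  []endpoint `xml:"AssertionConsumerService"`
	} `xml:"SPSSODescriptor"`
}

// parseSPMetadata decodes the XML and insists that every endpoint is an https URL,
// since logout requests and assertions must not travel in the clear.
func parseSPMetadata(doc string) (*spMetadata, error) {
	var md spMetadata
	if err := xml.Unmarshal([]byte(doc), &md); err != nil {
		return nil, err
	}
	for _, list := range [][]endpoint{md.SP.SLO, md.SP.ACS} {
		for _, ep := range list {
			u, err := url.Parse(ep.Location)
			if err != nil || u.Scheme != "https" || u.Host == "" {
				return nil, fmt.Errorf("endpoint %q is not an https URL", ep.Location)
			}
		}
	}
	return &md, nil
}

// singleLogoutURL returns the SLO location for binding, the value that goes into the
// IdP's "Logout URL" field; the binding must match what the IdP will actually use.
func singleLogoutURL(md *spMetadata, binding string) (string, error) {
	for _, ep := range md.SP.SLO {
		if ep.Binding == binding {
			return ep.Location, nil
		}
	}
	return "", fmt.Errorf("no SingleLogoutService with binding %s", binding)
}

// checkRelayState applies the SAML 2.0 bindings rule that RelayState must not exceed 80 bytes.
func checkRelayState(rs string) error {
	if len(rs) > 80 {
		return fmt.Errorf("RelayState is %d bytes, the SAML binding allows at most 80", len(rs))
	}
	return nil
}

func main() {
	md, err := parseSPMetadata(sampleSPMetadata)
	if err != nil {
		panic(err)
	}
	slo, err := singleLogoutURL(md, BindingRedirect)
	fmt.Println("entityID:", md.EntityID, "| AuthnRequestsSigned:", md.SP.AuthnRequestsSigned)
	fmt.Println("Logout URL (HTTP-Redirect):", slo, err)
	fmt.Println("RelayState check:", checkRelayState("https://tenant.example/start"))
}
```

Pick the binding the IdP is configured to send logout requests with; an SLO location that exists only for HTTP-POST is useless to an IdP that logs out via HTTP-Redirect.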

12. How to import a key pair file into a third-party tool?

For configuration refer to the documentation below:

Importing Key Pair File to a Third Party Tool

13. When using federation services with SSO, can SAP Business ByDesign automatically pull the certificate when it is about to expire?

Currently, SAP Business ByDesign does not support automatically pulling certificates from federation services for the SSO setup.

14. Which encryption protocol for secure communication is supported in SAP Business ByDesign?

SAP Business ByDesign currently supports TLS 1.2 for secure communication. HTTPS by itself does not fix the protocol version, so check which version your client actually negotiates. If it already uses TLS 1.2, no further action is needed.

If your communication still uses TLS 1.1, update your client or integration so that it supports TLS 1.2, to ensure secure communication with the service.

15. Why do the same business roles show different SoD conflicts in two systems?

SoD conflicts are shown when the Application and User Management work center is assigned.

The Application and User Management work center is for SAP Business ByDesign systems, not for SAP Cloud for Customer systems.

In SAP Cloud for Customer systems, assign the Administrator work center instead of the Application and User Management work center.

If the Business Roles view is required, it is available in the General Settings view of the Administrator work center:

Select Administrator Workcenter --> General Settings view

16. The certificate prompt popup is displayed even though the user has already logged on to the tenant.

Check whether a session refresh interval is configured on the IdP side. The popup to select a certificate appears whenever the IdP generates a new authentication request.

17. How to replace the root certificate in the tenant with a new one?

Here DigiCert Global Root G2 is used as the example of a new root certificate.

  • Go to the DigiCert Trusted Root Authority Certificates website.
  • In the list of certificates, search for DigiCert Global Root G2 and download the PEM file.
  • Upload the PEM file into your trust store in SAP Business ByDesign.

     Steps:

  1. Go to the Application and User Management work center.
  2. Navigate to the Common Tasks work center view.
  3. Select Edit Certificate Trust List.
  4. Choose Upload.
  5. Save changes.

Note: your trust store must include the old root certificate as well as the new root certificate, so that peers whose chain still anchors on the old root remain trusted during the changeover.
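The following Go program is an added example, not code from this KBA or from SAP. With constructed certificates it exercises three points from Q10, Q9/Q17 and Q14 above: the 2048-bit ceiling for the tenant key, the need to keep the old and the new root in the trust list so that a chain still anchors during the rollover, and the refusal a TLS 1.1 client meets at an endpoint that speaks TLS 1.2 only. The host tenant.example, the CA names and the function names are assumptions, and the in-memory server mirrors only the TLS 1.2 requirement stated in Q14, nothing else about ByD's configuration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const maxTenantKeyBits = 2048 // largest RSA key size ByD accepts for a tenant certificate (Q10)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey generates constructed RSA key material for the example; nothing here is SAP-issued.
func newKey(bits int) *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, bits)) }

// issue signs a certificate for cn with parentKey; parent == nil yields a self-signed root.
func issue(cn string, key *rsa.PrivateKey, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // the leaf doubles as the TLS server certificate in negotiate
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// checkTenantKeySize rejects RSA keys above the 2048-bit ceiling from Q10; pub is cert.PublicKey.
func checkTenantKeySize(pub any) error {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", pub)
	}
	if bits := rsaPub.N.BitLen(); bits > maxTenantKeyBits {
		return fmt.Errorf("RSA key is %d bits, ByD supports at most %d", bits, maxTenantKeyBits)
	}
	return nil
}

// verifyAgainstTrustList chains tenant to the listed roots only: a rollover needs old and new root in the list (Q9, Q17).
func verifyAgainstTrustList(tenant *x509.Certificate, trustList ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trustList {
		pool.AddCert(c)
	}
	_, err := tenant.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// negotiate runs a handshake over an in-memory pipe against a TLS 1.2-only server with the client capped at maxClient (Q14).
func negotiate(leaf *x509.Certificate, key *rsa.PrivateKey, roots *x509.CertPool, maxClient uint16) (uint16, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: leaf.Subject.CommonName, MinVersion: tls.VersionTLS10, MaxVersion: maxClient}
	srvConn, cliConn := net.Pipe()
	go func() { tls.Server(srvConn, srvCfg).Handshake(); srvConn.Close() }() // a TLS 1.1 hello gets a protocol_version alert
	c := tls.Client(cliConn, cliCfg)
	defer cliConn.Close()
	if err := c.Handshake(); err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

func main() {
	newRootKey, tenantKey := newKey(2048), newKey(2048)
	oldRoot := issue("Old Root CA", newKey(2048), true, nil, nil)
	newRoot := issue("New Root CA", newRootKey, true, nil, nil)
	tenant := issue("tenant.example", tenantKey, false, newRoot, newRootKey) // placeholder hostname
	fmt.Println("key size:", checkTenantKeySize(tenant.PublicKey))
	fmt.Println("old root only:", verifyAgainstTrustList(tenant, oldRoot))
	fmt.Println("old + new root:", verifyAgainstTrustList(tenant, oldRoot, newRoot))
	pool := x509.NewCertPool()
	pool.AddCert(newRoot)
	for _, maxV := range []uint16{tls.VersionTLS11, tls.VersionTLS12} {
		v, err := negotiate(tenant, tenantKey, pool, maxV)
		fmt.Printf("client max %#x: negotiated %#x, err=%v\n", maxV, v, err)
	}
}
```

Run it with go run: the first verifyAgainstTrustList call fails with an unknown-authority error because only the old root is listed, the second succeeds once the new root is added; the TLS 1.1 client is refused with "protocol version not supported", the TLS 1.2 client negotiates 0x0303.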

18. Is it possible to disable the option “upload certificate” in Configure OAuth 2.0 Identity Providers?

It is not possible to disable this option. To prevent a wrong certificate from being uploaded, restrict access to the link 'Configure OAuth 2.0 Identity Provider' under Administrator -> Common Tasks to key users only.

19. The user is unable to replace an expiring OAuth certificate with the renewed certificate because of a '500 SAP Internal Server Error'.

When an IdP renews its signing/encryption certificate, it may reuse the old key pair and change only the "valid from" date, the "valid to" date and the serial number. Such a certificate cannot be stored alongside the old one in the address book table: both carry the same public key and therefore violate the unique index on the public key fingerprint (PKFINGERPRINT). In this case, create a case with SAP to correct the inconsistency.
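Added example, not from the KBA: the Go snippet below shows why a renewed IdP certificate that keeps the old key pair cannot sit next to the previous one under a unique index on the public-key fingerprint, while a renewal with a freshly generated key pair can. The fingerprint here is SHA-256 over the DER-encoded SubjectPublicKeyInfo, an assumption, since the KBA does not say how PKFINGERPRINT is derived; the idpCert type and the serial numbers are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"time"
)

// idpCert models the fields of a stored IdP certificate entry that a renewal touches.
// A renewal that reuses the key pair changes serial and validity but not PublicKey.
type idpCert struct {
	Serial    int64
	NotBefore time.Time
	NotAfter  time.Time
	PublicKey *rsa.PublicKey
}

// publicKeyFingerprint hashes the DER SubjectPublicKeyInfo, so it depends on the key only,
// never on serial number or validity dates. SHA-256 is an assumption (see the lead-in).
func publicKeyFingerprint(pub *rsa.PublicKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:]), nil
}

// canStoreAlongside reports whether renewed may be inserted next to existing under a
// unique index on the fingerprint, i.e. whether the IdP really rotated its key pair.
// A renewal that does not extend validity is rejected outright.
func canStoreAlongside(existing, renewed idpCert) (bool, error) {
	if !renewed.NotAfter.After(existing.NotAfter) {
		return false, fmt.Errorf("renewed certificate (serial %d) does not extend validity", renewed.Serial)
	}
	a, err := publicKeyFingerprint(existing.PublicKey)
	if err != nil {
		return false, err
	}
	b, err := publicKeyFingerprint(renewed.PublicKey)
	if err != nil {
		return false, err
	}
	return a != b, nil
}

func main() {
	// Constructed key material; not an IdP's real keys.
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	old := idpCert{Serial: 1001, NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(0, 0, 7), PublicKey: &oldKey.PublicKey}
	reused := idpCert{Serial: 2002, NotBefore: now, NotAfter: now.AddDate(1, 0, 0), PublicKey: &oldKey.PublicKey}
	rotated := idpCert{Serial: 2003, NotBefore: now, NotAfter: now.AddDate(1, 0, 0), PublicKey: &newKey.PublicKey}
	ok, _ := canStoreAlongside(old, reused)
	fmt.Println("renewed with reused key pair can be stored alongside:", ok) // false
	ok, _ = canStoreAlongside(old, rotated)
	fmt.Println("renewed with rotated key pair can be stored alongside:", ok) // true
}
```

When the check returns false, the renewed certificate is not a distinct entry as far as the index is concerned, which is exactly the situation the case with SAP has to resolve.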

SSO on the ByD Mobile App

1. Can SSO also be used for the ByD mobile app?

Yes. The SSO URL configured for the system has to be used in the mobile app.

2. What kind of security policy do I have to choose?

Security policies can be selected as desired; no SSO-specific setup is needed here.

Additional information:

For the ByD mobile app specifically, no additional setup is needed. The identity provider has to be configured by the user.

SSO for the system is configured in the Application and User Management work center under Configure Single Sign-On.

Keywords

SSO, certificate, authentication, FAQ, TLS, mobile SSO, KBA, SRD-CC-SEC, Security, Problem

Product

SAP Business ByDesign all versions