SAP Knowledge Base Article - Public

3226460 - Frequently Asked Questions on ByD Security Topics

Symptom

This KBA lists the most frequently asked questions and answers on SAP Business ByDesign (ByD) security topics.

The scope of this KBA is restricted to:

  • SSO
  • Certificates
  • SSL/TLS

Environment

SAP Business ByDesign

Resolution

1: You are configuring SSO (with any IdP) for ByD and would like to know whether it is possible to offer both of the options below on the logon screen after the SSO settings have been completed in the IdP and in SAP Business ByDesign:

  • Logon using SSO from the logon screen
  • Normal logon using the SAP Business ByDesign login ID and password

Answer:

No, SAP Business ByDesign does not offer such a combined screen. For basic authentication (user name and password) the URL is myXXXXXX.sapbydesign.com; when SSO is enabled, the URL contains "-SSO".

These are two separate entry points into the system, so the screen described above is not possible.

2: How to configure SSO in Azure Active Directory to connect with SAP Business ByDesign?

Refer to the Microsoft tutorial: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sapbusinessbydesign-tutorial

3: How to set up Single Sign-On in ByDesign?

Follow the help document:

https://help.sap.com/docs/SAP_CLOUD_FOR_CUSTOMER/abfba1342cfb4832ab722fa041f6c4b7/f1e6f23267b542ce9a906823c70dc583.html?locale=en-US

4: Are the user certificate and the tenant certificate the same?

No. They are different certificates: the user certificate is the X.509 client certificate an individual user logs on with (see question 5), whereas the tenant certificate belongs to the tenant itself (see questions 9 and 10).

5: How to log on to ByD using a client certificate (X.509)?

Users can log on to ByDesign with an X.509 client certificate. Follow the help document: https://help.sap.com/docs/SAP_BUSINESS_BYDESIGN/2754875d2d2a403f95e58a41a9c7d6de/9af7170c8661101482cd8d8dce5e5949.html

6: Can SAP provide me with a certificate for testing?

No. The customer needs to obtain the certificate from one of the trusted Certificate Authorities. More details: https://help.sap.com/docs/SAP_CLOUD_FOR_CUSTOMER/abfba1342cfb4832ab722fa041f6c4b7/e2edbf58fb334439892eda3e6afc87b9.html?locale=en-US (the document is written for C4C but also applies to ByD).

7: Where can I find information about configuring SSO?

Refer to the blog post: https://blogs.sap.com/2017/05/24/single-sign-on-sso-with-sap-business-bydesign/

8: Is it possible to change the predefined SoD conflicts?

Yes, by enabling the view IAM_VIEW_CONFLICT. For details refer to the ByD Security Guide.

9: Does the downloaded tenant certificate include the certification path (issuer chain)?

No. The download contains only the tenant certificate itself. The "Certification Path" tab of the Windows certificate viewer shows the issuer certificates only if they are already present in the local certificate store. If required, download the issuer certificate from SAP Trust Center Services via the link "SAP Passport CA G2".

10. You require a tenant certificate with a 4096-bit key. Is this possible in ByD?

No. A tenant certificate with a 4096-bit key is not supported; ByD supports key sizes up to 2048 bits only.

11. How to configure the "Logout URL" and "RelayState" when connecting an IdP to ByDesign via SSO?

The Single Logout URL can be found in the SP metadata XML, which can be downloaded from Application and User Management -> Common Tasks -> Configure Single Sign-On -> SP Metadata button.

For the RelayState parameter, see https://blogs.sap.com/2019/02/19/what-is-relaystate-in-saml-and-how-to-configure-relaystate-on-as-abap/
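The SP metadata mentioned above is an ordinary SAML 2.0 metadata document, so the Single Logout URL (and the Assertion Consumer Service URL the IdP also needs) can be read out of it mechanically. The following is an added example, not SAP code: SAMPLE_SP_METADATA is a constructed document with example.com URLs standing in for a real tenant's metadata, and the RelayState checks implement the SAML 2.0 Bindings rule that RelayState must not exceed 80 bytes plus the open-redirect precaution any receiver of a RelayState return URL should take.

```python
"""Read the SSO endpoints an IdP admin needs from SAML 2.0 SP metadata, and vet RelayState.

Added example, not SAP code. SAMPLE_SP_METADATA is a constructed document with example.com
URLs; a real ByD tenant's SP metadata is the file downloaded via Configure Single Sign-On."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
}
RELAY_STATE_MAX_BYTES = 80   # SAML 2.0 Bindings spec: RelayState MUST NOT exceed 80 bytes

SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml2/slo/redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/slo/post"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def short_binding(uri):
    """Map a binding URI to the short name IdP configuration screens usually show."""
    return BINDINGS.get(uri, uri)


def parse_sp_metadata(xml_text):
    """Return entityID, signing requirements, and the SLO and ACS endpoints of an SP."""
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "slo": {short_binding(e.get("Binding")): e.get("Location")
                for e in sp.findall(MD + "SingleLogoutService")},
        "acs": [{"index": int(e.get("index")), "default": e.get("isDefault") == "true",
                 "binding": short_binding(e.get("Binding")), "location": e.get("Location")}
                for e in sp.findall(MD + "AssertionConsumerService")],
    }


def validate_relay_state(relay_state, sp_host):
    """Return None if RelayState is acceptable, otherwise the reason to reject it.

    RelayState comes back via the browser, so it is attacker-influenceable: enforce the
    80-byte limit and, when it names a return URL, allow only https on our own host."""
    if not relay_state:
        return None                      # absent: SP falls back to its default landing page
    if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
        return "RelayState longer than 80 bytes"
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:     # absolute URL (also catches scheme-relative //host)
        if parts.scheme != "https" or parts.hostname != sp_host:
            return "RelayState points off-site"
    elif not relay_state.startswith("/") or "\\" in relay_state:
        return "RelayState is not a local path"
    return None


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID:", info["entity_id"])
    for binding, url in info["slo"].items():
        print(f"Single Logout ({binding}): {url}")
    for acs in info["acs"]:
        print(f"ACS #{acs['index']}{' (default)' if acs['default'] else ''}: {acs['location']}")
```

Point parse_sp_metadata at the SP metadata file downloaded from the tenant to get the values for the IdP's Single Logout and Assertion Consumer Service fields. validate_relay_state is written from the receiving side: a RelayState that carries a return URL is a classic open-redirect vector if it is followed without checking scheme and host.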

12. How to import a key pair file into a third-party tool?

Refer to the configuration documentation.

13. When using federation services with SSO, can ByD automatically fetch the IdP certificate when it is about to expire?

No. ByD currently does not support automatically pulling certificates from federation services for the SSO setup; the renewed IdP certificate has to be updated in ByD manually.

14. Which protocol for secure (encrypted) communication is supported in ByD?

SAP Business ByDesign currently supports TLS 1.2 for secure communication. If your HTTPS communication with the tenant already negotiates TLS 1.2, no further action is needed.

If your client or integration still negotiates TLS 1.1 (or older), update it to support TLS 1.2 to ensure secure communication with the provider's service.
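Whether a connection "is already using TLS 1.2" is something you can measure rather than assume. The following added example (not SAP code; standard library only) does two things: it builds a client TLS context that refuses anything below TLS 1.2, which is the fix for an integration written in Python that still negotiates TLS 1.1, and it probes a host to report the protocol the server actually agrees to. The tenant host name used in the usage block is the placeholder from question 1.

```python
"""Client-side TLS 1.2 floor and a probe of what a server negotiates.

Added example, not SAP code; it uses only the Python standard library."""
import socket
import ssl

ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")   # names as returned by SSLSocket.version()


def hardened_client_context():
    """Context that verifies the server and refuses anything below TLS 1.2.

    create_default_context() already enables CERT_REQUIRED and hostname checking; the
    explicit minimum_version makes the floor independent of the Python/OpenSSL defaults."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_enforces_tls12(ctx):
    """True if a context cannot negotiate below TLS 1.2 and still verifies the peer."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def meets_policy(version):
    """Classify a negotiated protocol name, e.g. 'TLSv1.1' -> False."""
    return version in ACCEPTED_VERSIONS


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Connect to host:port with the hardened context and return the agreed protocol.

    A handshake failure (ssl.SSLError) means one side cannot meet the TLS 1.2 floor."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    # placeholder tenant host from question 1; pass a real host name as the first argument
    host = sys.argv[1] if len(sys.argv) > 1 else "myXXXXXX.sapbydesign.com"
    try:
        version = negotiated_tls_version(host)
        verdict = "OK" if meets_policy(version) else "UPDATE REQUIRED"
        print(f"{host}: negotiated {version} -> {verdict}")
    except (ssl.SSLError, OSError) as exc:
        print(f"{host}: handshake failed under the TLS 1.2 floor: {exc}")
```

Run it with the tenant host name as the argument. For an integration that uses a different HTTP stack (Java, .NET, an ESB), the equivalent setting is that stack's minimum protocol version; the point is the same: set the floor explicitly instead of relying on platform defaults.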

15. Why do you see different SoD conflict behaviour for the same business roles in two systems?

You get SoD conflicts when assigning the Application and User Management work center.

The Application and User Management work center is for ByDesign systems, not for C4C systems. In a C4C system, assign the Administrator work center instead of the Application and User Management work center.

If you want to use the Business Roles view, it is available in the General Settings view of the Administrator work center:

Select Administrator work center --> General Settings view

16. You get a certificate prompt popup even though you are already logged on to the tenant?

Check whether a refresh or re-authentication interval is configured on the IdP side. The popup asking you to select a certificate appears whenever the IdP generates a new authentication request.

17. How to add a new root certificate to the tenant's trust list?

Here DigiCert Global Root G2 is taken as the example of a new root certificate.

     Steps:

  1. Go to the Application and User Management work center
  2. Navigate to the Common Tasks work center view
  3. Select Edit Certificate Trust List
  4. Choose Upload
  5. Save your changes

Note: Your trust store must include both the old root certificate and the new root certificate, so that certificate chains issued under either root keep validating during the transition.

18. Is it possible to disable the option "Upload Certificate" in "Configure OAuth 2.0 Identity Providers"?

It is not possible to disable this option. To prevent a wrong certificate from being uploaded, restrict access to the link 'Configure OAuth 2.0 Identity Providers' under Administrator -> Common Tasks to key users only.

19. A user is unable to replace an expiring OAuth certificate with the renewed certificate because of a '500 SAP Internal Server Error'.

When an IdP renews its signing/encryption certificate, it may reuse the same key pair and change only the "valid from" date, the "valid to" date and the serial number. Such a renewed certificate cannot be stored alongside the old one in the address book table, because both would have the same public key fingerprint and violate the unique index on it (PKFINGERPRINT). Create a case with SAP to correct the inconsistency.
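Questions 10 and 19 both come down to properties of the public key inside a certificate: the key length, and a fingerprint that is computed over the key rather than over the whole certificate, so a renewed certificate with the same key pair collides with the old one even though its serial number and validity differ. The following added example (not SAP code) checks both before an upload. How ByD computes PKFINGERPRINT internally is not documented here; the example assumes SHA-256 over the DER-encoded SubjectPublicKeyInfo, a standard way of fingerprinting a public key. The certificates it operates on are constructed for the example with a real X.509 DER layout but dummy key material and a placeholder signature; the same functions work on a real DER certificate.

```python
"""Public-key fingerprint vs. certificate fingerprint, plus an RSA key-size check.

Added example, not SAP code. Assumes the fingerprint is SHA-256 over the DER
SubjectPublicKeyInfo; the certificates below are constructed, unsigned dummies."""
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
COMMON_NAME_OID = bytes.fromhex("0603550403")                  # 2.5.4.3
MAX_SUPPORTED_KEY_BITS = 2048                                  # limit stated in question 10


def der(tag, payload):
    """Minimal DER encoder: definite length, long form above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes((tag, n)) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes((tag, 0x80 | len(lb))) + lb + payload


def children(payload):
    """Split a constructed DER payload into (tag, raw TLV, content) tuples."""
    out, pos = [], 0
    while pos < len(payload):
        start, tag, length = pos, payload[pos], payload[pos + 1]
        pos += 2
        if length & 0x80:
            nb = length & 0x7F
            length = int.from_bytes(payload[pos:pos + nb], "big")
            pos += nb
        out.append((tag, payload[start:pos + length], payload[pos:pos + length]))
        pos += length
    return out


def spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded certificate."""
    tbs = children(children(cert_der)[0][2])[0][2]       # Certificate -> tbsCertificate
    fields = children(tbs)
    idx = 6 if fields[0][0] == 0xA0 else 5               # skip [0] EXPLICIT version if present
    return fields[idx][1]


def public_key_fingerprint(cert_der):
    """Fingerprint of the key pair only: identical for every cert issued for the same key."""
    return hashlib.sha256(spki(cert_der)).hexdigest()


def certificate_fingerprint(cert_der):
    """Fingerprint of the whole certificate: changes with serial number and validity."""
    return hashlib.sha256(cert_der).hexdigest()


def rsa_key_bits(cert_der):
    """Modulus length in bits of an RSA SubjectPublicKeyInfo."""
    alg, bitstr = children(children(spki(cert_der))[0][2])
    if children(alg[2])[0][1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an RSA public key")
    rsa_pub = children(children(bitstr[2][1:])[0][2])     # drop unused-bits byte, open RSAPublicKey
    return int.from_bytes(rsa_pub[0][2], "big").bit_length()


def vet_upload(existing_certs, new_cert):
    """Pre-check a certificate against the two failure modes in questions 10 and 19."""
    if rsa_key_bits(new_cert) > MAX_SUPPORTED_KEY_BITS:
        return "unsupported key size"
    if public_key_fingerprint(new_cert) in {public_key_fingerprint(c) for c in existing_certs}:
        return "duplicate public key fingerprint"
    return "ok"


# --- constructed sample data: real DER layout, dummy key material, placeholder signature ---
def _name(cn):
    return der(0x30, der(0x31, der(0x30, COMMON_NAME_OID + der(0x13, cn.encode()))))


def _rsa_spki(filler_bytes):
    modulus = bytes((filler_bytes[0] | 0x80,)) + filler_bytes[1:]   # force the full bit length
    rsa_pub = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, RSA_ENCRYPTION_OID + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))


def _toy_cert(serial, not_before, not_after, spki_der):
    sig_alg = der(0x30, SHA256_WITH_RSA_OID + der(0x05, b""))
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes((serial,))) + sig_alg
              + _name("Example IdP") + validity + _name("Example IdP") + spki_der)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))   # signature is a placeholder


def _filler(label, nbytes):
    return (hashlib.sha256(label).digest() * (nbytes // 32 + 1))[:nbytes]


KEY_2048 = _rsa_spki(_filler(b"idp-key", 256))
KEY_4096 = _rsa_spki(_filler(b"other-key", 512))
OLD_CERT = _toy_cert(1, "230101000000Z", "240101000000Z", KEY_2048)
RENEWED_SAME_KEY = _toy_cert(2, "240101000000Z", "250101000000Z", KEY_2048)   # question 19 case
BIG_KEY_CERT = _toy_cert(3, "240101000000Z", "250101000000Z", KEY_4096)        # question 10 case
```

Running vet_upload([OLD_CERT], RENEWED_SAME_KEY) reports the duplicate public key fingerprint although certificate_fingerprint differs for the two, which is exactly the situation behind the 500 error; vet_upload([OLD_CERT], BIG_KEY_CERT) reports the unsupported key size. To use the checks on real certificates, read the DER bytes of the existing and renewed IdP certificates (convert from PEM first if needed) and pass them in place of the constructed ones.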

SSO on the ByD Mobile App

1. Can SSO also be used for the ByD mobile app?

Yes. The SSO URL configured for the system has to be used in the mobile app.

2. Which security policy do I have to choose?

Security policies can be selected as desired; no SSO-specific setup is needed here.

Additional information:

For ByD Mobile specifically, no additional setup is needed. The identity provider has to be configured by the user.

SSO for the system is configured in the Application and User Management work center under Configure Single Sign-On.

Keywords

SSO, certificate, authentication, FAQ, TLS, mobile SSO, KBA, SRD-CC-SEC, Security, Problem

Product

SAP Business ByDesign all versions