3593591 - Expiring or Expired Recruiting Application Certificates in IAS - Recruiting

Scenario 1:
Customer receives emails from ias@notifications.sap.com about expiring or expired certificates.
Notifications relate to CSB or RCM applications configured in IAS as part of the Internal Career Site Powered by CSB configuration and refer to Signing or Encryption certificates.

Scenario 2:
Customer is implementing ICS and when following the implementation steps, exports the metadata from Admin Center > Manage Service Provider Configuration for Identity Authentication Service 
When uploading the file to IAS via the Load from File button, they get the error : The uploaded certificate has expired.



Important note : the expiring signing certificate only affects the logout workflow from RCM. Its expiration, while it should be corrected, will not affect the ICS workflows themselves such as applies or access to the candidate profile. 

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

• SAP SuccessFactors Recruiting Marketing
• Internal Career Site Powered by CSB
• IAS Console

NOTE THAT THE CERTIFICATE WAS UPDATED WITH PATCH P11 BY OUR OPERATIONS TEAM SO THAT UPLOADING THE EXPORTED METADATA INTO IAS NO LONGER SHOWS THE EXPIRED ERROR AND THE MANUAL SOLUTION IS NO LONGER REQUIRED.
TO UPDATE THE CERTIFICATE CUSTOMERS CAN SIMPLY REEXPORT AND REUPLOAD THE METADATA FROM ADMIN CENTRE TO IAS.

If the notification related to the RCM certificates:
These certificates are stored at server level so need to be updated by Engineering. 
Following the completion of the deployed update, for some tenants the expiry date of the Recruiting Management IAS certificate is still not showing as updated.

Important Note:
If your system met all prerequisites (RMK-BIZX integration, BIZX IAS, and RCM ICS feature enabled), the process updated the certificates.
If not, please refer to the relevant scenario below. 

Scenario 1: Existing Customers Without ICS Feature Enabled

If the Internal Career Site (ICS) feature is currently not enabled in Manage Recruiting Sites, the certificate could not be retrieved during the update process and migration was skipped and there was no change made to the system. If you decide to enable ICS, please follow the action required. 

Action Required:

1. Enable the ICS switch in Manage Recruiting Sites.
2. Follow the manual certificate update steps outlined in the Solution section below.

 Scenario 2 : Customers in Implementation Phase

Customers currently implementing Recruiting might have had incomplete configurations at the time of the update.

Action Required:

1. Ensure RMK-BIZX Integration, BIZX IAS, and RCM ICS are enabled.
2. Manually update the certificate using the steps in the Solution section below.

 Scenario 3: New Customers 

For customers who enable BIZX IAS integration, BIZX IAS, and RCM ICS after June 1, the Career Site certificate is not automatically pushed to IAS when uploading the metadata obtained from Admin Center.

Action Required:

1. Validate that all required features are enabled.
2. Manually update the certificate in IAS (see below).

Solution : Manual Certificate Update in IAS

Follow these steps to manually update the Career Site certificate in your IAS tenant:

1. Log in to your IAS Admin Console.
2. Navigate to Applications & Resources -> Applications.
3. Search using your <bizx_company_id> and select RCM Career Application.
4. Go to SAML 2.0 Configuration -> Certificates.
5. In SAML 2.0 configuration page, make sure the entityId is configured with Career URL followed by the entity which is same as <bizx_company_id> in point #3.
6. Edit the Metadata URL field and update it using the following syntax: <host>/career-ics-metadata?company=<bizx company id>

For eg: https://career10.successfactors.com/career-ics-metadata?company=bizxcompany id

Once the correct URL is entered, the certificate will automatically update.

If the notification related to the CSB certificates:
These are generated in CSB and validity is set at the time of generation. Regenerating the metadata will update the date accordingly:

1. Navigate to CSB > Settings > IDP Configuration.

2. Download the metadata by clicking on Generate and then Export Metadata.

3. Open Cloud Identity Services > Applications & Resources.

4. Import the previously downloaded metadata by clicking on Upload Metadata.
   
   

Expiring, IAS, Certificates, Cloud Identity Services. RCM-149696 PTCH-46534 , KBA , LOD-SF-RMK-ICS , Internal Career Site Builder (CSB, IAS, etc ...) , Problem