Renewing the SAP Analytics Cloud SAML Signing Certificate

To continue using SAML SSO, an administrator must renew the certificate before it is expired.

Context

An email with details on how to renew the SAML X509 certificate will be sent to administrators before the certificate expiry date. If the certificate expiry is less than 30 days away, a warning message will also appear when you log on to SAP Analytics Cloud.
Note
If you click the Renew link on the warning message, you will be taken to the Security tab on the Administration page.

Procedure

  1. Go to Start of the navigation path (Main Menu) Next navigation step  System Next navigation step  Administration Next navigation step SecurityEnd of the navigation path.
  2. Select Renew.
    A confirmation dialog will appear. When you confirm the renewal, a new metadata file will download automatically.
    Note

    The renewal process takes around five minutes to complete.

  3. If you use a custom identity provider, upload the SAP Analytics Cloud metadata file to your SAML Identity Provider (IdP).
    Note

    This step is not required if you use SAP Cloud Identity for authentication.

  4. If you have live data connections to SAP HANA systems that use SAML SSO, you must also upload the new metadata file to your SAP HANA systems.
  5. Log on to SAP Analytics Cloud when five minutes has passed.

Results

If you are able to log on, the certificate renewal was successful. If you cannot logon, try one of the following troubleshooting tips.

If you use SAP Cloud ID for authentication:
  1. Clear the browser cache.
  2. Allow up to five minutes for the SAP Cloud ID service to switch to the new certificate.
If you use a custom identity provider for authentication:
  1. Ensure the new metadata file has been uploaded to your IdP. For more information, see Enabling a Custom SAML Identity Provider.
  2. Clear the browser cache.
  3. Allows up to five minutes for your IdP to switch to the new certificate with the newly uploaded metadata.