You have configured an identity provider in your network.
If you intend to add the identity provider manually (without using a metadata XML file), you have to import the identity provider's public-key certificates used for the digital signatures of SAML messages. If SAML message encryption is required, you also have to import the identity provider's public-key certificates used for encryption. Import these certificates into the key storage of the SAP NetWeaver Application Server (AS) Java.
For more information, see Using the AS Java Key Storage.
If you intend to add the identity provider from a metadata file, you should have a means of accessing the metadata of the provider from a secure source.
If you upload the metadata from a file, you must ensure that you got the file from a trustworthy source. The service provider accepts the metadata. However, if the metadata is signed by the identity provider, the service provider checks that the issuer of the signer's certificate is trusted by the SAP NetWeaver Application Server (AS) Java. If the AS Java does not trust the issuer, the service provider rejects the metadata.
If you upload the metadata from a URL, the service provider distinguishes between accessing the URL with HTTP or HTTPS in addition to whether the metadata is signed or not.
| Protocol | Metadata is Signed | Metadata is Unsigned |
|---|---|---|
| HTTP | If the issuer of the signing certificate is trusted, the service provider accepts the metadata. | The service provider rejects the metadata. There is no way for the service provider to verify the source of the metadata. |
| HTTPS | If the issuer of the signing certificate is trusted, the service provider accepts the metadata. As an additional check, you can require the service provider to check if the issuer of the server certificate for Secure Sockets Layer (SSL) is trusted. If the issuer is not trusted, the service provider rejects the metadata. | If the issuer of the server certificate for SSL is trusted, the service provider accepts the metadata. |
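The following added example is not SAP's code; it shows two things the text above describes: how the identity provider's signing and encryption certificates are carried in SAML 2.0 metadata (the certificates you would otherwise import into the AS Java key storage by hand), and the acceptance rules for metadata obtained from a file, an HTTP URL or an HTTPS URL. The metadata document is constructed for the example and its certificate values are placeholders; `MetadataSource` and `accept_metadata` are illustrative names, not an SAP API.

```python
"""Added example (not SAP's code): extract an identity provider's signing
and encryption certificates from SAML 2.0 metadata, and apply the
acceptance rules for metadata obtained by file or URL described above."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata; the certificate values are placeholders,
# not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_certificates(metadata_xml: str) -> dict:
    """Return {'signing': [...], 'encryption': [...]} base64 certificate
    strings from the IDPSSODescriptor. Per the SAML metadata spec, a
    KeyDescriptor without a 'use' attribute applies to both purposes."""
    root = ET.fromstring(metadata_xml)
    certs = {"signing": [], "encryption": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in certs else list(certs)  # no 'use' -> both
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            text = "".join((cert.text or "").split())  # drop line breaks/whitespace
            for u in uses:
                certs[u].append(text)
    return certs


@dataclass
class MetadataSource:
    """How the metadata was obtained and what trust checks succeeded."""
    transport: str                          # "file", "http" or "https"
    signed: bool                            # metadata carries an IdP signature
    signer_issuer_trusted: bool = False     # signer cert issuer trusted by AS Java?
    ssl_issuer_trusted: bool = False        # HTTPS server cert issuer trusted?
    require_ssl_issuer_check: bool = False  # the optional additional HTTPS check


def accept_metadata(src: MetadataSource) -> bool:
    """Acceptance decision following the rules in the text and table above."""
    if src.transport == "file":
        # Unsigned file: accepted, so the file must come from a trusted source.
        # Signed file: accepted only if the signer's issuer is trusted.
        return src.signer_issuer_trusted if src.signed else True
    if src.transport == "http":
        # Plain HTTP cannot prove the origin; only a trusted signature helps.
        return src.signed and src.signer_issuer_trusted
    if src.transport == "https":
        if src.signed:
            if not src.signer_issuer_trusted:
                return False
            return src.ssl_issuer_trusted if src.require_ssl_issuer_check else True
        return src.ssl_issuer_trusted
    raise ValueError(f"unknown transport {src.transport!r}")


if __name__ == "__main__":
    print(idp_certificates(SAMPLE_METADATA))
    print(accept_metadata(MetadataSource("http", signed=False)))
```

The decision function makes the weakest case explicit: unsigned metadata over plain HTTP is never accepted, and unsigned metadata from a file is accepted without any technical check, which is why the text insists that such a file come from a trustworthy source.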
Use this procedure to identify an identity provider for your service provider to trust. For the applications it protects, the service provider requests identity information from the identity provider that you configure it to trust.