You have a means of accessing the metadata of the provider from a secure source.
If you upload the metadata from a file, the system assumes that you got the file from a trustworthy source. The service provider accepts the metadata. However, if the metadata is signed by the identity provider, the service provider checks that the issuer of the certificate of the signer is trusted by the SAP NetWeaver Application Server (AS) Java. If the AS Java does not trust the issuer, the service provider rejects the metadata.
If you upload the metadata from a URL, the service provider distinguishes both between HTTP and HTTPS access to that URL and between signed and unsigned metadata, as summarized in the following table.
| Protocol | Metadata is signed | Metadata is unsigned |
|---|---|---|
| HTTP | If the issuer of the signing certificate is trusted, the service provider accepts the metadata. | The service provider rejects the metadata. There is no way for the service provider to verify the source of the metadata. |
| HTTPS | If the issuer of the signing certificate is trusted, the service provider accepts the metadata. As an additional check, you can require the service provider to check whether the issuer of the server certificate for Secure Sockets Layer (SSL) is trusted. If that issuer is not trusted, the service provider rejects the metadata. | If the issuer of the server certificate for SSL is trusted, the service provider accepts the metadata. |
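The acceptance rules for file and URL uploads above form a small decision table. The following Python function is an added example that encodes those rules so an administrator can reason about which combination of source, signature and trusted issuer leads to an accepted or rejected metadata import. It is not SAP's code and does not verify any signature or certificate itself; the `signer_issuer_trusted` and `ssl_issuer_trusted` inputs are assumed to come from the AS Java trust store checks described on the page, and the `require_ssl_issuer_check` flag models the optional additional SSL issuer check for signed metadata over HTTPS.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Source(Enum):
    """How the metadata reaches the service provider (file upload, HTTP URL or HTTPS URL)."""
    FILE = "file"
    HTTP = "http"
    HTTPS = "https"


@dataclass(frozen=True)
class MetadataImport:
    """Inputs of one metadata import decision (hypothetical model, not an SAP API)."""
    source: Source
    signed: bool
    # Assumption: result of checking the signing certificate's issuer against the AS Java trust store.
    signer_issuer_trusted: bool = False
    # Assumption: result of checking the HTTPS server (SSL) certificate's issuer against the trust store.
    ssl_issuer_trusted: bool = False
    # Models the optional extra check: for signed metadata over HTTPS, also require a trusted SSL issuer.
    require_ssl_issuer_check: bool = False


def evaluate_metadata_trust(req: MetadataImport) -> Tuple[bool, str]:
    """Return (accepted, reason) according to the acceptance rules for file, HTTP and HTTPS imports."""
    if req.source is Source.FILE:
        # A file upload is assumed to come from a trustworthy source, so unsigned metadata is accepted.
        if not req.signed:
            return True, "file: unsigned metadata accepted (file assumed to come from a trustworthy source)"
        if req.signer_issuer_trusted:
            return True, "file: signed metadata accepted, issuer of signing certificate is trusted"
        return False, "file: signed metadata rejected, issuer of signing certificate is not trusted"

    if req.source is Source.HTTP:
        # Plain HTTP gives no way to verify the source, so only a trusted signature can establish trust.
        if not req.signed:
            return False, "http: unsigned metadata rejected, source cannot be verified"
        if req.signer_issuer_trusted:
            return True, "http: signed metadata accepted, issuer of signing certificate is trusted"
        return False, "http: signed metadata rejected, issuer of signing certificate is not trusted"

    # HTTPS: the server certificate can stand in for a signature, and can optionally be checked in addition.
    if not req.signed:
        if req.ssl_issuer_trusted:
            return True, "https: unsigned metadata accepted, issuer of SSL server certificate is trusted"
        return False, "https: unsigned metadata rejected, issuer of SSL server certificate is not trusted"
    if not req.signer_issuer_trusted:
        return False, "https: signed metadata rejected, issuer of signing certificate is not trusted"
    if req.require_ssl_issuer_check and not req.ssl_issuer_trusted:
        return False, "https: signer trusted but the additional SSL issuer check failed"
    return True, "https: signed metadata accepted, issuer of signing certificate is trusted"


def all_scenarios() -> dict:
    """Evaluate the combinations from the page's table plus the file-upload rule, keyed by a short label."""
    cases = {
        "http/unsigned": MetadataImport(Source.HTTP, signed=False),
        "http/signed/trusted": MetadataImport(Source.HTTP, signed=True, signer_issuer_trusted=True),
        "https/unsigned/ssl-trusted": MetadataImport(Source.HTTPS, signed=False, ssl_issuer_trusted=True),
        "https/unsigned/ssl-untrusted": MetadataImport(Source.HTTPS, signed=False, ssl_issuer_trusted=False),
        "https/signed/extra-check-fails": MetadataImport(
            Source.HTTPS, signed=True, signer_issuer_trusted=True,
            ssl_issuer_trusted=False, require_ssl_issuer_check=True),
        "file/unsigned": MetadataImport(Source.FILE, signed=False),
    }
    return {label: evaluate_metadata_trust(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (accepted, reason) in all_scenarios().items():
        print(f"{label:32} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The function makes the weakest path explicit: unsigned metadata fetched over plain HTTP is the only combination that can never be accepted, while enabling `require_ssl_issuer_check` for signed HTTPS imports turns a one-factor decision (signer issuer) into a two-factor one (signer issuer and transport issuer).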
When you make changes to the configuration of a trusted provider, you must update the configuration of the trust relationship to match. The following changes require an update of the trusted provider configuration:

- New certificates for digital signature or encryption

  You can have a primary and a secondary certificate for signatures and encryption. This enables you to span the time when an old certificate is due to expire and you have not yet configured all peers to accept the new one.

- Changed signature or encryption options
- Changed Single Sign-On, Single Log-Out, or Artifact Resolution Service endpoints
- Changes in the authentication requirements the trusted provider supports