Updating the Configuration of a Trusted Provider

Prerequisites

You have a means of accessing the metadata of the provider from a secure source.

  • If you upload the metadata from a file, the system assumes that you got the file from a trustworthy source. The service provider accepts the metadata. However, if the metadata is signed by the identity provider, the service provider checks that the issuer of the certificate of the signer is trusted by the SAP NetWeaver Application Server (AS) Java. If the AS Java does not trust the issuer, the service provider rejects the metadata.

  • If you upload the metadata from a URL, the service provider distinguishes between accessing the URL with HTTP or HTTPS in addition to whether or not the metadata is signed.

    HTTP

      • Metadata is signed: If the issuer of the signing certificate is trusted, the service provider accepts the metadata.

      • Metadata is unsigned: The service provider rejects the metadata. There is no way for the service provider to verify the source of the metadata.

    HTTPS

      • Metadata is signed: If the issuer of the signing certificate is trusted, the service provider accepts the metadata. As an additional check, you can require the service provider to check whether the issuer of the server certificate for Secure Sockets Layer (SSL) is trusted. If that issuer is not trusted, the service provider rejects the metadata.

      • Metadata is unsigned: If the issuer of the server certificate for SSL is trusted, the service provider accepts the metadata.

Context

When you make changes to the configuration of a trusted provider, you must update the configuration of the trust relationship to match. The following is a list of changes that require an update of the trusted provider configuration:

  • New certificates for digital signature or encryption

    You can have a primary and a secondary certificate for signatures and encryption. This lets you bridge the period in which an old certificate is about to expire but you have not yet configured all peers to accept the new one.

  • Changed signature or encryption options

  • Changed Single Sign-On, Single Log-Out, or Artifact Resolution Service endpoints

  • Changes in the authentication requirements the trusted provider supports

Procedure

  1. Start SAP NetWeaver Administrator.
  2. Choose Configuration Management > Security > Authentication and Single Sign-On, and then choose SAML 2.0 > Trusted Providers.
  3. From the list of trusted providers, show the identity providers.
  4. Select an identity provider.
  5. Choose the Update pushbutton and choose one of the following:
    • Specifying Metadata URL

      Provide the URL of the metadata XML file for the identity provider and determine if you want to verify the SSL server certificate of the identity provider.

      • If the metadata is unsigned and you are accessing the URL with HTTPS, select the Verify SSL Peer Identity checkbox. Otherwise the service provider rejects the metadata. To view the certificates of the certificate authorities the AS Java trusts, choose the Trusted Issuers pushbutton.

        For more information about configuring the trusted issuers, see Selecting the Keystore View for SSL for the Service Provider.

      • If the metadata is signed and you are accessing the URL with HTTPS, you can select the Verify SSL Peer Identity checkbox as an option to confirm the identity of the identity provider.

      • If you are accessing the URL with HTTP, clear the Verify SSL Peer Identity checkbox.

    • Uploading Metadata File

      Provide the path to the metadata XML file for the identity provider.

  6. Follow the instructions in the wizard to update the configuration.
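The acceptance rules from the Prerequisites section and the Verify SSL Peer Identity choice in step 5 can be modelled as one decision function. The following is an added example, not SAP's code: it parses a constructed identity provider metadata document (placeholder certificate values, a placeholder signature element) to find the signing and encryption certificates and whether the document is signed, and then applies the acceptance rules. The outcome of the AS Java issuer checks is passed in as flags, since verifying the XML signature or the SSL chain is outside the scope of this snippet.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample metadata: placeholder XML signature, primary and secondary
# signing certificates, one encryption certificate. Values are not real keys.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-SIGNING-PRIMARY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-SIGNING-SECONDARY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-ENCRYPTION</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return entityID, signature presence and certificates per use (primary first)."""
    root = ET.fromstring(xml_text)
    certs = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
        # A KeyDescriptor without a 'use' attribute applies to both purposes.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use].append(cert)
    return {"entity_id": root.get("entityID"),
            "signed": root.find("ds:Signature", NS) is not None, "certs": certs}

def metadata_acceptance(source, signed, signer_issuer_trusted=False,
                        ssl_issuer_trusted=False, verify_ssl_peer=False):
    """Acceptance rules for metadata from 'file' or a URL. The *_trusted flags
    stand in for the AS Java issuer checks (supplied, not computed here)."""
    if source == "file":  # file uploads are assumed to come from a trusted source
        if signed and not signer_issuer_trusted:
            return False, "signed file: issuer of signing certificate not trusted"
        return True, "accepted"
    https = urlparse(source).scheme.lower() == "https"
    if signed and not signer_issuer_trusted:
        return False, "issuer of signing certificate not trusted"
    if not signed and not https:
        return False, "unsigned metadata over HTTP: source cannot be verified"
    if not signed and not verify_ssl_peer:
        return False, "unsigned metadata over HTTPS requires Verify SSL Peer Identity"
    if https and verify_ssl_peer and not ssl_issuer_trusted:
        return False, "issuer of SSL server certificate not trusted"
    return True, "accepted"
```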