HarshilShah

Hello Everyone,

This blog is based on SAP note 2462389 - SAML2.0: Renew IdP signing certificate on Service Provider on NetWeaver ABAP without downt.... In our environment we had to update the Azure IdP signing certificate, and apart from this SAP note I could not find any blog with a step-by-step procedure. In this blog I have listed, one by one, all the steps to update the signing certificate in t-code SAML2.


First of all, go to t-code STRUST and check the validity of the existing certificate by navigating to STRUST --> SSF SAML2 Service Provider --> Signature.

Image1.JPG

As per the screenshot above, the signing certificate is about to expire on 22nd March, 2024. In our organization a dedicated Azure team provides the new IdP certificate. Several download formats are available (Base64 certificate download, PEM certificate download, Raw certificate download, Download federated certificate XML, etc.); I requested the Base64 type. Make sure you ask for the certificate of the registered SAP provider (the enterprise application configured for this SAP system); otherwise SSO will break.

Once the new Base64 certificate has been received from the Azure team, a BASIS team member can execute t-code SAML2.

Image2.JPG

Log in with your SAP system user ID and password. If SSO is enabled for this system, you can ask the SAP security team to reset the password for your ID.

Image3.JPG

Once logged in, go to Trusted Providers --> Signature and Encryption tab.

Image4.JPG

In the screenshot above there is a Secondary Signing Certificate section. Click the Edit button and then click Browse to upload the new signing certificate.

Image5.JPG

Click Choose File to select the certificate to upload.

Image6.JPG

Click the OK button.

Image7.JPG

You can click the Details button to see the validity period and other details of the certificate.

Image8.JPG
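Before uploading the file (and as a cross-check of what the Details button shows), it is worth confirming the certificate's validity dates and fingerprint locally. The following is an added example, not part of the original post and not SAP or Azure tooling: it uses only the Python standard library to decode the Base64/PEM file, walk the DER structure of the X.509 certificate to read notBefore/notAfter, and compute the SHA-256 fingerprint. The certificate it parses is a constructed sample, and function names such as check_pem and build_sample_certificate are this example's own.

```python
"""Check an IdP signing certificate (Base64/PEM .cer) before uploading it in SAML2.

Standard library only: decodes the Base64/PEM file, walks the DER structure of
the X.509 certificate to read the validity period, and computes the SHA-256
fingerprint that can be compared with the Details view in SAML2 / STRUST.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour (if present) and Base64-decode to DER."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(data: bytes, start: int, end: int) -> list:
    """List the (tag, value_start, value_end) triples nested inside start..end."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(data, pos)
        out.append((tag, vstart, vend))
        pos = vend
    return out


def _parse_time(tag: int, raw: bytes) -> datetime:
    """Decode UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_info(der: bytes) -> dict:
    """Return notBefore/notAfter datetimes and the SHA-256 fingerprint of a DER cert."""
    _, cert_start, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)    # tbsCertificate
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, val_start, val_end = fields[3]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = _children(der, val_start, val_end)
    return {
        "not_before": _parse_time(nb_tag, der[nb_s:nb_e]),
        "not_after": _parse_time(na_tag, der[na_s:na_e]),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
    }


def check_pem(pem_text: str, today: str = None) -> dict:
    """Summarise a Base64/PEM certificate; `today` (YYYY-MM-DD) defaults to now (UTC)."""
    info = certificate_info(pem_to_der(pem_text))
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    remaining = (info["not_after"] - now).days
    return {
        "not_before": info["not_before"].isoformat(),
        "not_after": info["not_after"].isoformat(),
        "sha256_fingerprint": info["sha256_fingerprint"],
        "days_remaining": remaining,
        "expired": remaining < 0,
    }


# --- constructed sample input (not a real certificate) ------------------------

def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample certificate below."""
    n = len(value)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def build_sample_certificate(not_before: str, not_after: str) -> bytes:
    """Build a syntactically valid X.509 v3 shell with a dummy key and signature.

    Constructed for this example so it runs offline; it is NOT a trustworthy
    certificate and will not verify against anything.
    """
    rsa_enc = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010101")) + _tlv(0x05, b""))
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Sample IdP"))))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" * 17))          # dummy public key bits
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sha256_rsa + cn + validity + cn + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 33))  # dummy signature


def der_to_pem(der: bytes) -> str:
    """Wrap DER in the PEM armour that an Azure 'Base64' certificate download uses."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Sample mirrors the expiry date seen in the post (22 March 2024); dates are constructed.
SAMPLE_PEM = der_to_pem(build_sample_certificate("230322000000Z", "240322235959Z"))

if __name__ == "__main__":
    for key, value in check_pem(SAMPLE_PEM, today="2024-03-01").items():
        print(f"{key:>20}: {value}")
```

Run it against the .cer file received from the Azure team (read the file and pass its text to check_pem). Compare the printed fingerprint with the one in the Details dialog to be sure the file you are about to save is the one the Azure team issued for this SAP provider, and compare the notAfter date with the expiry you saw in STRUST.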

After clicking the Save button, the save was rejected with the error message "Saving trusted provider data failed. You can get more information by collecting traces using tool http(s)://host:port/sap/bc/webdynpro/sap/sec_diag_tool?sap-clientXXX". I collected the trace, and it showed the exception SAML20  SAML20 CX_SAML20_CORE: Certificates cannot be saved in PSE: 'An exception with the type CX_SY_FILE_AUTHORITY wa'. Long text: Certificates cannot be saved in PSE: 'An exception with the type CX_SY_FILE_AUTHORITY wa. The CX_SY_FILE_AUTHORITY exception indicates that the user lacks the authorization needed to write the PSE file, which is what the next step addresses.

I followed multiple SAP notes, but none of them solved the issue. Finally it was resolved by granting the proper authorization to my ID: I generated an SU53 screenshot and provided it to the SAP security team, and once they had assigned the missing authorization I was able to save.

The following screenshots show the error message from the trace I collected.

Image10.JPG

Image9.JPG

Once the certificate is saved in t-code SAML2, go to STRUST --> SSF SAML2 Service Provider --> Signature. The certificate is updated there as well.

Image11.JPG

We can then ask the Azure IdP team to activate the new certificate on their side and check whether SSO still works.

Perform a couple of tests, such as opening the Fiori Launchpad and raising an FF ID.

Image12.JPG

Image13.JPG

Image14.JPG

Now we can remove the old certificate from STRUST. For this, follow SAP note 2541887 - SAML2.0: Signing Certificate can't be uploaded to Trusted Providers configuration in trans....

Inside STRUST, click the Edit button and go to Certificate --> Address Book.

Image15.JPG

Image16.JPG

We can see two certificates: the new one and the old one. Scroll to the right and select the line with the old validity date to delete it.

Image17.JPG

Once the certificate with the old expiration date is deleted, only one certificate is listed in the Address Book.

Image18.JPG

To verify that the certificate has been removed, open SAML2 and go to Trusted Providers --> Signature and Encryption tab.

Image19.JPG

This removal does not affect the Certificate List inside STRUST, so we have to delete the old certificate manually from there as well.

Image20.JPG

After removal from the Certificate List, only the new signing certificate is visible in both places (STRUST and SAML2).

Image21.JPG

I hope this helps BASIS team members update the signing certificate in SAML2. Please try it out and share your feedback in the comments section.

Regards,

Harshil Shah