SAML2 IDP's Signing Certificate Renewal - How to Survive?

LutzR
Active Contributor

Hi everybody,

we are facing the challenge that the signing certificate of our central corporate SAML2 IDP is due to be renewed. It is the first time since we started using SAML2 for our SAP system landscape.

SAML2 Service Provider configuration typically keeps the IDP's signing certificate in its configuration to be able to verify the IDP's information for authenticity. Now how can we survive the renewal without a fully synchronous configuration change for all (perhaps 40?) service providers at that exact point in time when the IDP's certificate is changed? Unfortunately I am not able to find any information on this process.

This might be helpful: Our IDP's signing certificate is (and will be) signed by our CA.

What we found out so far:

AS ABAP: We are confident that we can solve the issue by importing the RootCA's and the SubCA's certificate into the "SSF SAML2 Service Provider - S" PSE's certificate list. We did this to a system and removed the old IDP's certificate and SAML2 is still working. We take this as an indication that we will survive the IDP change as long as the new IDP certificate is also signed by the same CA.
Is this assumption correct?

AS JAVA: We are guessing that we can solve this in a comparable way as on AS ABAP by importing the RootCA's and SubCA's certificate into the SAML2 Key Storage View somehow. We need to verify.
Is this the correct way? What details do we need to take care of?

SCP Identity Authentication Service (IAS): There is only a place for one unique signing certificate in the Corporate IDP configuration section.
Is there a way to have a failure-free transition with IAS at all? And if yes - then how?

Thanks a lot!

Cheers, Lutz

Accepted Solutions (1)

Colt
Active Contributor

Hey Lutz,

normally every IdP and SP should have an option to add primary and secondary signing certificates. If the signature can't be verified with the primary, the SP will reattempt the verification with the secondary signing certificate.

Using a PKI-signed signature certificate is rare but ok. I believe due to the successful chain validation, it is possible for the SP to not have the IDP's signature certificate imported directly like it is the case when using self-signed certificates. Unfortunately, I can't say this for sure, but it "should" do. That doesn't help you if the SCP IAS (Proxy) does not support secondary signature certificates, but maybe there is a Keystore to upload the CA-chain as well and have the same effect as on other SPs? I hope that helps a bit. Cheers, Carsten
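As an added illustration (not part of this thread and not SAP product code), here is a Go sketch of the primary/secondary verification Carsten describes, walked through the phases of a renewal. The two RSA keys, the byte-string "assertion" and RSA-SHA256 in place of XML-DSig are constructed stand-ins; `verifyWithFallback` and `RolloverDrill` are hypothetical helpers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// verifyWithFallback is the SP-side check described in the answer: try the primary
// IdP signing key, then the secondary. Returns the index of the key that verified
// the signature, or -1 if neither did (hypothetical helper, not an SAP API).
func verifyWithFallback(trusted []*rsa.PublicKey, msg, sig []byte) int {
	digest := sha256.Sum256(msg)
	for i, k := range trusted {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil {
			return i
		}
	}
	return -1
}

// RolloverDrill signs a constructed assertion in each phase of a renewal and
// records which trusted key verified it; -1 marks a phase in which every login
// fails. Phase 2 is the unsynchronised switch the question worries about.
func RolloverDrill() []int {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: current IdP key
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: renewed IdP key
	oldPub, newPub := &oldKey.PublicKey, &newKey.PublicKey
	assertion := []byte(`<saml:Assertion ID="constructed-sample"/>`) // constructed input
	digest := sha256.Sum256(assertion)
	phases := []struct{ sp []*rsa.PublicKey; idp *rsa.PrivateKey }{
		{[]*rsa.PublicKey{oldPub}, oldKey},         // 1: steady state
		{[]*rsa.PublicKey{oldPub}, newKey},         // 2: IdP switched before the SPs: outage
		{[]*rsa.PublicKey{oldPub, newPub}, oldKey}, // 3: new cert staged as secondary on the SP
		{[]*rsa.PublicKey{oldPub, newPub}, newKey}, // 4: IdP switches; the secondary verifies
		{[]*rsa.PublicKey{newPub}, newKey},         // 5: old cert removed after the cut-over
	}
	results := make([]int, len(phases))
	for i, p := range phases {
		// RSA-SHA256 over the bytes stands in for the IdP's XML-DSig signature.
		sig, err := rsa.SignPKCS1v15(rand.Reader, p.idp, crypto.SHA256, digest[:])
		if err != nil {
			panic(err)
		}
		results[i] = verifyWithFallback(p.sp, assertion, sig)
	}
	return results
}
```

The drill yields one entry per phase; only phase 2, where the IdP changes its certificate while the SP still trusts just the old one, produces -1.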

LutzR
Active Contributor

colt, thank you especially for pointing me to note 2462389 - SAML2.0: Renew IdP signing certificate on Service Provider on NetWeaver ABAP without downt...! I wasn't aware of that functionality.

I found the "secondary signing certificate functionality" on AS JAVA too.

So ABAP and JAVA are safe.

IAS is still unclear because there is no secondary signing certificate and nothing like a keystore maintenance UI.

Cheers, Lutz
