This document is intended to help you configure trust with a SAML 2.0 corporate identity provider. In this scenario Identity Authentication acts as a proxy to delegate the authentication to the SAML 2.0 corporate identity provider.
Identity Authentication can use a SAML 2.0 identity provider as an external authenticating authority. Identity Authentication then acts as a proxy and delegates authentication to the external corporate identity provider: authentication requests sent by a service provider are forwarded to the corporate identity provider.
As an identity provider proxy, Identity Authentication acts as a SAML 2.0 identity provider towards the service provider and as a SAML 2.0 service provider towards the corporate identity provider. Once a user is authenticated at the corporate identity provider, subsequent authentication requests from service providers that use the same corporate identity provider are not forwarded to it as long as the session at Identity Authentication is active. Identity Authentication issues assertions based on the user data received during the first authentication.
If an application requires forced authentication (ForceAuthn="true" in its authentication request), users have to authenticate against the corporate identity provider each time they access the application, even if single sign-on (SSO) is enabled.
To use Identity Authentication as a proxy to delegate authentication to an external corporate identity provider you have to configure trust with that corporate identity provider.
If you want to replace one corporate identity provider with another, for example move from a SAML identity provider to an OpenID Connect one, it is helpful to know which applications use the corporate identity provider. To see the applications that have established trust with a specific corporate identity provider, sign in to the administration console and go to Identity Providers > Corporate Identity Providers > identity provider from the list > Trusting Applications.
To configure trust with the corporate identity provider, follow the procedures below:
Set up trust with Identity Authentication as a service provider.
You have the SAML 2.0 metadata of Identity Authentication. For more information about how to download the metadata, see Tenant SAML 2.0 Configurations.
-
Register Identity Authentication as a service provider at the corporate identity provider.
If you want to use IdP-initiated single sign-on (SSO) from your corporate identity provider, add the parameter sp=<sp_name> to the assertion consumer service (ACS) endpoint URL that is configured for Identity Authentication on the corporate identity provider side:
https://<the current ACS endpoint URL>?sp=<sp_name>
sp is the name of the SAML 2.0 service provider for which SSO is performed. The ACS endpoint URL is part of the SAML 2.0 metadata of Identity Authentication; to see how to download that metadata, read Tenant SAML 2.0 Configurations.
-
Optional: Download the corporate identity provider SAML 2.0 metadata.
You need the corporate identity provider's SAML 2.0 metadata to set up the trust on Identity Authentication, unless you enter the configuration manually.
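The following Python script is an added example, not SAP's code. It reads corporate identity provider metadata the way the SAML 2.0 Configuration step in the next procedure does (Name from entityID, single sign-on and single logout endpoints with their binding, up to two signing certificates), applies the checks that step states (no query parameters in a metadata URL, at most two signing certificates, at least one single sign-on endpoint), and builds the ACS URL with the sp parameter for IdP-initiated SSO. The metadata, the entity IDs and the ACS URL are constructed for illustration, and the certificate is a placeholder DER blob rather than a real certificate.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# HTTP bindings the Binding field can be set to (assumption: Redirect and POST).
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
}
MAX_SIGNING_CERTS = 2  # the SAML 2.0 Configuration accepts at most two signing certificates


@dataclass
class IdpConfig:
    """What the SAML 2.0 Configuration screen takes from the metadata."""
    name: str            # Name field = entityID of the corporate identity provider
    sso: list            # [(binding, url)] Single Sign-On Endpoint URLs
    slo: list            # [(binding, url)] Single Logout Endpoint URLs
    signing_certs: list  # DER-encoded signing certificates (bytes)
    problems: list = field(default_factory=list)


def check_metadata_url(url):
    """Return why the URL cannot be used in the Metadata URL field, or None if it can."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "metadata URL must use https"
    if parts.query:
        return "metadata URL must not contain query parameters"
    return None


def acs_url_for_idp_initiated(acs_url, sp_name):
    """ACS URL to register at the corporate IdP for IdP-initiated SSO: adds sp=<sp_name>."""
    parts = urlsplit(acs_url)
    query = dict(parse_qsl(parts.query))
    query["sp"] = sp_name
    return urlunsplit(parts._replace(query=urlencode(query)))


def _endpoints(descriptor, tag):
    return [(BINDINGS.get(ep.get("Binding"), ep.get("Binding")), ep.get("Location"))
            for ep in descriptor.findall(f"md:{tag}", NS)]


def parse_idp_metadata(xml_text, now=None):
    """Parse IdP metadata as the upload does and collect the checks a reviewer would make."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata root must be md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not identity provider metadata")
    problems = []
    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            problems.append(f"metadata validUntil {valid_until} is in the past")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                if not der.startswith(b"\x30"):  # a DER certificate starts with SEQUENCE
                    problems.append("X509Certificate is not a DER certificate")
                certs.append(der)
    if not certs:
        problems.append("no signing certificate: signed responses could not be verified")
    elif len(certs) > MAX_SIGNING_CERTS:
        problems.append(f"{len(certs)} signing certificates, at most {MAX_SIGNING_CERTS} can be configured")

    sso = _endpoints(idp, "SingleSignOnService")
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for binding, url in sso:
        if binding not in BINDINGS.values():
            problems.append(f"unsupported SSO binding {binding}")
        if not url.startswith("https://"):
            problems.append(f"SSO endpoint {url} is not https")
    return IdpConfig(root.get("entityID"), sso, _endpoints(idp, "SingleLogoutService"), certs, problems)


# Constructed sample metadata; the certificate is a placeholder DER blob, not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2" validUntil="2099-12-31T23:59:59Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
EXPIRED_METADATA = SAMPLE_METADATA.replace("2099-12-31T23:59:59Z", "2020-01-01T00:00:00Z")

if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_METADATA)
    print("Name:", cfg.name)
    for binding, url in cfg.sso:
        print("SSO endpoint:", binding, url)
    print("signing certificates:", len(cfg.signing_certs), "problems:", cfg.problems)
    print(check_metadata_url("https://idp.example.com/metadata?tenant=1"))
    print(acs_url_for_idp_initiated("https://tenant.example.com/saml2/idp/acs/tenant", "my-app"))
```

Certificate validity is deliberately not checked here: Identity Authentication accepts each configured certificate according to its own validity period, so verify the notBefore and notAfter of the real certificates with your usual X.509 tooling before you upload them.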
Set up trust with a corporate identity provider in the administration console for SAP Cloud Identity Services.
-
You are assigned the Manage Corporate Identity Providers role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
-
You have registered Identity Authentication as service provider at the corporate identity provider.
-
You have the corporate identity provider SAML 2.0 metadata.
-
Sign in to the administration console for SAP Cloud Identity Services.
-
Under Identity Providers, choose the Corporate Identity Providers tile.
-
Select the corporate identity provider that you want to configure.
If you need to change the protocol, see Choose Identity Provider Type.
-
Under SAML 2.0, choose SAML 2.0 Configuration.
-
Upload the corporate identity provider metadata XML file, use the metadata URL, or manually enter the communication settings negotiated between Identity Authentication and the identity provider.
Use a file with the extension .xml. When the identity provider metadata is uploaded or the metadata URL is used, the fields are populated automatically with the data parsed from the XML. The minimum configuration is to complete the Name field, add at least one single sign-on endpoint, and provide a signing certificate.
You can add up to two signing certificates. Both are accepted for signature verification as long as each is within its validity period, which lets the corporate identity provider roll over its signing key without an outage.
| Field | Description |
|---|---|
| Metadata File | The metadata XML file of the identity provider. Choose either this or Metadata URL. |
| Metadata URL | The URL with the identity provider metadata. The metadata URL must not contain query parameters. |
| Name | The entity ID of the identity provider. |
| Single Sign-On Endpoint URL | The URL of the identity provider's single sign-on endpoint that receives authentication requests. |
| Single Logout Endpoint URL | The URL of the identity provider's single logout endpoint that receives logout messages. |
| Binding | The SAML-specified HTTP binding (for example HTTP-Redirect or HTTP-POST) that the identity provider uses for the endpoint, that is, how SAML protocol messages are carried over the underlying transport protocol. |
| Signing Certificate | A base64-encoded certificate of the corporate identity provider. Identity Authentication uses it to verify the digital signatures of the SAML protocol messages (responses, assertions and logout messages) that the identity provider sends to it. Use the Add button to add a second signing certificate. If you have two certificates, you can choose one as default to mark your primary certificate. |
-
Optional: In the Algorithm section, choose from the dropdown list the digest algorithm used when signing outgoing messages. You have the following options:
-
SHA-1
SHA-1 is deprecated for digital signatures; select it only if the corporate identity provider cannot verify SHA-256 signatures.
-
SHA-256 - the default option
The algorithm must be SHA-256 if the identity provider type is set to Microsoft ADFS / Entra ID.
-
SHA-512
-
-
Optional: Choose whether Identity Authentication signs the SAML 2.0 messages it sends to the corporate identity provider. You have the following options:
| Option | Notes |
|---|---|
| Sign authentication requests | Enabled - default configuration |
| Sign single logout messages | Enabled - default configuration |
The corporate identity provider verifies these signatures with the signing certificate contained in the Identity Authentication SAML 2.0 metadata that you registered there. Keep signing enabled unless the corporate identity provider cannot process signed messages.
-
Optional: Enable or disable Include scoping to include or exclude the Scoping element in the SAML 2.0 authentication request sent to the corporate identity provider.
By default, Include scoping is enabled, and the Scoping element sent in the SAML 2.0 request is 1.
If the identity provider type is set to Microsoft ADFS / Entra ID, Include scoping is disabled by default and no Scoping element is sent in the SAML 2.0 request.
-
Save your selection.
Once the identity provider has been updated, the system displays the message Identity provider <name of identity provider> updated.
-
Select the configured identity provider as the authenticating identity provider for the application. For more information, see Choose Default Identity Provider for an Application.
-
(Optional) Configure the Name ID Format Attribute Sent to the SAML 2.0 Corporate IdP
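The proxy behaviour described at the top of this page (session reuse versus ForceAuthn="true") together with the Algorithm, Sign authentication requests and Include scoping settings from the procedure above, as an added Python example that is not SAP's code. The IdpTrust class, the session shape, the proxy entity ID and ACS URL are assumptions made for the example; the content of the Scoping element (ProxyCount and RequesterID) follows the SAML 2.0 core specification and is not specified on this page; the block stops at the query string that is signed for the HTTP-Redirect binding, since the RSA signature needs the tenant's private key.

```python
import base64
import time
import uuid
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qsl, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# SignatureMethod URI for each digest offered in the Algorithm dropdown.
SIG_ALG = {
    "SHA-1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "SHA-256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SHA-512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
# Assumed identifiers of the Identity Authentication tenant acting as service provider.
PROXY_ENTITY_ID = "https://tenant.example.com/saml2/idp"
PROXY_ACS_URL = "https://tenant.example.com/saml2/sp/acs/tenant"


@dataclass
class IdpTrust:
    """Settings saved in the SAML 2.0 Configuration of one corporate IdP (assumed names)."""
    name: str                    # Name field = entityID of the corporate IdP
    sso_url: str                 # Single Sign-On Endpoint URL
    idp_type: str = "SAML"       # "ADFS" models the Microsoft ADFS / Entra ID type
    algorithm: str = "SHA-256"
    sign_requests: bool = True
    include_scoping: Optional[bool] = None  # None = default for the identity provider type

    def __post_init__(self):
        if self.algorithm not in SIG_ALG:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        if self.idp_type == "ADFS" and self.algorithm != "SHA-256":
            raise ValueError("Microsoft ADFS / Entra ID requires SHA-256")
        if self.include_scoping is None:
            self.include_scoping = self.idp_type != "ADFS"


def forward_to_corporate_idp(trust, inbound_xml, session, now=None):
    """Proxy decision for an AuthnRequest from an application. session is the Identity
    Authentication session from an earlier corporate login, assumed shape
    {"idp": <trust name>, "expires": <epoch seconds>}, or None."""
    now = time.time() if now is None else now
    inbound = ET.fromstring(inbound_xml)
    if inbound.get("ForceAuthn", "false").lower() == "true":
        return True   # the application demands fresh authentication; SSO is bypassed
    if session is None or session["idp"] != trust.name or session["expires"] <= now:
        return True   # no active session for this corporate IdP
    return False      # answer from the user data received at the first authentication


def build_proxy_authn_request(trust, inbound_xml, now=None):
    """Outbound AuthnRequest from the proxy (acting as SP) to the corporate IdP."""
    now = time.time() if now is None else now
    inbound = ET.fromstring(inbound_xml)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": trust.sso_url,   # must match the configured SSO endpoint
        "AssertionConsumerServiceURL": PROXY_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if inbound.get("ForceAuthn", "false").lower() == "true":
        req.set("ForceAuthn", "true")   # propagated so the user re-authenticates at the corporate IdP
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = PROXY_ENTITY_ID
    if trust.include_scoping:
        # Scoping per SAML 2.0 core for a proxying IdP; the exact content IA sends is an assumption.
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": "1"})
        ET.SubElement(scoping, f"{{{SAMLP}}}RequesterID").text = inbound.find(f"{{{SAML}}}Issuer").text
    return req


def redirect_query(request, trust, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. The returned string is exactly
    what is signed (RSA with the chosen digest); the signature is then appended as &Signature=."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(ET.tostring(request)) + deflater.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    if trust.sign_requests:
        params.append(("SigAlg", SIG_ALG[trust.algorithm]))
    return urlencode(params)


def decode_saml_request(query):
    """The corporate IdP's side: inflate and parse the SAMLRequest parameter."""
    params = dict(parse_qsl(query))
    return ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15))


# Constructed inbound requests from an application (service provider).
INBOUND_SSO = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_app1" Version="2.0" '
               'IssueInstant="2024-05-01T10:00:00Z"><saml:Issuer>https://app.example.com/sp'
               '</saml:Issuer></samlp:AuthnRequest>' % (SAMLP, SAML))
INBOUND_FORCE = INBOUND_SSO.replace('Version="2.0"', 'Version="2.0" ForceAuthn="true"')

if __name__ == "__main__":
    corp = IdpTrust(name="https://idp.example.com/saml2", sso_url="https://idp.example.com/saml2/sso")
    session = {"idp": corp.name, "expires": time.time() + 3600}
    print("forward plain SSO request:", forward_to_corporate_idp(corp, INBOUND_SSO, session))
    print("forward ForceAuthn request:", forward_to_corporate_idp(corp, INBOUND_FORCE, session))
    print(corp.sso_url + "?" + redirect_query(build_proxy_authn_request(corp, INBOUND_FORCE), corp))
```

decode_saml_request plays the corporate identity provider's side, so a round trip through it confirms that ForceAuthn is propagated and that the Scoping element is present or absent as configured for the identity provider type.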