Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SMP3: How to renew self signed SAML service provider certificate?

Jitendra_Kansal
Product and Topic Expert
Product and Topic Expert
‎05-25-2016 10:53 AM


Are you using SAML authentication flow in your SMP 3.0 application? Is that generated certificate self-signed one (by SMP itself) ? Did you already know its expiration date? Or has it already expired? And now, user can't be on-boarded on SMP.

 

(we had same situation. So hereby, i am sharing what all we did to get rid of it)

 

There are many blogs on how SAML Flow works and how to configure it. I am not going to explain it here.

 

In order SAML flow to work, initially, metadata file of Local service provider (here its SMP) needs to be shared with Identity provider team. You provide a LSP name, Base URL (e.g. https://server:port).

Next, what about values for signing key and signing certificate?

 

Option A: Either you can go with by just clicking on 'Generate key pair' option to get these values filled automatically (SMP does this work) Not recommended for productive environment

Option B: Generate these values from a Certificate Authority (recommended for productive environment)



 

Option A:

 

In this case, from where SMP takes default inputs and generate self signed certificate?

 

To check this, Go to Settings > System > scroll down > SAML SERVICE PROVIDER CERTIFICATE GENERATOR SETTINGS

 



Here you can see that, there are default values for the subject, certificate is valid only for 1 year

 

(you still not sure when that generated certificate is going to be expired, here is a quick way to check. Copy the 'Signing certificate' content in a notepad and save it as .cer , double click on certificate file)

 

We were told by IdP team that they are seeing error with the SMP LSP metadata file.

 
Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
Error Validating X509 Certificate of Trusted Provider
Trusted Provider Type: SAML2 Trusted Service Provider
Trusted Provider Id: SAMLTEST
Error Validating X509 Signing Certificate
X509 Certificate Version: 3
X509 Certificate Subject: C=DE L=Walldorf O=SAP SE
X509 Certificate Issuer: C=DE L=Walldorf O=SAP SE
X509 Certificate Serial Number: xxxxx
X509 Certificate Start Date: 2015-05-20 10:18:28
X509 Certificate Expiration Date: 2016-05-20 10:18:28
X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Certification path could not be validated. Could not validate certificate: NotAfter: Fri May 20 10:18:28 CEST 2016 Root Cause: java.security.cert.CertPathBuilderException: Certification path could not be validated.

Then we figured out the issue (already highlighted above) that generated certificate had expired.

 

How to renew it?

 

  1. Increase number of years to 1 or 2 or as much as you want :wink:

  2. Save it

  3. Generate new keypair

  4. download new metadata file

  5. share it with IdP team


 

Note: Even you can provide your company specific subject also (we went with default parameters)



 

Before step#4, download new metadata file, you can validate above settings:



    • Copy signing  certificate content in a notepad

    • save it with .cer extension

    • double click on it and confirm





 



Here, everything looks fine and now you can share new metadata file with IdP team.

 

Option B: Talk to your CA team.

 

Hope this helps.

 

Thanks andreas.wegmann for your inputs.

 

Regards,

JK

Labels in this area
Popular Blog Posts