SAP Knowledge Base Article - Public

2542839 - Service Provider certificate expires in X days message in SAP Analytics Cloud ***FAQ***

Symptom

  • You received an email indicating Service Provider certificate expires in 30 days.
  • After a successful logon to SAP Analytics Cloud you can see a similar message:
    • Identity provider metadata expires on <DATE>.

Environment

SAP Analytics Cloud

Cause

SAP Analytics Cloud uses SAML as an authentication method. Therefore, it always uses certificates. It is a Service Provider for the standard SAP Cloud Identity as well as for SAP Cloud Platform HANA databases.

Resolution

Renewing

Renew the SAP Analytics Cloud certificate (SAML Service Provider) in the main menu System > Administration > Security area.

When the renewal process is complete, a new metadata.xml file will be immediately downloaded to your browser.

Save this file to be used in other identity provider systems.

If you use the standard SAP Cloud Identity provider:

  • If you are not 100% sure of what this means, try to login to your tenant, you should be redirected to:
    https://cloudanalytics.accounts.ondemand.com/saml2/idp/sso/cloudanalytics.accounts.ondemand.com
  • If that is the case, you are using the standard SAP Cloud Identity. You don't need to do anything else.

If you are using a custom SAML Identity Provider:

  • Send the saved metadata.xml file to your SAML IdP administrator to update the certificate.
  • If you are using Active Directory Federation Services (AD FS), your active directory (AD) administrator can follow the steps indicated in article 2506765.

You configured an SAP Cloud Platform connection using SAML SSO:

  • You configured a live connection to HANA in SAP Cloud Platform by following this guide: Live Data Connection to SAPCP with SSO
  • You will need to update your HANA database using the steps described in the above guide.

You configured SAP Hybris Cloud Edition or S/4HANA Cloud Edition

  • Using SAML SSO: You need to follow the steps indicated in the article 2654241 to update your own SAP Cloud Identity Authentication Service (IAS).
  • Using OAuth: This authentication method also uses the certificate that was renewed. You need to edit the connection as indicated in the section: Live Data Connection to SAP S/4HANA Cloud Edition via OAuth.

Do I need to change Cloud Connector or importing connections?

  • No. Renewing this certificate only affects the SAML configuration as a Service Provider.
  • Importing data from data sources does not use SAML.

I have received an email saying "Signature certificate of identity provider expired", what do I need to do?

If the custom IdP certificate is expired or is about to expire, there is new feature to update the SAML IDP Signing Certificate from 2019.22.

Details in Help guide below:
Updating the SAML IdP Signing Certificate

  • When using a custom SAML IdP, certificates are used, and these can expire from both sides. In this case, your IdP metadata is no longer valid, and must be updated in SAP Analytics Cloud.
  • To resolve this, please request your Identity Provider Administrator to provide the latest metadata.xml and upload it to SAP Analytics Cloud under Menu - System - Administration - Security
  • If you face issues, please refer to the KBA 2855391 for further assistance

See Also

Your feedback is important to help us improve our knowledge base.
Please rate how useful you found this article by using the star rating feature at the beginning of this article.
Thank you.

Keywords

SAML, certificate, renew, renewal, expired, expiration, Cloud for Analytics, BusinessObjectsCloud, BOC, SAC, SAP BusinessObjects Cloud, Business Objects, SAC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, adfs ad admin, active directory, view metadata details , KBA , LOD-ANA , SAP Analytics Cloud (SAC) , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , Problem

Product

SAP Analytics Cloud 1.0