SAP Knowledge Base Article - Public

2820521 - Switching SHA-1 to SHA-256 for SAP Analytics Cloud (SAC) Cloud Foundry (CF) Tenants


  • For SAP Analytics Cloud (SAC) Cloud Foundry (CF) systems, the SAC metadata shows "SHA1" algorithm is being used:

<?xml version="1.0" encoding="UTF-8"?>
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="xxxxxxxxxxxxxxxx" entityID="xxxxxxxxxxxxxxxxxx">
            <ds:CanonicalizationMethod Algorithm=""/>
            <ds:SignatureMethod Algorithm=""/>
            <ds:Reference URI="#xxxxxxxxxxxxxxxxxx">
                    <ds:Transform Algorithm=""/>
                    <ds:Transform Algorithm=""/>
                <ds:DigestMethod Algorithm=""/>


  •   SAP Analytics Cloud(SAC) Cloud Foundry(CF) Tenants

Reproducing the Issue

  • Login to SAC CF tenant
  • Go to Menu->System->Security->Edit
  • Under "SAML Single Sign-On (SSO) Configuration"->Step 1: Download Service Provider metadata->Click on "Download"
  • Notice SHA-1 is being used as "SignatureMethod Algorithm" and "DigestMethod Algorithm"


  • This is currently by-design


  • The SAML assertions are already signed with SHA256 in production for CF tenants.
  • The algorithm displayed in the metadata may not reflect what is actually used in the SAML request/response.

See Also

Your feedback is important to help us improve our knowledge base.


SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, SHA1, SHA-1, SHA-2, SHA-256 , KBA , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-BR , Digital Boardroom (DiBo) , LOD-ANA-PL , Planning Functionality, Planning Models , Problem


SAP Analytics Cloud 1.0