SAP Knowledge Base Article - Public

2820521 - Switching SHA-1 to SHA-256 for SAP Analytics Cloud (SAC) Cloud Foundry (CF) Tenants

Symptom

  • For SAP Analytics Cloud (SAC) Cloud Foundry (CF) systems, the SAC metadata shows that the "SHA1" algorithm is being used:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="xxxxxxxxxxxxxxxx" entityID="xxxxxxxxxxxxxxxxxx">
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#xxxxxxxxxxxxxxxxxx">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>xxxxxxxxxxxxxxxxxxxx=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>

Environment

  • SAP Analytics Cloud (SAC) Cloud Foundry (CF) Tenants

Reproducing the Issue

  • Log in to the SAC CF tenant
  • Go to Menu->System->Security->Edit
  • Under "SAML Single Sign-On (SSO) Configuration"->Step 1: Download Service Provider metadata->Click on "Download"
  • Notice that SHA-1 is being used as both the "SignatureMethod Algorithm" and the "DigestMethod Algorithm"

Cause

  • This is currently by design

Resolution

  • The SAML assertions are already signed with SHA256 in production for CF tenants.
  • The algorithm displayed in the metadata may not reflect what is actually used in the SAML request/response.
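
Because the metadata may differ from what is on the wire, the algorithm can be read from a captured SAML message instead. The following is an added example, not SAP code: it lists the signature and digest algorithms in any SAML XML document (metadata, or a base64 HTTP-POST message) and reads the SigAlg parameter of an HTTP-Redirect URL. The sample documents, the idp.example host and all function names are constructed for illustration and do not show what a tenant actually sends.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WEAK = ("sha1", "md5")  # algorithm URI suffixes this example flags as weak

# Constructed samples (not real tenant data).
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </ds:Reference></ds:SignedInfo></ds:Signature></md:EntityDescriptor>"""
MESSAGE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>"""
CAPTURED_B64 = base64.b64encode(MESSAGE.encode()).decode()  # as seen in a POST form field


def signature_algorithms(xml_text):
    """Return (element, algorithm URI, is_weak) for each ds:SignatureMethod
    and ds:DigestMethod found anywhere in the document."""
    # For XML from an untrusted source, use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    found = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            uri = el.get("Algorithm", "")
            found.append((tag, uri, uri.lower().endswith(WEAK)))
    return found


def decode_post_binding(b64_value):
    """HTTP-POST binding: the SAMLRequest/SAMLResponse field is base64-encoded XML."""
    return base64.b64decode(b64_value).decode("utf-8")


def redirect_sigalg(url):
    """HTTP-Redirect binding: the algorithm is carried in the SigAlg query parameter."""
    values = parse_qs(urlparse(url).query).get("SigAlg", [])
    return values[0] if values else None


if __name__ == "__main__":
    for label, doc in (("metadata", METADATA), ("captured", decode_post_binding(CAPTURED_B64))):
        for tag, uri, weak in signature_algorithms(doc):
            print(f"{label:9} {tag:16} {uri} {'WEAK' if weak else 'ok'}")
```

To check a real tenant, paste the SAMLRequest or SAMLResponse value captured in the browser's network tools in place of CAPTURED_B64.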

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, SHA1, SHA-1, SHA-2, SHA-256 , KBA , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-BR , Digital Boardroom (DiBo) , LOD-ANA-PL , Planning Functionality, Planning Models , Problem

Product

SAP Analytics Cloud 1.0