Technology Blogs by SAP
JingjingWang
Product and Topic Expert

This blog describes how to import the new Open Connectors SAML metadata into your SAP Cloud Identity Services tenant. It is relevant for every customer whose Open Connectors instance relies on a custom identity provider rather than the default SAP identity provider.

 

Prerequisites 

You need the following systems in place to successfully perform the steps described in this blog: 

 

Context 

For security purposes, SAP automatically renews the SAML metadata that Open Connectors uses with the default SAP identity provider (https://accounts.sap.com) every year. This has no impact on your systems, and no action is needed if you use the default SAP identity provider. Customers who use a custom identity provider for Open Connectors are affected, however: once the SAML metadata (that is, the service-provider certificate it carries) has expired, login to Open Connectors fails. The Open Connectors runtime is not impacted. To avoid this outage, import the new SAML metadata into SAP Cloud Identity Services before the current metadata expires.

The metadata renewal process is the same for the standalone version of Open Connectors in both Neo and Cloud Foundry.   

 

Download the New SAML Metadata from Open Connectors 

  1. Get the identity provider ID: retrieve it with the following curl command (or import the command into Postman).

curl --location 'https://api.openconnectors.<region>.ext.hana.ondemand.com/elements/api-v2/accounts/identity-providers' \
--header 'accept: application/json' \
--header 'Authorization: <OCN authorization header>'

You can get the id value from the response: search for the line with “id”.


Notes: 

  • The response is empty if you have not configured a custom identity provider in your tenant; in that case there is nothing to renew.
  • The response may contain multiple custom identity providers. Take the id value of the active one, that is, the entry whose isDefault is true.
  • Find the region of your Open Connectors tenant: access your tenant and check the URL.
  • To get the Open Connectors authorization header, access the system and click Settings > Authorization Header. Treat this header as a credential: it grants API access to your tenant, so keep it out of shared tickets and checked-in scripts.

 

Activate the Backup Certificate as Primary Certificate

  1. Run the following curl command:

curl --location --request PATCH 'https://api.openconnectors.<region>.ext.hana.ondemand.com/elements/api-v2/accounts/identity-providers/<id>' \
--header 'Authorization: <OCN authorization header>' \
--header 'Content-Type: application/json' \
--header 'accept: application/json' \
--data '{
"useBackupSpCert": true
}'


Notes: 

  • Replace the region with the value you got from the previous step. 
  • Replace the id with the value you got from the previous step. 

 

Download the New SAML Metadata

  1. Open the following URL in your browser and save the content as an xml file:  

https://api.openconnectors.<region>.ext.hana.ondemand.com/elements/api-v2/authentication/saml/<id>/m... 


Notes: 

  • Replace the region with the value you got from the previous step. 
  • Replace the id with the value you got from the previous step. 

 

Import the New SAML Metadata to your Cloud Identity Services 

  1. Log in to your Cloud Identity Services tenant and open the Open Connectors application you configured.
  2. Click SAML 2.0 Configuration.
  3. Click the “Browse” button to import the xml file you downloaded in the previous step, then click Save.
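The API steps above (getting the identity provider id and switching to the backup SP certificate) together with a check on the downloaded metadata, as an added example that is not part of the original blog post or of SAP's tooling. It assumes the identity-providers endpoint returns a JSON array of objects with "id" and "isDefault" keys, and that the downloaded file is standard SAML 2.0 SP metadata carrying the certificate in md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate. The sample JSON and metadata embedded in the script are constructed for offline use, and the certificate bytes in them are placeholders, not real certificates. The network helpers take the region and the value from Settings > Authorization Header; the metadata download URL from the previous step is not reconstructed here, the script reads the saved xml file instead.

```python
"""Helpers for the Open Connectors SAML metadata renewal (added example, not SAP code).

Assumptions not stated on the page: the identity-providers endpoint returns a JSON
array of objects with "id" and "isDefault"; the metadata is standard SAML 2.0 SP
metadata with the certificate under md:KeyDescriptor/ds:X509Certificate.
"""
import base64
import hashlib
import json
import urllib.request
import xml.etree.ElementTree as ET

API_BASE = "https://api.openconnectors.{region}.ext.hana.ondemand.com/elements/api-v2"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _request(method, url, auth_header, body=None):
    """One authenticated call to the Open Connectors API (network; unused by the offline checks)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth_header)  # value from Settings > Authorization Header
    req.add_header("accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def list_identity_providers(region, auth_header):
    """GET .../accounts/identity-providers (the first curl command on the page)."""
    return _request("GET", API_BASE.format(region=region) + "/accounts/identity-providers", auth_header)


def activate_backup_sp_cert(region, auth_header, idp_id):
    """PATCH useBackupSpCert=true (the second curl command on the page)."""
    url = API_BASE.format(region=region) + f"/accounts/identity-providers/{idp_id}"
    return _request("PATCH", url, auth_header, {"useBackupSpCert": True})


def default_idp_id(providers):
    """Pick the active custom IdP; an empty list means no custom IdP, so nothing to renew."""
    if not providers:
        raise ValueError("no custom identity provider configured; the default SAP IdP needs no action")
    active = [p for p in providers if p.get("isDefault") is True]
    if len(active) != 1:
        raise ValueError(f"expected exactly one provider with isDefault=true, found {len(active)}")
    return active[0]["id"]


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of the SP signing certificate(s) in the metadata."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def cert_changed(old_metadata_xml, new_metadata_xml):
    """True when the new metadata carries a signing certificate the old one did not have."""
    old = set(signing_cert_fingerprints(old_metadata_xml))
    new = signing_cert_fingerprints(new_metadata_xml)
    return bool(new) and any(fp not in old for fp in new)


# Constructed sample data for offline use; not real Open Connectors output.
SAMPLE_PROVIDERS = json.loads('[{"id": 101, "isDefault": false}, {"id": 202, "isDefault": true}]')


def _sample_metadata(cert_bytes):
    b64 = base64.b64encode(cert_bytes).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://example.invalid/ocn"><md:SPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')


OLD_METADATA = _sample_metadata(b"old-placeholder-der")  # placeholder bytes, not a certificate
NEW_METADATA = _sample_metadata(b"new-placeholder-der")

if __name__ == "__main__":
    print("active custom IdP id:", default_idp_id(SAMPLE_PROVIDERS))
    print("new cert fingerprints:", signing_cert_fingerprints(NEW_METADATA))
    print("metadata carries a new certificate:", cert_changed(OLD_METADATA, NEW_METADATA))
```

Before overwriting the configuration in Cloud Identity Services, keep a copy of the previously imported metadata; running cert_changed on the old and new files confirms you are actually importing a different certificate rather than re-importing the expiring one.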

     

Validate 

Close your browser and reopen it, then try to log in to your Open Connectors tenant. If the login succeeds, the SAML metadata has been renewed. Otherwise, return to the steps described in this blog and try again.

If you need support, create a ticket on component LOD-OCN-SRV.