Email

Public Certificate Updates for Single Sign-On (SSO)

Which certificate should the customer use as a signing certificate?

Regardless of the front door URL, the customer should be using the RSA certificate from the primary front door (For example: s1.ariba.com) for each data center. If a customer uses the ECC (ECDSA) certificate from the same server, SSO will fail.

Can the new certificate be added right away?

SAP Ariba will make the certificate change only on the date and time specified in the communication.

Removing or replacing the existing signing certificate in advance of the date and time specified will break SSO.

If a customer’s IDP infrastructure supports having two relying party signing certificates as primary and secondary, they can add the new certificate in advance as a secondary certificate. If the customer IDP infrastructure supports one relying party signing certificate, the customer should make the changes only when Ariba has completed their certificate update.

Should the old certificate be removed after updating the new certificate?

Yes.  It is best practice to remove the old certificate after the change has been implemented by SAP Ariba.

What is metadata for SSO?

Metadata for SSO is sample data that gives the customer the following details:

How do I know if a metadata change is required for my SSO configuration?

Please confirm with your IT Department if updated metadata is required for your SSO configuration.

How can I obtain the metadata for the certificate update for my SSO configuration?

Please log a Case to request the metadata.

How do obtain the updated signing certificate?

To obtain the updated signing certificate for metadata update, please do the following:

  1. Download the RSA certificate for the applicable URL from the Certificate Landing Page.
  2. Open the file using a text editor.
  3. You may copy the contents of the certificate and replace your existing certificate with the new one.

We utilize the Advanced Front Door URL for Single Sign-On (-2 URL).  What certificate should we be using for signing certificate?

The following shows the Signing Certificate URL for the Advanced Front Door:

Advanced Front Door URL

Signing Certificate URL

s1-2.ariba.com

s1.ariba.com

s1-2-eu.ariba.com

s1-eu.ariba.com

s1-2-ru.ariba.com

s1-ru.ariba.com

Terms of Use  |  Copyright  |  Security Disclosure  |  Privacy