SAP Concur SAMLv2 SSO Certificate Expiration



Client Fact Sheet

June 25, 2020

Published: June 5, 2020

This fact sheet provides information about the upcoming expiration of the SAP Concur SAMLv2 SSO certificate and provides steps for renewing the certificate.

Contents

SAP Concur SAMLv2 SSO Certificate Expiration
Overview
Certificate Expiration Testing
Testing Results
The Renewed Certificate
Updating the Certificate at the IdP
ADFS
AzureAD
OneLogin
Ping Identity
Okta

SAP Concur SAMLv2 SSO Certificate Expiration

Overview

The certificate provided by the SAP Concur SAMLv2 service, which is used to establish a Single Sign-On (SSO) connection with an IdP, will expire on June 25, 2020. Unless the certificate is renewed before the June 25, 2020 expiration date, the expiration might prevent users from successfully signing in to SAP Concur products.

SAP Concur offers Single Sign-On (SSO) to make the user login process easier and more secure. SAP Concur's most recent SSO support is the second version of its SAML support, SAMLv2.

SSO requires that trust be established between the Identity Provider (IdP) and the Service Provider (SP). This trust is established in part through cryptographic use of certificates provided by the service provider, in this case SAP Concur solutions. The IdP uses these certificates to validate signed messages from the SP and, optionally, to encrypt messages sent to the SP.

Certificate Expiration Testing

SAP Concur tested a sampling of IdPs to determine how connections established in different scenarios behave after the certificate expires. The following table shows the results of those tests.

Note: Not all IdPs, and not all IdP configurations, could be tested, so the information below should be taken as a guide rather than a guarantee of behavior.

The three configurations tested (columns of the results table):

| | Prior to June 25th | After June 25th (IdP not yet updated) | After June 25th (IdP updated) |
|---|---|---|---|
| Concur's SAML2 SP cert (signs SAML Request) | Existing | Updated | Updated |
| IdP's SP cert/metadata (validates SAML Request signature, encrypts SAML Response) | Existing (valid) | Existing (expired) | Updated (valid) |

Results per scenario and IdP:

| Scenario | IdP | Prior to June 25th | After June 25th (IdP not yet updated) | After June 25th (IdP updated) |
|---|---|---|---|---|
| IdP Initiated SSO (SAML Response signed with IdP certificate) | Okta | ✓ | ✓ | ✓ |
| | ADFS | ✓ | ✓ | ✓ |
| | Ping | ✓ | ✓ | ✓ |
| | One | ✓ | ✓ | ✓ |
| SP Initiated SSO (SAML Request signed with SP certificate) | Okta | ✓ | ✓ | ✓ |
| | ADFS | ✓ | ✓ | ✓ |
| | Ping | ✓ | ✓ | ✓ |
| | One | ✓ | ✓ | ✓ |
| Encrypted SAML Response (SAML Response encrypted with SP certificate public key) | Okta | ✓ | ✓ | ✓ |
| | ADFS | ✓ | Fail | ✓ |
| | Ping | ✓ | ✓ | ✓ |
| | One | ✓ | ✓ | ✓ |

Testing Results

The testing results show that even with an expired SP certificate, nearly all scenarios continued to function successfully.

The scenario that fails is Encrypted SAML Responses with Active Directory Federation Services (ADFS) as the IdP. In this case, once the current certificate expires, ADFS will not apply encryption using the expired certificate. Customers who fall under this scenario must update their encryption certificate before June 25, 2020.

Note: Encrypting the SAML Response is optional, so this failure will not affect all ADFS customers, only those that have opted to encrypt SAML Responses.

The Renewed Certificate

The SAP Concur metadata has already been updated to include the renewed certificate.

The renewed certificate can be viewed by clicking the following link:

SAP Concur SAMLv2 SSO Certificate Metadata

Note: We do not recommend copying and pasting the renewed certificate from the URL provided. Copying and pasting a certificate from a browser does not always work as expected.

The SP metadata includes four certificate blocks, appearing in the metadata in this order:

• The current certificate for “signing” (which expires on June 25, 2020)

• The renewed certificate for “signing”

• The current certificate for “encryption” (which expires on June 25, 2020)

• The renewed certificate for “encryption”

The same certificate is used for both signing and encryption. The new certificate is as follows:


We recommend you use one of the following processes to renew the certificate.

• To renew the certificate by copying from this Fact Sheet:

1. Select the certificate above, including the following lines:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

2. Paste the certificate into a plain text editor such as Notepad, Vim, or TextMate.

Note: Pasting the certificate into a plain text editor removes hidden formatting from the source application (Microsoft Word) that might change the content of the certificate and cause it to fail.

3. Save the file.

4. Use the saved file as the source for the new certificate metadata.

• To renew the certificate by copying from the URL:

1. Click the following link to navigate to the SP metadata URL:

SAP Concur SAMLv2 SSO Certificate Metadata

2. Copy the second certificate with the KeyDescriptor use="signing" or use="encryption" (these certificates are the same).

3. Open a plain text editor.

4. Paste the certificate into the editor.

5. Add the following text at the beginning of the file:

-----BEGIN CERTIFICATE-----

6. Add the following text at the end of the file:

-----END CERTIFICATE-----

7. Save the file.

8. Use the saved file as the source for the new certificate metadata.
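The URL procedure above selects the renewed certificate by its position in the metadata. As an added example (not SAP Concur's code), the standard-library-only Python below reads every KeyDescriptor's certificate and its notAfter date instead, so the renewed certificate is chosen by expiry rather than by position; the EntityDescriptor skeleton, the certificate-shaped DER skeletons and their dates are constructed assumptions, not SAP Concur's real metadata.

```python
# Added example (not SAP Concur code): list SAML SP metadata certificates by KeyDescriptor use
# and read each one's notAfter with a tiny DER walker, so the renewed one is picked by expiry.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der_tlv(buf, pos=0):  # -> (tag, value, next_pos) for the DER element starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: the low 7 bits give the number of length bytes that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def cert_not_after(cert_der):  # Certificate -> tbsCertificate -> validity.notAfter, as aware UTC
    tbs, pos = der_tlv(der_tlv(cert_der)[1])[1], 0
    if tbs[0] == 0xA0:  # optional [0] EXPLICIT version, present in every v3 certificate
        pos = der_tlv(tbs)[2]
    for _ in range(3):  # skip serialNumber, signature (algorithm) and issuer
        pos = der_tlv(tbs, pos)[2]
    validity = der_tlv(tbs, pos)[1]
    tag, value, _ = der_tlv(validity, der_tlv(validity)[2])  # second time value is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def certificates(metadata_xml, use):  # DER certificates of every KeyDescriptor with this use, in order
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join(kd.findtext(".//ds:X509Certificate", namespaces=NS).split()))
            for kd in root.iterfind(".//md:KeyDescriptor", NS) if kd.get("use") == use]

def renewed(metadata_xml, use, now):  # the longest-lived certificate still valid at `now`, else None
    live = [c for c in certificates(metadata_xml, use) if cert_not_after(c) > now]
    return max(live, key=cert_not_after) if live else None

# --- CONSTRUCTED sample input: certificate-shaped DER skeletons (no signature block), not real certs
def der(tag, payload):  # short-form lengths are enough for these small skeletons
    return bytes([tag, len(payload)]) + payload
def skeleton_cert(not_after):
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # [0] version v3, serialNumber
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + der(0x30, b"")  # sigalg, empty issuer
           + der(0x30, utc(datetime(2020, 1, 1, tzinfo=timezone.utc)) + utc(not_after)))  # validity
    return der(0x30, der(0x30, tbs))
def key_descriptor(use, cert_der):
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{base64.b64encode(cert_der).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
CURRENT = skeleton_cert(datetime(2020, 6, 25, tzinfo=timezone.utc))  # stands in for the expiring certificate
RENEWED = skeleton_cert(datetime(2025, 4, 22, tzinfo=timezone.utc))  # stands in for the renewed certificate
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor>'
                   + "".join(key_descriptor(u, c) for u in ("signing", "encryption") for c in (CURRENT, RENEWED))
                   + "</md:SPSSODescriptor></md:EntityDescriptor>")
```

Against real SP metadata, `certificates(xml, "signing")` returns the blocks in the four-block order the fact sheet describes, and `cert_not_after` works on full DER certificates as well as these skeletons.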

Updating the Certificate at the IdP

This section contains information useful for updating IdP configurations with the new certificate.

Note: Not all IdPs, and not all IdP configurations, could be tested, so the information in this section should be taken as a guide rather than a guarantee of behavior.

ADFS

Customers using ADFS can use the following instructions to help update their configuration.

• To update your ADFS configuration:

1. Save the renewed certificate by following one of the procedures in the preceding The Renewed Certificate section.

2. Find the SAP Concur configuration within the IdP:

a. In the ADFS configuration, browse to Relying Party Trusts.

b. Open the Properties for the SAP Concur configuration.

3. Add the new encryption certificate:

a. Click the Encryption tab.

b. Click Browse and then navigate to the file with the renewed certificate you created in Step 1 of this procedure.

c. Click Open.

d. Confirm that the expiration date has changed to April 22, 2025.

4. Add the new signing certificate:

a. Click the Signature tab.

b. Click Add and then navigate to the file with the renewed certificate you created in Step 1 of this procedure.

c. Click Open.

d. Confirm that another certificate has been added to the configuration, and that the expiration date has changed to April 22, 2025.

Note: Do not remove the signing certificate that expires on June 25, 2020 until after June 25, 2020.

AzureAD

1. Save the renewed certificate by following one of the procedures in the preceding The Renewed Certificate section.

2. In Enterprise Applications, select the SAP Concur application.

3. In the Security section, click Token encryption.

Note: If there is no active encryption token, encrypted SAML responses are not enabled, and no changes are necessary.

4. Click Import Certificate and then navigate to the file with the renewed certificate you created in Step 1 of this procedure.

5. Select the newly imported certificate, click the ellipsis (…), and select Activate token encryption from the list.

OneLogin

1. Save the renewed certificate by following one of the procedures in the preceding The Renewed Certificate section.

2. Go to Configuration:

a. If Encrypt assertion is not selected, encrypted SAML responses are not enabled, and no changes are necessary.

b. If Encrypt assertion is selected, proceed to the next step.

3. Open the file you saved in Step 1 of this procedure, and copy and paste the renewed certificate into the SAML Encryption section.

Ping Identity

1. Go to the Concur Application in Ping.

2. In the Connection Configuration, do one of the following:

a. Paste the following URL into the Upload Metadata field: 



b. Save the renewed certificate to your local machine by following one of the procedures in the preceding The Renewed Certificate section, click Or use local file, and then navigate to the file you saved.

3. If SAML Responses are being encrypted (or you want to enable encryption), save the renewed certificate to your local machine by following one of the procedures in The Renewed Certificate section.

4. In the Connection Configuration, navigate to the Encryption Certificate option, click Choose File, and then navigate to the file you saved in Step 3 of this procedure.

Okta

1. Save the renewed certificate by following one of the procedures in the preceding The Renewed Certificate section.

2. Navigate to the Applications section.

3. Select the application to update.

4. Navigate to the Sign On tab.

5. Click Edit to edit the settings.

6. For the Encryption Certificate, click Browse.

7. Browse to the file you saved in Step 1 of this procedure and then click Upload.
