Renew the SAP Analytics Cloud SAML Signing Certificate

To continue using SAML SSO, an administrator must renew the certificate before it is expired.


An email with details on how to renew the SAML X509 certificate will be sent to administrators before the certificate expiry date. If the certificate expiry is less than 30 days away, a warning message will also appear when you log on to SAP Analytics Cloud.
If you click the Renew link on the warning message, you will be taken to the Security tab on the Administration page.


  1. From the side navigation, go to Start of the navigation path System Next navigation step  Administration Next navigation step SecurityEnd of the navigation path.
  2. Select Renew.
    A confirmation dialog will appear. When you confirm the renewal, a new metadata file will be downloaded automatically.

    The renewal process takes around five minutes to complete.

  3. If you use a custom identity provider, upload the SAP Analytics Cloud metadata file to your SAML Identity Provider (IdP).

    This step is not required if you use SAP Cloud Identity for authentication.

  4. If you have live data connections to SAP HANA systems that use SAML SSO, you must also upload the new metadata file to your SAP HANA systems.
  5. Log on to SAP Analytics Cloud when five minutes has passed.


If you are able to log on, the certificate renewal was successful. If you cannot logon, try one of the following troubleshooting tips.

If you use SAP Cloud ID for authentication:
  1. Clear the browser cache.
  2. Allow up to five minutes for the SAP Cloud ID service to switch to the new certificate.
If you use a custom identity provider for authentication:
  1. Ensure the new metadata file has been uploaded to your IdP. For more information, see Enable a Custom SAML Identity Provider.
  2. Clear the browser cache.
  3. Allow up to five minutes for your IdP to switch to the new certificate with the newly uploaded metadata.