Update from SAP DITA CMS (squashed):
commit 21327830d68bde6684bce1626ab8a48d913812ef
Author: REDACTED
Date:   Wed Mar 13 13:42:40 2024 +0000

    Update from SAP DITA CMS 2024-03-13 13:42:40
    Project: dita-all/wbz1500991557538
    Project map: 1334e860f4d64684a929f6a7afeea339.ditamap
    Language: en-US

commit 382ff2d00e85fbe8cf7ffc12aaadd7203c29f850
Author: REDACTED
Date:   Wed Mar 13 13:30:53 2024 +0000

    Update from SAP DITA CMS 2024-03-13 13:30:53
    Project: dita-all/wbz1500991557538
    Project map: 1334e860f4d64684a929f6a7afeea339.ditamap
    Language: en-US

commit 0b57e50605d0152fa5f689449bcb91642ddb581f
Author: REDACTED
Date:   Tue Mar 12 10:39:49 2024 +0000

    Update from SAP DITA CMS 2024-03-12 10:39:49
    Project: dita-all/wbz1500991557538
    Project map: 1334e860f4d64684a929f6a7afeea339.ditamap
    Language: en-US

commit 1a8b07d5c1f55924d1e8a862bf2b8f2f6a73e175
Author: REDACTED
Date:   Mon Mar 11 07:39:35 2024 +0000

    Update from SAP DITA CMS 2024-03-11 07:39:35

##################################################
[Remaining squash message was removed before commit...]
ditaccms-bot committed Mar 14, 2024
1 parent 82d7e49 commit 0b216c4
Showing 56 changed files with 2,662 additions and 390 deletions.
Expand Up @@ -133,7 +133,7 @@ Once your certificate is added you can see a table with all your certificates an

[Disable Client ID Locking](disable-client-id-locking-aa38152.md "You can disable the automatic lock of the client ID after five failed logon attempts.")

[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")

[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")

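Review bot: the replacement link description in this hunk reads awkwardly: "Configure the JSON Web Token (JWT) - the issuer and subject of tokens ... or the URI for JSON web key retrieval". The hyphen makes the token itself the object of "Configure", whereas the topic configures trust settings for client authentication. Suggest "Configure JWT client authentication for token requests: either the expected issuer and subject of the client tokens, or the JSON Web Key Set (JWKS) URI from which the trusted party's keys are retrieved." The same string is repeated in the other four link files touched by this commit and in the topic's own short description, so the wording should be changed in all of them at once.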
Expand Up @@ -2,7 +2,7 @@

# Configure JWT for OAuth Client Authentication

Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client authentication in token requests to OpenID Connect applications.
Configure the JSON Web Token \(JWT\) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.



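Review bot: the new short description says "URI for JSON web key retrieval", while the body of this same file later calls the field "The JSON Web Key Set (JWKS) URI of the trusted party"; use the JWKS term in both places so the description matches the field it introduces. The new wording also drops "to OpenID Connect applications" from "in token requests", yet the prerequisites still require an OpenID Connect application; either keep the qualifier here or relax the prerequisite, but not one without the other.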
Expand All @@ -11,7 +11,8 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
## Prerequisites

- You have an OpenID Connect application.
- You have created and configured a corporate identity provider of type *OpenID Connect Compliant* in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trust with OpenID Connect Corporate Identity Provider](../Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).

- \(For the *Configure Trust by Issuer*\) You have created and configured a corporate identity provider of type *OpenID Connect Compliant* in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trust with OpenID Connect Corporate Identity Provider](../Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).



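Review bot: the added prerequisite is scoped with "(For the *Configure Trust by Issuer*)" but no matching prerequisite is listed for the *Configure Trust by URI* option, which according to the procedure needs the trusted party's JWKS URI. Suggest a second bullet such as "(For *Configure Trust by URI*) You know the JSON Web Key Set (JWKS) URI of the trusted party, and the endpoint is reachable from Identity Authentication", and, since the keys fetched from that endpoint decide which clients are trusted, a recommendation that it be served over HTTPS. Grammar: "(For the *Configure Trust by Issuer*)" is missing a noun; write "(For the *Configure Trust by Issuer* option)" or "(*Configure Trust by Issuer* only)".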
Expand All @@ -33,83 +34,186 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut

5. Under *Application APIs*, choose *Client Authentication*.

6. Choose the *Add* button in the *JSON Web Tokens* section.

7. Provide the required info in the popup.


<table>
<tr>
<th valign="top">



</th>
<th valign="top">



</th>
</tr>
<tr>
<td valign="top">

**Description**

</td>
<td valign="top">

This field is optional. You can provide information about the token here.

</td>
</tr>
<tr>
<td valign="top">

**Issuer**

</td>
<td valign="top">

The issuer is a corporate identity provider of type *OpenID Connect Compliant*. It must be created and configured in the administration console first.

</td>
</tr>
<tr>
<td valign="top">

**Subject**

</td>
<td valign="top">

The sub \(subject\) that is expected in the token.

> ### Tip:
> If you want to use an OAuth 2.0 token from Microsoft Entra ID as client credentials for an OpenID Connect application in Identity Authentication, and your OAuth client in Microsoft Entra ID belongs to an Enterprise Application, the subject in the token is the Object ID of the Enterprise Application.


</td>
</tr>
<tr>
<td valign="top">

**Scope**

</td>
<td valign="top">

> ### Note:
> This section is read-only. The predefined choice is OpenID.


</td>
</tr>
</table>

8. Save your configuration.
6. Under *JSON Web Tokens*, configure one of the following options:

- \(For RFC 7523-based JWT client tokens\) Choose the *Add* button for *Configure Trust by Issuer* and provide the required info in the popup:

**Configure Trust by URI**


<table>
<tr>
<th valign="top">

Field

</th>
<th valign="top">

Notes

</th>
</tr>
<tr>
<td valign="top">
*Description*

</td>
<td valign="top">
\(Optional\) You can provide information about the token here.

</td>
</tr>
<tr>
<td valign="top">
*Issuer*

</td>
<td valign="top">
\(Required\) The issuer is a corporate identity provider of type *OpenID Connect Compliant*. It must be created and configured in the administration console first.

</td>
</tr>
<tr>
<td valign="top">
*Subject*

</td>
<td valign="top">
The sub \(subject\) that is expected in the token.

> ### Tip:
> If you want to use an OAuth 2.0 token from Microsoft Entra ID as client credentials for an OpenID Connect application in Identity Authentication, and your OAuth client in Microsoft Entra ID belongs to an Enterprise Application, the subject in the token is the Object ID of the Enterprise Application.

</td>
</tr>
<tr>
<td valign="top">
*API Access*

</td>
<td valign="top">
> ### Note:
> This section is read-only. The predefined choice is OpenID.

</td>
</tr>
<tr>
<td valign="top">
*API Permission Groups*

</td>
<td valign="top">
\(Optional\) `API Permission Groups` field is enabled only when the *Provided APIs* ption is configured. For more information, see [Provide APIs for Consumption by Other Applications](provide-apis-for-consumption-by-other-applications-9d2fe83.md).

</td>
</tr>
</table>
- \(For OpenID Connect-based JWT client tokens\) Choose the *Add* button for *Configure Trust by URI* and provide the required info in the popup:

**Configure Trust by URI**


<table>
<tr>
<th valign="top">

Field

</th>
<th valign="top">

Notes

</th>
</tr>
<tr>
<td valign="top">
*Description*

</td>
<td valign="top">
\(Optional\) You can provide information about the URI here.

</td>
</tr>
<tr>
<td valign="top">
*URI*

</td>
<td valign="top">
\(Required\) The JSON Web Key Set \(JWKS\) URI of the trusted party.

</td>
</tr>
<tr>
<td valign="top">
*Refresh Interval*

</td>
<td valign="top">
\(Optional\) Refreshes the URI automatically if it is older than the selected interval. Choose from:

- 24 hours \(default choice\)

- 12 hours



</td>
</tr>
<tr>
<td valign="top">
*API Access*

</td>
<td valign="top">
> ### Note:
> This section is read-only. The predefined choice is OpenID.

</td>
</tr>
<tr>
<td valign="top">
*API Permission Groups*

</td>
<td valign="top">
\(Optional\) `API Permission Groups` field is enabled only when the *Provided APIs* option is configured. For more information, see [Provide APIs for Consumption by Other Applications](provide-apis-for-consumption-by-other-applications-9d2fe83.md).

</td>
</tr>
</table>


**Related Information**
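Review bot: the bold heading directly under the "Configure Trust by Issuer" bullet reads "**Configure Trust by URI**", which is a copy-paste error from the second table; it should read "**Configure Trust by Issuer**". In the *API Permission Groups* row of that first table, "*Provided APIs* ption" is missing the "o" of "option" (the second table has it right). Two documentation gaps in the new *Configure Trust by URI* table: it has no *Issuer* or *Subject* row, so the topic never states which claims of the presented JWT are validated against what; a reader cannot tell whether `iss` and `sub` must equal the client ID (as the OpenID Connect client authentication section linked under Related Information requires for `private_key_jwt`) and what `aud` must be, or whether any token signed with a key from the JWKS is accepted. Suggest stating the expected `iss`, `sub` and `aud` values and the `exp`/`jti` handling for both options. The *Refresh Interval* text "Refreshes the URI automatically if it is older than the selected interval" refreshes the cached key set, not the URI; it should also say that a newly rotated or withdrawn key at the trusted party takes effect only at the next refresh (12 or 24 hours), since that is the security consequence of the setting. Finally, the bullet labels "(For RFC 7523-based JWT client tokens)" and "(For OpenID Connect-based JWT client tokens)" do not distinguish the two options, because OpenID Connect `private_key_jwt` is itself an RFC 7523 profile; label them by what actually differs, i.e. whether the issuer is a configured corporate identity provider or the signing keys are retrieved from a JWKS URI.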
Expand All @@ -125,3 +229,9 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut

[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")

[JSON Web Token \(JWT\) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/rfc/rfc7523)

[Proof-of-Possession Key Semantics for JSON Web Tokens \(JWTs\)](https://www.rfc-editor.org/rfc/rfc7800.html)

[JSON Web Token Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)

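Review bot: the added link to RFC 7800 (Proof-of-Possession Key Semantics for JWTs) has no counterpart in the topic body; nothing in the procedure mentions proof-of-possession or the `cnf` claim, so a reader cannot tell why it is listed. Either add a sentence in the body explaining where proof-of-possession tokens are accepted, or drop the link. The RFC 7523 and OpenID Connect client authentication links are appropriate for the two options described.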
Expand Up @@ -127,7 +127,7 @@ Once your secret is generated you can see a table with your secrets and informat

[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")

[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")

[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")

2 changes: 1 addition & 1 deletion docs/Development/disable-client-id-locking-aa38152.md
Expand Up @@ -48,7 +48,7 @@ To disable the *Client ID Lock* option, follow the procedure below:

[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")

[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")

[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")

Expand Up @@ -17,5 +17,5 @@ To call the methods of this SCIM REST API you must have a system as administrato

[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")

[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")

2 changes: 1 addition & 1 deletion docs/Development/unlock-client-id-e5a6b85.md
Expand Up @@ -41,7 +41,7 @@ To unlock the client ID before the automatic unlock time of 60 minutes has passe

[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")

[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")

[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")

Expand Up @@ -14,10 +14,13 @@ The Global User ID specifies an identifier for a user that is unique across tech

This attribute is automatically generated by Identity Authentication at user creation, and it can be changed by the admin after that. It can be provisioned to various SAP cloud solutions by Identity Provisioning.

The Global User ID addresses the challenge of integrating user-related data across system boundaries. SAP Task Center is an example of a service which requires the use of the Global User ID as a common user identifier. SAP Task Center provides a single entry point for business users to access their tasks. This scenario needs an enterprise-wide mapping of users to relate tasks to each other in different systems.
> ### Remember:
> When Identity Authentication uses a corporate identity provider \(IdP\) to authenticate the users, the *Enable the Use Identity Authentication user store* option under the *Identity Federation* configuration of the corporate IdP must be enabled, and the users must exist in the Identity Directory, the local user store of Identity Authentication users store.
The Global User ID addresses the challenge of integrating user-related data across system boundaries. SAP Task Center is an example of a service, which requires the use of the Global User ID as a common user identifier. SAP Task Center provides a single entry point for business users to access their tasks. This scenario needs an enterprise-wide mapping of users to relate tasks to each other in different systems.

> ### Note:
> Use the Global User ID as a common user identifier for SAP if you expect to use applications which require one identifier in all solutions like SAP Task Center. For more information, see [System Integration Guide for SAP Cloud Identity Services and SAP Task Center](https://help.sap.com/viewer/b95c3d5bab324a3a8409eee5267a5b75/Cloud/en-US/27947dfb325047018603446439050a6b.html).
> Use the Global User ID as a common user identifier for SAP if you expect to use applications, which require one identifier in all solutions like SAP Task Center. For more information, see [System Integration Guide for SAP Cloud Identity Services and SAP Task Center](https://help.sap.com/viewer/b95c3d5bab324a3a8409eee5267a5b75/Cloud/en-US/27947dfb325047018603446439050a6b.html).


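Review bot: the new *Remember* note ends with a garbled phrase, "the Identity Directory, the local user store of Identity Authentication users store"; the trailing "users store" should be dropped. The note is also inserted with no blank line before the following paragraph "The Global User ID addresses the challenge ...", so in Markdown that paragraph becomes a lazy continuation of the blockquote and renders inside the Remember box; add a blank line after the quoted lines. The two comma changes in this hunk are regressions rather than fixes: "a service, which requires the use of the Global User ID" and "applications, which require one identifier" turn restrictive clauses into non-restrictive ones and now read as if every application requires one identifier; revert to "a service that requires" and "applications that require".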
Expand All @@ -29,14 +32,14 @@ The Global User ID addresses the challenge of integrating user-related data acro

### Identity Authentication

For every newly created user \(self-registered, imported, or manually created - via the administraton console or API\), Identity Authentication generates a Global User ID. It is unique and can be changed later by the tenant administrator.
For every newly created user \(self-registered, imported, or manually created - via the administration console or API\), Identity Authentication generates a Global User ID. It is unique and can be changed later by the tenant administrator.

The system generated attribute value is 36 characters long \(32 hexadecimal characters and 4 hyphens\).

> ### Example:
> f81d4fae-7dec-11d0-a765-00a0c91e6bf6
This attribute can be sent from Identity Authentication to applications as user attribute, `Subject Name Identifier`, and default attribute in the SAML assertion. The Global User ID is also put in the `id_token` if the application uses OpenID connect.
This attribute can be sent from Identity Authentication to applications as a user attribute, `Subject Name Identifier`, and default attribute in the SAML assertion. The Global User ID is also put in the `id_token` if the application uses OpenID connect.



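Review bot: the paragraph "This attribute can be sent from Identity Authentication ..." follows the Example blockquote line "> f81d4fae-7dec-11d0-a765-00a0c91e6bf6" with no blank line in between, so it is rendered as part of the Example quote; insert a blank line after the example value. In the same sentence, the list "as a user attribute, `Subject Name Identifier`, and default attribute" is ambiguous about whether these are three alternatives; suggest "as a user attribute, as the `Subject Name Identifier`, or as a default attribute in the SAML assertion". Also "OpenID connect" should be capitalized "OpenID Connect", as elsewhere in the file.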
Expand Down Expand Up @@ -72,7 +75,7 @@ The Global User ID is provisioned by the Identity Provisioning using the SCIM at

SAP Identity Management \(on-premise solution\) supports reading users with Global User ID from Identity Authentication using the Identity Management *SCI* connector. SCI stands for SAP Cloud Identity, the former name of Identity Authentication. It is not possible to use the Identity Management SCIM connector in a hybrid scenario with Identity Provisioning for that purpose.

Once loaded in SAP Identity Management, users with Global User ID can be provisioned to SAP S/4HANA on-premise systems only. In this case, the Identity Management *ABAP* or *BusinessSuite* connector are used.
Once loaded in SAP Identity Management, users with Global User ID can be provisioned to SAP S/4HANA on-premise systems only. In this case, the Identity Management *ABAP* or *BusinessSuite* connectors are used.

When SAP Identity Management provisions a new user to Identity Authentication, the Global User ID is generated by the service and returned back as a response. It is stored in the Identity Management MX\_USER\_UUID attribute.

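Review bot: the plural fix "connectors are used" is correct. In the last context line, "returned back as a response" is redundant; "returned in the response" is enough. The sentence could also name the SCIM attribute that carries the value in that response, since the preceding section says the Global User ID is provisioned by Identity Provisioning using a SCIM attribute.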
