diff --git a/docs/Development/configure-certificates-for-api-authentication-47e9866.md b/docs/Development/configure-certificates-for-api-authentication-47e9866.md
index 94962d0..462325c 100644
--- a/docs/Development/configure-certificates-for-api-authentication-47e9866.md
+++ b/docs/Development/configure-certificates-for-api-authentication-47e9866.md
@@ -133,7 +133,7 @@ Once your certificate is added you can see a table with all your certificates an
[Disable Client ID Locking](disable-client-id-locking-aa38152.md "You can disable the automatic lock of the client ID after five failed logon attempts.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Development/configure-jwt-for-oauth-client-authentication-1bdc729.md b/docs/Development/configure-jwt-for-oauth-client-authentication-1bdc729.md
index 451112a..93a486b 100644
--- a/docs/Development/configure-jwt-for-oauth-client-authentication-1bdc729.md
+++ b/docs/Development/configure-jwt-for-oauth-client-authentication-1bdc729.md
@@ -2,7 +2,7 @@
# Configure JWT for OAuth Client Authentication
-Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client authentication in token requests to OpenID Connect applications.
+Configure the JSON Web Token \(JWT\) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.
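Review bot: The new short description on the added line is hard to parse: "Configure the JSON Web Token (JWT) - the issuer and subject of tokens ..., or the URI ..." uses a hyphen as a dash and leaves it unclear that two alternative trust options are meant. Suggest something like "Configure trust for JSON Web Token (JWT) client authentication in token requests, either by issuer and subject or by the URI used to retrieve the JSON Web Key Set." The same sentence is copied into the link titles of the related pages in this change, so fixing it here first avoids repeating the awkward wording there.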
@@ -11,7 +11,8 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
## Prerequisites
- You have an OpenID Connect application.
-- You have created and configured a corporate identity provider of type *OpenID Connect Compliant* in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trust with OpenID Connect Corporate Identity Provider](../Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
+
+- \(For the *Configure Trust by Issuer*\) You have created and configured a corporate identity provider of type *OpenID Connect Compliant* in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trust with OpenID Connect Corporate Identity Provider](../Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
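Review bot: The qualifier "(For the *Configure Trust by Issuer*)" on the added prerequisite has a dangling article; use "(For *Configure Trust by Issuer*)" or "(For the *Configure Trust by Issuer* option)". The added blank line before this bullet also splits the prerequisites into two lists, so drop it unless the split is intended. No prerequisite is listed for the *Configure Trust by URI* option; if one applies, state it here.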
@@ -33,83 +34,186 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
5. Under *Application APIs*, choose *Client Authentication*.
-6. Choose the *Add* button in the *JSON Web Tokens* section.
-
-7. Provide the required info in the popup.
-
-
-
-
-
-
-
-
- |
-
-
-
-
- |
-
-
-
-
- **Description**
-
- |
-
-
- This field is optional. You can provide information about the token here.
-
- |
-
-
-
-
- **Issuer**
-
- |
-
-
- The issuer is a corporate identity provider of type *OpenID Connect Compliant*. It must be created and configured in the administration console first.
-
- |
-
-
-
-
- **Subject**
-
- |
-
-
- The sub \(subject\) that is expected in the token.
-
- > ### Tip:
- > If you want to use an OAuth 2.0 token from Microsoft Entra ID as client credentials for an OpenID Connect application in Identity Authentication, and your OAuth client in Microsoft Entra ID belongs to an Enterprise Application, the subject in the token is the Object ID of the Enterprise Application.
-
-
-
- |
-
-
-
-
- **Scope**
-
- |
-
-
- > ### Note:
- > This section is read-only. The predefined choice is OpenID.
-
-
-
- |
-
-
-
-8. Save your configuration.
+6. Under *JSON Web Tokens*, configure one of the following options:
+
+ - \(For RFC 7523-based JWT client tokens\) Choose the *Add* button for *Configure Trust by Issuer* and provide the required info in the popup:
+
+ **Configure Trust by URI**
+
+
+
+
+
+
+ Field
+
+ |
+
+
+ Notes
+
+ |
+
+
+
+
+ *Description*
+
+ |
+
+
+ \(Optional\) You can provide information about the token here.
+
+ |
+
+
+
+
+ *Issuer*
+
+ |
+
+
+ \(Required\) The issuer is a corporate identity provider of type *OpenID Connect Compliant*. It must be created and configured in the administration console first.
+
+ |
+
+
+
+
+ *Subject*
+
+ |
+
+
+ The sub \(subject\) that is expected in the token.
+
+ > ### Tip:
+ > If you want to use an OAuth 2.0 token from Microsoft Entra ID as client credentials for an OpenID Connect application in Identity Authentication, and your OAuth client in Microsoft Entra ID belongs to an Enterprise Application, the subject in the token is the Object ID of the Enterprise Application.
+
+
+
+ |
+
+
+
+
+ *API Access*
+
+ |
+
+
+ > ### Note:
+ > This section is read-only. The predefined choice is OpenID.
+
+
+
+ |
+
+
+
+
+ *API Permission Groups*
+
+ |
+
+
+ \(Optional\) `API Permission Groups` field is enabled only when the *Provided APIs* ption is configured. For more information, see [Provide APIs for Consumption by Other Applications](provide-apis-for-consumption-by-other-applications-9d2fe83.md).
+
+ |
+
+
+
+ - \(For OpenID Connect-based JWT client tokens\) Choose the *Add* button for *Configure Trust by URI* and provide the required info in the popup:
+
+ **Configure Trust by URI**
+
+
+
+
+
+
+ Field
+
+ |
+
+
+ Notes
+
+ |
+
+
+
+
+ *Description*
+
+ |
+
+
+ \(Optional\) You can provide information about the URI here.
+
+ |
+
+
+
+
+ *URI*
+
+ |
+
+
+ \(Required\) The JSON Web Key Set \(JWKS\) URI of the trusted party.
+
+ |
+
+
+
+
+ *Refresh Interval*
+
+ |
+
+
+ \(Optional\) Refreshes the URI automatically if it is older than the selected interval. Choose from:
+
+ - 24 hours \(default choice\)
+
+ - 12 hours
+
+
+
+
+ |
+
+
+
+
+ *API Access*
+
+ |
+
+
+ > ### Note:
+ > This section is read-only. The predefined choice is OpenID.
+
+
+
+ |
+
+
+
+
+ *API Permission Groups*
+
+ |
+
+
+ \(Optional\) `API Permission Groups` field is enabled only when the *Provided APIs* option is configured. For more information, see [Provide APIs for Consumption by Other Applications](provide-apis-for-consumption-by-other-applications-9d2fe83.md).
+
+ |
+
+
+
**Related Information**
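Review bot: The first table caption is wrong: the bullet tells the reader to choose *Add* for *Configure Trust by Issuer*, but the table that follows is titled "**Configure Trust by URI**", the same caption as the second table. Rename the first caption to "Configure Trust by Issuer". In the same table, "*Provided APIs* ption" is missing the "o" in "option", and the *Subject* row has no (Required) or (Optional) marker while the other rows do. In the second table, "Refreshes the URI automatically if it is older than the selected interval" should say what is refreshed, since a URI does not age. The old step "8. Save your configuration." is removed without a replacement, so the procedure now ends without telling the reader to save.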
@@ -125,3 +229,9 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
+[JSON Web Token \(JWT\) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/rfc/rfc7523)
+
+[Proof-of-Possession Key Semantics for JSON Web Tokens \(JWTs\)](https://www.rfc-editor.org/rfc/rfc7800.html)
+
+[JSON Web Token Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+
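Review bot: The added RFC 7800 link (Proof-of-Possession Key Semantics) has no counterpart in the changed page text, which describes trust by issuer and subject and trust by JWKS URI only. Either add a sentence in the procedure explaining where proof-of-possession applies, or drop the link. The two RFC links also use different URL forms (`rfc7523` without `.html`, `rfc7800.html` with it); pick one.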
diff --git a/docs/Development/configure-secrets-for-api-authentication-9ea13fe.md b/docs/Development/configure-secrets-for-api-authentication-9ea13fe.md
index ad42d59..d0ad853 100644
--- a/docs/Development/configure-secrets-for-api-authentication-9ea13fe.md
+++ b/docs/Development/configure-secrets-for-api-authentication-9ea13fe.md
@@ -127,7 +127,7 @@ Once your secret is generated you can see a table with your secrets and informat
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Development/disable-client-id-locking-aa38152.md b/docs/Development/disable-client-id-locking-aa38152.md
index 88eb60f..10e9c72 100644
--- a/docs/Development/disable-client-id-locking-aa38152.md
+++ b/docs/Development/disable-client-id-locking-aa38152.md
@@ -48,7 +48,7 @@ To disable the *Client ID Lock* option, follow the procedure below:
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Development/scim-rest-api-authentication-mechanisms-e3f31bd.md b/docs/Development/scim-rest-api-authentication-mechanisms-e3f31bd.md
index 65d2082..4dbef7f 100644
--- a/docs/Development/scim-rest-api-authentication-mechanisms-e3f31bd.md
+++ b/docs/Development/scim-rest-api-authentication-mechanisms-e3f31bd.md
@@ -17,5 +17,5 @@ To call the methods of this SCIM REST API you must have a system as administrato
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
diff --git a/docs/Development/unlock-client-id-e5a6b85.md b/docs/Development/unlock-client-id-e5a6b85.md
index 28f2f97..240ce4a 100644
--- a/docs/Development/unlock-client-id-e5a6b85.md
+++ b/docs/Development/unlock-client-id-e5a6b85.md
@@ -41,7 +41,7 @@ To unlock the client ID before the automatic unlock time of 60 minutes has passe
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-47e9866.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-1bdc729.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-e3f31bd.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Integrating-the-Service/integrating-the-service-with-sap-task-center-ab5e90e.md b/docs/Integrating-the-Service/integrating-the-service-with-sap-task-center-ab5e90e.md
index 44b12eb..a7dc3de 100644
--- a/docs/Integrating-the-Service/integrating-the-service-with-sap-task-center-ab5e90e.md
+++ b/docs/Integrating-the-Service/integrating-the-service-with-sap-task-center-ab5e90e.md
@@ -14,10 +14,13 @@ The Global User ID specifies an identifier for a user that is unique across tech
This attribute is automatically generated by Identity Authentication at user creation, and it can be changed by the admin after that. It can be provisioned to various SAP cloud solutions by Identity Provisioning.
-The Global User ID addresses the challenge of integrating user-related data across system boundaries. SAP Task Center is an example of a service which requires the use of the Global User ID as a common user identifier. SAP Task Center provides a single entry point for business users to access their tasks. This scenario needs an enterprise-wide mapping of users to relate tasks to each other in different systems.
+> ### Remember:
+> When Identity Authentication uses a corporate identity provider \(IdP\) to authenticate the users, the *Enable the Use Identity Authentication user store* option under the *Identity Federation* configuration of the corporate IdP must be enabled, and the users must exist in the Identity Directory, the local user store of Identity Authentication users store.
+
+The Global User ID addresses the challenge of integrating user-related data across system boundaries. SAP Task Center is an example of a service, which requires the use of the Global User ID as a common user identifier. SAP Task Center provides a single entry point for business users to access their tasks. This scenario needs an enterprise-wide mapping of users to relate tasks to each other in different systems.
> ### Note:
-> Use the Global User ID as a common user identifier for SAP if you expect to use applications which require one identifier in all solutions like SAP Task Center. For more information, see [System Integration Guide for SAP Cloud Identity Services and SAP Task Center](https://help.sap.com/viewer/b95c3d5bab324a3a8409eee5267a5b75/Cloud/en-US/27947dfb325047018603446439050a6b.html).
+> Use the Global User ID as a common user identifier for SAP if you expect to use applications, which require one identifier in all solutions like SAP Task Center. For more information, see [System Integration Guide for SAP Cloud Identity Services and SAP Task Center](https://help.sap.com/viewer/b95c3d5bab324a3a8409eee5267a5b75/Cloud/en-US/27947dfb325047018603446439050a6b.html).
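Review bot: The added *Remember* block ends with "the Identity Directory, the local user store of Identity Authentication users store", which repeats "user store" and does not parse; suggest "the Identity Directory, the local user store of Identity Authentication". The two comma insertions ("a service, which requires" and "applications, which require") turn restrictive clauses into non-restrictive ones and change the meaning; revert them or use "that" without a comma.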
@@ -29,14 +32,14 @@ The Global User ID addresses the challenge of integrating user-related data acro
### Identity Authentication
-For every newly created user \(self-registered, imported, or manually created - via the administraton console or API\), Identity Authentication generates a Global User ID. It is unique and can be changed later by the tenant administrator.
+For every newly created user \(self-registered, imported, or manually created - via the administration console or API\), Identity Authentication generates a Global User ID. It is unique and can be changed later by the tenant administrator.
The system generated attribute value is 36 characters long \(32 hexadecimal characters and 4 hyphens\).
> ### Example:
> f81d4fae-7dec-11d0-a765-00a0c91e6bf6
-This attribute can be sent from Identity Authentication to applications as user attribute, `Subject Name Identifier`, and default attribute in the SAML assertion. The Global User ID is also put in the `id_token` if the application uses OpenID connect.
+This attribute can be sent from Identity Authentication to applications as a user attribute, `Subject Name Identifier`, and default attribute in the SAML assertion. The Global User ID is also put in the `id_token` if the application uses OpenID connect.
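Review bot: Since the last changed line is being touched anyway, "OpenID connect" should be capitalized as "OpenID Connect" to match the product and protocol naming used elsewhere in this change. In the first changed line, "manually created - via the administration console or API" still uses a spaced hyphen as a dash; a comma or parentheses would read better.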
@@ -72,7 +75,7 @@ The Global User ID is provisioned by the Identity Provisioning using the SCIM at
SAP Identity Management \(on-premise solution\) supports reading users with Global User ID from Identity Authentication using the Identity Management *SCI* connector. SCI stands for SAP Cloud Identity, the former name of Identity Authentication. It is not possible to use the Identity Management SCIM connector in a hybrid scenario with Identity Provisioning for that purpose.
-Once loaded in SAP Identity Management, users with Global User ID can be provisioned to SAP S/4HANA on-premise systems only. In this case, the Identity Management *ABAP* or *BusinessSuite* connector are used.
+Once loaded in SAP Identity Management, users with Global User ID can be provisioned to SAP S/4HANA on-premise systems only. In this case, the Identity Management *ABAP* or *BusinessSuite* connectors are used.
When SAP Identity Management provisions a new user to Identity Authentication, the Global User ID is generated by the service and returned back as a response. It is stored in the Identity Management MX\_USER\_UUID attribute.
diff --git a/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md b/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md
index 71ca71a..4166fc1 100644
--- a/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md
+++ b/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md
@@ -21,7 +21,7 @@ You have a subaccount in your global account on SAP BTP, Cloud Foundry. For more
>
> For tenants on the SAP infrastructure, see [Access Audit Logs \(SAP Infrastructure\)](access-audit-logs-sap-infrastructure-9f6b9a4.md).
-To view the audit logs for tenants on the AWS and Azure infrastructure you must add configurations in the SAP BTP cockpit and the administration console for SAP Cloud Identity Services first.
+To view the audit logs for tenants on the AWS and Azure infrastructure, you must add configurations in the SAP BTP cockpit and the administration console for SAP Cloud Identity Services first.
The audit log entries for tenants on the AWS and Azure infrastructure are retained for 90 days.
@@ -120,9 +120,9 @@ To view the audit logs, follow the procedures below:
2. Choose the *Audit and Change Logs* tile.
-3. Choose the *Cloud Foundry* tab.
+3. Choose the *Audit Logs* tab.
-4. Choose *Add*.
+4. Choose *\+Add*.
5. Fill in the required information in the pop up and save your changes.
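Review bot: Step 3 now names the tab *Audit Logs*, while the SAP infrastructure page in this same change introduces a *Cloud Foundry* tab with the same *+Add* flow. Please confirm the tab label shown for AWS and Azure tenants, and if the labels really differ by infrastructure, say so in one of the two pages so readers are not left comparing screens.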
@@ -338,6 +338,60 @@ To view the audit logs, follow the procedures below:
+
+
+
+
+
+ US West / East US
+
+ |
+
+
+ azure-eastus
+
+ |
+
+
+ cf-us20
+
+ |
+
+
+ US West \(WA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
|
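Review bot: The added row labels the region "US West / East US" but gives the infrastructure as `azure-eastus` and maps it to `cf-us20` "US West (WA)"; the label and the technical name disagree on east versus west. Please verify the region name and the default mapping against the source table. The run of empty cells added after this row renders as a blank table row and should be removed if it carries no content.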
@@ -428,7 +482,7 @@ To view the audit logs, follow the procedures below:
- Europe / Germany Frankfurt\(\)
+ Europe / Germany \(Frankfurt\)
|
@@ -603,15 +657,392 @@ To view the audit logs, follow the procedures below:
Yes
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Europe / Germany \(Frankfurt\)
+
+ |
+
+
+ eu-de-2
+
+ |
+
+
+ cf-eu10
+
+ |
+
+
+ Europe \(Frankfurt\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-eu11
+
+ |
+
+
+ Europe \(Frankfurt\) EU Access
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu20
+
+ |
+
+
+ Europe \(Netherlands\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu30
+
+ |
+
+
+ Europe \(Frankfurt\) GCP
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Australia \(Sydney\)
+
+ |
+
+
+ ap-au-1
+
+ |
+
+
+ cf-ap10
+
+ |
+
+
+ Australia \(Sydney\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-ap20
+
+ |
+
+
+ Australia \(Sydney\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Japan \(Tokyo\)
+
+ |
+
+
+ ap-jp-1
+
+ |
+
+
+ cf-jp10
+
+ |
+
+
+ Japan \(Tokyo\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-jp20
+
+ |
+
+
+ Japan \(Tokyo\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ US East / East US
+
+ |
+
+
+ na-us-2
+
+ |
+
+
+ cf-us10
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-us21
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Europe / Netherlands \(Amsterdam\)
+
+ |
+
+
+ eu-nl-1
+
+ |
+
+
+ cf-eu10
+
+ |
+
+
+ Europe \(Frankfurt\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-eu11
+
+ |
+
+
+ Europe \(Frankfurt\) EU Access
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu20
+
+ |
+
+
+ Europe \(Netherlands\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu30
+
+ |
+
+
+ Europe \(Frankfurt\) GCP
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ US East / East US
+
+ |
+
+
+ na-us-1
+
+ |
+
+
+ cf-us10
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-us21
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ No
+
|
6. Save your changes.
+ > ### Caution:
+ > If your SAP Cloud Identity Services tenant is migrated to a new region, you must remove the current configuration and repeat procedure with the new region.
+
7. View the audit logs. You have two options to do that:
- - \(if subdomain is configured\) choose the link to the *Audit Log Viewer* in the *Audit Service Configuration* in the administration console
+ - \(if subdomain is configured\) choose the link to the *Audit Log Viewer* in the *Audit Service Configuration* in the administration console.
- in the cockpit, navigate to *Services* \> *Instances and Subscriptions* \> *Audit Log Viewer*.
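Review bot: The added mapping rows use technical names without the `aws-` or `azure-` prefix (`eu-de-2`, `ap-au-1`, `ap-jp-1`, `na-us-2`, `eu-nl-1`, `na-us-1`), unlike the `azure-eastus` row added earlier in this file, on a page scoped to the AWS and Azure infrastructure. Confirm these rows belong here rather than only in the SAP infrastructure page. Two rows carry the identical region label "US East / East US" for `na-us-2` and `na-us-1`, which makes them indistinguishable to the reader. In the added *Caution*, "repeat procedure" needs an article: "repeat the procedure".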
diff --git a/docs/Monitoring-and-Reporting/access-audit-logs-sap-infrastructure-9f6b9a4.md b/docs/Monitoring-and-Reporting/access-audit-logs-sap-infrastructure-9f6b9a4.md
index 27224e6..a465b92 100644
--- a/docs/Monitoring-and-Reporting/access-audit-logs-sap-infrastructure-9f6b9a4.md
+++ b/docs/Monitoring-and-Reporting/access-audit-logs-sap-infrastructure-9f6b9a4.md
@@ -10,10 +10,8 @@ Access the audit logs for changes in the personal data, successful, and failed a
> ### Note:
> The content in this section is only relevant for tenants on the SAP infrastructure.
->
-> For tenants on the AWS and Azure infrastructure, see [Access Audit Logs \(AWS, Azure Infrastructure\)](access-audit-logs-aws-azure-infrastructure-a3e793c.md).
-To view the audit logs you should generate Client ID and Client Secret for audit logs in the administration console for SAP Cloud Identity Services first. After that you should obtain an access token, and then call the audit log retrieval API to access the data.
+To view the audit logs, you should generate Client ID and Client Secret for audit logs in the administration console for SAP Cloud Identity Services first. After that you should obtain an access token, and then call the audit log retrieval API to access the data.
The audit log entries for tenants on the SAP infrastructure are retained for 201 days.
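Review bot: Removing the cross-reference to the AWS and Azure page from the *Note* leaves navigation one-directional, because the AWS and Azure page in this change still links back to this one. If the link is dropped because this page now covers the *Cloud Foundry* tab itself, the remaining sentence "only relevant for tenants on the SAP infrastructure" should say where AWS and Azure tenants go instead.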
@@ -43,26 +41,952 @@ The Client ID and Client Secret for the current tenant are generated in the admi
2. Choose the *Audit and Change Logs* tile.
-3. Choose the *NEO* tab.
+3. Choose one of the following options:
-4. Under *Generate Client Credentials for Audit Logs* choose the *Generate* button.
+ - *NEO* tab
+ - Under *Generate Client Credentials for Audit Logs* choose the *Generate* button.
- A dialog box with the generated Client ID and Client Secret appears.
+ A dialog box with the generated Client ID and Client Secret appears.
- > ### Remember:
- > Make sure that you copy the Client Secret from the dialog box. When you choose *OK*, the dialog box closes, and you can’t retrieve the Client Secret from the system anymore.
+ > ### Remember:
+ > Make sure that you copy the Client Secret from the dialog box. When you choose *OK*, the dialog box closes, and you can’t retrieve the Client Secret from the system anymore.
+ The generated Client ID can be seen in the *Generate Client Credentials for Audit Logs* section under the *NEO* tab.
+ > ### Tip:
+ > To delete the client credentials, choose the ![](../Operation-Guide/images/delete_icon_4801c38.png) icon next to the generated Client ID. This deletes the Client ID and Client Secret from the system.
-
+ - *Cloud Foundry* tab
-## Results
+ 1. Choose *\+Add*.
+ 2. Fill in the required information in the pop up and save your changes.
+
+
+
+
+
+
+ Configuration
+
+ |
+
+
+ Notes
+
+ |
+
+
+
+
+ *Tenant ID*
+
+ |
+
+
+ Required. The tenant ID of your Cloud Foundry account.
+
+ |
+
+
+
+
+ *Region*
+
+ |
+
+
+ SAP BTP, Cloud Foundry region. You can choose a region from the options in the dropdown. For more information, see the mapping table.
+
+ |
+
+
+
+
+ *Subdomain*
+
+ |
+
+
+ Optional. If you provide it, a link to the *Audit Log Viewer* is added in the *Audit Service Configuration*, and you can access the audit logs directly from the administration console.
+
+ |
+
+
+
+ **Identity Authentication - Cloud Foundry Regions Mapping**
+
+
+
+
+
+
+ Identity Authentication
+
+ |
+
+
+ Cloud Foundry Regions
+
+ |
+
+
+
+
+ Region
+
+ |
+
+
+ Infrastructure
+
+ |
+
+
+ Technical Name
+
+ |
+
+
+ Name
+
+ |
+
+
+ Default
+
+ |
+
+
+
+
+ North America \(Canada Central\) / Canada \(Toronto\)
+
+ |
+
+
+ azure-canadacentral
+
+ |
+
+
+ cf-ca10
+
+ |
+
+
+ Canada \(Montreal\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ US West / West US 2
+
+ |
+
+
+ azure-westus2
+
+ |
+
+
+ cf-us20
+
+ |
+
+
+ US West \(WA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-us21
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-us10
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-us30
+
+ |
+
+
+ US Central \(IA\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ US West / East US
+
+ |
+
+
+ azure-eastus
+
+ |
+
+
+ cf-us20
+
+ |
+
+
+ US West \(WA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
+ |
+
+
+
+
+ Singapore
+
+ |
+
+
+ aws-ap-southeast-1
+
+ |
+
+
+ cf-ap11
+
+ |
+
+
+ Singapore
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-ap21
+
+ |
+
+
+ Singapore
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ South Korea / South Korea \(Seoul\)
+
+ |
+
+
+ aws-ap-northeast-2
+
+ |
+
+
+ cf-ap12
+
+ |
+
+
+ South Korea \(Seoul\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Europe / Germany \(Frankfurt\)
+
+ |
+
+
+ aws-eu-central-1
+
+ |
+
+
+ cf-eu11
+
+ |
+
+
+ Europe \(Frankfurt\) EU Access
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-eu10
+
+ |
+
+
+ Europe \(Frankfurt\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu20
+
+ |
+
+
+ Europe \(Netherlands\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu30
+
+ |
+
+
+ Europe \(Frankfurt\) GCP
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Europe / Switzerland
+
+ |
+
+
+ azure-switzerlandnorth
+
+ |
+
+
+ cf-ch20
+
+ |
+
+
+ Switzerland \(Zurich\) Azure EU Access
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Asia Pacific
+
+ |
+
+
+ aws-ap-south-1
+
+ |
+
+
+ cf-in30
+
+ |
+
+
+ India \(Mumbai\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Brazil
+
+ |
+
+
+ aws-sa-east-1
+
+ |
+
+
+ cf-br10
+
+ |
+
+
+ Brazil \(São Paulo\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Europe / Germany \(Frankfurt\)
+
+ |
+
+
+ eu-de-2
+
+ |
+
+
+ cf-eu10
+
+ |
+
+
+ Europe \(Frankfurt\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-eu11
+
+ |
+
+
+ Europe \(Frankfurt\) EU Access
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu20
+
+ |
+
+
+ Europe \(Netherlands\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu30
+
+ |
+
+
+ Europe \(Frankfurt\) GCP
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Australia \(Sydney\)
+
+ |
+
+
+ ap-au-1
+
+ |
+
+
+ cf-ap10
+
+ |
+
+
+ Australia \(Sydney\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-ap20
+
+ |
+
+
+ Australia \(Sydney\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Japan \(Tokyo\)
+
+ |
+
+
+ ap-jp-1
+
+ |
+
+
+ cf-jp10
+
+ |
+
+
+ Japan \(Tokyo\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-jp20
+
+ |
+
+
+ Japan \(Tokyo\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ US East / East US
+
+ |
+
+
+ na-us-2
+
+ |
+
+
+ cf-us10
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-us21
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ Europe / Netherlands \(Amsterdam\)
+
+ |
+
+
+ eu-nl-1
+
+ |
+
+
+ cf-eu10
+
+ |
+
+
+ Europe \(Frankfurt\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-eu11
+
+ |
+
+
+ Europe \(Frankfurt\) EU Access
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu20
+
+ |
+
+
+ Europe \(Netherlands\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+ cf-eu30
+
+ |
+
+
+ Europe \(Frankfurt\) GCP
+
+ |
+
+
+ No
+
+ |
+
+
+
+
+
+
+ |
+
+
+
+
+ US East / East US
+
+ |
+
+
+ na-us-1
+
+ |
+
+
+ cf-us10
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ Yes
+
+ |
+
+
+
+
+ cf-us21
+
+ |
+
+
+ US East \(VA\)
+
+ |
+
+
+ No
+
+ |
+
+
+
+ 3. Save your changes.
+
+ > ### Caution:
+ > If your SAP Cloud Identity Services tenant is migrated to a new region, you must remove the current configuration and repeat procedure with the new region.
+
+ 4. View the audit logs. You have two options to do that:
+ - \(if subdomain is configured\) choose the link to the *Audit Log Viewer* in the *Audit Service Configuration* in the administration console
+
+ - in the cockpit, navigate to *Services* \> *Instances and Subscriptions* \> *Audit Log Viewer*.
+
+
+ The configuration will be enabled with the next 15 minutes.
+
+ **Next Steps**: \(Optional\) Retrieve the audit logs via the Audit Log Retrieval API. See [Audit Log Retrieval API Usage for Subaccounts in the Cloud Foundry Environment](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment).
-The generated Client ID can be seen in the *Generate Client Credentials for Audit Logs* section under the *NEO* tab.
-> ### Tip:
-> To delete the client credentials, choose the ![](../Operation-Guide/images/delete_icon_4801c38.png) icon next to the generated Client ID. This deletes the Client ID and Client Secret from the system.
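Review bot: The closing sentence of the *Cloud Foundry* branch reads "The configuration will be enabled with the next 15 minutes."; this should be "within the next 15 minutes". In step 4, the first bullet ("...in the administration console") lacks the final period that the same bullet gains in the AWS and Azure page in this change. The region mapping table added here is a full copy of the one in the AWS and Azure page, including the "US West / East US" row with `azure-eastus` and the blank row after it; consider a single shared table or a link so the two copies cannot drift. The *Caution* has the same missing article ("repeat procedure"). With the "## Results" heading removed, check that the Client ID sentence and the delete *Tip* still render inside the *NEO* bullet as intended.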
@@ -108,7 +1032,7 @@ Use the Client ID and Client Secret generated for the current tenant in the admi
>
>
>
-> Rot/Amsterdam
+> Amsterdam
>
> |
>
@@ -241,7 +1165,7 @@ Use the Client ID and Client Secret generated for the current tenant in the admi
## Context
-To access the audit logs you should call the audit log retrieval API. You need the Client ID and Client Secret for the current tenant, generated in the administration console for SAP Cloud Identity Services, and the access token. For more information, see [Audit Log Retrieval API Usage](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/e4d818da43af43e1983df8e9e5caadb2.html).
+To access the audit logs, you should call the audit log retrieval API. You need the Client ID and Client Secret for the current tenant, generated in the administration console for SAP Cloud Identity Services, and the access token. For more information, see [Audit Log Retrieval API Usage](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/e4d818da43af43e1983df8e9e5caadb2.html).
You can filter the audit logs by time and/or categories. The categories that you can filter are:
@@ -286,7 +1210,7 @@ You can filter the audit logs by time and/or categories. The categories that you
> |
>
>
-> Rot/Amsterdam
+> Amsterdam
>
> |
>
diff --git a/docs/Monitoring-and-Reporting/audit-logs-ad47e37.md b/docs/Monitoring-and-Reporting/audit-logs-ad47e37.md
index 7002c73..1e8c385 100644
--- a/docs/Monitoring-and-Reporting/audit-logs-ad47e37.md
+++ b/docs/Monitoring-and-Reporting/audit-logs-ad47e37.md
@@ -2,11 +2,11 @@
# Audit Logs
-Tenant administrators can access the audit logs for changes in the personal data, successful, and failed authentications in Identity Authentication.
+Tenant administrators can access the audit logs for changes in the personal data, and successful, and failed authentications in Identity Authentication.
Identity Authentication runs on several underlying *Infrastructure-as-a-Service* technologies and regions. Some are owned by SAP and some are owned by our partner infrastructure providers, including Amazon Web Services and Microsoft Azure. For more information, see [Regional Availability](../regional-availability-be600ca.md).
-Based on the infrastructure the tenant is running on there are two different procedure for accessing the audit logs.
+Based on the infrastructure the tenant is running on there are two different procedures for accessing the audit logs.
> ### Note:
> The audit log entries are retained for:
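Review bot: In the added short description, "for changes in the personal data, and successful, and failed authentications" has a stray comma between "successful" and "failed", so the list reads as three items with a dangling adjective. Suggest "for changes in personal data and for successful and failed authentications". The second added line still needs a comma after "running on". The same sentence is copied into the link title added in view-troubleshooting-logs-6e7543f.md, so fix both together.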
diff --git a/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md b/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md
index 7c589bc..022834c 100644
--- a/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md
+++ b/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md
@@ -2,12 +2,15 @@
# View Troubleshooting Logs
-Tenant administrator can filter and view troubleshooting logs directly in the administration console for SAP Cloud Identity Services.
+Tenant administrator can filter and view troubleshooting logs directly in the administration console for SAP Cloud Identity Services to diagnose problems with authentication.
## Context
+> ### Tip:
+> Use the audit logs option to track changes in the personal data.
+
The maximum number of log entries is 1000. The search criteria you can choose include:
@@ -94,3 +97,8 @@ Once you have the results you can filter them by *Time*, *Severity*, *IP Address
- View information about the JWT payload of the OpenID Connect tokens issued or received by Identity Authentication. For more information, see [Logging OpenID Connect Tokens](logging-openid-connect-tokens-b6c42b5.md)
+**Related Information**
+
+
+[Audit Logs](audit-logs-ad47e37.md "Tenant administrators can access the audit logs for changes in the personal data, and successful, and failed authentications in Identity Authentication.")
+
diff --git a/docs/Operation-Guide/configure-authentication-context-028cee2.md b/docs/Operation-Guide/configure-authentication-context-028cee2.md
index 0b3e6fe..c85d435 100644
--- a/docs/Operation-Guide/configure-authentication-context-028cee2.md
+++ b/docs/Operation-Guide/configure-authentication-context-028cee2.md
@@ -23,16 +23,61 @@ Tenant administrator can configure the authentication context in the request sen
4. Choose the *Trust* tab.
-5. Under *Conditional Authentication*, choose *Configure SAML 2.0 Requests to Corporate Identity Providers*.
-
-6. Under *Configure Authentication Context*, choose one of the following options:
+5. Under *Conditional Authentication*, choose *Configure Requests to Corporate Identity Providers*.
+
+6. You have the following options:
+
+
+
+
+
+
+ Protocol
+
+ |
+
+
+ Configuration
+
+ |
+
+
+
+
+ **SAML 2.0**
+
+ |
+
+
+ Choose one of the following and save your changes.
- *None* - Authentication context is not sent. The requested authentication context from the service provider is ignored.
- - *Service Provider Authentication Context* - The received authentication context from the service provider is sent.
+ - \(Available only for SAML 2.0 applications\) *Service Provider Authentication Context* - The received authentication context from the service provider is sent.
- *Password Protected Transport* - Authentication context class `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` is sent. The requested authentication context from the service provider is ignored.
-7. Save your changes.
+
+ |
+
+
+
+
+ **OpenID Connect**
+
+ |
+
+
+ Add the authentication context class references and save your changes.
+
+ > ### Note:
+ > You can add up to 20 authentication context class references with a length of up to 99 characters each.
+
+
+
+ |
+
+
+
**Related Information**
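Review bot: The OpenID Connect row only says "Add the authentication context class references" and gives the limit of 20 entries of up to 99 characters. Unlike the SAML 2.0 row, it does not say what is sent to the corporate identity provider, or whether a value requested by the application is ignored or passed on. Add one sentence on that behaviour and an example value, as the *Password Protected Transport* option does with its `urn:oasis:...` class. The qualifier "\(Available only for SAML 2.0 applications\)" now sits inside the SAML 2.0 row, so also state what happens for an OpenID Connect application whose corporate IdP is SAML 2.0. Old step 7 "Save your changes" is folded into the table cells; confirm the numbered procedure still ends on an explicit action.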
diff --git a/docs/Operation-Guide/configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md b/docs/Operation-Guide/configure-authentication-request-to-corporate-idps-7eac7e8.md
similarity index 86%
rename from docs/Operation-Guide/configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md
rename to docs/Operation-Guide/configure-authentication-request-to-corporate-idps-7eac7e8.md
index d120f8e..9e25e5c 100644
--- a/docs/Operation-Guide/configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md
+++ b/docs/Operation-Guide/configure-authentication-request-to-corporate-idps-7eac7e8.md
@@ -1,6 +1,6 @@
-# Configure SAML 2.0 Authentication Request to Corporate IdPs
+# Configure Authentication Request to Corporate IdPs
**Related Information**
diff --git a/docs/Operation-Guide/configure-certificates-for-api-authentication-c408083.md b/docs/Operation-Guide/configure-certificates-for-api-authentication-c408083.md
index c333036..bec25a8 100644
--- a/docs/Operation-Guide/configure-certificates-for-api-authentication-c408083.md
+++ b/docs/Operation-Guide/configure-certificates-for-api-authentication-c408083.md
@@ -133,7 +133,7 @@ Once your certificate is added you can see a table with all your certificates an
[Disable Client ID Locking](disable-client-id-locking-f1dc77e.md "You can disable the automatic lock of the client ID after five failed logon attempts.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-c599c89.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Operation-Guide/configure-different-trust-configurations-for-the-same-identity-authentication-ba2faa9.md b/docs/Operation-Guide/configure-different-trust-configurations-for-the-same-identity-authentication-ba2faa9.md
index 9acd448..cdfc55f 100644
--- a/docs/Operation-Guide/configure-different-trust-configurations-for-the-same-identity-authentication-ba2faa9.md
+++ b/docs/Operation-Guide/configure-different-trust-configurations-for-the-same-identity-authentication-ba2faa9.md
@@ -45,7 +45,7 @@ When Identity Authentication verifies the SAML2.0 message coming from the corpor
4. Choose the *Trust* tab.
-5. Under *Conditional Authentication*, choose *Configure SAML 2.0 Requests to Corporate Identity Providers*.
+5. Choose *Conditional Authentication* \> *Configure Requests to Corporate Identity Providers* \> *SAML 2.0*.
6. Under *Configure Issuer Name*, type the issuer suffix, which you want to add to the Identity Authentication default issuer name.
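Review bot: Step 5 here ends the navigation path with "\> *SAML 2.0*", while the same step in configure-authentication-context-028cee2.md stops at *Configure Requests to Corporate Identity Providers* and presents SAML 2.0 as a table row, not as something to choose. Pick one description of the screen and use the same wording in both topics, so readers know whether *SAML 2.0* is a tab, a section, or a selection.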
diff --git a/docs/Operation-Guide/configure-identity-provisioning-target-systems-for-real-time-user-provisioning-3349645.md b/docs/Operation-Guide/configure-identity-provisioning-target-systems-for-real-time-user-provisioning-3349645.md
index d4790a9..326c9f1 100644
--- a/docs/Operation-Guide/configure-identity-provisioning-target-systems-for-real-time-user-provisioning-3349645.md
+++ b/docs/Operation-Guide/configure-identity-provisioning-target-systems-for-real-time-user-provisioning-3349645.md
@@ -113,7 +113,7 @@ The configuration of the OAuth authentication scenario is done in the SAP BTP co
`https:///ipsproxy/service/api/v1/systems//entities/user`
- For example: `https://mytenantaccounts.ondemand.com/ipsproxy/api/v1/systems/12ab12345-6789-e1b2-12ib-12a34iade678d/entities/user`
+ For example: `https://mytenant.accounts.ondemand.com/ipsproxy/api/v1/systems/12ab12345-6789-e1b2-12ib-12a34iade678d/entities/user`
> ### Tip:
> The `source_system_id` is a randomly generated string of numbers and letters. You can see this ID at the end of the URL, when the respective source system is chosen in Identity Provisioning.
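Review bot: The corrected example still does not match the URL pattern on the context line directly above it: the pattern has `/ipsproxy/service/api/v1/systems/`, the example has `/ipsproxy/api/v1/systems/`. Decide which path is right and align the two in this change. The pattern line also shows empty placeholders (`https:///ipsproxy/...` and `systems//entities/user`), and the tip below explains a `source_system_id` that no longer appears anywhere in the pattern, so the placeholders look stripped and should be restored.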
diff --git a/docs/Operation-Guide/configure-jwt-for-oauth-client-authentication-db97a69.md b/docs/Operation-Guide/configure-jwt-for-oauth-client-authentication-db97a69.md
index 4b94a18..723478c 100644
--- a/docs/Operation-Guide/configure-jwt-for-oauth-client-authentication-db97a69.md
+++ b/docs/Operation-Guide/configure-jwt-for-oauth-client-authentication-db97a69.md
@@ -2,7 +2,7 @@
# Configure JWT for OAuth Client Authentication
-Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client authentication in token requests to OpenID Connect applications.
+Configure the JSON Web Token \(JWT\) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.
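Review bot: The new short description is hard to parse: "Configure the JSON Web Token \(JWT\) - the issuer and subject of tokens ..., or the URI for JSON web key retrieval ..." makes the token itself the object of "Configure" and then lists two alternatives after a dash. Name the two options directly, for example "Configure trust for JWT client authentication, either by issuer and subject or by the URI from which the JSON Web Key Set is retrieved". "JSON web key" should also match the capitalization "JSON Web Key Set \(JWKS\)" used in the *URI* field row. The sentence is duplicated in several link titles in this diff, so change it at the source.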
@@ -11,7 +11,8 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
## Prerequisites
- You have an OpenID Connect application.
-- You have created and configured a corporate identity provider of type *OpenID Connect Compliant* in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trust with OpenID Connect Corporate Identity Provider](configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
+
+- \(For the *Configure Trust by Issuer*\) You have created and configured a corporate identity provider of type *OpenID Connect Compliant* in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trust with OpenID Connect Corporate Identity Provider](configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
@@ -33,83 +34,186 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
5. Under *Application APIs*, choose *Client Authentication*.
-6. Choose the *Add* button in the *JSON Web Tokens* section.
-
-7. Provide the required info in the popup.
-
-
-
-
-
-
-
-
- |
-
-
-
-
- |
-
-
-
-
- **Description**
-
- |
-
-
- This field is optional. You can provide information about the token here.
-
- |
-
-
-
-
- **Issuer**
-
- |
-
-
- The issuer is a corporate identity provider of type *OpenID Connect Compliant*. It must be created and configured in the administration console first.
-
- |
-
-
-
-
- **Subject**
-
- |
-
-
- The sub \(subject\) that is expected in the token.
-
- > ### Tip:
- > If you want to use an OAuth 2.0 token from Microsoft Entra ID as client credentials for an OpenID Connect application in Identity Authentication, and your OAuth client in Microsoft Entra ID belongs to an Enterprise Application, the subject in the token is the Object ID of the Enterprise Application.
-
-
-
- |
-
-
-
-
- **Scope**
-
- |
-
-
- > ### Note:
- > This section is read-only. The predefined choice is OpenID.
-
-
-
- |
-
-
-
-8. Save your configuration.
+6. Under *JSON Web Tokens*, configure one of the following options:
+
+ - \(For RFC 7523-based JWT client tokens\) Choose the *Add* button for *Configure Trust by Issuer* and provide the required info in the popup:
+
+ **Configure Trust by URI**
+
+
+
+
+
+
+ Field
+
+ |
+
+
+ Notes
+
+ |
+
+
+
+
+ *Description*
+
+ |
+
+
+ \(Optional\) You can provide information about the token here.
+
+ |
+
+
+
+
+ *Issuer*
+
+ |
+
+
+ \(Required\) The issuer is a corporate identity provider of type *OpenID Connect Compliant*. It must be created and configured in the administration console first.
+
+ |
+
+
+
+
+ *Subject*
+
+ |
+
+
+ The sub \(subject\) that is expected in the token.
+
+ > ### Tip:
+ > If you want to use an OAuth 2.0 token from Microsoft Entra ID as client credentials for an OpenID Connect application in Identity Authentication, and your OAuth client in Microsoft Entra ID belongs to an Enterprise Application, the subject in the token is the Object ID of the Enterprise Application.
+
+
+
+ |
+
+
+
+
+ *API Access*
+
+ |
+
+
+ > ### Note:
+ > This section is read-only. The predefined choice is OpenID.
+
+
+
+ |
+
+
+
+
+ *API Permission Groups*
+
+ |
+
+
+ \(Optional\) `API Permission Groups` field is enabled only when the *Provided APIs* ption is configured. For more information, see [Provide APIs for Consumption by Other Applications](../Development/provide-apis-for-consumption-by-other-applications-9d2fe83.md).
+
+ |
+
+
+
+ - \(For OpenID Connect-based JWT client tokens\) Choose the *Add* button for *Configure Trust by URI* and provide the required info in the popup:
+
+ **Configure Trust by URI**
+
+
+
+
+
+
+ Field
+
+ |
+
+
+ Notes
+
+ |
+
+
+
+
+ *Description*
+
+ |
+
+
+ \(Optional\) You can provide information about the URI here.
+
+ |
+
+
+
+
+ *URI*
+
+ |
+
+
+ \(Required\) The JSON Web Key Set \(JWKS\) URI of the trusted party.
+
+ |
+
+
+
+
+ *Refresh Interval*
+
+ |
+
+
+ \(Optional\) Refreshes the URI automatically if it is older than the selected interval. Choose from:
+
+ - 24 hours \(default choice\)
+
+ - 12 hours
+
+
+
+
+ |
+
+
+
+
+ *API Access*
+
+ |
+
+
+ > ### Note:
+ > This section is read-only. The predefined choice is OpenID.
+
+
+
+ |
+
+
+
+
+ *API Permission Groups*
+
+ |
+
+
+ \(Optional\) `API Permission Groups` field is enabled only when the *Provided APIs* option is configured. For more information, see [Provide APIs for Consumption by Other Applications](../Development/provide-apis-for-consumption-by-other-applications-9d2fe83.md).
+
+ |
+
+
+
**Related Information**
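Review bot: The table under the *Configure Trust by Issuer* bullet is captioned "**Configure Trust by URI**", the same caption as the second table; it should read "Configure Trust by Issuer". In that first table, "*Provided APIs* ption" is missing an "o", and *Subject* is the only field without a \(Required\) or \(Optional\) marker. For *Refresh Interval*, "Refreshes the URI automatically" should say that the key set retrieved from the URI is refreshed, and the row should state what happens between refreshes when the trusted party rotates or withdraws a key, since the shortest interval offered is 12 hours. Old step 8 "Save your configuration" is removed without a replacement, so the procedure no longer says how the entry is stored.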
@@ -125,3 +229,9 @@ Configure the issuer and subject of tokens for JSON Web Token \(JWT\) client aut
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-c599c89.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
+[JSON Web Token \(JWT\) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/rfc/rfc7523)
+
+[Proof-of-Possession Key Semantics for JSON Web Tokens \(JWTs\)](https://www.rfc-editor.org/rfc/rfc7800.html)
+
+[JSON Web Token Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md
index 13da6c9..ebf3d75 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md
@@ -174,7 +174,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
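Review bot: The added bullet misspells a UI label ("Plublic Client") and puts descriptive words inside the italics of the navigation path ("*Client Authentication under the Trust tab*"), so readers cannot tell which words are on-screen labels. Suggest: on the *Trust* tab choose *Client Authentication*, then under *Public Client* select *Enable Public Client Flows*. "OpenID connect" should be "OpenID Connect", and there is a stray space before the final period. Since the bullet follows "Configure HTTP basic authentication" in the same list, say in the bullet itself that it applies to clients that cannot protect a credential, as the note explains, so it is not read as a step for every application. The same bullet is added verbatim to the other configure-openid-connect-application-for-* topics in this diff; fix it once at the shared source.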
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md
index 18fc896..4ed21a8 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md
@@ -174,7 +174,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md
index 57f2bef..f5f3fc0 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md
@@ -134,7 +134,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md
index 673e09d..a1d950b 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md
@@ -134,7 +134,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md
index 3229b1b..a69a874 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md
@@ -41,81 +41,14 @@ To configure an OpenID Connect trusted application in the administration console
5. Under *SINGLE SIGN-ON*, choose *OpenID Connect Configuration*.
-6. Manually enter the communication settings negotiated between Identity Authentication and the client.
-
-
-
-
-
-
- Setting
-
- |
-
-
- Description
-
- |
-
-
-
-
- *Name \(mandatory\)*
-
- |
-
-
- Provide a name of your choice.
-
- |
-
-
-
-
- *Redirect URIs \(optional\)*
-
- |
-
-
- The redirection URIs to which the response can be sent. You can add up to 20 redirect URIs.
-
- |
-
-
-
-
- *Post Logout Redirect URIs \(optional\)*
-
- |
-
-
- The redirection URIs where the user can be forwarded after logout. You can add up to 20 redirect URIs.
-
- |
-
-
-
-
- *Front-Channel Logout URIs \(optional\)*
-
- |
-
-
- URIs which will be requested for logout. You can add up to 20 URIs.
-
- |
-
-
-
- > ### Tip:
- > For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
+6. Under the *Configure Manually* section provide a name of your choice.
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
> ### Tip:
> When the default identity provider certificate is changed with a new one, and the old one is not used anymore, we recommend you to delete the old certificate.
-8. Select the *Password* grant type.
+8. Select the *Password*
> ### Note:
> Beware that for each flow the respective grant type must be selected. All other grant types can be deselected if they aren't required by the application.
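Review bot: Step 8 is left as a fragment: "Select the *Password*" lost "grant type." and now has no noun and no full stop, while the note directly below it still talks about grant types. Restore "Select the *Password* grant type." or name the new UI label. Step 6 needs a comma after "section". The hunk also drops the tip that linked to the redirect URI format; if redirect URIs can still be set for this application elsewhere, keep a pointer to that topic. The same truncated step 8 appears in the -cafba77 copy of this topic.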
@@ -134,4 +67,9 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md
index f895348..46407c0 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md
@@ -41,81 +41,14 @@ To configure an OpenID Connect trusted application in the administration console
5. Under *SINGLE SIGN-ON*, choose *OpenID Connect Configuration*.
-6. Manually enter the communication settings negotiated between Identity Authentication and the client.
-
-
-
-
-
-
- Setting
-
- |
-
-
- Description
-
- |
-
-
-
-
- *Name \(mandatory\)*
-
- |
-
-
- Provide a name of your choice.
-
- |
-
-
-
-
- *Redirect URIs \(optional\)*
-
- |
-
-
- The redirection URIs to which the response can be sent. You can add up to 20 redirect URIs.
-
- |
-
-
-
-
- *Post Logout Redirect URIs \(optional\)*
-
- |
-
-
- The redirection URIs where the user can be forwarded after logout. You can add up to 20 redirect URIs.
-
- |
-
-
-
-
- *Front-Channel Logout URIs \(optional\)*
-
- |
-
-
- URIs which will be requested for logout. You can add up to 20 URIs.
-
- |
-
-
-
- > ### Tip:
- > For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
+6. Under the *Configure Manually* section provide a name of your choice.
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
> ### Tip:
> When the default identity provider certificate is changed with a new one, and the old one is not used anymore, we recommend you to delete the old certificate.
-8. Select the *Password* grant type.
+8. Select the *Password*
> ### Note:
> Beware that for each flow the respective grant type must be selected. All other grant types can be deselected if they aren't required by the application.
@@ -134,7 +67,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md
index 5288d49..c52b1bf 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md
@@ -134,7 +134,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md
index 428a7e6..0ce01f2 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md
@@ -134,7 +134,12 @@ To configure an OpenID Connect trusted application in the administration console
- Configure HTTP basic authentication for the application. For more information about the configuration, see [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md).
--
+- Enable the public client flows option for this application. In the administration console, choose *the OpenID connect application* \> *Client Authentication under the Trust tab* \> *Enable Public Client Flows under Plublic Client*. Optionally, you can configure the API permission groups. For more information, see [Consuming APIs from Other Applications](../Development/consuming-apis-from-other-applications-29e204d.md) .
+
+ > ### Note:
+ > The *Public* client type is used for environments where it is difficult to protect the client credential, such as mobile and desktop applications, and client-side parts of web applications.
+
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md b/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md
index ae7ec36..cfe1d0a 100644
--- a/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md
+++ b/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md
@@ -36,6 +36,15 @@ The rule is valid for any *IP range*, *Forwarded IP Range*, *Group*, *Authentica
+
+
+## Context
+
+> ### Tip:
+> We recommend you to enable the back-up channels. Thus, the users can use the option as an alternative when they don't have access to the TOTP device or application.. For more information, see [Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices](enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md).
+
+
+
## Procedure
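Review bot: The added tip has a double period ("application..") and the non-idiomatic "We recommend you to enable"; suggest "We recommend that you enable the back-up channels so that users have an alternative when they don't have access to the TOTP device or application." "The option" has no antecedent in the tip, so name what the user actually chooses. The hunk also adds a `## Context` heading whose only content is this tip, surrounded by five blank lines; consider placing the tip under an existing section or adding a sentence of context above it.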
diff --git a/docs/Operation-Guide/configure-secrets-for-api-authentication-5c3c35e.md b/docs/Operation-Guide/configure-secrets-for-api-authentication-5c3c35e.md
index 23d6ad8..551527d 100644
--- a/docs/Operation-Guide/configure-secrets-for-api-authentication-5c3c35e.md
+++ b/docs/Operation-Guide/configure-secrets-for-api-authentication-5c3c35e.md
@@ -127,7 +127,7 @@ Once your secret is generated you can see a table with your secrets and informat
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-c599c89.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md
index 9daf667..d5396f5 100644
--- a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md
+++ b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md
@@ -137,7 +137,7 @@ To configure a source system, follow the steps below:
Technical user added in the source system that has administrator permissions to access the OData API. It can be provided by the external source system administrator.
- For more information of the permission settings of the user, see [Granting Permissions to API User](https://help.sap.com/viewer/0377d826832f445e82d09fdac7228f34/latest/en-US/650350ce2e274ee5b1f19c8cb3b1531d.html).
+ For more information of the permission settings of the user, see [Setting Up an API User for Sync Jobs in SAP SuccessFactors](https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/568fdf1f14f14fd089a3cd15194d19cc/0a6e6705d89e42649e3aa8732f2b0724.html?version=2311).
*Technical User Secret*
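Review bot: The replacement link on the + line pins `?version=2311`, whereas the link it replaces pointed at `latest`. This sentence is where readers look up the permission settings for a technical user with administrator access to the OData API, so a pinned release will keep serving 2311 guidance after the product moves on. Suggest linking to the unversioned or latest form of the page, and, while the line is open, changing "For more information of the permission settings" to "For more information about the permission settings".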
diff --git a/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md b/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md
index b690be4..4488b77 100644
--- a/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md
+++ b/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md
@@ -118,7 +118,7 @@ Cloud Foundry Data Center
-eu-nl/eu-de - Rot/Amsterdam
+eu-nl - Amsterdam
|
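Review bot: Unlike the other hunks in this file, which only normalize the separator (for example "azr-us-we / US West" to "azr-us-we - US West"), this one changes content: "eu-nl/eu-de - Rot/Amsterdam" becomes "eu-nl - Amsterdam", dropping both the eu-de key and the Rot location. If the removal is intended, it should be a separate, clearly described change rather than part of a formatting cleanup, and it should be checked against the Cloud Foundry data center in the same table row so the mapping still holds.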
@@ -202,7 +202,7 @@ cf-ap11 - Singapore
|
-azr-us-we / US West
+azr-us-we - US West
|
@@ -214,7 +214,7 @@ cf-us20 - US West \(WA\)
|
-azr-na-ca / Toronto
+azr-na-ca - Toronto
|
@@ -238,7 +238,7 @@ cf-eu10 - Europe \(Frankfurt\)
|
-aws/ap-northeast-2 / Seoul
+aws-ap-northeast-2 - Seoul
|
@@ -250,7 +250,7 @@ cf-ap12 - South Korea \(Seoul\)
|
-ap-sa / Riyadh
+ap-sa - Riyadh
|
@@ -262,7 +262,7 @@ cf-eu10 - Europe \(Frankfurt\)
|
-ap-ae / Dubai
+ap-ae - Dubai
|
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md
index 6fda221..3004909 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md
@@ -147,5 +147,5 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md
index f030374..cb37836 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md
@@ -147,7 +147,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md
index a599d05..7b49c08 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md
@@ -149,7 +149,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md
index 21e2e13..7eb86ab 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md
@@ -149,5 +149,5 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md
index 5941b0a..aa63faf 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md
@@ -147,5 +147,5 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md
index 3a3d561..2a9dde0 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md
@@ -147,7 +147,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md
index 540835e..4616773 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md
@@ -147,7 +147,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md
index 2c8c559..83ebfc4 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md
@@ -147,5 +147,5 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md
index c0d6e5d..d806d1f 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md
@@ -149,5 +149,5 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md
index 9e25e7b..5478eea 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md
@@ -149,7 +149,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md
index 750a169..255a7ba 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md
@@ -147,7 +147,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md
index c7b91da..655cb6f 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md
@@ -147,7 +147,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
- [Protecting Application Forms with Google reCAPTCHA](protecting-application-forms-with-google-recaptcha-b84ce17.md)
- [Configure Identity Federation](configure-identity-federation-c029bbb.md)
-- [Configure SAML 2.0 Authentication Request to Corporate IdPs](configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+- [Configure Authentication Request to Corporate IdPs](configure-authentication-request-to-corporate-idps-7eac7e8.md)
**Related Information**
diff --git a/docs/Operation-Guide/delete-users-bbfaf5f.md b/docs/Operation-Guide/delete-users-bbfaf5f.md
index d02cb6b..71ad31e 100644
--- a/docs/Operation-Guide/delete-users-bbfaf5f.md
+++ b/docs/Operation-Guide/delete-users-bbfaf5f.md
@@ -6,6 +6,15 @@ As a tenant administrator, you can delete users in the administration console.
+
+
+## Context
+
+> ### Remember:
+> You are not allowed to delete your own user profile.
+
+
+
## Procedure
1. Sign in to the administration console for SAP Cloud Identity Services.
@@ -14,17 +23,14 @@ As a tenant administrator, you can delete users in the administration console.
The system displays the first 20 users in the tenant sorted by their user ID number.
-3. Find the user that you want to delete.
-
- For more information about how to find a user in Identity Authentication, see [Search Users](search-users-06078a6.md).
-
-4. Select the checkbox next to the user or users that you want to delete.
+3. Select the checkbox next to the user or users that you want to delete.
- You are not allowed to delete your own user profile.
+ > ### Tip:
+ > If you don't see the user or users that you want to delete, you can expand the list or use the search field. For more information, see [Search Users](search-users-06078a6.md).
-5. Press *Delete*.
+4. Press *Delete*.
-6. Confirm the operation.
+5. Confirm the operation.
> ### Caution:
> If the user you delete is also an administrator, he or she will be removed from the administrator list too. For more information about how to remove and administrator, without deleting it from the user data base, see [Edit Administrator Authorizations](edit-administrator-authorizations-86ee374.md).
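Review bot: The Caution kept under the renumbered last step still reads "how to remove and administrator, without deleting it from the user data base"; since this hunk already rewrites the steps around it, correct it to "how to remove an administrator without deleting the user from the user database". The Caution is the only place in the procedure that tells the reader that deleting a user also removes that user from the administrator list, so it is worth getting the wording right. Also check the indentation of the added Tip so that it renders inside step 3 and does not restart the list numbering.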
diff --git a/docs/Operation-Guide/disable-client-id-locking-f1dc77e.md b/docs/Operation-Guide/disable-client-id-locking-f1dc77e.md
index 26ce498..424ef8e 100644
--- a/docs/Operation-Guide/disable-client-id-locking-f1dc77e.md
+++ b/docs/Operation-Guide/disable-client-id-locking-f1dc77e.md
@@ -48,7 +48,7 @@ To disable the *Client ID Lock* option, follow the procedure below:
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-c599c89.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md b/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md
index 34d978f..8ca359b 100644
--- a/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md
+++ b/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md
@@ -32,6 +32,9 @@ The primary channel to deactivate a device is the passcode generated by the mobi
When the back-up channels, *SMS* and/or *Email* are enabled in the administration console, the user can choose from the options on the profile page: *Existing Multi-Factor Authentication*, *Passcode by SMS*, and *Passcode by Email*.
+> ### Tip:
+> We recommend you to enable the back-up channels. Thus the users can use the option as an alternative when they don't have access to the TOTP device or application.
+
> ### Remember:
> It takes 2 minutes for the configuration changes to take place.
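Review bot: The added Tip recommends enabling the back-up channels unconditionally, but the surrounding text says these channels let a user deactivate a TOTP device with a passcode sent by SMS or email. With them enabled, the deactivation path is only as strong as control of the user's phone number or mailbox, and the Tip should say so and let the administrator weigh it, for example "Enable the back-up channels if users need a way to deactivate a device they no longer have; note that anyone who can read the user's SMS or email can then request deactivation." Grammar: "We recommend you to enable" should be "We recommend that you enable".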
diff --git a/docs/Operation-Guide/user-management-228428f.md b/docs/Operation-Guide/managing-users-228428f.md
similarity index 99%
rename from docs/Operation-Guide/user-management-228428f.md
rename to docs/Operation-Guide/managing-users-228428f.md
index 4fc4c72..bb6116c 100644
--- a/docs/Operation-Guide/user-management-228428f.md
+++ b/docs/Operation-Guide/managing-users-228428f.md
@@ -1,6 +1,6 @@
-# User Management
+# Managing Users
Tenant administrators can manage user accounts via the administration console for SAP Cloud Identity Services, and via APIs.
diff --git a/docs/Operation-Guide/operation-guide-6a8e67c.md b/docs/Operation-Guide/operation-guide-6a8e67c.md
index a073b5b..7c5fb89 100644
--- a/docs/Operation-Guide/operation-guide-6a8e67c.md
+++ b/docs/Operation-Guide/operation-guide-6a8e67c.md
@@ -17,7 +17,7 @@ This guide is for administrators. It explains how administrators can configure I
[Configuring Terms of Use](configuring-terms-of-use-61d3a86.md "You can configure a custom terms of use document by creating a new document, adding and editing its language versions, and defining the document for an application.")
-[User Management](user-management-228428f.md "Tenant administrators can manage user accounts via the administration console for SAP Cloud Identity Services, and via APIs.")
+[Managing Users](managing-users-228428f.md "Tenant administrators can manage user accounts via the administration console for SAP Cloud Identity Services, and via APIs.")
[Groups](groups-ddd067c.md "Tenant administrators can create groups, and assign and unassign these groups to users via the administration console for SAP Cloud Identity Services.")
diff --git a/docs/Operation-Guide/scim-rest-api-authentication-mechanisms-c599c89.md b/docs/Operation-Guide/scim-rest-api-authentication-mechanisms-c599c89.md
index 5fe904a..ba52ded 100644
--- a/docs/Operation-Guide/scim-rest-api-authentication-mechanisms-c599c89.md
+++ b/docs/Operation-Guide/scim-rest-api-authentication-mechanisms-c599c89.md
@@ -17,5 +17,5 @@ To call the methods of this SCIM REST API you must have a system as administrato
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
diff --git a/docs/Operation-Guide/unlock-client-id-665b9e0.md b/docs/Operation-Guide/unlock-client-id-665b9e0.md
index 6b15316..4c31663 100644
--- a/docs/Operation-Guide/unlock-client-id-665b9e0.md
+++ b/docs/Operation-Guide/unlock-client-id-665b9e0.md
@@ -41,7 +41,7 @@ To unlock the client ID before the automatic unlock time of 60 minutes has passe
[Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md "This document describes how developers configure the certificates used for authentication when the API methods and OpenID Connect scenarios of Identity Authentication are used.")
-[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the issuer and subject of tokens for JSON Web Token (JWT) client authentication in token requests to OpenID Connect applications.")
+[Configure JWT for OAuth Client Authentication](configure-jwt-for-oauth-client-authentication-db97a69.md "Configure the JSON Web Token (JWT) - the issuer and subject of tokens for JWT client authentication in token requests, or the URI for JSON web key retrieval for client authentication.")
[SCIM REST API Authentication Mechanisms](scim-rest-api-authentication-mechanisms-c599c89.md "See how to configure the authentication mechanisms for the SCIM REST API methods of Identity Authentication.")
diff --git a/docs/Operation-Guide/user-attributes-ed2797d.md b/docs/Operation-Guide/user-attributes-ed2797d.md
index 33fed27..fe498e8 100644
--- a/docs/Operation-Guide/user-attributes-ed2797d.md
+++ b/docs/Operation-Guide/user-attributes-ed2797d.md
@@ -15,6 +15,9 @@ Tenant administrator has an overview of all the attributes provided to the appli
>
> When the application uses a corporate IdP for authentication, and *Identity Federation* is disabled, Identity Authentication sends to the application the attributes that come from the corporate identity provider without changing them, and if configured, some of the same values with additional attribute names, namely configured on the trust to the corporate IdP, enriched assertion attributes or enriched token claims.
+> ### Tip:
+> For OpenID Connect, the supported scopes are `email`, `profile`, `openid`, and `groups`. The usage of these claims ensure uniqueness, especially in proxy mode, they are recommended over the configuration of attributes in the administration console for SAP Cloud Identity Services.
+
The application can get different values for a certain attribute name. The following options for sources are possible:
- *Identity Directory* - The local user attribute. You choose the value from a drop-down. See [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md).
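Review bot: The added Tip lists `email`, `profile`, `openid`, and `groups` as scopes and then continues with "The usage of these claims", so the reader cannot tell whether the recommendation is about requesting scopes or about consuming the claims they release. Pick one term, or state that the claims released by these scopes are meant. The sentence is also a comma splice with a verb agreement error ("usage ... ensure"); suggest "Using the claims released by these scopes ensures uniqueness, especially in proxy mode, and is recommended over configuring attributes in the administration console." It would help to say what is unique (the user identifier?), since the Tip gives no referent.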
@@ -22,12 +25,16 @@ The application can get different values for a certain attribute name. The follo
- *Expression* - A static or dynamic value. It can be a user attribute coming from *Identity Directory* or *Corporate Identity Provider*, or even a combination of all sources. See [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
> ### Tip:
-> The *Identity Directory* source maps to the the *Assertion Attributes* term used before in this documentation.
+> The *Identity Directory* source maps to the *Assertion Attributes* term used before in this documentation.
>
> Depending on the scenario, the *Corporate Identity Provider* and *Expression* map to the *Default Attributes* term used before in this documentation.
> ### Note:
> You can specify multiple user attribute values for each user attribute. Up to 300 attribute values are allowed for self-created customer applications and automatically created single-tenant applications, and up to 50 attribute values for automatically created single-tenant applications.
+>
+> - for OpenID Connect - the attributes are included in the token as string if there is one value, and array if multiple.
+>
+> - for SAML 2.0 - the attributes are included in the assertion as one attribute statement with multiple values in it.
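Review bot: The added OpenID Connect bullet says an attribute is emitted as a string when it has one value and as an array when it has several, which means the JSON type of a claim changes with the data. Applications that make authorization decisions on such a claim must accept both shapes, and the Note should say that explicitly rather than leave it implied. The two bullets also hang off the limits paragraph without an introductory sentence; add one such as "Multiple values are transferred as follows:" and capitalize "For". Separately, the unchanged sentence above names "automatically created single-tenant applications" for both the 300 and the 50 limit, so one of the two is wrong and should be corrected while this Note is being edited.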
diff --git a/docs/index.md b/docs/index.md
index 3102264..d155de7 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -53,7 +53,7 @@
- [Configure OpenID Connect Application for Implicit Flow](Operation-Guide/configure-openid-connect-application-for-implicit-flow-26090fd.md)
- [Configure OpenID Connect Application for JWT Bearer Flow](Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md)
- [Configure OpenID Connect Application for Token Exchange](Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md)
- - [Configure SAML 2.0 Authentication Request to Corporate IdPs](Operation-Guide/configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
+ - [Configure Authentication Request to Corporate IdPs](Operation-Guide/configure-authentication-request-to-corporate-idps-7eac7e8.md)
- [Configure Authentication Context](Operation-Guide/configure-authentication-context-028cee2.md)
- [Configure Different Trust Configurations for the Same Identity Authentication](Operation-Guide/configure-different-trust-configurations-for-the-same-identity-authentication-ba2faa9.md)
- [User Attributes](Operation-Guide/user-attributes-ed2797d.md)
@@ -182,7 +182,7 @@
- [Define an Email Template Set for an Application](Operation-Guide/define-an-email-template-set-for-an-application-fc6b54a.md)
- [Delete an Email Template Set](Operation-Guide/delete-an-email-template-set-6fce69d.md)
- [Allowed Placeholders per Email Template](Operation-Guide/allowed-placeholders-per-email-template-c0d4a76.md)
- - [User Management](Operation-Guide/user-management-228428f.md)
+ - [Managing Users](Operation-Guide/managing-users-228428f.md)
- [Import CSV File with Full User Profile](Operation-Guide/import-csv-file-with-full-user-profile-f54b900.md)
- [Import or Update Users for a Specific Application](Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md)
- [Create a New User](Operation-Guide/create-a-new-user-348deef.md)
diff --git a/docs/product-details-4d404b1.md b/docs/product-details-4d404b1.md
index e46178c..f2cff48 100644
--- a/docs/product-details-4d404b1.md
+++ b/docs/product-details-4d404b1.md
@@ -211,7 +211,7 @@ Administrators can manage the users in the tenant.
|
-[User Management](Operation-Guide/user-management-228428f.md)
+[Managing Users](Operation-Guide/managing-users-228428f.md)
|
diff --git a/docs/regional-availability-be600ca.md b/docs/regional-availability-be600ca.md
index cb76387..633e6c7 100644
--- a/docs/regional-availability-be600ca.md
+++ b/docs/regional-availability-be600ca.md
@@ -10,9 +10,12 @@ The productive domain represents the productive environment. It can be used by c
The productive domain is available on a country/regional basis, where each country/region represents the locations of data centers.
-A customer or partner account is associated with a particular data center and this is independent of your own location. For example, you could be located in North America, but operate your account in Europe. Thus you use a data center that is situated in Europe.
+A customer or partner account is associated with a particular data center and this is independent of your own location. For example, you could be located in North America, but operate your account in Europe. Thus, you use a data center that is situated in Europe.
-Country/regions with two data centers operate in high availability \(HA\) mode among the respective data centers. Tenants located in these country/regions are distributed among the data centers there.
+> ### Note:
+> In cases of significant performance issues or latency, you can request a tenant migration to a new region by reporting an incident on [SAP Support Portal Home](https://support.sap.com/en/index.html) with a component `BC-IAM-IDS`.
+
+Country/regions with more than one data centers operate in high availability \(HA\) mode among the respective data centers. Tenants located in these country/regions are distributed among the data centers there.
The country/region, domain, data center, and IP address are listed below:
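Review bot: On the last + line, "Country/regions with more than one data centers" should read "more than one data center". In the added Note, "with a component `BC-IAM-IDS`" should be "under the component `BC-IAM-IDS`", and the Note would be more useful if it said what the requester has to supply (tenant ID, target region), since a tenant migration changes the data center that serves authentication.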
@@ -267,7 +270,7 @@ Europe
|
-Germany \(Rot\) / Netherlands \(Amsterdam\) / Germany \(Frankfurt\)
+Netherlands \(Amsterdam\) / Germany \(Frankfurt\)
|
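Review bot: This hunk removes "Germany \(Rot\)" from the data center cell only, while the text above the table states that the country/region, domain, data center, and IP address are all listed. If the row also carries addresses for the removed location, they need to go in the same change; otherwise readers who build allowlists from this table will keep trusting addresses that no longer belong to the service. Please confirm the IP column for the Europe row was reviewed.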
diff --git a/docs/tenant-model-and-licensing-93160eb.md b/docs/tenant-model-and-licensing-93160eb.md
index 6157026..5340f78 100644
--- a/docs/tenant-model-and-licensing-93160eb.md
+++ b/docs/tenant-model-and-licensing-93160eb.md
@@ -332,6 +332,438 @@ You can now start testing Identity Authentication and Identity Provisioning feat
> ### Note:
> If you encounter any issues and you need support, send an email to `SAPCPTrialSupport@sap.com` or start a discussion in [SAP Community](https://community.sap.com/).
+
+
+
+
+## Data Center Mapping
+
+Below is the mapping between the multi-environment subaccount in the Cloud Foundry region and the region of the Identity Authentication tenant:
+
+**Region Mapping: Cloud Foundry - Identity Authentication**
+
+
+
+
+
+
+IaaS Provider
+
+ |
+
+
+Cloud Foundry - Region Name
+
+ |
+
+
+Cloud Foundry - Region Key
+
+ |
+
+
+Identity Authentication - Data Center
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Australia \(Sydney\)
+
+ |
+
+
+ap10
+
+ |
+
+
+Australia \(Sydney\) / Japan \(Tokyo\)
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Asia Pacific \(Singapore\)
+
+ |
+
+
+ap11
+
+ |
+
+
+Singapore
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Asia Pacific \(Seoul\)
+
+ |
+
+
+ap12
+
+ |
+
+
+Seoul \(South Korea\)
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+Australia \(Sydney\)
+
+ |
+
+
+ap20
+
+ |
+
+
+Australia \(Sydney\) / Japan \(Tokyo\)
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+Singapore
+
+ |
+
+
+ap21
+
+ |
+
+
+Singapore
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Brazil \(São Paulo\)
+
+ |
+
+
+br10
+
+ |
+
+
+Brazil \(São Paulo\)
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Canada \(Montreal\)
+
+ |
+
+
+ca10
+
+ |
+
+
+Canada \(Toronto\)
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+Switzerland \(Zurich\)
+
+ |
+
+
+ch20
+
+ |
+
+
+Switzerland \(Zürich\)
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Europe \(Frankfurt\)
+
+ |
+
+
+eu10
+
+ |
+
+
+Germany \(Frankfurt\)
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Europe \(Frankfurt\)
+
+ |
+
+
+eu11
+
+ |
+
+
+Germany \(Frankfurt\)
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+Europe \(Netherlands\)
+
+ |
+
+
+eu20
+
+ |
+
+
+Netherlands \(Amsterdam\) / Germany \(Frankfurt\)
+
+ |
+
+
+
+
+Google Cloud
+
+ |
+
+
+India \(Mumbai\) GCP
+
+ |
+
+
+in30
+
+ |
+
+
+India \(Mumbai\)
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+Japan \(Tokyo\)
+
+ |
+
+
+jp10
+
+ |
+
+
+Japan \(Tokyo\) / Japan \(Osaka\)
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+Japan \(Tokyo\)
+
+ |
+
+
+jp20
+
+ |
+
+
+Japan \(Tokyo\) / Japan \(Osaka\)
+
+ |
+
+
+
+
+Amazon Web Services
+
+ |
+
+
+US East \(VA\)
+
+ |
+
+
+us10
+
+ |
+
+
+United States \(Sterling\) / United States \(Colorado\)
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+US West \(WA\)
+
+ |
+
+
+us20
+
+ |
+
+
+West US 2
+
+ |
+
+
+
+
+Microsoft Azure
+
+ |
+
+
+US East \(VA\)
+
+ |
+
+
+us21
+
+ |
+
+
+United States \(Sterling\) / United States \(Colorado\)
+
+ |
+
+
+
+
+Google Cloud
+
+ |
+
+
+US Central \(IA\)
+
+ |
+
+
+us30
+
+ |
+
+
+West US 2
+
+ |
+
+
+
**Related Information**
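Review bot: the "Identity Authentication - Data Center" column is inconsistent, and two values need confirming. us20 and us30 both map to "West US 2", which is a provider region name rather than the Country \(City\) form used in every other row, and us30 is a Google Cloud region \(US Central \(IA\)\), so the value looks copied from the us20 row. Smaller points: the ch20 row spells "Zurich" in one cell and "Zürich" in the other, "Seoul \(South Korea\)" reverses the Country \(City\) order, and "India \(Mumbai\) GCP" carries a provider suffix no other region name has. Rows such as ap10, ap20 and eu20 map one Cloud Foundry region to data centers in two countries; a sentence on what that means for data residency would help readers who pick a region for compliance reasons.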
diff --git a/docs/updates-and-notifications-8e44a7a.md b/docs/updates-and-notifications-8e44a7a.md
index ece7ac0..be4fd17 100644
--- a/docs/updates-and-notifications-8e44a7a.md
+++ b/docs/updates-and-notifications-8e44a7a.md
@@ -19,7 +19,7 @@ To get notifications, subscribe for the What's New sections of [Identity Authent
- **Bi-weekly updates** \(standard\) - planned each second Tuesday at 14:00 UTC.
- **Immediate updates** - in case of fixes required for bugs that affect productive application operations, or due to urgent security fixes.
-You can find the planned schedule for upcoming releases at [3409744](https://me.sap.com/notes/3409744).
+You can find the planned schedule for upcoming releases at SAP Note [3409744](https://me.sap.com/notes/3409744).
diff --git a/docs/viewing-assigned-tenants-and-administrators-f56e6f2.md b/docs/viewing-assigned-tenants-and-administrators-f56e6f2.md
index f1d4ecd..3c76a84 100644
--- a/docs/viewing-assigned-tenants-and-administrators-f56e6f2.md
+++ b/docs/viewing-assigned-tenants-and-administrators-f56e6f2.md
@@ -14,6 +14,9 @@ The SAP Cloud Identity Services - Tenants application shows which are the Identi
The default tenants, one test and productive tenant per customer, are provided regardless of the number of contracts signed in which SAP Cloud Identity Services is included or bundled. Additional productive or test tenants beyond the initial ones must be purchased separately. For more information, see [Tenant Model and Licensing](tenant-model-and-licensing-93160eb.md).
+> ### Tip:
+> As an alternative, you can view the tenant administrators of the tenants that are assigned to you and add new administrators in SAP Cloud Identity Services via the [SAP for Me](https://me.sap.com/home) portal. For more information see [Cloud Identity Services Administrators Card](https://support.sap.com/content/s4m/help/systems/systems/details/ias.html).
+
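Review bot: the tip says new administrators can be added through SAP for Me but does not say which authorization a user needs there to do so. Because this is a second path for granting tenant administrator rights, name the required authorization or link to where it is documented. Minor: add a comma after "For more information".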
diff --git a/docs/what-s-new-for-identity-authentication-de21efe.md b/docs/what-s-new-for-identity-authentication-de21efe.md
index 7d47ac2..1cf029b 100644
--- a/docs/what-s-new-for-identity-authentication-de21efe.md
+++ b/docs/what-s-new-for-identity-authentication-de21efe.md
@@ -92,6 +92,270 @@ Identity Authentication
+ |
+
+
+Regular Upgrade
+
+ |
+
+
+Identity Authentication has been upgraded.
+
+ |
+
+
+Info only
+
+ |
+
+
+General Availability
+
+ |
+
+
+New
+
+ |
+
+
+Technology
+
+ |
+
+
+Not applicable
+
+ |
+
+
+Identity Authentication
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+
+
+Identity Authentication
+
+ |
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+ |
+
+
+Custom Schemas
+
+ |
+
+
+You can view via the administration console the assigned attributes from custom schemas. See [List and Edit User Details](Operation-Guide/list-and-edit-user-details-045cb01.md).
+
+ |
+
+
+Info only
+
+ |
+
+
+General Availability
+
+ |
+
+
+New
+
+ |
+
+
+Technology
+
+ |
+
+
+Not applicable
+
+ |
+
+
+Identity Authentication
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+
+
+Identity Authentication
+
+ |
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+ |
+
+
+OpenID Connect
+
+ |
+
+
+You can configure URI for JSON web key retrieval for client authentication. See [Configure JWT for OAuth Client Authentication](Operation-Guide/configure-jwt-for-oauth-client-authentication-db97a69.md).
+
+ |
+
+
+Info only
+
+ |
+
+
+General Availability
+
+ |
+
+
+New
+
+ |
+
+
+Technology
+
+ |
+
+
+Not applicable
+
+ |
+
+
+Identity Authentication
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+
+
+Identity Authentication
+
+ |
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+ |
+
+
+OpenID Connect
+
+ |
+
+
+You can add authentication context class references for OpenID Connect corporate IdPs. See [Configure Authentication Context](Operation-Guide/configure-authentication-context-028cee2.md).
+
+ |
+
+
+Info only
+
+ |
+
+
+General Availability
+
+ |
+
+
+New
+
+ |
+
+
+Technology
+
+ |
+
+
+Not applicable
+
+ |
+
+
+Identity Authentication
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+2024-03-12
+
+ |
+
+
+
+
+Identity Authentication
+
+ |
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
|
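Review bot: in the first OpenID Connect entry, "You can configure URI for JSON web key retrieval" is missing an article; suggest "You can configure the URI for JSON web key retrieval for client authentication". In the Custom Schemas entry, "You can view via the administration console the assigned attributes from custom schemas" reads better as "You can view the assigned attributes from custom schemas in the administration console". All three added links use the `Operation-Guide/` prefix; please verify that each target resolves from this file's location.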
@@ -152,7 +416,11 @@ Identity Authentication
|
-Identity Authentication
+- Neo
+- Kyma
+- Cloud Foundry
+
+
|
@@ -214,7 +482,11 @@ Identity Authentication
|
-Identity Authentication
+- Neo
+- Kyma
+- Cloud Foundry
+
+
|
|