-Tenant administrator can configure complex custom schema attributes with single-value child attributes. See [Attributes with Default Values](Operation-Guide/attributes-with-default-values-a2f1e46.md).
+Tenant administrator can configure complex custom schema attributes with single-value child attributes. See [Configuring Attributes Based on Flexible Expressions](Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
@@ -4102,7 +4102,7 @@ Proxy Scenarios
-Identity Authentication supports sending of Identity Directory custom schemas attributes as default attributes. See [Attributes with Default Values](Operation-Guide/attributes-with-default-values-a2f1e46.md).
+Identity Authentication supports sending of Identity Directory custom schemas attributes as default attributes. See [Configuring Attributes Based on Flexible Expressions](Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
@@ -5455,7 +5455,7 @@ Two-Factor Authentication
-Tenant administrator can configure applications to require more than one two-factor authentication method. See [Configure Risk-Based Authentication for an Application](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loiobc52fbf3d59447bbb6aa22f80d8b6056), and [Create a New Rule](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loio18d02ab9cc7d4caf83d8654c8c51a175).
+Tenant administrator can configure applications to require more than one two-factor authentication method. See [Configure Risk-Based Authentication for an Application](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loiobc52fbf3d59447bbb6aa22f80d8b6056), and [Create a New Rule](Operation-Guide/create-a-new-rule-18d02ab.md).
-The list of the claims that can't be set via the default attribute configuration is extended with `ias_iss`. See [Attributes with Default Values](Operation-Guide/attributes-with-default-values-a2f1e46.md).
+The list of the claims that can't be set via the default attribute configuration is extended with `ias_iss`. See [Configuring Attributes Based on Flexible Expressions](Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
@@ -6215,7 +6215,7 @@ Risk-Based Authentication
-Tenant administrator can use `Corporate Attribute` to create rules for risk-based authentication for a specific application in the tenant. See [Create a New Rule](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loio18d02ab9cc7d4caf83d8654c8c51a175).
+Tenant administrator can use `Corporate Attribute` to create rules for risk-based authentication for a specific application in the tenant. See [Create a New Rule](Operation-Guide/create-a-new-rule-18d02ab.md).
@@ -6280,7 +6280,7 @@ Assertion Attributes
-Identity Authentication added `locale` as assertion attribute. See [User Attributes Sent to the Application](Operation-Guide/user-attributes-sent-to-the-application-d361407.md).
+Identity Authentication added `locale` as assertion attribute. See [Configuring User Attributes from the Identity Directory](Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md).
diff --git a/docs/2023-what-s-new-for-identity-authentication-archive-1c651db.md b/docs/2023-what-s-new-for-identity-authentication-archive-1c651db.md
new file mode 100644
index 0000000..2a27d6a
--- /dev/null
+++ b/docs/2023-what-s-new-for-identity-authentication-archive-1c651db.md
@@ -0,0 +1,6481 @@
+
+
+
+
+# 2023 What's New for Identity Authentication \(Archive\)
+
+
+
+This page lists the release notes of SAP Cloud Identity Services - Identity Authentication for 2023.
+
+
+
+
+
+****
+
+
+
+
+
+
+Technical Component
+
+
+
+
+Environment
+
+
+
+
+Title
+
+
+
+
+Description
+
+
+
+
+Action
+
+
+
+
+Lifecycle
+
+
+
+
+Type
+
+
+
+
+Line of Business
+
+
+
+
+Modular Business Process
+
+
+
+
+Product
+
+
+
+
+Latest Revision
+
+
+
+
+Available as of
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-12-19
+
+
+
+
+2023-12-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-12-19
+
+
+
+
+2023-12-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Attributes for Subscribed Applications
+
+
+
+
+Tenant administrator can enable or disable the attribute mappings inherited from the subscribed multitenant applications. See [Configuring User Attributes from a Corporate Identity Provider](Operation-Guide/configuring-user-attributes-from-a-corporate-identity-provider-621017f.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-12-19
+
+
+
+
+2023-12-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Custom Mail Server
+
+
+
+
+Tenant administrator can configure rate limits per minute for the emails. See [Configure Custom Mail Server](Operation-Guide/configure-custom-mail-server-56cab62.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-12-19
+
+
+
+
+2023-12-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Off-Cycle Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-12-12
+
+
+
+
+2023-12-12
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-12-06
+
+
+
+
+2023-12-06
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-28
+
+
+
+
+2023-11-27
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Tenant Texts
+
+
+
+
+Tenant administrators change the configuration of tenant texts in the administration console for SAP Cloud Identity Services via *Edit* mode. See[Change Tenant Texts Via Administration Console](Operation-Guide/change-tenant-texts-via-administration-console-c24b1d0.md) .
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-28
+
+
+
+
+2023-11-27
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regional Availability
+
+
+
+
+Identity Authentication is now available with a new data center for the SAP infrastructure in North America East. The data center is located in Colorado \(United States\).
+
+Action: We recommend you to add the following IPs to your allowed IP list:
+
+LB IP - 130.214.207.198
+
+NAT IP - 130.214.242.32/27
+
+
+
+
+Recommended
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-28
+
+
+
+
+2023-11-27
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-08
+
+
+
+
+2023-11-08
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Source System, Master Data Texts Configuration
+
+
+
+
+Tenant administrators change the configuration of source systems and master data texts in the administration console for SAP Cloud Identity Services via *Edit* mode. See [External Source Systems](Operation-Guide/external-source-systems-4f02f94.md) and [Configure Master Data Texts Via Administration Console](Operation-Guide/configure-master-data-texts-via-administration-console-c068ac9.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-08
+
+
+
+
+2023-11-08
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Off-Cycle Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-02
+
+
+
+
+2023-11-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Application Development in Authorization Management
+
+
+
+
+Developers can use the developer tools of administration management. They build their own applications with authorization policies. Administrators assign authorization policies to users, change the rules and attribute values of existing policies, and create new authorization policies. See [Configuring Authorization Policies](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/982ac5f91d2346fda8dd8096e861fc36.html?version=Cloud).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-02
+
+
+
+
+2023-11-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+-
+
+
+
+
+
+Root Certificate Replacement
+
+
+
+
+DigiCert has deprecated their DigiCert Global Root CA and will stop issuing certificates for SAP under any of its Intermediate CAs \(ICA\) at the end of 2023. For more information, see DigiCert root and intermediate CA certificate updates 2023.
+
+SAP Cloud Identity Services switches to the G2 ICA and will deploy certificates signed by the new CA for the domains listed below starting in mid-November 2023. This means that the DigiCert Root CA domain certificate will be signed by DigiCert Global Root G2 instead of DigiCert Global Root CA. The following domains are affected:
+
+- \*.accounts.ondemand.com
+
+- \*.accounts.cloud.sap
+
+- \*.accounts.sapcloud.cn
+
+- \*.trial-accounts.ondemand.com
+
+
+Action: If your SAP Cloud Identity Services tenants are running on any of the affected domains, ensure that you trust the new root CA: DigiCert Global Root G2.
+
+
+
+
+Required
+
+
+
+
+Deprecated
+
+
+
+
+Announcement
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-02
+
+
+
+
+2023-11-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+End User Screens
+
+
+
+
+Added Thai, Malay and Vietnamese to the supported languages for end user screens. See [Supported Languages](supported-languages-0ea634d.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-02
+
+
+
+
+2023-11-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Customer Documents
+
+
+
+
+Tenant administrator can upload terms of use and privacy policy documents, and e-mail templates in Thai, Malay and Vietnamese. See [Configuring Terms of Use](Operation-Guide/configuring-terms-of-use-61d3a86.md), [Configuring Privacy Policies](Operation-Guide/configuring-privacy-policies-ed48466.md), and [Configuring Email Templates](Operation-Guide/configuring-email-templates-b2afbcd.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-02
+
+
+
+
+2023-11-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Integration of *Default Attributes* and *Assertion Attributes* in Applications
+
+
+
+
+In the configuration of applications, we have combined the *Default Attributes* and *Assertion Attributes* into a single screen named *Attributes.* This change gives administrators a complete overview of the user attributes configured for an application. See [User Attributes](Operation-Guide/user-attributes-ed2797d.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-02
+
+
+
+
+2023-11-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-10-11
+
+
+
+
+2023-10-11
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Groups
+
+
+
+
+Tenant administrator can add users to a group by filtering them with the `starts with` or `contains` operator. See [Add Users to a Group](Operation-Guide/add-users-to-a-group-d2e1a01.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-10-11
+
+
+
+
+2023-10-11
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Authorizations Based on Policies
+
+
+
+
+The `user.excludedAttributes` attribute is deprecated. See [Configure Authorizations Based on Policies](Operation-Guide/configure-authorizations-based-on-policies-08fea39.md).
+
+Action:
+
+If you have a policy configured with the `user.excludedAttributes` attribute exchange the `user.excludedAttributes` with the `user.attributes` attribute in combination with the "NOT IN" operator.
+
+If the policy is configured with the `user.аttributes` attribute used with the "=" operator, it supports only one attribute. For more attributes, use the "IN" operator adding each attribute separately.
+
+
+
+
+Required
+
+
+
+
+Deprecated
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-10-11
+
+
+
+
+2023-10-11
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+In-App Help
+
+
+
+
+SAP Companion context-sensitive in-app help has been implemented in the administration console for SAP Cloud Identity Services. You can start the in-app help by selecting the *Help* control. The administration console provides *Help Topics*, *Guided Tours*, and *What's New* content. See [SAP Companion User Guide](https://help.sap.com/docs/SAP_ENABLE_NOW/46fcbeb139c4487ba713638cd75d1a19/6208110e6cac1014b670eace620bbd24.html?version=latest).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-10-11
+
+
+
+
+2023-10-11
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-09-28
+
+
+
+
+2023-09-27
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Corporate IdP
+
+
+
+
+Identity Authentication added new parameter `idp` which allows sign in to specific application with specific corporate identity provider. See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md)and [Configure IdP-Initiated SSO](Operation-Guide/configure-idp-initiated-sso-5d59caa.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-09-28
+
+
+
+
+2023-09-27
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Off-Cycle Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-09-07
+
+
+
+
+2023-09-07
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-30
+
+
+
+
+2023-08-30
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Manage Administrators
+
+
+
+
+Tenant administrator can add another administrator with login name as identifier. See [Add User as Administrator](Operation-Guide/add-administrators-bbbdbdd.md#loio1dc498bff0674743a1a3a0ec3f0bf298).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-30
+
+
+
+
+2023-08-30
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Off-Cycle Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-18
+
+
+
+
+2023-08-17
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-16
+
+
+
+
+2023-08-16
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Risk-Based Authentication
+
+
+
+
+New authentication method *Trusted IdP SAML Assertion* is available when you create a new rule for risk-based authentication. See [Create a New Rule](Operation-Guide/create-a-new-rule-18d02ab.md) .
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-16
+
+
+
+
+2023-08-16
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Implicit Grant Type Not Enabled by Default
+
+
+
+
+As announced 2023-08-16, with this change, new applications have the `Implicit` grant type **disabled** by default.
+
+Action: Check if you require the `Implicit` grant type for new applications:
+
+- Yes: Ensure your processes for creating new applications include explicitly enabling the `Implicit` grant type.
+
+ - For the administration console, see [Configure OpenID Connect Application for Implicit Flow](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/c64180e84cae4303ba80b2d4b59788b7.html).
+
+ - For the Identity service, see [Reference Information for the Identity Service of SAP BTP](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/9379444abf3f4e2cbaade7c4001df381.html).
+
+
+- No: Nothing to do.
+
+
+
+
+
+
+
+Required
+
+
+
+
+General Availability
+
+
+
+
+Announcement
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-22
+
+
+
+
+2023-11-22
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Refresh Token Flow of OIDC Protocol Restricted to Validity of Web Session
+
+
+
+
+As announced 2023-08-16, with this change, the service couples the validity of refresh tokens to the session timeout. Refresh tokens expire with the user session, unless you add the `offline_access scope`.
+
+Action: Check if you define a refresh token validity for your applications longer than 12 h:
+
+- Yes: Ensure that you decouple the refresh token from the user session with the `offline_access` scope.
+
+ For more information, see [Token Policy Configuration for Applications](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/c4ba52e748554863917b046bf1b7b355.html).
+
+- No: Nothing to do.
+
+
+
+
+
+
+
+Required
+
+
+
+
+General Availability
+
+
+
+
+Announcement
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-11-22
+
+
+
+
+2023-11-22
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-03
+
+
+
+
+2023-08-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Subscribed Applications
+
+
+
+
+In the configuration of applications, we have combined the *Default Attributes* and *Assertion Attributes* into a single screen named *Application Attributes*. This change gives administrators a complete overview of the user attributes defined by the multitenant application. See [Configuring User Attributes from a Corporate Identity Provider](Operation-Guide/configuring-user-attributes-from-a-corporate-identity-provider-621017f.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-09
+
+
+
+
+2023-08-30
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Terms of Use Documents
+
+
+
+
+Tenant administrator can delete an entire terms of use documents set. See [\(Optional\) Delete a Terms of Use Document](Operation-Guide/optional-delete-a-terms-of-use-document-6ad5df5.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-03
+
+
+
+
+2023-08-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Privacy Policy Documents
+
+
+
+
+Tenant administrator can delete an entire privacy policy documents set. See [\(Optional\) Delete a Privacy Policy Document](Operation-Guide/optional-delete-a-privacy-policy-document-4b66ac1.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-03
+
+
+
+
+2023-08-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Support for Prompt Parameter
+
+
+
+
+The `prompt` parameter is an optional parameter of an OAuth 2.0 Authorization Request in the OpenID Connect Core 1.0 specification. The service supports the *none* and *login* values for this parameter.
+
+See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/94ff0b4b0baa45a893c7cd24254b72b7.html).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-08-03
+
+
+
+
+2023-08-02
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Off-Cycle Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-28
+
+
+
+
+2023-07-28
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-19
+
+
+
+
+2023-07-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Removal of Applications of Type Reuse
+
+
+
+
+Applications of type reuse instance aren't visible in the administration console anymore. Changes to these applications didn't have any effect.
+
+
+
+
+Info only
+
+
+
+
+Deleted
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-19
+
+
+
+
+2023-07-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect
+
+
+
+
+Tenant administrator can configure Identity Authentication to execute the authorization code flow enhanced with PKCE against the corporate identity provider. See [Configure Trust with OpenID Connect Corporate Identity Provider](Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-19
+
+
+
+
+2023-07-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect
+
+
+
+
+Identity Authentication аdded the `apt_id` to the list of the supported parameters. It is required for multitenant scenarios to identify corresponding Identity Authentication application. See [Call Identity Authentication End Session Endpoint](Operation-Guide/call-identity-authentication-end-session-endpoint-ec674f4.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-19
+
+
+
+
+2023-07-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Management
+
+
+
+
+Identity Authentication added the `SCIM ID` to the list of the supported attributes for the export users option. See [Export Existing Users of a Tenant of Identity Authentication](Operation-Guide/export-existing-users-of-a-tenant-of-identity-authentication-40c29d2.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-19
+
+
+
+
+2023-07-19
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regular Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-12
+
+
+
+
+2023-07-05
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Notifications
+
+
+
+
+As of the Jul 5, 2023 upgrade, the first administrator in every new tenant, created after that date, and all newly created administrators are automatically subscribed for system notifications. See [Send System Notifications via Emails](Operation-Guide/send-system-notifications-via-emails-aa04a8b.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-12
+
+
+
+
+2023-07-05
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+REST API
+
+
+
+
+User Management REST API now supports the `applicationId` parameter. The user is created for the application with the specified ID. See [User Registration](Development/user-registration-0aa433c.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-12
+
+
+
+
+2023-07-05
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Groups
+
+
+
+
+Tenant administrator can search for specific member in a group via SCIM ID. See [List and Search Users in Groups](Operation-Guide/list-and-search-users-in-groups-4ac340a.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-12
+
+
+
+
+2023-07-05
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Authentication
+
+
+
+
+Support unauthenticated requests with public tokens. See [Call Identity Authentication Introspect Token Endpoint](Operation-Guide/call-identity-authentication-introspect-token-endpoint-a05f14c.md), [Call Identity Authentication Revoke Token Endpoint](Operation-Guide/call-identity-authentication-revoke-token-endpoint-3501e42.md), and [Call Identity Authentication List Sessions Endpoint](Operation-Guide/call-identity-authentication-list-sessions-endpoint-daf7e44.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-07-12
+
+
+
+
+2023-07-05
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Off-Cycle Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-06-29
+
+
+
+
+2023-06-28
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Corporate IdPs
+
+
+
+
+Tenant administrator can copy the settings from a corporate IdP that is already existing in the tenant to a new corporate IdP. See [Create Corporate IdP in Administration Console](Operation-Guide/create-corporate-idp-in-administration-console-ae99ba9.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-06-29
+
+
+
+
+2023-06-28
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-06-09
+
+
+
+
+2023-06-08
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Corporate IdP
+
+
+
+
+Tenant administrator can set the interval for the automatic refresh of the OpenID Connect metadata of the corporate identity provider. See [Configure Trust with OpenID Connect Corporate Identity Provider](Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-06-09
+
+
+
+
+2023-06-08
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect Configurations
+
+
+
+
+Tenant administrator can set the maximum wait time for front-channel logout. See [Tenant OpenID Connect Configurations](Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-06-09
+
+
+
+
+2023-06-08
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-05-25
+
+
+
+
+2023-05-25
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Corporate IdPs
+
+
+
+
+You can change the default attributes sent to the application to uppercase or lowercase letters depending on your needs. See [Configuring Attributes Based on Flexible Expressions](Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-05-25
+
+
+
+
+2023-05-25
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-05-17
+
+
+
+
+2023-05-17
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-05-11
+
+
+
+
+2023-05-11
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect
+
+
+
+
+Identity Authentication now supports new optional parameter `logout_uri` in the `/oauth2/authorize` endpoint. See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md), [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-a721157.md), and [Configure the Client to Call Identity Authentication Authorize Endpoint for Implicit Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-implicit-flow-1ca3dc0.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-05-11
+
+
+
+
+2023-05-11
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Tenant Settings
+
+
+
+
+You can now reuse your existing tenant for configurations and automated subscriptions. See [Reuse SAP Cloud Identity Services Tenants for Different Customer IDs](Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-05-04
+
+
+
+
+2023-05-04
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-27
+
+
+
+
+2023-04-27
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-20
+
+
+
+
+2023-04-20
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Rewording of Security Recommendations
+
+
+
+
+We improved security recommendation [BTP-IAS-0017](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-IAS-0017) to list the specific authorizations that we feel are critical not just to the service, but to your landscape as well.
+
+In addition, we reviewed and improved the readability of the other recommendations for the service to make clear when the recommendations apply.
+
+See [SAP Security Recommendations for Identity Authentication](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-20
+
+
+
+
+2023-04-20
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Deprecation of Security Recommendation BTP-IAS-0016
+
+
+
+
+Security recommendation BTP-IAS-0016 was too broadly formulated to provide clear guidance to our customers. We removed the recommendation from the list.
+
+For other recommendations for the service, see [SAP BTP Security Recommendations for Identity Authentication](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-service=Identity%20Authentication).
+
+
+
+
+Info only
+
+
+
+
+Deprecated
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-20
+
+
+
+
+2023-04-20
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+SMS Verification
+
+
+
+
+Sinch Authentication 365 is deprecated.
+
+Action: We recommend you to configure Sinch Verification in the administration console and start using it. See [Configure Sinch Service in Administration Console](Operation-Guide/configure-sinch-service-in-administration-console-f4a04ed.md).
+
+
+
+
+Recommended
+
+
+
+
+Deprecated
+
+
+
+
+Announcement
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-13
+
+
+
+
+2023-04-13
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Tenant Offering
+
+
+
+
+You can now create an SAP Cloud Identity Services trial tenant from an SAP BTP trial account. A trial tenant is intended for testing purposes of SAP Cloud Identity Services – Identity Authentication and Identity Provisioning. See [Tenant Model and Licensing](tenant-model-and-licensing-93160eb.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-13
+
+
+
+
+2023-04-13
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Authorizations Based on Policies
+
+
+
+
+\(Beta\) You can configure and assign a granular access control based on policies for the administrators of SAP Cloud Identity Services. See [Configure Authorizations Based on Policies](Operation-Guide/configure-authorizations-based-on-policies-08fea39.md).
+
+
+
+
+Info only
+
+
+
+
+Beta
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-04-04
+
+
+
+
+2023-04-04
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-31
+
+
+
+
+2023-03-31
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Management
+
+
+
+
+You can configure which user ID attribute can be visible on the *User Management* section in the administration console. See [Search Users](Operation-Guide/search-users-06078a6.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-31
+
+
+
+
+2023-03-31
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Global User ID
+
+
+
+
+You can reuse previous versions of the *Global User ID* for one and the same user. See [Search Users](Operation-Guide/search-users-06078a6.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-31
+
+
+
+
+2023-03-31
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect Configurations
+
+
+
+
+You can extend the standard OpenID Connect metadata. See [Tenant OpenID Connect Configurations](Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-31
+
+
+
+
+2023-03-31
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Corporate IdPs
+
+
+
+
+You can check which applications have established trust with a specific corporate identity provider in the administration console. See [Configure Trust with OpenID Connect Corporate Identity Provider](Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md) and [Configure Trust with SAML 2.0 Corporate Identity Provider](Operation-Guide/configure-trust-with-saml-2-0-corporate-identity-provider-33832e5.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-31
+
+
+
+
+2023-03-31
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Configuration of Authorization Policies
+
+
+
+
+Authorization management enables administrators to configure authorization policies throughout multiple environments and assign them to users. In the administration console, administrators can create custom authorization policies. They can edit an existing one by adding or deleting restrictions, changing user attribute values, or by combining rules of multiple authorization policies in a new one. See [Configuring Authorization Policies](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/982ac5f91d2346fda8dd8096e861fc36.html?version=Cloud).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-31
+
+
+
+
+2023-03-31
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-16
+
+
+
+
+2023-03-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Administration Console
+
+
+
+
+The Horizon theme is now available for the administration console of SAP Cloud Identity Services, both the web and mobile version. See [How Far is the Horizon for SAP Cloud Identity Services?](https://blogs.sap.com/2023/03/15/how-far-is-the-horizon-for-sap-cloud-identity-services/).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+
+
+
+
+
+2023-03-16
+
+
+
+
+2023-03-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Troubleshooting
+
+
+
+
+You can filter and view troubleshooting logs directly in the administration console for SAP Cloud Identity Services. See [View Troubleshooting Logs](Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+
+
+
+
+
+2023-03-16
+
+
+
+
+2023-03-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect
+
+
+
+
+You can configure the access token format. See [Token Policy Configuration for Applications](Operation-Guide/token-policy-configuration-for-applications-c4ba52e.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+
+
+
+
+
+2023-03-16
+
+
+
+
+2023-03-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-03-01
+
+
+
+
+2023-03-01
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Management
+
+
+
+
+Application user import was enhanced with new parameters : `userType` and `urn:ietf:params:scim:schemas:extension:sap:2.0:User:mailVerified`. See [Import or Update Users for a Specific Application](Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Applications
+
+
+
+
+You can return an application's configuration to its inherited state with the *Inherit from Parent* option via the administration console. See [Edit Applications](Operation-Guide/edit-applications-69d8cad.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Troubleshooting
+
+
+
+
+You can use the troubleshooting logs to analyze OpenID Connect issues with applications and corporate identity providers. See [Logging OpenID Connect Tokens](Monitoring-and-Reporting/logging-openid-connect-tokens-b6c42b5.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect
+
+
+
+
+Identity Authentication now supports the `groups` value of the `scope` parameter. See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md) and [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-a721157.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+OpenID Connect
+
+
+
+
+Identity Authentication now supports new parameter - `scope` for the service endpoint that returns the tokens issued by the corporate identity provider received during the OpenID Connect \(OIDC\) authentication process. See [Exchanging Identity Authentication Tokens for Tokens from Corporate Identity Providers](Development/exchanging-identity-authentication-tokens-for-tokens-from-corporate-identity-providers-a66753a.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Identity Service
+
+
+
+
+You can use the `refresh-usage-after-renewal` parameter to define the validity of the old refresh token after requesting a new one through the refresh token grant type. See [Reference Information for the Identity Service of SAP BTP](Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Administration Console
+
+
+
+
+You can now configure and work with Identity Provisioning in the administration console for SAP Cloud Identity Services.
+
+The entire provisioning functionality, which includes adding, enabling, disabling, deleting, and resetting provisioning systems, running jobs, viewing and downloading logs, is integrated there and can be accessed in the navigation area under SAP Cloud Identity Services.
+
+The latest step in tightening SAP Cloud Identity Services integration allows you to manage your configurations in one place without the need to switch between consoles. To benefit from it, your Identity Provisioning tenant must run on SAP Cloud Identity Services infrastructure.
+
+See [Configure Identity Provisioning in SAP Cloud Identity Services Administration Console](https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/03223babed91493c9305e40269e909d2.html?state=DRAFT&version=Cloud).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-15
+
+
+
+
+2023-02-15
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-09
+
+
+
+
+2023-02-07
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-03
+
+
+
+
+2023-02-03
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-02-02
+
+
+
+
+2023-02-01
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-24
+
+
+
+
+2023-01-24
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Manage Applications
+
+
+
+
+Tenant administrator can manage applications in Identity Authentication via API. It offers endpoints for CRUD operations \(GET, PUT, POST, PATCH, DELETE\) over the applications. See [SAP Cloud Identity Services Application Directory](https://api.sap.com/api/SCI_Application_Directory/overview).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+
+
+
+
+
+2023-01-23
+
+
+
+
+2023-01-23
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-22
+
+
+
+
+2023-01-20
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Management
+
+
+
+
+Tenant administrator can search users by `SCIM ID` in the administration console. See [Search Users](Operation-Guide/search-users-06078a6.md) and [Add Users to a Group](Operation-Guide/add-users-to-a-group-d2e1a01.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-22
+
+
+
+
+2023-01-20
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+System Upgrade
+
+
+
+
+Identity Authentication has been upgraded.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-19
+
+
+
+
+2023-01-18
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Regional Availability
+
+
+
+
+Identity Authentication is now available with a single data center \(DC\) for the AWS infrastructure in India. See [Regional Availability](regional-availability-be600ca.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-19
+
+
+
+
+2023-01-18
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Tenant Settings
+
+
+
+
+The `Login Name` user identifier can be configured as required or nonrequired. See [Configure User Identifier Attributes](Operation-Guide/configure-user-identifier-attributes-8b9fa88.md).
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+New
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-19
+
+
+
+
+2023-01-18
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+Administration Console
+
+
+
+
+The administration console was renamed from `Identity Authentication` to `SAP Cloud Identity Services`.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-19
+
+
+
+
+2023-01-18
+
+
+
+
+
+
+Identity Authentication
+
+
+
+
+- Neo
+- Kyma
+- Cloud Foundry
+
+
+
+
+
+
+User Management
+
+
+
+
+Identity Authentication renamed user identifier `User UUID` to `Global User ID` in the administration console. The technical name of the attribute remains unchanged `userUuid`.
+
+
+
+
+Info only
+
+
+
+
+General Availability
+
+
+
+
+Changed
+
+
+
+
+Technology
+
+
+
+
+Not applicable
+
+
+
+
+Identity Authentication
+
+
+
+
+2023-01-19
+
+
+
+
+2023-01-18
+
+
+
+
+
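Review bot: the Identity Provisioning entry dated 2023-02-15 ("You can now configure and work with Identity Provisioning in the administration console") links to a help.sap.com URL ending in `?state=DRAFT&version=Cloud`; the `state=DRAFT` query parameter sends readers to an unpublished draft of the target page and should be dropped so the link reads `?version=Cloud` like the other absolute help.sap.com links in this table. Two smaller consistency issues in the same block: the three 2023-03-16 entries (Administration Console, Troubleshooting, OpenID Connect) and the 2023-01-23 Manage Applications entry have an empty cell where every other row carries the `Identity Authentication` component value between `Not applicable` and the dates, and the 2023-02-15 User Management entry has a stray space before the colon in "new parameters : `userType`".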
diff --git a/docs/Development/add-logon-overlays-in-customer-applications-5e98ecf.md b/docs/Development/add-logon-overlays-in-customer-applications-5e98ecf.md
index d8e272a..dc92336 100644
--- a/docs/Development/add-logon-overlays-in-customer-applications-5e98ecf.md
+++ b/docs/Development/add-logon-overlays-in-customer-applications-5e98ecf.md
@@ -10,7 +10,8 @@ This document describes how service providers that delegate authentication to Id
## Prerequisites
-You have added the domains of the applications for which you want to use overlays as trusted in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trusted Domains](../Operation-Guide/configure-trusted-domains-08fa1fe.md).
+- You have a customer application. For more information, see [Application Types](../application-types-8f61880.md).
+- You have added the domains of the applications for which you want to use overlays as trusted in the administration console for SAP Cloud Identity Services. For more information, see [Configure Trusted Domains](../Operation-Guide/configure-trusted-domains-08fa1fe.md).
diff --git a/docs/Development/change-tenant-texts-rest-api-66ad80a.md b/docs/Development/change-tenant-texts-rest-api-66ad80a.md
index d5e450d..2e97cd6 100644
--- a/docs/Development/change-tenant-texts-rest-api-66ad80a.md
+++ b/docs/Development/change-tenant-texts-rest-api-66ad80a.md
@@ -1119,7 +1119,7 @@ logon.ui.errormessage.INVALID_EMAIL_OTP_CODE=You have entered the wrong code or
logon.ui.errormessage.NO_EMAIL_OTP_CODE_TEMPLATE=Sorry, but sending a code via email is not possible right now. Please contact your administrator before continuing.
-logon.ui.errormessage.UNVERIFIED_EMAIL_FOR_OTP_CODE=We did not send you a code because your email is not verified. Please contact your administrator for assistance.
+logon.ui.errormessage.UNVERIFIED_EMAIL_FOR_OTP_CODE=We did not send you a code because your email has not been verified. Please contact your administrator for assistance.
logon.ui.errormessage.PASSCODE_LOCKED=Your account has been temporarily locked because of too many failed attempts. Your account will be automatically unlocked in 10 minutes.
@@ -1323,9 +1323,9 @@ forgottenPasswordMailConfirm.forgotYourPassword=Forgot My Password
forgottenPasswordMailConfirm.emailSent=If an account exists, an email with a link to reset your password has been sent.
-forgottenPasswordMailConfirm.clickTheLink.days=Click the link contained in the email. You will be forwarded to a page where you can reset your password. The link in the email will expire in {0} days from now.
+forgottenPasswordMailConfirm.clickTheLink.days=Click the link in the email. You will be forwarded to a page where you can reset your password. The link in the email will expire in {0} days.
-forgottenPasswordMailConfirm.clickTheLink.hours=Click the link contained in the email. You will be forwarded to a page where you can reset your password. The link in the email will expire in {0} hours from now.
+forgottenPasswordMailConfirm.clickTheLink.hours=Click the link in the email. You will be forwarded to a page where you can reset your password. The link in the email will expire in {0} hours.
forgottenPasswordMailConfirm.closeButton=Close
@@ -1335,15 +1335,15 @@ informAboutPasswordStatus.passwordNeedsReset=Your Password Needs to Be Reset
informAboutPasswordStatus.emailSent=An email with a link to reset your password has been sent to {0}.
-informAboutPasswordStatus.text=Your password has not been used for more than {0} months. To help maintain your security, your password needs to be reset. We have sent an email to your email address containing a link to a page where you can reset your password. The link in the email will expire {0}.
+informAboutPasswordStatus.text=Your password has not been used for more than {0} months. To help maintain your security, your password needs to be reset. We have sent you an email with a link to a page where you can reset your password. The link in the email expires on {0}.
informAboutPasswordStatus.reason.passwordNotUsed=Your password has not been used for more than {0} months.
informAboutPasswordStatus.reason.insufficientComplexity=Your password does not meet the password complexity requirements.
-informAboutPasswordStatus.maintainSecurity.days=To help maintain your security, your password needs to be reset. We have sent an email to your email address containing a link to a page where you can reset your password. The link in the email will expire in {0} days from now.
+informAboutPasswordStatus.maintainSecurity.days=To help maintain your security, your password needs to be reset. We have sent an email to your email address containing a link to a page where you can reset your password. The link will expire in {0} days.
-informAboutPasswordStatus.maintainSecurity.hours=To help maintain your security, your password needs to be reset. We have sent an email to your email address containing a link to a page where you can reset your password. The link in the email will expire in {0} hours from now.
+informAboutPasswordStatus.maintainSecurity.hours=To help maintain your security, your password needs to be reset. We have sent an email to your email address containing a link to a page where you can reset your password. The link will expire in {0} hours.
passwordForm.invalidInput=Invalid input
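Review bot: `informAboutPasswordStatus.text` still uses `{0}` for both the month count and the expiry date ("more than {0} months" and "expires on {0}"), so the rewording keeps a message that can only render one of the two values correctly; if the expiry is passed as a separate argument it should be `{1}`, otherwise the sentence should be dropped in favour of the `.days`/`.hours` variants below it. The hunk also changes `.text` to "We have sent you an email with a link" but leaves `informAboutPasswordStatus.maintainSecurity.days` and `.hours` with "We have sent an email to your email address containing a link"; the three keys should use the same phrasing.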
@@ -1369,6 +1369,7 @@ policyaccept.ui.errormessage.accepttoproceed=To proceed, accept the privacy poli
policyaccept.ui.errormessage.markcheckbox=To accept the privacy policy, click the checkbox.
+
document.ui.label.headline=Legal Disclaimers
document.ui.label.accessUse=We have updated our legal documents. To access and use {0}, please read and accept the documents below:
@@ -1537,14 +1538,24 @@ registerForm.company=Company
registerForm.streetAddress=Street Address
+registerForm.companyStreetAddress=Street Address
+
registerForm.streetAddress2=Street Address 2
+registerForm.companyStreetAddress2=Street Address 2
+
registerForm.city=City
+registerForm.companyCity=City
+
registerForm.postalcode=ZIP/Postal Code
+registerForm.companyPostalcode=ZIP/Postal Code
+
registerForm.country=Country/Region
+registerForm.companyCountry=Country/Region
+
registerForm.state=State/Province
registerForm.industry=Industry
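Review bot: the five new `registerForm.company*` keys carry exactly the same display text as the existing `registerForm.streetAddress`, `streetAddress2`, `city`, `postalcode` and `country` labels, so if both sets are rendered on one registration form a user (or a screen reader) cannot tell the personal address fields from the company ones. Either qualify the new labels (for example `registerForm.companyCity=Company City`) or note in the change description that they are only shown under a separate company section.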
@@ -1585,7 +1596,7 @@ validation.firstNameInExcludeList=You have chosen a first name that is not allow
validation.lastNameInExcludeList=You have chosen a last name that is not allowed. Please choose a different last name and try again.
-validation.emailInExcludeList=You have chosen an email address that is not allowed. Please choose a different email address and try again.
+validation.emailInExcludeList=You have chosen an email address that is not allowed. Please choose a different one and try again.
general.ui.help.title=Help for
@@ -1599,7 +1610,7 @@ ResourceType.RESOURCE_PRIVACYPOLICY.for=Privacy Policy for {0}
createForgottenPasswordMail.forgotPassword=Forgot My Password
-createForgottenPasswordMail.forgotPassword.text=Enter your credentials below and click Send. An email with a link to a page where you can reset your password will be sent. Note that the email might take a few minutes to reach your inbox.
+createForgottenPasswordMail.forgotPassword.text=Enter your credentials below and click Send. An email will be sent containing a link to a page where you can reset your password. Note that the email might take a few minutes to reach your inbox.
createForgottenPasswordMail.forgotPassword.fioritheme.text=To reset your password, enter your email address and choose Continue.
@@ -1633,11 +1644,11 @@ error.oauth.signing.process.failed.wrong.client.secret.error=Social sign-on fail
error.oauth.access.denied.errorMessage=Access denied from social provider.
-token.invalid=Your email activation link is invalid or already used.
+token.invalid=Your email activation link is invalid or has already been used.
-token.expired=Your email activation link has expired. A new email has automatically been sent. To activate your account, click the link in the new email.
+token.expired=Your email activation link has expired. A new email has been sent automatically. To activate your account, click the link in the new email.
-token.expired.resetPassword=Your reset password link has expired. A new email has automatically been sent. To reset your password, click the link in the new email.
+token.expired.resetPassword=Your reset password link has expired. A new email has been sent automatically. To reset your password, click the link in the new email.
general.auth.request.error=Identity Provider could not process the authentication request received. Delete your browser cache and stored cookies, and restart your browser. If you still experience issues after doing this, please contact your administrator.
@@ -2545,7 +2556,7 @@ userData.label.validTo=Valid to
error.ui.errormessage.idpSsesionExpired=Your session has expired. Please log on again.
-error.ui.errormessage.idpSessionExpiredUserActivation=Your session has expired. Open the email for your account activation and follow the link in it to re-activate your account.
+error.ui.errormessage.idpSessionExpiredUserActivation=Your session has expired. Open the email for your account activation and follow the link it contains to reactivate your account.
error.ui.errormessage.idpSessionExpiredPasswordReset=Your session has expired. Open the email for your password reset and follow the link in it to reset your password.
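Review bot: only the activation message was reworded to "follow the link it contains"; the password-reset counterpart on the next line still says "follow the link in it". Update `error.ui.errormessage.idpSessionExpiredPasswordReset` in the same way so the two session-expired texts read identically apart from the action.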
@@ -2557,6 +2568,7 @@ error.ui.unknown.application.error=An error has occurred. Please visit the appli
error.ui.unexistent.text.resource.error=The requested document does not exist. Please contact your system administrator.
+
sci_eu_data_protection.headline=European Union (EU) Access Mode
sci_eu_data_protection.message=This Identity Authentication landscape is operated and supported in European Union (EU) Access mode. Please confirm that you are either physically located in the EU or that you have positively verified that EU access restrictions do not apply in your situation. Your confirmation will be logged.
@@ -2585,6 +2597,8 @@ error.ui.errormessage.invalidOpenIDTokenHint=OpenID provider cannot process the
error.ui.errormessage.unknownClientId=OpenID provider cannot process the logout request because the client_id is unknown. Please contact your system administrator.
+error.ui.errormessage.clientIdNotUnique=OpenID provider cannot process the logout request because the client_id of the application is not unique. Please also provide [app_tid].
+
error.ui.errormessage.missingOpenIDTokenHintAndClientID=OpenID provider cannot process the logout request because neither client_id nor id_token_hint parameter has been provided with the post_logout_redirect_uri. Please contact your system administrator.
flashes.error_validating_captcha=We are unable to validate your Captcha protection at the moment. Please try again later.
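Review bot: the new `clientIdNotUnique` text ends with "Please also provide [app_tid].", which addresses the end user who sees the error page but names a request parameter only the relying party's developer can add, and the square brackets make it unclear whether `app_tid` is a literal parameter name or a placeholder. The sibling messages `unknownClientId` and `missingOpenIDTokenHintAndClientID` write parameters as `client_id` and `id_token_hint` without brackets and close with "Please contact your system administrator." Suggest: "OpenID provider cannot process the logout request because the client_id of the application is not unique. The logout request must also include the app_tid parameter. Please contact your system administrator."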
diff --git a/docs/Development/consume-apis-from-other-applications-29e204d.md b/docs/Development/consume-apis-from-other-applications-29e204d.md
index a0cc083..a2edb3f 100644
--- a/docs/Development/consume-apis-from-other-applications-29e204d.md
+++ b/docs/Development/consume-apis-from-other-applications-29e204d.md
@@ -116,8 +116,6 @@ The administrator must ensure that the two applications can share the APIs betwe
5. Check that the API is listed or enter the required data.
- For more information, see [Reference Information for the Identity Service of SAP BTP](../Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md).
-
> ### Caution:
> The API name must match exactly what is expected by any consumer applications. The name must be unique within all APIs provided by the same provider application. Consumer applications use this name to determine if their application has the rights to access the provider application.
>
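Review bot: deleting the "For more information, see Reference Information for the Identity Service of SAP BTP" sentence leaves step 5 ("Check that the API is listed or enter the required data") with no pointer to where the `provided-apis` property and its name rules are defined. The hunk in the reference document further down adds a link in the opposite direction, which does not help a reader starting from this page. If the inline sentence was removed to avoid a circular cross-reference, keep the link in this document's Related Information section instead.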
diff --git a/docs/Development/extensions-fb31d4e.md b/docs/Development/extensions-fb31d4e.md
index 5d4c8b5..081d895 100644
--- a/docs/Development/extensions-fb31d4e.md
+++ b/docs/Development/extensions-fb31d4e.md
@@ -109,7 +109,7 @@ The Identity Directory SCIM REST API can be manually extended by adding user att
> >
> > ```
-3. Send the already assigned custom attribute by configuring it in the default attributes sent to the application. See [Attributes with Default Values](../Operation-Guide/attributes-with-default-values-a2f1e46.md) under the *Send Identity Directory Custom Schema Attributes* section.
+3. Send the already assigned custom attribute by configuring it in the default attributes sent to the application. See [Configuring Attributes Based on Flexible Expressions](../Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md) under the *Send Identity Directory Custom Schema Attributes* section.
> ### Example:
> The default attributes for the application are configured in the administration console as follows:
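Review bot: the link target was renamed to "Configuring Attributes Based on Flexible Expressions" but the sentence still points to the *Send Identity Directory Custom Schema Attributes* section inside it. File renames of this kind usually come with restructured headings, so verify that a section with exactly that title still exists in `configuring-attributes-based-on-flexible-expressions-a2f1e46.md`; otherwise the reader is sent to a section that is not there.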
diff --git a/docs/Development/identity-directory-scim-rest-api-5be5692.md b/docs/Development/identity-directory-scim-rest-api-5be5692.md
index 64aa1ee..3bdfdcf 100644
--- a/docs/Development/identity-directory-scim-rest-api-5be5692.md
+++ b/docs/Development/identity-directory-scim-rest-api-5be5692.md
@@ -6,9 +6,17 @@ Manage users, groups and custom schemas in the cloud.
-> ### Note:
+> ### Remember:
> The API is available on the SAP Business Accelerator Hub: [Identity Directory Service](https://api.sap.com/api/IdDS_SCIM/overview)
+
+
+
+
+## Prerequisites
+
+To call the methods of this SCIM REST API you must have a system as administrator with an assigned *Manage Users* role. For more details about how to add a system as administrator and assign administrator roles, see [Add System as Administrator](../Operation-Guide/add-administrators-bbbdbdd.md#loiocefb742a36754b18bbe5c3503ac6d87c), and [Edit Administrator Authorizations](../Operation-Guide/edit-administrator-authorizations-86ee374.md).
+
**Related Information**
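Review bot: the new Prerequisites section names only the *Manage Users* role, while the page summary two lines above says the API manages "users, groups and custom schemas". State which administrator role each resource type requires, or say explicitly that *Manage Users* covers group and schema operations as well, so that an administrator can grant a system only the authorization it needs rather than guessing. Also, "you must have a system as administrator with an assigned *Manage Users* role" should read "you must have added a system as administrator and assigned it the *Manage Users* role".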
diff --git a/docs/Development/password-service-rest-api-8d1016b.md b/docs/Development/password-service-rest-api-8d1016b.md
index cc541b1..f4907ed 100644
--- a/docs/Development/password-service-rest-api-8d1016b.md
+++ b/docs/Development/password-service-rest-api-8d1016b.md
@@ -60,7 +60,7 @@ Yes
Username and password are provided by the user.
> ### Note:
-> Depending on the allowed logon identifiers for the user, the username can be the `User ID`, `Login Name`, or `E-Mai`. For more information, see [Configure Allowed Logon Identifiers](../Operation-Guide/configure-allowed-logon-identifiers-3adf1ff.md).
+> Depending on the allowed logon identifiers for the user, the username can be the `User ID`, `Login Name`, or `Email`. For more information, see [Configure Allowed Logon Identifiers](../Operation-Guide/configure-allowed-logon-identifiers-3adf1ff.md).
> ### Caution:
> If the user provides wrong password, then each verification counts as a failed logon attempt. The password locks when the number of the allowed failed logon attempts is reached. The number depends on the password policy applied for the application. For more information, see [Configuring Password Policies](../Operation-Guide/configuring-password-policies-12b3395.md).
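Review bot: the Caution in the trailing context still reads "If the user provides wrong password"; it should be "a wrong password". More importantly, since the Caution states that every failed verification counts toward the lockout threshold, an application that forwards unauthenticated, attacker-controlled credentials to this API lets a third party lock arbitrary accounts. Consider adding a sentence recommending that callers rate-limit verification requests and do not expose this call to unauthenticated input.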
diff --git a/docs/Development/single-logout-flows-0584b5f.md b/docs/Development/single-logout-flows-0584b5f.md
index 9117f52..f30ba12 100644
--- a/docs/Development/single-logout-flows-0584b5f.md
+++ b/docs/Development/single-logout-flows-0584b5f.md
@@ -9,7 +9,7 @@ To counter this threat, ensure that your application takes part in single logout
The service supports SAML 2.0 and OIDC logout flows. No matter which protocol your applications and identity providers use, the service forwards the logout requests to any corporate identity providers and applications associated with the user session.
> ### Note:
-> SLO terminate the sessions of all applications under the same domain as Identity Authentication \(`hana.ondemand.com` and `cloud.sap`\) as well as under a custom domain configured for the service. To have applications participate in SLO, ensure that the applications operate under these domains \(recommended\) or allow 3rd-party cookies.
+> SLO terminate the sessions of all applications under the same domain as Identity Authentication \(`ondemand.com` and `cloud.sap`\) as well as under a custom domain configured for the service. To have applications participate in SLO, ensure that the applications operate under these domains \(recommended\) or allow 3rd-party cookies.
- SAML applications: [Service Provider Initiated Logout with Corporate Identity Providers](../Operation-Guide/service-provider-initiated-logout-with-corporate-identity-providers-3841580.md#loio3841580082cb4af6a13289e98a0cce12)
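Review bot: the hunk changes the stated shared-domain scope from `hana.ondemand.com` to `ondemand.com`, which widens the claim about whose sessions SLO terminates to every `ondemand.com` subdomain; please confirm this reflects the actual cookie domain rather than a shorthand. The grammar error in the untouched part of the sentence remains: "SLO terminate the sessions" should be "SLO terminates the sessions". Finally, the fallback "or allow 3rd-party cookies" is increasingly blocked by browsers by default; it would help to say that applications outside these domains should not rely on that option for logout to propagate.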
diff --git a/docs/Development/sp-user-information-dc96d56.md b/docs/Development/sp-user-information-dc96d56.md
index 830d42c..f728c91 100644
--- a/docs/Development/sp-user-information-dc96d56.md
+++ b/docs/Development/sp-user-information-dc96d56.md
@@ -205,6 +205,7 @@ The response returns the following attributes. Only the attributes that exist fo
- country
- city
- company\_city
+- spCustomAttributeX
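Review bot: `spCustomAttributeX` is added to the list of response attributes without defining `X`. State whether `X` is a numeric index, what range it takes, and whether the key returned in the response is literally `spCustomAttribute1`, `spCustomAttribute2` and so on, so a consumer can parse the response deterministically.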
diff --git a/docs/Integrating-the-Service/integrating-the-service-with-sap-business-technology-platform-neo-environment-fe84459.md b/docs/Integrating-the-Service/integrating-the-service-with-sap-business-technology-platform-neo-environment-fe84459.md
index 962a83f..0c702b8 100644
--- a/docs/Integrating-the-Service/integrating-the-service-with-sap-business-technology-platform-neo-environment-fe84459.md
+++ b/docs/Integrating-the-Service/integrating-the-service-with-sap-business-technology-platform-neo-environment-fe84459.md
@@ -266,7 +266,7 @@ You have to specify how the assertion attributes are sent to SAP BTP in the asse
**Related Information**
-[User Attributes Sent to the Application](../Operation-Guide/user-attributes-sent-to-the-application-d361407.md "After configuring the user attributes to be collected by the registration and upgrade forms, you have to specify how these attributes are sent to the application.")
+[Configuring User Attributes from the Identity Directory](../Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md "Specify how the local user attributes, configured to be collected by the registration and upgrade forms, are sent to the application.")
diff --git a/docs/Integrating-the-Service/integrating-the-service-with-sap-document-center-397683c.md b/docs/Integrating-the-Service/integrating-the-service-with-sap-document-center-397683c.md
index c22f6aa..5f31e04 100644
--- a/docs/Integrating-the-Service/integrating-the-service-with-sap-document-center-397683c.md
+++ b/docs/Integrating-the-Service/integrating-the-service-with-sap-document-center-397683c.md
@@ -141,7 +141,7 @@ Assertion-based groups are groups determined by values of attributes in the SAML
For example, you can have a group *EVERYONE* for all the users of Identity Authentication, and a group *DocCenter\_Admins* just for the administrators. In this case, you should assign the group EVERYONE to all the users of Identity Authentication, and just the administrators to the *DocCenter\_Admins* group.
-2. Configure the `groups` attribute that is sent to SAP Document Center in the SAML 2.0 assertion. For more information, see [User Attributes Sent to the Application](../Operation-Guide/user-attributes-sent-to-the-application-d361407.md)
+2. Configure the `groups` attribute that is sent to SAP Document Center in the SAML 2.0 assertion. For more information, see [Configuring User Attributes from the Identity Directory](../Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md)
3. In the cockpit of SAP BTP define the assertion based groups for the group-to-role mapping in the cockpit. For more information, see 4. \(If Using an Identity Provider\) Define the Group-to-Role Mapping.
@@ -196,7 +196,7 @@ You have to specify how the assertion attributes are sent to SAP BTP in the asse
**Related Information**
-[User Attributes Sent to the Application](../Operation-Guide/user-attributes-sent-to-the-application-d361407.md "After configuring the user attributes to be collected by the registration and upgrade forms, you have to specify how these attributes are sent to the application.")
+[Configuring User Attributes from the Identity Directory](../Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md "Specify how the local user attributes, configured to be collected by the registration and upgrade forms, are sent to the application.")
diff --git a/docs/Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md b/docs/Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md
index 145644f..5a937fe 100644
--- a/docs/Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md
+++ b/docs/Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md
@@ -16,6 +16,7 @@ The syntax of the properties is as follows:
```
{
+ "name": "opportunity-management",
"authorization": {
"enabled": true,
"value_help_url": "https://myapp_namespace.cert.cfapps.eu10.hana.ondemand.com/odata/v4/ValueHelpService/"
@@ -67,6 +68,23 @@ Description
+`name`
+
+
+
+
+Sets the technical name of the application. The admin console shows this name below the display name in the list of applications and as the name of the *OpenID Connect Configuration*.
+
+> ### Restriction:
+> The name must be unique in your tenant.
+
+By default, the Identity Authentication service uses the instance ID generated by the `create-instance` command.
+
+
+
+
+
+
`authorization`
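Review bot: the new `name` entry says the value must be unique in the tenant but gives no allowed character set or maximum length, while the neighbouring properties do (99 characters for the display name, 32 for API names). Add the length and character rules, say what the `create-instance` command does when the name collides with an existing application (fails, or falls back to the instance ID), and state whether changing `name` on an existing instance renames the application or is rejected.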
@@ -76,11 +94,11 @@ Integrates the SAP Cloud Identity Services - Authorization Management service, e
For more information about developing applications with Authorization Management, see LINK.
-The `enabled` property is false by default. Set this value to true to create an instance of the service for your SAP Cloud Identity services tenant.
+The `enabled` property is false by default. Set this value to true to create an instance of the service for your SAP Cloud Identity Services tenant.
The `value_help_url` property is an absolute URL that points to an OData service of your application. The OData service serves values for attributes defined in the DCL schema of your application.
-Limitations:
+Limits:
- The format must be `https://host/path`
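Review bot: the unchanged context line "For more information about developing applications with Authorization Management, see LINK." still carries the unresolved `LINK` placeholder; since this hunk touches the same paragraph, resolve the link here or remove the sentence until the target exists.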
@@ -120,7 +138,7 @@ For more information, see [OpenID Connect Application Configurations](../Operati
-Is an array of redirect URIs, where users are allowed to be forwarded after logout.
+Is an array of redirect URIs, where users can be forwarded after logout.
This property is empty by default.
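Review bot: the description of the post-logout redirect URI array says only that users "can be forwarded" there. Document how the `post_logout_redirect_uri` sent by the client is matched against this list (exact string match, or prefix and wildcard support), because loose matching turns the logout endpoint into an open redirector.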
@@ -152,7 +170,7 @@ For more information, see [OpenID Connect Application Configurations](../Operati
-Set to `true` to enable OAuth flows with public clients. Use public clients in environments where it’s difficult to protect the client credential, such as mobile and desktop applications or client-side parts of web applications.
+Set to `true` to enable OAuth flows with public clients. Use public clients in environments where it’s difficult to protect client credentials, such as mobile and desktop applications or client-side parts of web applications.
This property is `false` by default.
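Review bot: the `public-client` text explains when a client cannot protect its credentials but not what replaces them. State whether the authorization code flow with PKCE is required or merely recommended when this property is `true`, since a public client without PKCE is exposed to authorization-code interception.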
@@ -239,7 +257,7 @@ Defines the validity of the old refresh token after requesting a new one through
- `online` - The new refresh token is created and the old one is still active for 5 minutes.
-- `mobile` - The new and old refresh token are valid during the configured refresh token life time.
+- `mobile` - The new and old refresh tokens are valid during the configured refresh token life time.
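Review bot: the `mobile` option, as now phrased, keeps both the old and the new refresh token valid for the full configured lifetime, so refresh token rotation provides no detection of a stolen token in this mode. Add a caution that `mobile` trades that protection for offline-tolerant clients and should only be chosen where the client genuinely cannot persist the newest token reliably.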
@@ -275,7 +293,7 @@ Set to `true` to add the client ID of the Identity Authentication application cr
> ### Note:
> If the token is retrieved based on a public flow \(`public-client` is true\) without client authentication, Identity Authentication doesn't add the client IDs of the dependent services to the audience claim.
-Default value is `false`.
+The default value is `false`.
@@ -287,7 +305,7 @@ Default value is `false`.
-Sets the name of the application you create with the Identity Authentication service. Enter a maximum of 99 characters.
+Sets the name of the application that you create with the Identity Authentication service. Enter a maximum of 99 characters.
> ### Recommendation:
> Provide a display name, which helps the person who administrates the Identity Authentication service to understand the purpose of the application.
@@ -335,7 +353,7 @@ For more information about attributes for the subject name identifier, see [Conf
An array of API names \(`name`\) and descriptions \(`description`\) which this application makes available for other applications to consume. The name can be any unique string of 32 characters. You can define a maximum of 20 APIs.
-For more information, see [Configure Integration Between Applications](../Operation-Guide/configure-integration-between-applications-9ad7e80.md).
+For more information, see [Consume APIs from Other Applications](../Development/consume-apis-from-other-applications-29e204d.md).
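Review bot: the unchanged context says an API name "can be any unique string of 32 characters", which reads as exactly 32; if the limit is a maximum, write "of up to 32 characters". Since the linked Consume APIs page warns that consumers match this name exactly, also state whether comparison is case-sensitive.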
@@ -417,7 +435,7 @@ Generates a client secret. If no properties are provided, `SECRET` is the defaul
-
+
`X509_GENERATED`
@@ -469,6 +487,18 @@ Together with the `validity-type` the range of validity runs from 1 day to 1 yea
Specifies the time unit for `validity`. Supported values are `DAYS`, `MONTHS`, and `YEARS`. The default value is `DAYS`.
+
+
+
+
+
+`app-identifier`
+
+
+
+
+Enables you to generate a certificate with stable subject. The identifier eases the rotation of the certificates for your microservice while keeping the subject stable. The maximum length is 20 characters.
+
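Review bot: the `app-identifier` entry says it produces "a certificate with stable subject" (should be "with a stable subject") but does not say where the identifier appears in the subject, whether bindings created without it get a different subject, or what happens to existing bindings once it is set, which is exactly what someone rotating microservice certificates needs to know. The six trailing `+` blank lines also look unintentional relative to the spacing of the other table entries.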
@@ -479,7 +509,7 @@ Specifies the time unit for `validity`. Supported values are `DAYS`, `MONTHS`, a
-Creates a binding using certificate you provide from a trusted certificate authority \(CA\). This certificate can be used to request tokens.
+Creates a binding using a certificate that you provide from a trusted certificate authority \(Certification Authority\). This certificate can be used to request tokens.
> ### Restriction:
> Don't forget the new lines \(`\n`\) after `-----BEGIN CERTIFICATE-----` and before `-----END CERTIFICATE-----`. See the previous example.
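Review bot: the rewrite "a trusted certificate authority \(Certification Authority\)" expands a term with a near-synonym instead of an abbreviation. The standard form is "a trusted certification authority \(CA\)", which also matches how the abbreviation is used elsewhere in SAP documentation.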
@@ -612,5 +642,5 @@ To validate tokens, we provide client libraries to support the authentication of
## Token Attributes
-The administrator of the Identity Authentication service determines what attributes are available in tokens. For more information, see [User Attributes Sent to the Application](../Operation-Guide/user-attributes-sent-to-the-application-d361407.md).
+The administrator of the Identity Authentication service determines what attributes are available in tokens. For more information, see [Configuring User Attributes from the Identity Directory](../Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md).
diff --git a/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md b/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md
index 807edf6..23d11dd 100644
--- a/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md
+++ b/docs/Monitoring-and-Reporting/access-audit-logs-aws-azure-infrastructure-a3e793c.md
@@ -120,7 +120,7 @@ To view the audit logs, follow the procedures below:
2. Choose the *Audit and Change Logs* tile.
-3. Choose the *Cloud Foundry* tab.
+3. Choose the *Audit Logs* tab.
4. Choose *Add*.
diff --git a/docs/Monitoring-and-Reporting/download-troubleshooting-logs-2732321.md b/docs/Monitoring-and-Reporting/download-troubleshooting-logs-2732321.md
index 98a0dc7..3b9f4bd 100644
--- a/docs/Monitoring-and-Reporting/download-troubleshooting-logs-2732321.md
+++ b/docs/Monitoring-and-Reporting/download-troubleshooting-logs-2732321.md
@@ -81,9 +81,11 @@ File format
1. Sign in to the administration console for SAP Cloud Identity Services.
-2. Choose *Monitoring & Reporting* \> *Troubleshooting Logs* \> *Download*.
+2. Choose *Monitoring & Reporting* \> *Troubleshooting Logs*.
-3. Define your criteria and download the log entries.
+3. Choose the *Download* button.
+
+4. Define your criteria and download the log entries.
diff --git a/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md b/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md
index b16221e..7c589bc 100644
--- a/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md
+++ b/docs/Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md
@@ -34,7 +34,7 @@ Time period
The time period is in Coordinated Universal Time \(UTC\).
-- You have one hour time period for searching logs. The *Start Period*
+- You have one hour time period for searching logs.
- The date is limited back to 14 days from the current date
> ### Note:
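Review bot: the hunk drops the dangling "The *Start Period*" fragment but leaves "You have one hour time period for searching logs", which needs an article and a hyphen: "You have a one-hour time period for searching logs."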
@@ -76,7 +76,7 @@ Once you have the results you can filter them by *Time*, *Severity*, *IP Address
1. Sign in to the administration console for SAP Cloud Identity Services.
-2. Choose *Monitoring & Reporting* \> *Troubleshooting Logs* \> *View*.
+2. Choose *Monitoring & Reporting* \> *Troubleshooting Logs*.
3. Define the criteria and start your search.
diff --git a/docs/Operation-Guide/add-administrators-bbbdbdd.md b/docs/Operation-Guide/add-administrators-bbbdbdd.md
index 59bdc20..db4d6e2 100644
--- a/docs/Operation-Guide/add-administrators-bbbdbdd.md
+++ b/docs/Operation-Guide/add-administrators-bbbdbdd.md
@@ -23,7 +23,9 @@ You can add both a person and a system in the administration console to act as a
[Edit Administrator Authorizations](edit-administrator-authorizations-86ee374.md "As a tenant administrator, you can edit both your own authorizations and other administrators' authorizations in the administration console for SAP Cloud Identity Services. By editing the administrator authorizations you can also delete an administrator.")
-[Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md "Configure a granular access control based on policies for the administrators of SAP Cloud Identity Services.")
+[Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md "Enable admin authorizations based on policies to configure a granular access control for the administrators of SAP Cloud Identity Services.")
+
+[Add Administrators via SAP for Me](https://support.sap.com/content/s4m/help/systems/systems/details/ias.html)
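Review bot: the new Related Information entry is the only one without the quoted one-line description the sibling entries carry, and it points to an external absolute URL. Add a short description such as the task it covers, so the list stays uniform and the reader knows before clicking that it leaves the documentation set.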
diff --git a/docs/Operation-Guide/add-instructions-section-on-sign-in-screen-c9e717e.md b/docs/Operation-Guide/add-instructions-section-on-sign-in-screen-c9e717e.md
index 8319a71..6512fd7 100644
--- a/docs/Operation-Guide/add-instructions-section-on-sign-in-screen-c9e717e.md
+++ b/docs/Operation-Guide/add-instructions-section-on-sign-in-screen-c9e717e.md
@@ -101,7 +101,7 @@ The default value of the `logon.ui.login.instructions` key is empty and nothing
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-a-logo-for-an-application-778f748.md b/docs/Operation-Guide/add-logo-for-an-application-ef9e5d5.md
similarity index 55%
rename from docs/Operation-Guide/configure-a-logo-for-an-application-778f748.md
rename to docs/Operation-Guide/add-logo-for-an-application-ef9e5d5.md
index 1630b43..0d30b8c 100644
--- a/docs/Operation-Guide/configure-a-logo-for-an-application-778f748.md
+++ b/docs/Operation-Guide/add-logo-for-an-application-ef9e5d5.md
@@ -1,10 +1,24 @@
-
+
-# Configure a Logo for an Application
+# Add Logo for an Application
-You can configure a custom logo for a specific application by uploading an image. Furthermore, you can remove a configured logo and leave the display name only as a title for the application.
+Configure a custom logo for a specific application by choosing it from the list of your uploaded images in the administration console.
-The logo is displayed on the application's logon page and can be included into the Emails sent to users.
+
+
+
+
+## Prerequisites
+
+You have uploaded an image in the administration console. See [Upload Logo in Administration Console](upload-logo-in-administration-console-41e7627.md).
+
+
+
+
+
+## Context
+
+The logo is displayed on the application's logon page and can be included into thee mails sent to users. You can also remove a configured logo and leave the display name only as a title for the application.
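Review bot: the new Context paragraph introduces a typo: "included into thee mails sent to users" should be "included in the emails sent to users".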
@@ -25,17 +39,14 @@ The logo is displayed on the application's logon page and can be included into t
5. Under *BRANDING*, choose *Logo*.
-6. To set a custom logo, upload an image with the required format.
+6. To set a custom logo for the application, choose *Edit*.
- You can use one of the following formats for the image: .png, .gif, and .jpeg.
-
- > ### Note:
- > The image must be smaller than 100 KB and with a maximum size of 300x100.
+7. Choose the *Image* field and select an image from the list that appears.
-7. Save your configuration.
+8. Save your configuration.
> ### Tip:
- > To remove a configured logo, choose the *Delete* button and confirm your choice.
+ > To remove a configured logo, choose the *Remove* button and confirm your choice.
**Related Information**
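Review bot: this hunk removes the only statement of the image constraints (`.png`, `.gif`, `.jpeg`; smaller than 100 KB; maximum 300x100) from this page. Verify that the same constraints now appear in the Upload Logo in Administration Console document referenced in the Prerequisites; if not, the limits are no longer documented anywhere.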
diff --git a/docs/Operation-Guide/add-new-language-of-a-privacy-policy-document-fa2b0f3.md b/docs/Operation-Guide/add-new-language-of-a-privacy-policy-document-fa2b0f3.md
index 552e508..0cb295c 100644
--- a/docs/Operation-Guide/add-new-language-of-a-privacy-policy-document-fa2b0f3.md
+++ b/docs/Operation-Guide/add-new-language-of-a-privacy-policy-document-fa2b0f3.md
@@ -10,7 +10,7 @@ To add a language version of a privacy policy document, you must upload a UTF-8
## Prerequisites
-You have created a privacy policy document in the administration console. For more information, see[Create a New Privacy Policy Document](create-a-new-privacy-policy-document-e73cf2d.md) .
+You have created a privacy policy document in the administration console. For more information, see [Create a New Privacy Policy Document](create-a-new-privacy-policy-document-e73cf2d.md) .
diff --git a/docs/Operation-Guide/add-users-to-a-group-d2e1a01.md b/docs/Operation-Guide/add-users-to-a-group-d2e1a01.md
index 2f0cad2..fdcc20f 100644
--- a/docs/Operation-Guide/add-users-to-a-group-d2e1a01.md
+++ b/docs/Operation-Guide/add-users-to-a-group-d2e1a01.md
@@ -48,7 +48,7 @@ As a tenant administrator, you can add one or more users created for a specific
## Next Steps
-Configure the attributes that are sent to the application in the assertion. For more information, see [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
+Configure the attributes that are sent to the application in the assertion. For more information, see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
**Related Information**
diff --git a/docs/Operation-Guide/always-require-password-from-users-dd9f48e.md b/docs/Operation-Guide/always-require-password-from-users-dd9f48e.md
index 012b001..97d4138 100644
--- a/docs/Operation-Guide/always-require-password-from-users-dd9f48e.md
+++ b/docs/Operation-Guide/always-require-password-from-users-dd9f48e.md
@@ -14,6 +14,9 @@ By enabling the *Force Authentication* option users must always provide a passwo
Force authentication can be enabled for both OpenID Connect and SAML 2.0 applications.
+> ### Note:
+> In the context of a corporate identity provider scenario, if an application requires force authentication, users have to authenticate themselves against the corporate identity provider each time they access the application even if single sign-on \(SSO\) is enabled.
+
To enable force authentication for an application, proceed as follows:
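Review bot: the new Note states as a fact that users "have to authenticate themselves against the corporate identity provider each time". In a proxy scenario this depends on the corporate identity provider honouring the forced re-authentication indicator that is forwarded to it (SAML `ForceAuthn` or the OIDC `prompt=login` request parameter); an identity provider that ignores it will still grant single sign-on. Suggest qualifying the sentence with that dependency.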
diff --git a/docs/Operation-Guide/assign-authorization-policies-eac8e5e.md b/docs/Operation-Guide/assign-authorization-policies-eac8e5e.md
index d083be9..3614e3c 100644
--- a/docs/Operation-Guide/assign-authorization-policies-eac8e5e.md
+++ b/docs/Operation-Guide/assign-authorization-policies-eac8e5e.md
@@ -29,12 +29,6 @@ As an administrator, you can assign authorizations to users.
-
-
-## Context
-
-
-
## Procedure
diff --git a/docs/Operation-Guide/change-a-tenant-s-display-name-a513c91.md b/docs/Operation-Guide/change-a-tenant-s-display-name-a513c91.md
index 370d0c3..71adf02 100644
--- a/docs/Operation-Guide/change-a-tenant-s-display-name-a513c91.md
+++ b/docs/Operation-Guide/change-a-tenant-s-display-name-a513c91.md
@@ -98,7 +98,7 @@ To edit the tenant's display name, proceed as follows:
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/change-tenant-texts-via-administration-console-c24b1d0.md b/docs/Operation-Guide/change-tenant-texts-via-administration-console-c24b1d0.md
index d4b3c58..deacc16 100644
--- a/docs/Operation-Guide/change-tenant-texts-via-administration-console-c24b1d0.md
+++ b/docs/Operation-Guide/change-tenant-texts-via-administration-console-c24b1d0.md
@@ -51,12 +51,14 @@ To change the tenant texts via the administration console, proceed as follows:
You can use the search field, or the filtering and sorting option, or you can expand the page for more results.
-5. Add the new text in the *Custom Value* field next to the text that you want to change.
+5. Choose the *Edit* button.
+
+6. Add the new text in the *Custom Value* field next to the text that you want to change.
> ### Note:
> Repeat the step for all the texts that you want to change.
-6. Save your changes.
+7. Save your changes.
If the operation is successful, you receive the `Tenant Texts updated` message.
@@ -122,7 +124,7 @@ The default tenant texts are changed with the custom ones. It may take up to 2 m
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/choose-default-identity-provider-for-an-application-e9d8274.md b/docs/Operation-Guide/choose-default-identity-provider-for-an-application-e9d8274.md
index 6ba2337..b6c40a3 100644
--- a/docs/Operation-Guide/choose-default-identity-provider-for-an-application-e9d8274.md
+++ b/docs/Operation-Guide/choose-default-identity-provider-for-an-application-e9d8274.md
@@ -65,7 +65,7 @@ To choose a default identity provider for an application, proceed as follows:
If you select the local identity provider, you will able to access the custom configurations for the applications.
- If you select a corporate identity provider, you will not be able to access the custom configurations for the applications. The *Authentication and Access* and *Branding and Layout* tabs will not be visible. The user will be prompted to provide credentials in a single logon page.
+ If you select a corporate identity provider, you will access only some of the custom configurations for the applications. The configurations under the *Authentication and Access* and *Branding and Layout* tabs will be partially visible. The user will be prompted to provide credentials in a single logon page.
8. **Optional:** \(When a corporate identity provider is chosen as default identity provider\) Enable the *Allow Identity Authentication Users Log On* option. For more information see, [Use the Allow Identity Authentication Users Log On Option](use-the-allow-identity-authentication-users-log-on-option-2ec9a7f.md).
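Review bot: The replacement wording in the changed line ("you will access only some of the custom configurations", "will be partially visible") is vaguer than the sentence it replaces; name which settings under *Authentication and Access* and *Branding and Layout* remain available when a corporate identity provider is the default, or link to the topic that lists them, so administrators can tell which controls still apply to the application. The unchanged context line above it also reads "you will able to access" and should be "you will be able to access".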
diff --git a/docs/Operation-Guide/combine-authorization-policies-1a69414.md b/docs/Operation-Guide/combine-authorization-policies-1a69414.md
index 587a7c0..cf8f379 100644
--- a/docs/Operation-Guide/combine-authorization-policies-1a69414.md
+++ b/docs/Operation-Guide/combine-authorization-policies-1a69414.md
@@ -1,7 +1,5 @@
-
-
# Combine Authorization Policies
You can combine authorization policies to create a new one. This new authorization policy gets the rules of the authorization policies that you combined.
@@ -23,9 +21,9 @@ You can combine authorization policies to create a new one. This new authorizati
3. Choose the *Authorization Policies* tab.
-4. Choose :heavy_plus_sign: \(Create new policy\).
+4. Choose *Create*.
-5. Choose *Combine*.
+5. Choose *Add Combination*.
6. Choose the authorization policies you want to combine and enter a name for the new authorization policy.
@@ -37,6 +35,8 @@ You can combine authorization policies to create a new one. This new authorizati
10. Choose the *Rules* tab and edit the label and description of the authorization policy. The description is an optional comment.
-11. Save your changes.
+11. To change the rules, choose *Edit*. For more information, see [Edit an Authorization Policy](edit-an-authorization-policy-c76aca6.md).
+
+12. Save your changes.
diff --git a/docs/Operation-Guide/configure-allowed-logon-identifiers-3adf1ff.md b/docs/Operation-Guide/configure-allowed-logon-identifiers-3adf1ff.md
index f24b508..64ef01f 100644
--- a/docs/Operation-Guide/configure-allowed-logon-identifiers-3adf1ff.md
+++ b/docs/Operation-Guide/configure-allowed-logon-identifiers-3adf1ff.md
@@ -230,7 +230,7 @@ Users can logon to the applications in the tenant only with the selected logon i
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-application-authorizations-01cff18.md b/docs/Operation-Guide/configure-application-authorizations-01cff18.md
new file mode 100644
index 0000000..ca88659
--- /dev/null
+++ b/docs/Operation-Guide/configure-application-authorizations-01cff18.md
@@ -0,0 +1,56 @@
+
+
+# Configure Application Authorizations
+
+Configure access to the applications in the administration console of SAP Cloud Identity Services.
+
+
+
+
+
+## Prerequisites
+
+You have enabled the authorizations based op policies option in the admin console for SAP Cloud Identity Services. See [Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md).
+
+
+
+## Context
+
+> ### Restriction:
+> This feature is relevant only for the Administration Console application.
+
+Once it's enabled, it may take up to 60 seconds before the administrator can see the *Authorization Policies* tab when accessing the administration console application. Under the "applications" package the following base policies are visible: `CREATE_APPLICATIONS` , `DELETE_APPLICATIONS`, `MANAGE_APPLICATIONS`, `READ_APPLICATIONS`, and `UPDATE_APPLICATIONS`. You can add users to these policies so that they can have the rights these policies give.
+
+> ### Note:
+> The Manage Applications authorization overrides all "applications" package policies, while the Manage Users authorization overrides the `READ_APPLICATIONS` policy only. If you want to configure access to the applications based on policies, you must remove the Manage Applications and Manage Users authorizations. For more information, see [Edit Administrator Authorizations](edit-administrator-authorizations-86ee374.md).
+
+> ### Example:
+> Michael Adams is an administrator at retail company A. He has all the authorizations in the administration console for SAP Cloud Identity Services. Dona Moore the financial manager at company A. She is not an administrator, but she needs to have access to the list of all applications in the tenant. Michael Adams adds her to the `READ_APPLICATIONS` policy. As a result, now, when Dona accesses the administration console she sees only the *Applications* tile, and all the operations in it are read-only.
+
+
+
+## Procedure
+
+1. Sign in to the administration console for SAP Cloud Identity Services.
+
+2. Under *Applications & Resources*, choose *Applications*.
+
+3. Under *System Applications*, choose the list item for the administration console.
+
+4. Under the tab *Authorization Policies*, filter the policies by the "applications" package.
+
+ > ### Note:
+ > This limits the policies to the following: `CREATE_APPLICATIONS` , `DELETE_APPLICATIONS`, `MANAGE_APPLICATIONS`, `READ_APPLICATIONS`, and `UPDATE_APPLICATIONS`.
+
+5. Select a policy from the list
+
+6. Choose *Add* button.
+
+7. Select the user or users and choose *Add*.
+
+
+**Related Information**
+
+
+[Configure User Authorizations](configure-user-authorizations-424b64c.md "Configure a granular access control based on policies for the administrators of SAP Cloud Identity Services.")
+
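Review bot: The Note saying that the Manage Applications and Manage Users authorizations override the "applications" package policies is the condition under which a policy restricts access at all, so repeat it in Prerequisites (for example "You have removed the Manage Applications and Manage Users authorizations from the users you want to restrict"); otherwise an administrator who only adds a user to `READ_APPLICATIONS` may assume that user is read-only while a broader authorization still applies. Three wording defects in the same new topic: the Prerequisites line reads "authorizations based op policies" (should be "based on policies"); the Example sentence "Dona Moore the financial manager at company A" lacks its verb ("Dona Moore is the financial manager"); and steps 5 and 6 read "Select a policy from the list" without a period and "Choose *Add* button" without the article.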
diff --git a/docs/Operation-Guide/configure-authorizations-based-on-policies-08fea39.md b/docs/Operation-Guide/configure-authorizations-based-on-policies-08fea39.md
index 2ec1403..1caa33f 100644
--- a/docs/Operation-Guide/configure-authorizations-based-on-policies-08fea39.md
+++ b/docs/Operation-Guide/configure-authorizations-based-on-policies-08fea39.md
@@ -2,15 +2,7 @@
# Configure Authorizations Based on Policies
-Configure a granular access control based on policies for the administrators of SAP Cloud Identity Services.
-
-
-
-
-
-## Prerequisites
-
-You have enabled the feature by accessing the admin console for SAP Cloud Identity Services: *access the admin console* \> *Tenant Settings* \> *Policy-Based Authorizations* \> *еnable the option*.
+Enable admin authorizations based on policies to configure a granular access control for the administrators of SAP Cloud Identity Services.
@@ -19,211 +11,7 @@ You have enabled the feature by accessing the admin console for SAP Cloud Identi
> ### Restriction:
> This feature is relevant only for the Administration Console application.
-Sometimes the administrator authorizations that are predefined in the tenant of SAP Cloud Identity Services aren't enough. The predefined administrator authorizations give unlimited data access. However, you may need to define authorization models with more complex instance restrictions for data access, as is the so-called attribute-based access control \(ABAC\). Administrators define authorization policies with user attributes and assign these policies to other administrators. Thus, one administrator can have access to a subset of the users in the tenant or to a subset of the attributes of the user.
-
-The option to configure authorization policies for the administration console is available only upon request via [SAP Support Portal Home](https://support.sap.com/en/index.html) under the component `BC-IAM-IDS`. Once it's granted, it may take up to 60 seconds before the administrator can see the *Authorization Policies* tab when accessing the administration console application. Initially, only the base policies are visible: `CREATE_USERS` , `DELETE_USERS`, `MANAGE_USERS`, `READ_USERS`, `UPDATE_USERS`, `CREATE_SCIM_SCHEMAS`, `DELETE_SCIM_SCHEMAS`, `MANAGE_SCIM_SCHEMAS`, `READ_SCIM_SCHEMAS`, `CREATE_GROUPS`, `DELETE_GROUPS`, `MANAGE_GROUPS`, `READ_GROUPS`, and `UPDATE_GROUPS`. You can create new authorization policies on the base of these policies and assign them to administrators.
-
-> ### Note:
-> The Read Users authorization overrides the READ\_USERS authorization policy, while the Manage Users authorization overrides all user authorization policies.
-
-When you create a new policy, you can restrict the users on the basis of the following attributes: `user.name`, `country`, `costCenter`, `division`, `department`, and `organization`. The subsets of the user attributes are configured via the `user.attributes`.
-
-**User Attributes**
-
-
-
-
-
-
-Attributes
-
-
-
-
-Value
-
-
-
-
-
-
-`user.name`
-
-
-
-
-The *Login Name* of the user as defined in the administration console.
-
-
-
-
-
-
-`user.addresses.country`
-
-
-
-
-The value must match the predefined master data one. See [Countries.properties](../Development/change-master-data-texts-rest-api-b10fc6a.md#loioe4e7e4c52cf04295bf94465eba7ceaaa).
-
-The addresses must be marked as primary via the [Identity Directory SCIM REST API](https://api.sap.com/api/IdDS_SCIM/overview). Users who don't have a primary address are excluded even if the `user.addresses.country` attribute matches the address of the user.
-
-> ### Tip:
-> Use the key from the key-value pair for the value of the `user.country` attribute. For example, you must use `DE` from the key-value pair `DE=Germany`.
-
-
-
-
-
-
-
-
-`user.costCenter`
-
-
-
-
-The *Cost Center* of the user as defined in the administration console.
-
-
-
-
-
-
-`user.division`
-
-
-
-
-The *Division* of the user as defined in the administration console.
-
-
-
-
-
-
-`user.department`
-
-
-
-
-The value must match the predefined master data one. See [Departments.properties](../Development/change-master-data-texts-rest-api-b10fc6a.md#loiod13c638f0d5d4a8889debf278fcb0275)
-
-
-
-
-
-
-`user.organization`
-
-
-
-
-The *Company* of the user as defined in the administration console.
-
-
-
-
-
-
-`user.attributes`
-
-
-
-
-The policy allows you to see the attributes that are defined in the value field. The attributes' value format must be according to SCIM notation.
-
-The supported attributes that can be defined in the policy are listed in the **Supported Attributes** section below this table.
-
-> ### Note:
-> If the `user.аttributes` is used with the "=" operator, it supports only one attribute. For more attributes, use the "IN" operator adding each attribute separately.
-
-> ### Note:
-> If you use the attribute `password`, you must also add the following two attributes: `active` and `urn:ietf:params:scim:schemas:extension:sap:2.0:User:status`. The attributes must be separated with comma, with no space between them.
-
-
-
-
-
-
-
-
-*Deprecated*
-
-`user.excludedAttributes`
-
-
-
-
-> ### Note:
-> The `user.excludedAttributes` attribute is deprecated.
->
-> If you have a policy configured with the `user.excludedAttributes` attribute exchange the `user.excludedAttributes` with the `user.attributes` attribute in combination with the "NOT IN" operator.
->
-> If the policy is configured with the `user.аttributes` attribute used with the "=" operator, it supports only one attribute. For more attributes, use the "IN" operator adding each attribute separately.
-
-
-
-
-
-
-
-Expand the **Supported Attributes** section below to see the user attributes that can be configured in the authorization policy:
-
-
-
-### Supported Attributes
-
-**Core Schema**
-
-- `firstName`
-- `lastName`
-- `loginName`
-- `displayName`
-- `addresses.country`
-- `addresses.streetAddress`
-- `addresses.streetAddress2`
-- `phoneNumbers.value`
-- `phoneNumbers.verified`
-- `emails.value`
-- `emails.verified`
-- `password`
-
-> ### Note:
-> For the attributes defined in the core schema, the Schema URI notation `[urn:ietf:params:scim:schemas:core:2.0:User]` is not needed, for all the other attributes, schema URI and the attribute name is required. For example: `user.attributes IN displayName,addresses.country,emails.value;`
-
-**EnterpriseUuser Resource Schema**
-
-- `costCenter`
-- `organization`
-- `division`
-- `department`
-
-> ### Note:
-> All Enterprise user resource schema attributes require the schema URI urn:ietf:params:scim:schemas:extension:enterprise:2.0:User and the attribute name.
->
-> For example:`user.attributes IN urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization;`
-
-**SAP extension schema**
-
-- `globalUserId`
-- `validFrom`
-- `validTo`
-
-> ### Note:
-> All SAP extension schema attributes require the schema URI urn:ietf:params:scim:schemas:extension:sap:2.0:User and the attribute name. For example: user.excludedAttributes=urn:ietf:params:`scim:schemas:extension:sap:2.0:User:userUuid, urn:ietf:params:scim:schemas:extension:sap:2.0:User:validFrom;`
-
-**Custom Defined Schema**
-
-All custom schema defined attributes require fully qualified attribute name. For example: `user.attributes=urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema:CustomString`
-
-Groups of type `Authorization Policy` with names containing the names of the authorization policies are also created in the administration console. You can't delete these groups via the *Groups* section. The groups are related to the authorization policies, and when you delete a policy, the respective group is also removed.
-
-> ### Restriction:
-> You need both read and update access rights to be able to update a field in the administration console. If you can't see a field because of a a policy restriction, this field remains also disabled for editing even if update rights are granted to you.
-
-> ### Example:
-> Michael Adams is an administrator at retail company A. He is located at the company's head office in Germany and as chief administrator of the company he has all the authorizations in the administration console for SAP Cloud Identity Services. Dona Moore is also an administrator at company A. She is responsible for the branch office in the USA. As such she needs to have access only to the users in the USA. Michael Adams creates an authorization policy for read-users access and assigns Dona Moore to that policy. He also removes the *Read Users* and *Manage Users* authorizations that Dona has as an administrator. As a result, now, when Dona accesses the *User Management* section of the administration console, she sees only the users that are located in the USA. All the other users are hidden.
+To be able to configure authorizations based on policies, you must enable the feature via the admin console for SAP Cloud Identity Services. Once it's enabled, it may take up to 60 seconds before the administrator can see the *Authorization Policies* tab when accessing the administration console application.
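Review bot: This hunk removes the reference material for the feature (the user attribute table, the Supported Attributes lists with their schema URIs, the `password` note requiring `active` and `urn:ietf:params:scim:schemas:extension:sap:2.0:User:status`, the `user.excludedAttributes` deprecation, the read-plus-update restriction, and the note that the Read Users and Manage Users authorizations override policies) without the replacement sentence saying where it now lives. If it moved to the Configure User Authorizations topic that the new application-authorizations file links to, add that link in the Context paragraph or under Related Information; if not, restore it, because the override note in particular decides whether a policy restricts anything. The removed example also carried the step of removing Dona's *Read Users* and *Manage Users* authorizations, which is the part readers most need when enabling the feature.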
@@ -231,25 +19,11 @@ Groups of type `Authorization Policy` with names containing the names of the aut
1. Sign in to the administration console for SAP Cloud Identity Services.
-2. Under *Applications & Resources*, choose *Applications*.
-
-3. Under *System Applications*, choose the list item for the administration console.
-
-4. Under the tab *Authorization Policies*, select a custom authorization policy.
-
- > ### Note:
- > Type the name or package in the search field, filter the names or packages, or choose the policy from the list.
- >
- > If you don’t have a created authorization policy in your list, you can create one. For more information, see [Create an Authorization Policy](create-an-authorization-policy-897fc30.md).
-
-5. Choose the *Edit* button.
-
- 1. To customise the rules of the authorization policy, choose the *Rules*.
-
- 2. To assign administrator or administrators to this policy, choose the *Assignments* tab.
+2. Under *Applications & Resources*, choose *Tenant Settings*.
+3. Under *General*, choose *Policy-Based Authorizations*.
-6. Save your changes.
+4. Enable the policy-based authorizations.
**Related Information**
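Review bot: The new steps 2 and 3 are written on consecutive lines while the rest of the procedure (steps 1 and 4, and every other numbered list in this patch) separates items with a blank line; add the blank lines for consistency. Step 4, "Enable the policy-based authorizations", should name the exact control and mention that the *Authorization Policies* tab appears on the administration console application after up to 60 seconds, so the reader knows where to verify that the change took effect.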
diff --git a/docs/Operation-Guide/configure-custom-mail-server-56cab62.md b/docs/Operation-Guide/configure-custom-mail-server-56cab62.md
index 4a9f5eb..45d68e8 100644
--- a/docs/Operation-Guide/configure-custom-mail-server-56cab62.md
+++ b/docs/Operation-Guide/configure-custom-mail-server-56cab62.md
@@ -18,6 +18,9 @@ You are assigned the *Manage Tenant Configuration* role. For more information ab
The custom mail server must support SSL \(Secure Sockets Layer\). Identity Authentication trusts all certificates from Java SE Runtime Environment 8, therefore the mail server should use only them as a certificate authority when communicating with Identity Authentication. All certificate authorities from the certificate chain must be trusted by Identity Authentication to be able to communicate with the mail server.
+> ### Note:
+> You can configure rate limits your emails between 30 and 600 per minute. Beware that this will affect all types of emails, including parallel bulk upload of users.
+
> ### Remember:
> You can have only one mail server configuration. Once you configure the custom mail server, all emails will go through this configuration.
>
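Review bot: The added Note has a grammar error: "You can configure rate limits your emails between 30 and 600 per minute" should read "You can configure a rate limit for your emails of between 30 and 600 per minute". Since the same Note warns that the limit also throttles parallel bulk upload of users, say whether emails over the limit are queued or dropped; an administrator setting a low limit while importing many users needs to know which.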
diff --git a/docs/Operation-Guide/configure-custom-password-policy-67bece2.md b/docs/Operation-Guide/configure-custom-password-policy-67bece2.md
index af0e456..a91cbb9 100644
--- a/docs/Operation-Guide/configure-custom-password-policy-67bece2.md
+++ b/docs/Operation-Guide/configure-custom-password-policy-67bece2.md
@@ -60,24 +60,24 @@ To create and configure a new custom password policy, follow the procedure:
- *Policy Strength*
+ *Policy Name*
- This strength specifies the priority of the password policy. It will define which policy will be enforced for password checks. It's the responsibility of the tenant administrator to configure the custom password policy stronger than the standard and enterprise ones.
+ The name of the password policy that appears in the administration console.
- *Password Policy Name*
+ *Policy Strength*
- The name of the password policy that appears in the administration console.
+ This strength specifies the priority of the password policy. It will define which policy will be enforced for password checks. It's the responsibility of the tenant administrator to configure the custom password policy stronger than the standard and enterprise ones.
@@ -120,7 +120,7 @@ To create and configure a new custom password policy, follow the procedure:
- *Maximum Duration of User Inactivity*
+ *User Inactivity*
@@ -137,7 +137,7 @@ To create and configure a new custom password policy, follow the procedure:
- *Number of Last Used Passwords that Cannot Be Reused*
+ *Password History*
@@ -149,12 +149,12 @@ To create and configure a new custom password policy, follow the procedure:
- *Number of Allowed Failed Logon Attempts*
+ *Failed Sign In Attempts*
- The number of allowed failed logon attempts can be between 1 and 6. The default value is 5.
+ The number of allowed failed sign in attempts can be between 1 and 6. The default value is 5.
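Review bot: The renamed label and its description use "sign in" as a modifier ("Failed Sign In Attempts", "failed sign in attempts"); elsewhere in this patch the hyphenated form is used ("Configure Links Section on Sign-In Screen"), so write "Failed Sign-In Attempts" and "failed sign-in attempts" to match.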
@@ -178,13 +178,17 @@ To create and configure a new custom password policy, follow the procedure:
- *Password Behavior*
+ *Required Character Groups*
- - *Reset password* - At logon, the user is forced to reset password, if the current password is not compliant with the new password policy. This is the default choice.
- - *Change password* - At logon, the user is redirected to the change password page if the current password is not compliant with the new password policy.
+ Specifies the number of required character groups for the password. The value can be between 1 and 4. Based on the value, the users are required to include 1, 2, 3 or 4 of the following in their passwords:
+
+ - Uppercase letters
+ - Lowercase letters
+ - Numbers
+ - Symbols
@@ -193,17 +197,13 @@ To create and configure a new custom password policy, follow the procedure:
- *Required character groups count*
+ *Password Behavior*
- Specifies the number of required character groups for the password. The value can be between 1 and 4. Based on the value, the users are required to include 1, 2, 3 or 4 of the following in their passwords:
-
- - Uppercase letters
- - Lowercase letters
- - Numbers
- - Symbols
+ - *Reset password* - At logon, the user is forced to reset password, if the current password is not compliant with the new password policy. This is the default choice.
+ - *Change password* - At logon, the user is redirected to the change password page if the current password is not compliant with the new password policy.
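Review bot: In the relocated *Password Behavior* bullets, "the user is forced to reset password" lacks an article ("to reset the password"); since the lines are being moved anyway, fix the wording here rather than carrying it over.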
diff --git a/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-fe6e30c.md b/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-fe6e30c.md
deleted file mode 100644
index 5feecd6..0000000
--- a/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-fe6e30c.md
+++ /dev/null
@@ -1,180 +0,0 @@
-
-
-# Configure Customer-Controlled Encryption Keys in Administration Console
-
-
-
-## Context
-
-> ### Note:
-> You can clear the fields by choosing the *Remove Configuration* button at the top of the screen.
-
-To configure the customer controlled encryption keys via the administration console for SAP Cloud Identity Services, follow the procedure:
-
-
-
-## Procedure
-
-1. Sign in to the administration console for SAP Cloud Identity Services.
-
-2. Under *Applications and Resources*, choose the *Tenant Settings* tile.
-
- At the top of the page, you can view the administrative and license relevant information of the tenant.
-
-3. Under *General*, choose the *CCEK Configuration* list item.
-
-4. Fill in the equired information:
-
-
-
-
-
-
- Configuration
-
-
-
-
-
-
- Notes
-
-
-
-
-
-
-
-
- **API URL**
-
-
-
-
-
-
- The base URL of Data Custodian API. You can find it in the API Endpoints.txt document you receive when you generate a new key in the Data Custodian API.
-
- > ### Example:
- > `https://kms-apiaws-datacustodian.cloud.sap`
-
-
-
-
-
-
-
-
- **Key ID**
-
-
-
-
-
-
- Data Custodian Key ID. You can find in it in the *Details* section of the Data Custodian Key Management Service
-
-
-
-
-
-
-
-
- **Client ID**
-
-
-
-
-
-
- The Access Key you receive with the API Endpoints.txt document when you generate a new key in the Data Custodian API
-
-
-
-
-
-
-
-
- **Client Secret**
-
-
-
-
-
-
- The Secret Key you receive with the API Endpoints.txt document when you generate a new key in the Data Custodian API
-
-
-
-
-
-
-
-5. Save your configuration.
-
-6. Activate the configuration.
-
-
-**Related Information**
-
-
-[Tenant SAML 2.0 Configuration](tenant-saml-2-0-configuration-e81a19b.md "You as a tenant administrator can view and download the tenant SAML 2.0 metadata. You can also change the name format and update your certificate used by the identity provider to digitally sign the messages for the applications.")
-
-[Tenant OpenID Connect Configurations](tenant-openid-connect-configurations-3d6abcc.md "You as a tenant administrator can view and configure the tenant OpenID Connect configurations.")
-
-[Change Tenant Texts Via Administration Console](change-tenant-texts-via-administration-console-c24b1d0.md "The change tenant texts option can be used to change the predefined texts and messages for end-user screens available per tenant in Identity Authentication via the administration console.")
-
-[Configure Master Data Texts Via Administration Console](configure-master-data-texts-via-administration-console-c068ac9.md "The master data texts option can be used to configure the predefined master data for each resource in Identity Authentication via the administration console.")
-
-[Configure Links Section on Sign-In Screen](configure-links-section-on-sign-in-screen-060c032.md "You can configure links to appear on the sign-in screen of your applications.")
-
-[Add Instructions Section on Sign-In Screen](add-instructions-section-on-sign-in-screen-c9e717e.md "You can customize the sign-in screen of the Horizon theme with instructions for the user.")
-
-[Configure X.509 Client Certificates for User Authentication](configure-x-509-client-certificates-for-user-authentication-52c7dcb.md "Tenant administrators can configure X.509 client certificates for user authentication as an alternative to authenticating with a user name and a password.")
-
-[Configure Tenant Images](configure-tenant-images-8742046.md "You can configure a custom global logo and, or a background image on the forms for sign-in in, registration, upgrade, password update, and account activation for all applications in a tenant. You can also set a favicon for tenant.")
-
-[Configure Allowed Logon Identifiers](configure-allowed-logon-identifiers-3adf1ff.md "Tenant administrators can choose the allowed logon identifiers for the users.")
-
-[Configure User Identifier Attributes](configure-user-identifier-attributes-8b9fa88.md "Tenant administrators can configure user identifier attributes as required and unique for the tenant.")
-
-[Configure Trust this browser Option](configure-trust-this-browser-option-5b8377e.md "Tenant administrator can set the number of days for which the users won't get prompted for second-factor authentication, if they sign in from the same browser.")
-
-[Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices](enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md "Tenant administrator can configure back-up channels to send TOTP deactivation passcodes to the user.")
-
-[Enable Users to Recover Password with Security Questions](enable-users-to-recover-password-with-security-questions-d9ae898.md "Users can choose to answer security questions to reset their password.")
-
-[Enable Users to Recover Password with PIN Code](enable-users-to-recover-password-with-pin-code-046a235.md "Users can choose to provide PIN code to reset their password.")
-
-[Configure Initial Password and Email Link Validity](configure-initial-password-and-email-link-validity-f8093f4.md "As a tenant administrator, you can configure the validity of the initial password and link sent to a user in the various application processes.")
-
-[Configure Session Timeout](configure-session-timeout-5ca23e4.md "As a tenant administrator, you can configure when the session, created at the Identity Authentication tenant, expires.")
-
-[Configure Trusted Domains](configure-trusted-domains-08fa1fe.md "Service providers that delegate authentication to Identity Authentication can protect their applications when using embedded frames, also called overlays, or when allowing user self-registration.")
-
-[Use Custom Domain in Identity Authentication](use-custom-domain-in-identity-authentication-c4db840.md "Identity Authentication allows you to use a custom domain that is different from the default one (.accounts.ondemand.com) - for example www.mytenant.com.")
-
-[Change a Tenant's Display Name](change-a-tenant-s-display-name-a513c91.md "You can configure the tenant's name from the administration console for SAP Cloud Identity Services.")
-
-[Configure Default Risk-Based Authentication for All Applications in the Tenant](configure-default-risk-based-authentication-for-all-applications-in-the-tenant-1aab51a.md#loio1aab51ae62b94f79b4c6dac7a00857c2 "You can define rules for authentication according to different risk factors and apply actions like Allow, Deny, and Two-Factor Authentication for all applications in a tenant.")
-
-[Configure Sinch Service in Administration Console](configure-sinch-service-in-administration-console-3fdc9e1.md "Configure Sinch Service to enable Phone Verification via SMS or SMS Two-Factor Authentication in the administration console.")
-
-[Configure RADIUS Server Settings \(Beta\)](configure-radius-server-settings-beta-03043ae.md "Configure Remote Authentication Dial-In User Service (RADIUS) server settings in the administration console for SAP Cloud Identity Services.")
-
-[Configure Mail Server for Application Processes](configure-mail-server-for-application-processes-ccc7ba1.md "Configure mail server for the emails sent to the end users in the different application processes.")
-
-[Configure IdP-Initiated SSO](configure-idp-initiated-sso-5d59caa.md)
-
-[Send Security Alert Emails](send-security-alert-emails-c977464.md "Send security alert emails to end-users or administrators when changes in their accounts are made.")
-
-[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-
-[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
-
-[Configure P-User Next Index](configure-p-user-next-index-045bb1c.md "Set the value for the P-user next index.")
-
-[Reuse SAP Cloud Identity Services Tenants for Different Customer IDs](reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md "You as a tenant administrator can reuse an existing tenant for configurations and automated subscriptions.")
-
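Review bot: Deleting this un-suffixed topic, which shares the id fe6e30c with the renamed Restricted Availability file, removes a duplicate, but the other hunks in this patch only rewrite links that pointed at the early-adoption filename; check the docs for links to configure-customer-controlled-encryption-keys-in-administration-console-fe6e30c.md before merging so that no topic is left pointing at a deleted file.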
diff --git a/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md b/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md
similarity index 98%
rename from docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md
rename to docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md
index d1fe1a3..bcf3404 100644
--- a/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md
+++ b/docs/Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md
@@ -1,6 +1,6 @@
-# Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)
+# Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)
@@ -9,7 +9,7 @@
## Prerequisites
- You have an SAP Data Custodian tenant. For more information, see [SAP Data Custodian Help Guide](https://help.sap.com/docs/sap-data-custodian/help-guide/overview?version=latest) .
-- You have read and accept all Customer-Controlled Encryption Keys \(CCEK\) limitations. For more information, see *Limitations* section in [Customer-Controlled Encryption Keys \(Early Adoption\)](../Security/customer-controlled-encryption-keys-early-adoption-177108a.md).
+- You have read and accept all Customer-Controlled Encryption Keys \(CCEK\) limitations. For more information, see *Limitations* section in [Customer-Controlled Encryption Keys \(Restricted Availability\)](../Security/customer-controlled-encryption-keys-restricted-availability-177108a.md).
- You have tested all your scenarios on a test tenant, before activating CCEK on a productive tenant. For more information, see [Tenant Model and Licensing](../tenant-model-and-licensing-93160eb.md).
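Review bot: The changed prerequisite now links to ../Security/customer-controlled-encryption-keys-restricted-availability-177108a.md, and that rename is not among the hunks shown here; confirm it is part of the same change or the link breaks. The unchanged line above it has a stray space before the period ("...version=latest) .").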
diff --git a/docs/Operation-Guide/configure-default-attributes-for-subscribed-applications-621017f.md b/docs/Operation-Guide/configure-default-attributes-for-subscribed-applications-621017f.md
deleted file mode 100644
index c6f5b65..0000000
--- a/docs/Operation-Guide/configure-default-attributes-for-subscribed-applications-621017f.md
+++ /dev/null
@@ -1,15 +0,0 @@
-
-
-# Configure Default Attributes for Subscribed Applications
-
-
-
-
-
-## Context
-
-Moved content.
-
-> ### Note:
-> The content of this document has been moved to [Configuring User Attributes](configuring-user-attributes-ed2797d.md).
-
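Review bot: Deleting this redirect stub turns any remaining link to configure-default-attributes-for-subscribed-applications-621017f.md into a broken link; the stub only existed to point readers at configuring-user-attributes-ed2797d.md. Before removing it, confirm that no other topic and no table of contents still references the 621017f file, and that the ed2797d target it named still exists.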
diff --git a/docs/Operation-Guide/configure-default-language-for-end-user-screens-2cb73c3.md b/docs/Operation-Guide/configure-default-language-for-end-user-screens-2cb73c3.md
index 8ddf74e..c7053ea 100644
--- a/docs/Operation-Guide/configure-default-language-for-end-user-screens-2cb73c3.md
+++ b/docs/Operation-Guide/configure-default-language-for-end-user-screens-2cb73c3.md
@@ -118,7 +118,7 @@ The language for the end user screens is set according to the following order of
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure P-User Next Index](configure-p-user-next-index-045bb1c.md "Set the value for the P-user next index.")
diff --git a/docs/Operation-Guide/configure-default-risk-based-authentication-for-all-applications-in-the-tenant-1aab51a.md b/docs/Operation-Guide/configure-default-risk-based-authentication-for-all-applications-in-the-tenant-1aab51a.md
index 8244dfa..0b3f567 100644
--- a/docs/Operation-Guide/configure-default-risk-based-authentication-for-all-applications-in-the-tenant-1aab51a.md
+++ b/docs/Operation-Guide/configure-default-risk-based-authentication-for-all-applications-in-the-tenant-1aab51a.md
@@ -29,7 +29,8 @@ You can define rules for authentication according to different risk factors and
## Context
-Be careful when you set rules for authentication for the tenant. The rules apply to all applications in the tenant, including the `Administration Console`, if those applications have default risk-based authentication \(no rules created; default action - Allow\). The changes apply immediately when saved, and you may not be able to log in the `Administration Console` again if you don't meet the rules.
+> ### Caution:
+> Be careful when you set rules for authentication for the tenant. The rules apply to all applications in the tenant, including the `Administration Console`, if those applications have default risk-based authentication \(no rules created; default action - Allow\). The changes apply immediately when saved, and you may not be able to log in the `Administration Console` again if you don't meet the rules.
On the other hand, if a specific application has risk-based authentication different from the default one \(no rules created; default action - Allow\), and you apply default risk-based authentication for the tenant, the rules for the tenant won't apply to that specific application.
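Review bot: Promoting the lockout warning to a Caution is the right call, but the Caution still offers no way out once an administrator has locked themselves out of the Administration Console. Add what the recovery path is (whether another administrator, or SAP support, can reset the rules), and recommend trying the rule on a test tenant first, the same advice this guide gives for other tenant-wide changes.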
@@ -200,7 +201,7 @@ The rule is valid for any *IP range*, *Forwarded IP Range*, *Group*, *Authentica
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
@@ -295,7 +296,7 @@ Each rule contains the following information:
- *IP Range*
- Define the range of allowed IP addresses or proxies that the user logs on from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
+ Define a range of IP addresses that authentication requests to Identity Authentication can be sent from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
> ### Note:
> By default the field is empty, meaning that any IP is allowed.
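Review bot: The new IP Range wording drops the old "or proxies" and no longer says whose address is checked. State explicitly that IP Range is matched against the address the request reaches Identity Authentication from, which is the proxy's address when a proxy is in the path, and that the user's own address is then governed by Forwarded IP Range. Keep the Note that an empty field allows any IP; it is the default a reader most needs to be aware of.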
@@ -307,7 +308,7 @@ Each rule contains the following information:
- *Forwarded IP Range*
- Define the range of allowed IP addresses or proxies for the original IP addresses that the user logs on from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
+ Define a range of IP addresses for the original IP addresses that authentication requests to Identity Authentication can be sent from. This range is used in conjunction with IP Range in scenarios where authentication requests to Identity Authentication are made by a proxy on-behalf of the user/client. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
> ### Example:
> ![](images/IP_Ranges_Examples_b6f3ce1.png)
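Review bot: The Forwarded IP Range text should say where the "original IP address" comes from, namely the forwarded-address information supplied by the proxy, and that this value is only as trustworthy as the proxy supplying it. Recommend pairing it with an IP Range restricted to the addresses of the proxies you control; with IP Range left at its default of any IP (see the Note above), the forwarded address is the only thing being checked. Also "on-behalf" should be "on behalf", and "user/client" reads better as "user or client".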
diff --git a/docs/Operation-Guide/configure-idp-initiated-sso-5d59caa.md b/docs/Operation-Guide/configure-idp-initiated-sso-5d59caa.md
index c170690..5c2f231 100644
--- a/docs/Operation-Guide/configure-idp-initiated-sso-5d59caa.md
+++ b/docs/Operation-Guide/configure-idp-initiated-sso-5d59caa.md
@@ -55,7 +55,7 @@
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
@@ -194,6 +194,25 @@ The link for IdP-Initiated SSO follows the pattern: `https://.account
>
>
>
+>
+>
+>
+> `idp`
+>
+>
+>
+>
+> No
+>
+>
+>
+>
+> The name of the corporate identity provider as configured in the administration console for SAP Cloud Identity Services.
+>
+> When multiple identity providers are allowed for an application via conditional authentication, this parameter enables the client to determine which corporate identity provider to be used. Identity Authentication uses the `idp` to detect the correct corporate identity provider and redirect the request to it. The user authenticates against the corporate identity provider.
+>
+>
+>
>
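Review bot: The new `idp` row explains the happy path only. State what happens when the value names a corporate identity provider that is not among those permitted by the application's conditional authentication rules (error, or fallback to the default provider), since the parameter is supplied by the client and must be checked against that allowed set. Also say whether the expected value is the provider's display name or its technical name; "as configured in the administration console" could mean either.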
diff --git a/docs/Operation-Guide/configure-idp-initiated-sso-with-corporate-identity-providers-d483a52.md b/docs/Operation-Guide/configure-idp-initiated-sso-with-corporate-identity-providers-d483a52.md
index a65171a..87866bf 100644
--- a/docs/Operation-Guide/configure-idp-initiated-sso-with-corporate-identity-providers-d483a52.md
+++ b/docs/Operation-Guide/configure-idp-initiated-sso-with-corporate-identity-providers-d483a52.md
@@ -357,7 +357,7 @@ When the *Use Identity Authentication user store* is enabled, Identity Authentic
This configuration can be used if you want the application to receive assertions and name ID attributes that are different from those sent by the corporate identity provider.
-If you want the application to receive assertions and name ID attributes that are different from those sent by the corporate identity provider, do the following: [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md) and [Configure the Subject Name Identifier Sent to the Application](configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md).
+If you want the application to receive assertions and name ID attributes that are different from those sent by the corporate identity provider, do the following: [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md) and [Configure the Subject Name Identifier Sent to the Application](configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md).
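Review bot: The unchanged sentence above and the changed sentence repeat the same condition ("if you want the application to receive assertions and name ID attributes that are different from those sent by the corporate identity provider"); merge them into one sentence that introduces the two links, rather than carrying the duplication over with the retitled link.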
@@ -369,7 +369,7 @@ If you want the application to receive assertions and name ID attributes that ar
2. Configure the user attributes and Name ID attribute sent to the application. For more information, see:
- - [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
+ - [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
- [Configure the Subject Name Identifier Sent to the Application](configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md)
@@ -412,7 +412,7 @@ This configuration allows you to restrict access to the application to users who
Only users that are in the user store of Identity Authentication will be able to access the application. If a user is not part of the user store of Identity Authentication, this user receives the following message: ***Sorry, but you are currently not authorized for access.***
-The settings in the application configuration for assertion attributes and name ID attribute will be used for issuing the assertion. For more information, see [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)and [Configure the Subject Name Identifier Sent to the Application](configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md).
+The settings in the application configuration for assertion attributes and name ID attribute will be used for issuing the assertion. For more information, see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)and [Configure the Subject Name Identifier Sent to the Application](configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md).
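Review bot: The missing space in "...d361407.md)and [Configure the Subject Name Identifier..." is carried over from the old line into the new one; add the space so the two links do not run together in the rendered text.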
diff --git a/docs/Operation-Guide/configure-initial-password-and-email-link-validity-f8093f4.md b/docs/Operation-Guide/configure-initial-password-and-email-link-validity-f8093f4.md
index dc8a746..023c0d8 100644
--- a/docs/Operation-Guide/configure-initial-password-and-email-link-validity-f8093f4.md
+++ b/docs/Operation-Guide/configure-initial-password-and-email-link-validity-f8093f4.md
@@ -201,7 +201,7 @@ To change the validity period of the initial password and the links, follow the
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-links-section-on-sign-in-screen-060c032.md b/docs/Operation-Guide/configure-links-section-on-sign-in-screen-060c032.md
index 2299ed1..585beb4 100644
--- a/docs/Operation-Guide/configure-links-section-on-sign-in-screen-060c032.md
+++ b/docs/Operation-Guide/configure-links-section-on-sign-in-screen-060c032.md
@@ -109,12 +109,14 @@ To configure your logon links, proceed as follows:
-5. Add the new text in the *Custom Value* field next to the text that you want to change.
+5. Choose *Edit*.
+
+6. Add the new text in the *Custom Value* field next to the text that you want to change.
> ### Note:
> The value must be in the format `Link Text`.
-6. Save your changes.
+7. Save your changes.
If the operation is successful, you receive the `Tenant Texts updated` message.
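Review bot: Inserting the new step 5 (Choose *Edit*) renumbers the save step to 7; check that no other text on this page or in a linked topic still refers to the old step numbers. While this list is being touched, the Note "The value must be in the format `Link Text`" is ambiguous: it is unclear whether `Link Text` is a placeholder for any free text or a specific syntax, so give one concrete example value.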
@@ -172,7 +174,7 @@ To configure your logon links, proceed as follows:
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-logo-778f748.md b/docs/Operation-Guide/configure-logo-778f748.md
new file mode 100644
index 0000000..d6060d4
--- /dev/null
+++ b/docs/Operation-Guide/configure-logo-778f748.md
@@ -0,0 +1,17 @@
+
+
+# Configure Logo
+
+You can upload and configure a custom logo for your applications. Furthermore, you can remove a configured logo and leave the display name only as a title for the application.
+
+The logo is displayed on the application's logon page and can be included into the emails sent to users.
+
+**Related Information**
+
+
+[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
+
+[Troubleshooting for Administrators](troubleshooting-for-administrators-f80beb5.md "This section is intended to help administrators deal with error messages in the administration console for SAP Cloud Identity Services.")
+
+[Configuring Email Templates](configuring-email-templates-b2afbcd.md "Tenant administrators can use the default or a custom email template set for the application processes.")
+
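Review bot: The new topic says a logo can be uploaded, removed and shown on the logon page and in emails, but gives neither the procedure nor the constraints an administrator needs before uploading: add the accepted image formats and the maximum file size, or link to the topic where they are documented. Minor wording: "included into the emails" should be "included in the emails".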
diff --git a/docs/Operation-Guide/configure-mail-server-for-application-processes-ccc7ba1.md b/docs/Operation-Guide/configure-mail-server-for-application-processes-ccc7ba1.md
index 624f49e..b937453 100644
--- a/docs/Operation-Guide/configure-mail-server-for-application-processes-ccc7ba1.md
+++ b/docs/Operation-Guide/configure-mail-server-for-application-processes-ccc7ba1.md
@@ -91,7 +91,7 @@ To configure the mail server, choose one of the procedures below:
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-master-data-texts-via-administration-console-c068ac9.md b/docs/Operation-Guide/configure-master-data-texts-via-administration-console-c068ac9.md
index de5441d..7997cc9 100644
--- a/docs/Operation-Guide/configure-master-data-texts-via-administration-console-c068ac9.md
+++ b/docs/Operation-Guide/configure-master-data-texts-via-administration-console-c068ac9.md
@@ -200,7 +200,7 @@ To change the master data texts via the administration console, proceed as follo
6. You have the following options:
- - Change existing texts - Find the text that you want to change and replace it in the *Value* field with the new text. You can use the search field, or the sorting option, or you can expand the page for more results.
+ - Change existing texts - Choose the *Edit* button, find the text that you want to change, and replace it in the *Value* field with the new text. You can use the search field, or the sorting option, or you can expand the page for more results.
- Reset to default values- Choose the *Reset to Default* button. This action resets all master data texts from the chosen resource to their key value pairs.
- Add a new key value pair - Choose the *Add* button and provide key and value.
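Review bot: The changed "Change existing texts" item uses " - " as the separator while the unchanged "Reset to default values- Choose" item below it lacks the space before the dash; since this hunk already edits the list, make the three items consistent.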
@@ -265,7 +265,7 @@ To change the master data texts via the administration console, proceed as follo
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md
index 763478a..6c443bf 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-4a94254.md
@@ -72,7 +72,7 @@ To configure an OpenID Connect trusted application in the administration console
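Review bot: The hunk at @@ -72,7 +72,7 @@ shows no added or removed lines in this rendering; confirm it is a whitespace-only change, or that the changed line was not lost in extraction, before merging.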
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
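Review bot: For the Authorization Code Flow this removal loses nothing, since the flow needs a registered Redirect URI to receive the authorization code, and the remaining tip still links to the URI format reference. The identical block is removed from every OpenID Connect flow topic in this diff, so the tip was evidently shared across them; dropping flow-specific advice from a shared block is fine, but the flows that never redirect then need that statement on their own pages.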
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md
index 63aacf8..57533cc 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-authorization-code-flow-72c478e.md
@@ -72,7 +72,7 @@ To configure an OpenID Connect trusted application in the administration console
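Review bot: The hunk at @@ -72,7 +72,7 @@ in this file shows no added or removed lines in this rendering; confirm it is a whitespace-only change, or that the changed line was not lost in extraction, before merging.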
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-3e409d8.md b/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-3e409d8.md
index c73e43e..20ba545 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-3e409d8.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-3e409d8.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
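Review bot: With the tip gone, nothing on this page tells the reader that Redirect URI and Post Logout Redirect URI play no part in the Client Credentials Flow, which involves no browser redirect. If the preceding step still asks for these URIs, say there that they can be left empty for this flow rather than dropping the guidance entirely.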
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-7ea233b.md b/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-7ea233b.md
index 238e358..d70cd5b 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-7ea233b.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-client-credentials-flow-7ea233b.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
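Review bot: This page duplicates configure-openid-connect-application-for-client-credentials-flow-3e409d8.md and receives the identical edit; keep the two in sync, and if the Redirect URI step is retained here, state at that step that the fields are not used by the Client Credentials Flow, since the removed tip was the only place that said so.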
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-26090fd.md b/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-26090fd.md
index e1ecb4d..d566eb8 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-26090fd.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-26090fd.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
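Review bot: Removing the tip is correct for the Implicit Flow, which delivers tokens through the redirect URI and therefore always needs one registered. Given that, the Redirect URI step on this page deserves a caution of its own: because tokens are returned in the redirect, the registered URI is the only control over where they are delivered, so it must not be set loosely.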
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-c64180e.md b/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-c64180e.md
index 4b65deb..e3db404 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-c64180e.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-implicit-flow-c64180e.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md
index 0759b88..64c98cc 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-dd8cd7a.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
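Review bot: The removed tip was the only place this page said that Redirect URI and Post Logout Redirect URI are not needed for the JWT Bearer Flow, which exchanges an assertion at the token endpoint without a browser redirect. If the preceding step still presents these fields, state there that they can be left empty for this flow.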
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md
index 6feac14..ac5a7a1 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-jwt-bearer-flow-e42fb4d.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md
index ca6d45a..7ad318b 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-9a4b94b.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
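Review bot: The removed tip was the only statement on this page that the Redirect URI fields are irrelevant to the Resource Owner Password Credentials Flow, which posts the user's credentials to the token endpoint and never redirects. If the Redirect URI step remains, say there that the fields can be left empty for this flow, rather than leaving readers to guess.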
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md
index 9a0474b..83cf0bb 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-resource-owner-password-credentials-flow-cafba77.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md
index dfe8f97..a701ace 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-351866e.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
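Review bot: The removed tip listed Client Credentials, Resource Owner Password Credentials and JWT Bearer but not Token Exchange, even though Token Exchange is likewise a token-endpoint grant with no browser redirect. If the guidance about skipping Redirect URI and Post Logout Redirect URI is reintroduced per flow, include this flow in it.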
diff --git a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md
index 2d54c5d..919d61e 100644
--- a/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md
+++ b/docs/Operation-Guide/configure-openid-connect-application-for-token-exchange-e6718a3.md
@@ -108,8 +108,6 @@ To configure an OpenID Connect trusted application in the administration console
> ### Tip:
- > The *Redirect URI* and *Post Logout Redirect URI* configuration can be skipped for the Client Credentials Flow, Resource Owner Password Credentials Flow, and JWT Bearer Flow.
- >
> For more information about the format of the redirect URIs and post logout redirect URIs, see [OpenID Connect Application Configurations](openid-connect-application-configurations-1ae324e.md).
7. **Optional:** \(If you added second signing certificate in tenant settings\) Under *Identity Provider Certificate*, choose the certificate to be used.
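Review bot: This is the same removal as in configure-openid-connect-application-for-token-exchange-351866e.md; the two files carry identical text around this hunk, so whatever replacement wording is chosen for the redirect URI guidance there needs to be applied here as well, together with the missing article in the step 7 context line.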
diff --git a/docs/Operation-Guide/configure-p-user-next-index-045bb1c.md b/docs/Operation-Guide/configure-p-user-next-index-045bb1c.md
index 983f562..db5844c 100644
--- a/docs/Operation-Guide/configure-p-user-next-index-045bb1c.md
+++ b/docs/Operation-Guide/configure-p-user-next-index-045bb1c.md
@@ -87,7 +87,7 @@ Every user in Identity Authentication has a `User ID` which is an automatically
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
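Review bot: The new link target `configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md` has "availability" cut to "availa", which looks like a filename length truncation by the export tooling; confirm that a file with exactly this name exists in docs/Operation-Guide, because the link will otherwise be dead in every topic where this Related Information entry is updated. The description string of the entry is still `""` while the neighbouring entries all carry one; add a short description of what customer-controlled encryption keys are used for.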
diff --git a/docs/Operation-Guide/configure-radius-server-settings-beta-03043ae.md b/docs/Operation-Guide/configure-radius-server-settings-beta-03043ae.md
index 49254c7..3e1f542 100644
--- a/docs/Operation-Guide/configure-radius-server-settings-beta-03043ae.md
+++ b/docs/Operation-Guide/configure-radius-server-settings-beta-03043ae.md
@@ -225,7 +225,7 @@ Configure an application to require RADIUS PIN code as a second factor apart fro
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-registration-and-upgrade-forms-93a9e18.md b/docs/Operation-Guide/configure-registration-and-upgrade-forms-93a9e18.md
index 6dcc51f..38d2e52 100644
--- a/docs/Operation-Guide/configure-registration-and-upgrade-forms-93a9e18.md
+++ b/docs/Operation-Guide/configure-registration-and-upgrade-forms-93a9e18.md
@@ -179,7 +179,7 @@ Configure terms of use and privacy policy documents. For more information, see [
**Related Information**
-[User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md "After configuring the user attributes to be collected by the registration and upgrade forms, you have to specify how these attributes are sent to the application.")
+[Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md "Specify how the local user attributes, configured to be collected by the registration and upgrade forms, are sent to the application.")
[Configuring Privacy Policies](configuring-privacy-policies-ed48466.md "You can configure a custom privacy policy document by creating a new document, adding and editing its language versions, and defining the document for an application.")
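Review bot: The new link keeps the same `d361407` suffix as the old `user-attributes-sent-to-the-application-d361407.md`, which indicates a rename of the topic rather than a new one; make sure the old filename is removed or redirected in the same change set, otherwise other topics and bookmarks that still point at the old name will break. The new description also no longer mentions that attribute sending is configured after the registration and upgrade forms are set up, which was the reason this link sits under this topic.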
diff --git a/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md b/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md
index 3e2d619..ae7ec36 100644
--- a/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md
+++ b/docs/Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md
@@ -82,7 +82,7 @@ The rule is valid for any *IP range*, *Forwarded IP Range*, *Group*, *Authentica
- See [Create a New Rule](configure-risk-based-authentication-for-an-application-bc52fbf.md#loio18d02ab9cc7d4caf83d8654c8c51a175)
+ See [Create a New Rule](create-a-new-rule-18d02ab.md)
@@ -129,7 +129,7 @@ The rule is valid for any *IP range*, *Forwarded IP Range*, *Group*, *Authentica
7. **Optional:** Configure the *Default Action*:
- - *Allow* - Any user can log on from any IP. This is te default choice.
+ - *Allow* - Any user can log on from any IP. This is the default choice.
- *Deny* - Nobody can log on.
- *Two-Factor Authentication* - A drop-down appears when this choice is selected. You must specify the two-factor authentication method or methods for the end user.
@@ -138,434 +138,12 @@ The rule is valid for any *IP range*, *Forwarded IP Range*, *Group*, *Authentica
Once the application has been updated, the system displays the message ***Authentication rules updated***.
-
-
-
-
-## Examples
-
-
-
-## Example 1 \(Setting TOTP Two-Factor Authentication\)
-
-Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company employees for a password and a TOTP passcode \(two-factor authentication\) to log on to a *Leave Request* application. For this purpose, Donna sets only a *Default Action*:
-
-**Default Authentication Rule**
-
-Default Action: [Two-Factor Authentication\]
-
-Two-Factor Methods: [TOTP\]
-
-Michael Adams is an employee of company A and as such he wants to create a leave request. To log on to the *Leave Request* application he provides his password. After that he is prompted to activate a mobile device and to provide a second factor for authentication \(a passcode generated by an authenticator app on his mobile device\). Two factors are required regardless of whether Michael is in the corporate network or on a business trip. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. She approves it by logging on to the application with two factors \(password and passcode generated by her mobile device\).
-
-
-
-
-
-## Example 2 \(Setting SMS Two-Factor Authentication\)
-
-Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company employees for a password and a SMS code \(two-factor authentication\) to log on to the *Corporate Page*. For this purpose, Donna first configures Sinch Service in the administration console for SAP Cloud Identity Services. Then in the *Risk-Based Authentication* section in the administration console, he sets only a *Default Action*:
-
-**Default Authentication Rule**
-
-Default Action: [Two-Factor Authentication\]
-
-Two-Factor Methods: [SMS\]
-
-John Miller is an employee of company A and as such he wants to access the corporate page of the company. He is prompted to provide two factors \(password and the SMS code sent to his mobile device\) to log on to the corporate page. John Miller has his mobile phone verified, so he can receive SMS codes. Two factors are required regardless of whether Miller is in the corporate network or at home.
-
-
-
-## Example 3 \(SPNEGO\)
-
-Donna Moore is an administrator of company A. She wants to configure Identity Authentication to allow employees to access the *Leave Request* application from the corporate network with SPNEGO, and from any other network with passcode. All IPs in the company start with 189.101. She would also like to create a rule for the managers to access the application with two authentication factors. In addition she wants to restrict the access to all the users with type *Customer*. For this purpose, Donna creates the following rules:
-
-**Authentication Rules**
-
-
-
-
-
-
-Action
-
-
-
-
-IP Range
-
-
-
-
-Group
-
-
-
-
-Authentication Method
-
-
-
-
-User Type
-
-
-
-
-
-
-Deny
-
-
-
-
-Any
-
-
-
-
-Any
-
-
-
-
-Any
-
-
-
-
-Customer
-
-
-
-
-
-
-Allow
-
-
-
-
-189.101.112.1/16
-
-
-
-
-Employees
-
-
-
-
-SPNEGO
-
-
-
-
-Any
-
-
-
-
-
-
-TOTP Two-Factor Authentication
-
-
-
-
-Any
-
-
-
-
-Employees
-
-
-
-
-Any
-
-
-
-
-Any
-
-
-
-
-
-
-TOTP Two-Factor Authentication
-
-
-
-
-Any
-
-
-
-
-Managers
-
-
-
-
-Any
-
-
-
-
-Any
-
-
-
-
-
-**Default Authentication Rule**
-
-Default Action: [Deny\]
-
-Michael Adams, as an employee of company A, accesses the application in his office and logs on with SPNEGO. When he is on a business trip, he can create leave requests by providing two factors. The two factors are SPNEGO and а passcode generated by an authenticator app on his iPhone. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. She approves it by logging on to the application with TOTP Two-Factor Authentication \(a password and a passcode generated by her Android phone\). Donna Moore, a customer of company A, tries to access the corporate portal, and receives a message that she is not authorized for access.
-
-
-
-
-
-## Example 4 \(Setting Web Two-Factor Authentication\)
-
-Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company managers for a password and a web two-factor authentication to log on to an *Leave Request Approval* application. For this purpose, Donna sets only a *Default Action*:
-
-**Default Authentication Rule**
-
-Default Action: [Two-Factor Authentication\]
-
-Two-Factor Methods: [Web Authentication\]
-
-Michael Adams is an employee of company A and he creates a leave request. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. To log on to the *Leave Request Approval* application she provides her password. After that Julie is prompted to activate a security key as a second factor for authentication. Two factors are required regardless of whether Julie is in the corporate network or on a business trip.
-
-Julie he approves the leave request by logging on to the application with two factors \(password and fingerprint\).
-
-
-
-
-
-## Example 5 \(Setting more than one Two-Factor Authentication method\)
-
-Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company managers for a second factor in addition to their password. She wants to allow the managers to choose between a TOTP and a web two-factor authentication to log on to an *Leave Request Approval* application. For this purpose, Donna sets the *Default Action* to *Two-Factor Authentication* and configures the *Two-Factor Methods*:
-
-**Default Authentication Rule**
-
-Default Action: [Two-Factor Authentication\]
-
-Two-Factor Methods: [TOTP\]; [Web Authentication\]
-
-Michael Adams is an employee of company A and he creates a leave request. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. To log on to the application *Leave Request Approval* she provides her password. After that she is prompted to choose the two-factor authentication method. She chooses a security key as a second factor for authentication.
-
-Julie approves the leave request by logging on to the application with two factors \(password and fingerprint\).
-
-In addition to Julie's approval, the leave request must also be approved by the HR Manager of the company, John Miller. To log on to the *Leave Request Approval* application John provides his password. After that he is also prompted to choose the two-factor authentication method. John chooses TOTP. Now, he is prompted to provide a TOTP code from his device. After providing it, he is granted access to the app and approves the leave request.
-
-Two factors are required regardless of whether Julie and John are in the corporate network or on a business trip.
-
-
-
-
-
-## Example 6 \(Setting Fowarded IP Range\)
-
-Donna Moore is an administrator of company A. She wants to configure Identity Authentication to apply an additional IP range in risk-based authentication rules for system-to-system calls from SAP BTP. SAP BTP makes a system-to-system calls to Identity Authentication on customer's behalf and provides their original IP address with the request. Donna can configure the IP range for customer IPs, but it's mandatory that she configures the IP range for SAP BTP IP addresses, first.
-
**Related Information**
-[Create a New Rule](configure-risk-based-authentication-for-an-application-bc52fbf.md#loio18d02ab9cc7d4caf83d8654c8c51a175 "You can create rules for authentication according to different risk factors.")
-
-[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
-
-[Unlock User TOTP Passcode](unlock-user-totp-passcode-cb6615d.md "You can unlock a user passcode when the user must log on to the application before the automatic unlock time of 60 minutes has passed.")
-
-[Multi-Factor Authentication](../User-Guide/multi-factor-authentication-0d41cd4.md "This document provides information about the second factor for authentication or how to log on if you are asked to provide a second factor to your primary credentials.")
-
-
-
-
-
-## Create a New Rule
-
-You can create rules for authentication according to different risk factors.
-
-
-
-## Context
-
-Each rule contains the following information:
-
-- **Action**
-
- This action is performed if the rule conditions meet the defined criteria.
-
- You can choose one of the following actions:
-
- - *Allow*
-
- Identity Authentication allows the authentication of the user in accordance with the rule conditions.
-
- - *Deny*
-
- Identity Authentication denies the authentication of the user in accordance with the rule conditions. You can set this action for a test application for example, or before an application goes live.
-
- As long as this rule is valid, when users try to log on to the application, they get the following message: *Sorry, but you are currently not authorized for access*.
-
- - *Two-Factor Authentication*
-
- > ### Note:
- > If *Two-Factor Authentication* is selected, additionally, you must specify the two-factor method or methods for the user:
- >
- > - *TOTP Two-Factor Authentication*
- >
- > Identity Authentication asks two factors to authenticate the user.
- >
- > If you set TOTP two-factor authentication, users are required to provide a time-based one-time password \(TOTP\) called a passcode in addition to their primary credentials. Users also have to install an authenticator application on their mobile devices to generate TOTP passcodes.
- >
- > TOTP passcodes are time-based and valid for one logon attempt only.
- >
- > - *SMS Two-Factor Authentication*
- >
- > Identity Authentication asks two factors to authenticate the user.
- >
- > If you set SMS two-factor authentication, users are required to provide an SMS code sent to their mobile devices in addition to their primary credentials.
- >
- > > ### Remember:
- > > To use *SMS Two-Factor Authentication*, you must have configured Sinch Verification in the administration console for SAP Cloud Identity Services. For more information, see [Configure Sinch Service in Administration Console](configure-sinch-service-in-administration-console-f4a04ed.md).
- > >
- > > Users must have their mobile phone numbers verified. The tenant administrator can verify phone numbers manually in the administration console or via the SCIM API. For more information, see [List and Edit User Details](list-and-edit-user-details-045cb01.md) and [Update User Resource \(Deprecated\)](../Development/update-user-resource-deprecated-9e36479.md).
- > >
- > > If the user does not have a verified phone number, the number is verified during the first log on when SMS code is required. After the user provides user name and credentials, he or she should provide the phone number in the field and request a code. Then provide the received code in the respective field and choose *Continue*. If the submitted code is correct, the user is allowed access, and the telephone number is verified.
- >
- > - *Web Two-Factor Authentication*
- >
- > Identity Authentication asks two factors to authenticate the user.
- >
- > If you set web two-factor authentication, users are required to authenticate with a device such as the built in biometric scanners or USB, Bluetooth or Near-Field Communication \(NFC\) devices in addition to their primary credentials.
- >
- > - *Email OTP Code*
- >
- > > ### Caution:
- > > For security reasons, the Email OTP code is not a recommended two-factor authentication method. You may consider using some of the other methods instead.
- >
- > Identity Authentication asks two factors to authenticate the user.
- >
- > If you set *Email OTP Code*, users are required to provide the code sent to their email in addition to their primary credentials.
- >
- > > ### Remember:
- > > An Email OTP Code template for the respective languages must exist in the tenant to apply the email OTP code method. If the template does not exist, the user will see the option but when choosing it, the following message will appear: "Sorry, but you are currently not authorized for access".
- > >
- > > For more information how to add email templates, see [Edit or Add an Email Template Set](edit-or-add-an-email-template-set-3c4f397.md).
- >
- > - *RADIUS Server Two Factor Authentication*
- >
- > If you set *RADIUS Server Two Factor Authentication*, users are required to provide a RADIUS passcode in addition to their primary credentials. Users must have a RADIUS token \(hard or soft\) configured for them to generate passcodes. For more information about how to configure RADIUS server in Identity Authentication, see [Configure RADIUS Server Settings \(Beta\)](configure-radius-server-settings-beta-03043ae.md).
-
-
- The *Action* filed is mandatory.
-
-- *IP Range*
-
- Define a range of allowed IP addresses or proxies that the user logs on from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
-
- > ### Note:
- > By default the field is empty, meaning that any IP is allowed.
-
- > ### Example:
- > Enter 123.45.67.1/24 to allow users to log on from any IP starting with 123.45.67.
-
- If no IP range is defined, the rule is valid for all IP ranges.
-
-- *Forwarded IP Range*
-
- Define a range of allowed IP addresses or proxies for the original IP addresses that the user logs on from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
-
- > ### Example:
- > ![](images/IP_Ranges_Examples_b6f3ce1.png)
-
- > ### Remember:
- > To specify the *Forwarded IP Range*, the *IP Range* must be defined first.
-
-- *Group*
-
- Specify a cloud or on-premise group, which the authenticating user has to be a member of. If no group is selected, the rule is valid for all users.
-
- If the rule is valid for an on-premise group, type in the name of the corporate user store group, for which this rule should be valid.
-
- The cloud groups have to be configured in the administration console for SAP Cloud Identity Services. For more information, see [Groups](groups-ddd067c.md).
-
-- *Authentication Method*
-
- Specify the authenticating method, which the authenticating user has to use. If no method is selected, the rule is valid for any of the methods.
-
- You can choose from the following:
-
- - *Client Certificate*
- - *SPNEGO*
- - *User Name and Password*
- - *Token*
- - *Social Identity Provider*
- - *Trusted IdP SAML Assertion*
-
- > ### Note:
- > If the user has an active session with any of the methods, and that method is included in the rule, they can access the application without the need for additional authentication.
-
-- *User Type*
-
- Specify the type, which the authenticating user must have. If no user type is selected, the rule is valid for any of the types.
-
-- *Corporate Attribute*
-
- Specify an attribute from the corporate identity provider \(IdP\) assertion, based on which the rule action will be applied.
-
- The rule must include the attribute name and value. It is valid only when the specified name and value are found in the assertion from the corporate IdP.
-
- > ### Note:
- > For this rule, the *Apply Application Configurations* option of *Identity Federation* must be enabled. For more information, see [Configure Identity Federation](configure-identity-federation-c029bbb.md).
-
-
-The fields *IP Range*, *Group*, *Authentication Method*, and *User Type* are not mandatory, but at least one of them has to be specified.
-
-
-
-
-
-## Procedure
-
-1. Sign in to the administration console for SAP Cloud Identity Services.
-
-2. Under *Applications and Resources*, choose the *Applications* tile.
-
-3. Choose the list item of the application that you want to edit.
-
- > ### Note:
- > If you do not have a created application in your list, you can create one. For more details, see Related Information.
-
- > ### Caution:
- > The list also includes the `Administration Console` application. If you enable risk-based authentication for that application, make sure that you, as a tenant administrator, meet the authentication rules and the default authentication rule. Otherwise when you log out of the administration console you will not be able to log in it again if you don't meet the rules.
- >
- > If `Administration Console` is not in the list of the applications you may request it. To do this, you need to report an incident with a subject on [SAP Support Portal Home](https://support.sap.com/en/index.html) under the component `BC-IAM-IDS`.
-
-4. Choose the *Authentication and Access* tab.
-
-5. Under *AUTHENTICATION*, choose *Risk-Based Authentication*.
-
-6. Choose *Create Rule*.
-
-7. Fill in the fields on the *New Risk-Based Authentication Rule* window.
-
-8. Choose *Create*.
-
-9. Save your changes.
-
-
-**Related Information**
+[Create a New Rule](create-a-new-rule-18d02ab.md "You can create rules for authentication according to different risk factors.")
+[Examples for Risk-Based Authentication Scenarios](examples-for-risk-based-authentication-scenarios-fedc77c.md "Example scenarios for configuring risk-based authentication for an application.")
-[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
+[SAP Cloud Identity Services Application Directory](https://api.sap.com/api/SCI_Application_Directory/overview)
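Review bot: Moving the Examples and Create a New Rule sections into `create-a-new-rule-18d02ab.md` and `examples-for-risk-based-authentication-scenarios-fedc77c.md` is fine, but the removed text contains defects that must not be carried over unchanged, and this hunk also drops links that are not simply relocated. The Caution about enabling risk-based authentication for the `Administration Console` application (a tenant administrator who does not meet the rules is locked out after logging off) must survive in the new topic, since it is the one sentence that prevents an outage. In Example 3, the rule `189.101.112.1/16` has host bits set; write it as `189.101.0.0/16`, which is what "All IPs in the company start with 189.101" means and avoids ambiguity in how the prefix is read, and the narrative that the two factors on a business trip are "SPNEGO and a passcode" does not match the rule, which is TOTP Two-Factor Authentication with *Authentication Method* Any (password plus passcode), while Donna Moore appears both as the administrator and as a customer. Smaller fixes for the new file: "he sets only a *Default Action*" in Example 2 should be "she sets", "The *Action* filed is mandatory" should be "field", the Example 6 heading is misspelled "Fowarded", and Example 6 ends without the rule it announces. The sentence "The fields *IP Range*, *Group*, *Authentication Method*, and *User Type* are not mandatory, but at least one of them has to be specified" omits *Forwarded IP Range* and *Corporate Attribute*, which the same list documents. Finally, the Related Information block loses "Unlock User TOTP Passcode" and "Multi-Factor Authentication" outright, and "Create a New Application" is replaced by the external Application Directory link, so the moved procedure's note "If you do not have a created application in your list, you can create one. For more details, see Related Information" no longer resolves to anything that explains creating an application; restore those entries or point the note at the right topic.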
diff --git a/docs/Operation-Guide/configure-session-timeout-5ca23e4.md b/docs/Operation-Guide/configure-session-timeout-5ca23e4.md
index b6918ab..63dc911 100644
--- a/docs/Operation-Guide/configure-session-timeout-5ca23e4.md
+++ b/docs/Operation-Guide/configure-session-timeout-5ca23e4.md
@@ -120,7 +120,7 @@ To configure the session timeout period via the administration console for SAP C
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-sinch-service-in-administration-console-3fdc9e1.md b/docs/Operation-Guide/configure-sinch-service-in-administration-console-3fdc9e1.md
index f3bafe0..694a7db 100644
--- a/docs/Operation-Guide/configure-sinch-service-in-administration-console-3fdc9e1.md
+++ b/docs/Operation-Guide/configure-sinch-service-in-administration-console-3fdc9e1.md
@@ -186,7 +186,7 @@ To configure the administration console, follow the procedure below:
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-fieldglass-to-identity-authent-b0c7ec8.md b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-fieldglass-to-identity-authent-b0c7ec8.md
index c1b1c82..ec28100 100644
--- a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-fieldglass-to-identity-authent-b0c7ec8.md
+++ b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-fieldglass-to-identity-authent-b0c7ec8.md
@@ -1,5 +1,7 @@
+
+
# Configure Source System To Migrate User Passwords from SAP Fieldglass to Identity Authentication
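Review bot: The two blank lines added before the H1 are a formatting regression: the heading is no longer the first line of the file, which markdown linters and title extraction on the docs site commonly flag; drop them unless a front-matter block is meant to go there. The same two lines are added to the SAP Learning Management System and SAP SuccessFactors variants of this topic in this change.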
@@ -187,6 +189,18 @@ To configure a source system, follow the steps below:
6. **Optional:** Choose *Test Connection* to test the source system configuration.
+
+
+
+
+## Next Steps
+
+> ### Note:
+> If an application requires force authentication \(ForceAuthn="true"\), users have to authenticate themselves against the corporate identity provider each time they access the application even if single sign-on \(SSO\) is enabled.
+
+- \(Optional\) To edit an existing source system configuration, select *system you want to edit* \> *Edit button* \> *make the necessary changes* \> *Save*.
+- \(Optional\) To change the display name of an existing source system, select the source system whose name you want to change, choose the :pencil2:, provide the new name, and save your changes.
+
**Related Information**
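Review bot: The Note about `ForceAuthn="true"` under the new *Next Steps* heading does not belong in this topic: the source system scenario migrates passwords from SAP Fieldglass at the user's first successful logon, and nothing in the procedure involves a corporate identity provider or SSO, so a reader has no action to take on it; move it to the identity federation topic or delete it. The two bullets also read as unfinished templates: `*system you want to edit* \> *Edit button* \> *make the necessary changes*` italicises placeholder phrases instead of UI labels, and `:pencil2:` is a GitHub emoji shortcode that will not render on the docs site. Suggested wording: "Select the source system you want to edit, choose *Edit*, make your changes, and choose *Save*", and name the rename icon instead of the shortcode. The identical block is added to the SAP Learning Management System and SAP SuccessFactors topics in this change, so fix all three together.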
diff --git a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-learning-management-system-to-0d85eb7.md b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-learning-management-system-to-0d85eb7.md
index 2131606..1465a2c 100644
--- a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-learning-management-system-to-0d85eb7.md
+++ b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-learning-management-system-to-0d85eb7.md
@@ -1,5 +1,7 @@
+
+
# Configure Source System To Migrate User Passwords from SAP Learning Management System to Identity Authentication
@@ -192,6 +194,18 @@ To configure a source system, follow the steps below:
6. **Optional:** Choose *Test Connection* to test the source system configuration.
+
+
+
+
+## Next Steps
+
+> ### Note:
+> If an application requires force authentication \(ForceAuthn="true"\), users have to authenticate themselves against the corporate identity provider each time they access the application even if single sign-on \(SSO\) is enabled.
+
+- \(Optional\) To edit an existing source system configuration, select *system you want to edit* \> *Edit button* \> *make the necessary changes* \> *Save*.
+- \(Optional\) To change the display name of an existing source system, select the source system whose name you want to change, choose the :pencil2:, provide the new name, and save your changes.
+
**Related Information**
diff --git a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md
index 98facdd..cdf1c97 100644
--- a/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md
+++ b/docs/Operation-Guide/configure-source-system-to-migrate-user-passwords-from-sap-successfactors-systems-to-iden-671d2e6.md
@@ -1,5 +1,7 @@
+
+
# Configure Source System To Migrate User Passwords from SAP SuccessFactors Systems to Identity Authentication
@@ -18,7 +20,7 @@
## Context
-In this scenario, you have an SAP SuccessFactors instance integrated with Identity Authentication. In the SAP SuccessFactors instance there are users that log on with username and password \(also known as password or non-sso users\). The source system opportunity gives the possibility these users to be migrated and to use Identity Authentication without the need to change the passwords that they already have. The password of each SAP SuccessFactors user is migrated once only during his or her first successful logon after the configuration of the source system scenario in Identity Authentication. After that the user passwords are managed by Identity Authentication.
+In this scenario, you have an SAP SuccessFactors instance integrated with Identity Authentication. In the SAP SuccessFactors instance, there are users that log on with username and password \(also known as password or non-sso users\). The source system opportunity gives the possibility these users to be migrated and to use Identity Authentication without the need to change the passwords that they already have. The password of each SAP SuccessFactors user is migrated once only during his or her first successful logon after the configuration of the source system scenario in Identity Authentication. After that the user passwords are managed by Identity Authentication.
The first logon after the migration must be with a username and password. After this first successful logon, the user can use any other allowed logon identifier.
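Review bot: Adding the comma leaves the rest of the sentence ungrammatical: "The source system opportunity gives the possibility these users to be migrated and to use Identity Authentication" should read "The source system configuration makes it possible to migrate these users to Identity Authentication", and "non-sso" should be "non-SSO". Since this line is being touched anyway, both fixes belong in this hunk.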
@@ -169,7 +171,7 @@ To configure a source system, follow the steps below:
Enter CN for the certificate in the provided field.
- Once the certificate is generated, you can view its details. The validity of the certificate is one year.
+ Once the certificate is generated, you can view its details. The validity of the certificate is 1 year.
> ### Note:
> You can choose the option for automatic regeneration of the certificate by selecting the *Automatic Renewal* checkbox. Two weeks before the expiry of the certificate, it is regenerated. The renewed certificate will have the same DN.
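Review bot: Changing "one year" to "1 year" makes the number style inconsistent within the same hunk, where the Note two lines later still says "Two weeks before the expiry"; pick one style for both. The Note should also state what the administrator has to do when *Automatic Renewal* is not selected, because once the certificate expires the source system connection can no longer authenticate and the password migration stops working without an obvious error in this procedure.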
@@ -214,6 +216,18 @@ To configure a source system, follow the steps below:
6. **Optional:** Choose *Test Connection* to test the source system configuration.
+
+
+
+
+## Next Steps
+
+> ### Note:
+> If an application requires force authentication \(ForceAuthn="true"\), users have to authenticate themselves against the corporate identity provider each time they access the application even if single sign-on \(SSO\) is enabled.
+
+- \(Optional\) To edit an existing source system configuration, select *system you want to edit* \> *Edit button* \> *make the necessary changes* \> *Save*.
+- \(Optional\) To change the display name of an existing source system, select the source system whose name you want to change, choose the :pencil2:, provide the new name, and save your changes.
+
**Related Information**
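Review bot: the ForceAuthn note added under the new "Next Steps" heading does not belong in this topic: the surrounding procedure configures a source system (SAP SuccessFactors password migration), whereas the note describes corporate identity provider behaviour and names no next step. Either drop it or move it to the corporate identity provider topic, and consider whether the two remaining optional edit/rename bullets justify a "Next Steps" heading at all. Two smaller points: the four consecutive empty `+` lines before the heading should be reduced to the single blank line used elsewhere in the file, and the first bullet italicises actions (*Edit button*, *make the necessary changes*) rather than UI labels, unlike the second bullet; use the second bullet's style (select the source system, choose *Edit*, make the changes, and choose *Save*).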
diff --git a/docs/Operation-Guide/configure-tenant-images-8742046.md b/docs/Operation-Guide/configure-tenant-images-8742046.md
index 6f62d05..205b1d7 100644
--- a/docs/Operation-Guide/configure-tenant-images-8742046.md
+++ b/docs/Operation-Guide/configure-tenant-images-8742046.md
@@ -159,7 +159,7 @@ To configure a custom tenant logo a background image, and or a favicon, follow p
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
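Review bot: the new link target `configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md` has a truncated slug ("restricted-availa"), which looks like a generator length limit; confirm that a file with exactly this name is added in the same change set (it is not visible in this part of the diff), otherwise the Related Information link ships broken. The same rename is applied in other topics in this diff, so the check applies to each occurrence.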
diff --git a/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md b/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md
index b2626ea..8b542a2 100644
--- a/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md
+++ b/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md
@@ -334,7 +334,7 @@ Path
-No
+Yes
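Review bot: this hunk flips a "Required" value from No to Yes at line 334 with no parameter name in the context, so a reviewer cannot see which authorize-endpoint parameter becomes mandatory. Making a parameter required is a contract change for every client calling the endpoint; please name the parameter in the change description and, if this reflects a behaviour change rather than a documentation correction, add a matching What's New entry.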
@@ -409,7 +409,7 @@ No
-String
+string
@@ -421,6 +421,35 @@ Reserved.
Path
+
+
+
+
+
+`idp`
+
+
+
+
+No
+
+
+
+
+string
+
+
+
+
+The name of the corporate identity provider as configured in the administration console for SAP Cloud Identity Services.
+
+When multiple identity providers are allowed for an application via conditional authentication, this parameter enables the client to determine which corporate identity provider to be used. Identity Authentication uses the `idp` to detect the correct corporate identity provider and redirect the request to it. The user authenticates against the corporate identity provider.
+
+
+
+
+Path
+
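Review bot: the `idp` parameter description should state what Identity Authentication does when the supplied value does not match a corporate identity provider that conditional authentication allows for this application (error response, or fallback to the default identity provider?). Because the value is client-supplied, please make explicit that it only selects among the identity providers already permitted by the application's conditional authentication rules and cannot route the user to an identity provider that those rules do not allow; that is the property an integrator needs to rely on. Also state whether the name must match the administration console entry exactly (case-sensitive) and whether the parameter is ignored when only one identity provider is allowed.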
diff --git a/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-token-exchange-632df37.md b/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-token-exchange-632df37.md
index 3ab65d5..657ea0f 100644
--- a/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-token-exchange-632df37.md
+++ b/docs/Operation-Guide/configure-the-client-to-call-identity-authentication-token-exchange-632df37.md
@@ -291,7 +291,7 @@ Allowed values for `requested_token_type` parameter:
> ### Note:
> The exchange of an OpenID Connect token with SAML 2.0 is possible in two scenarios, depending on the requested token type string:
>
-> - `urn:sap:identity:oauth:token-type:saml2-header` - [SAP Note 2043039 - SAML 2.0 Authentication via HTTP Request Header](https://me.sap.com/notes/SAP Note 2043039 - SAML 2.0 Authentication via HTTP Request Header)
+> - `urn:sap:identity:oauth:token-type:saml2-header` - [2043039](https://me.sap.com/notes/2043039)
> - `urn:ietf:params:oauth:token-type:saml2` - [SAML 2.0 Bearer Assertion Flow for OAuth 2.0 Client](https://help.sap.com/docs/SAP_NETWEAVER_750/e815bb97839a4d83be6c4fca48ee5777/01043cc6765b48cfbc1564a9839a29ee.html)
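Review bot: the corrected link on the `+` line drops the descriptive link text and leaves only the bare number `2043039`, while the next bullet keeps a readable title ("SAML 2.0 Bearer Assertion Flow for OAuth 2.0 Client"). Keep the title and fix only the URL: `[SAP Note 2043039 - SAML 2.0 Authentication via HTTP Request Header](https://me.sap.com/notes/2043039)`.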
@@ -323,6 +323,65 @@ string
Use provided API names. For more information, see [Consume APIs from Other Applications](../Development/consume-apis-from-other-applications-29e204d.md).
+> ### Note:
+> If `resource` parameter is used to consume APIs from other applications, then the returned token is always of type `urn:ietf:params:oauth:token-type:access_token` even if `requested_token_type` is requested for type `id_token`.
+
+
+
+
+
+
+Request body
+
+
+
+
+
+
+`refresh_expiry`
+
+
+
+
+No
+
+
+
+
+string
+
+
+
+
+Reduces the expiry of a refresh token. It is useful if your application is called from mobile and web applications, and both have different session requirements. If you set the token lifetime to 0 or less, you won't receive a `refresh_token` in response.
+
+
+
+
+Request body
+
+
+
+
+
+
+`token_format`
+
+
+
+
+No
+
+
+
+
+string
+
+
+
+
+The `token_format` can be set to `opaque` to retrieve an opaque access token or to `jwt` to retrieve a JWT based access token. If not set, the current defaults per grant type are used.
+
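Review bot: the `refresh_expiry` description gives neither a unit nor a range. "Reduces the expiry of a refresh token" and "If you set the token lifetime to 0 or less" should say whether the value is in seconds, what happens when it exceeds the refresh token lifetime configured for the application (capped to the configured value, or rejected), and whether negative values are really accepted as the wording implies. For `token_format`, "the current defaults per grant type are used" should link to the topic where those defaults are listed; otherwise a reader cannot tell whether an omitted parameter yields an opaque or a JWT token. The added note on `resource` overriding `requested_token_type` is useful and should stay.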
@@ -374,8 +433,7 @@ Path
> client_id=a90ca226sbc34-soc5-dcf6-6k8a6b9f2469&
> client_secret=OWSu0/0sSUeUCG1LAYmSQ10Ut0yrfPz&
> subject_token=Zjk1YTI3YERzNGZlZmTlNzZjNzk4YTY2ZjdlZjYwMacw
-> subject_token_type=urn:ietf:params:oauth:token-type:access_tokenShould you have any questions regarding this template, or need
-> individual support for your API documentation, please contact Anne Tarnoruder or Frederic Moitel, or open an
+> subject_token_type=urn:ietf:params:oauth:token-type:access_token
> ```
>
> *Response*
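Review bot: the fixed `subject_token_type` line is now correct, but the preceding `subject_token=...` context line has no trailing `&`, unlike the `client_id` and `client_secret` lines, so the sample does not concatenate into a valid parameter string; add the `&` there too while this block is being cleaned up.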
@@ -406,7 +464,7 @@ Path
> *Request*
>
> ```
-> Should you have any questions regarding this template, or need
+>
> https://my-tenant.ondemand.com/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
> client_id=a90ca226sbc34-soc5-dcf6-6k8a6b9f2469&
> client_secret=OWSu0/0sSUeUCG1LAYmSQ10Ut0yrfPz&
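Review bot: the request sample places `client_id` and `client_secret` in the URL query string of the token endpoint (`/oauth2/token?grant_type=...&client_secret=...`). Client credentials belong in the POST body or in an HTTP Basic `Authorization` header, never in the request URI, because URIs end up in proxy and server access logs; since the template boilerplate is being removed from this sample anyway, rewrite it as a POST with the parameters in the body. The empty `>` line that replaces the boilerplate also leaves a blank first line inside the code fence and can simply be dropped.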
diff --git a/docs/Operation-Guide/configure-the-default-attributes-sent-to-the-application-a2f1e46.md b/docs/Operation-Guide/configure-the-default-attributes-sent-to-the-application-a2f1e46.md
deleted file mode 100644
index 78422a9..0000000
--- a/docs/Operation-Guide/configure-the-default-attributes-sent-to-the-application-a2f1e46.md
+++ /dev/null
@@ -1,1498 +0,0 @@
-
-
-# Configure the Default Attributes Sent to the Application
-
-In addition to the user attributes, you can also configure attributes with default values for the application.
-
-
-
-
-
-## Context
-
-The attributes are sent from Identity Authentication to the application in the assertion. You can set default attributes `location` and `company` with values *Europe* and *Company A* for example, so that the application displays Europe and Company A on its main page.
-
-The attributes are also put in the `id_token` if the application is OpenID connect. For more information, see [OpenID Connect](openid-connect-a789c9c.md).
-
-For both, the SAML 2.0 and OpenID Connect applications, you can configure attributes with dynamic values to be added into the assertions in the following pattern: ` ${attribute_technical_name>} `
-
-> ### Restriction:
-> \(For OpenID Connect applications\) The following claims can't be set via the default attribute configuration: `iss`, `sub`, `zone_uuid`, `exp`, `nbf`, `iat`, `auth_time`, `nonce`, `acr`, `amr`, `cnf`, `azp`, `at_hash`, `c_hash`, `sub_jwk`, and `ias_iss`.
-
-Expand the **Supported Attributes** table below to see the attributes that can take dynamic values:
-
-**Supported Attributes**
-
-
-
-
-
-
-Attribute Display Name
-
-
-
-
-
-
-Attribute Technical Name
-
-
-
-
-
-
-
-
-Salutation
-
-
-
-
-
-
-title
-
-
-
-
-
-
-
-
-First Name
-
-
-
-
-
-
-firstName
-
-
-
-
-
-
-
-
-Middle Name
-
-
-
-
-
-
-middleName
-
-
-
-
-
-
-
-
-Last Name
-
-
-
-
-
-
-lastName
-
-
-
-
-
-
-
-
-Email
-
-
-
-
-
-
-mail
-
-
-
-
-
-
-
-
-Telephone Number
-
-
-
-
-
-
-telephone
-
-
-
-
-
-
-
-
-Language
-
-
-
-
-
-
-language
-
-
-
-
-
-
-
-
-Logon Name
-
-
-
-
-
-
-loginName
-
-
-
-
-
-
-
-
-Display Name
-
-
-
-
-
-
-displayName
-
-
-
-
-
-
-
-
-User ID
-
-
-
-
-
-
-uid
-
-
-
-
-
-
-
-
-User UUID
-
-
-
-
-
-
-userUuid
-
-
-
-
-
-
-
-
-User Type
-
-
-
-
-
-
-type
-
-
-
-
-
-
-
-
-Street Address
-
-
-
-
-
-
-street
-
-
-
-
-
-
-
-
-Street Address 2
-
-
-
-
-
-
-street2
-
-
-
-
-
-
-
-
-City
-
-
-
-
-
-
-city
-
-
-
-
-
-
-
-
-ZIP/Postal Code
-
-
-
-
-
-
-zip
-
-
-
-
-
-
-
-
-Country
-
-
-
-
-
-
-country
-
-
-
-
-
-
-
-
-State/Province
-
-
-
-
-
-
-state
-
-
-
-
-
-
-
-
-Cost Center
-
-
-
-
-
-
-costCenter
-
-
-
-
-
-
-
-
-Department
-
-
-
-
-
-
-department
-
-
-
-
-
-
-
-
-Division
-
-
-
-
-
-
-division
-
-
-
-
-
-
-
-
-Employee Number
-
-
-
-
-
-
-personnelNumber
-
-
-
-
-
-
-
-
-Company
-
-
-
-
-
-
-company
-
-
-
-
-
-
-
-
-Company Street Address
-
-
-
-
-
-
-companyStreet
-
-
-
-
-
-
-
-
-Company Street Address 2
-
-
-
-
-
-
-companyStreet2
-
-
-
-
-
-
-
-
-Company City
-
-
-
-
-
-
-companyCity
-
-
-
-
-
-
-
-
-Company ZIP/Postal Code
-
-
-
-
-
-
-companyZip
-
-
-
-
-
-
-
-
-Company Country
-
-
-
-
-
-
-companyCountry
-
-
-
-
-
-
-
-
-Company State/Province
-
-
-
-
-
-
-companyRegion
-
-
-
-
-
-
-
-
-Company Industry
-
-
-
-
-
-
-industry
-
-
-
-
-
-
-
-
-Job Function
-
-
-
-
-
-
-jobFunction
-
-
-
-
-
-
-
-
-Groups
-
-
-
-
-
-
-companyGroups
-
-> ### Tip:
-> The attributes `companyGroups` and `corporateGroups` support regular expressions, so that they can be filtered.
-
-
-
-
-
-
-
-
-Corporate Groups
-
-> ### Note:
-> This attribute is applicable for the corporate user store scenarios and contains the groups the user in the corporate user store is assigned to.
-
-
-
-
-
-
-corporateGroups
-
-> ### Tip:
-> The attributes `companyGroups` and `corporateGroups` support regular expressions, so that they can be filtered.
-
-
-
-
-
-
-
-
-Contact by Email
-
-
-
-
-
-
-contactPreferenceEmail
-
-
-
-
-
-
-
-
-Contact by Telephone
-
-
-
-
-
-
-contactPreferenceTelephone
-
-
-
-
-
-
-
-
-Application Activation Time
-
-
-
-
-
-
-activation\_time
-
-
-
-
-
-
-
-
-Custom Attribute 1
-
-
-
-
-
-
-customAttribute1
-
-
-
-
-
-
-
-
-Custom Attribute 2
-
-
-
-
-
-
-customAttribute2
-
-
-
-
-
-
-
-
-Custom Attribute 3
-
-
-
-
-
-
-customAttribute3
-
-
-
-
-
-
-
-
-Custom Attribute 4
-
-
-
-
-
-
-customAttribute4
-
-
-
-
-
-
-
-
-Custom Attribute 5
-
-
-
-
-
-
-customAttribute5
-
-
-
-
-
-
-
-
-Custom Attribute 6
-
-
-
-
-
-
-customAttribute6
-
-
-
-
-
-
-
-
-Custom Attribute 7
-
-
-
-
-
-
-customAttribute7
-
-
-
-
-
-
-
-
-Custom Attribute 8
-
-
-
-
-
-
-customAttribute8
-
-
-
-
-
-
-
-
-Custom Attribute 9
-
-
-
-
-
-
-customAttribute9
-
-
-
-
-
-
-
-
-Custom Attribute 10
-
-
-
-
-
-
-customAttribute10
-
-
-
-
-
-
-
-
-
-### Examples for attributes with dynamic values:
-
-If you set `${uid}` as a value, the response returns the ID of the user to the application:
-
-> ### Example:
-> ```
->
-> SAML 2.0
->
->
-> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-> xsi:type="xs:string"
-> >P123456
->
->
-> OpenID Connect
->
-> "User ID": "P123456"
->
-> ```
-
-If you set `${customAttribute1}` as a value, the response returns the first custom attribute of the user to the application, if there is such. If the user does not have a custom attribute, the response contains an empty attribute:
-
-> ### Example:
-> ```
->
-> SAML 2.0
->
->
-> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-> xsi:type="xs:string"
-> >{customAttribute1}
->
->
-> OpenID Connect
->
-> "Custom Attribute": "{customAttribute1}"
->
->
-> ```
-
-If you set `${companyGroups:regex[Admin]}` as a value, the response returns the groups, that contain "Admin" in the name:
-
-> ### Example:
-> ```
->
-> SAML 2.0
->
->
-> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-> xsi:type="xs:string"
-> >Admins
-> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-> xsi:type="xs:string"
-> >Administrators
->
-> OpenID Connect
->
-> "Groups": [
-> "Admins"
-> "Administrators",
-> ]
->
-> ```
-
-
-
-### Merge Assertion Attributes
-
-For both, the SAML 2.0 and OpenID Connect applications, you can define default attributes with the same name, but with different values, or you can define an assertion attribute and a default attribute with the same name. In the response, the attributes are merged into multivalue attributes. Thus, depending on the configuration, several values may appear for a single value attribute.
-
-The order of the attribute's values in the assertion is arbitrary.
-
-For example, you have defined the `mail` assertion attribute and at the same time the `mail` default attribute with `example@example.com`.
-
-> ### Example:
-> When the user Dona Moore logs on, the response returns `mail` as a multivalue attribute with the two values.
->
-> ```
->
-> SAML 2.0
->
->
-> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-> xsi:type="xs:string"
-> >example@example.com
-> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-> xsi:type="xs:string"
-> >dona.moore@example.com
->
->
-> OpenID Connect
->
-> "mail": [
-> "dona.moore@example.com",
-> "example@example.com"
-> ]
->
-> ```
-
-
-
-### Identity Federation
-
-- *Identity Federation* not configured
-
- When the application uses corporate IdP for authentication, and the *Use Identity Authentication user store* option under *Identity Federation* is disabled, the default attributes configurations in the administration console for SAP Cloud Identity Services are not relevant. For more information about the corporate identity provider scenario, see [Corporate Identity Providers](corporate-identity-providers-19f3eca.md) and [Configure Identity Federation](configure-identity-federation-c029bbb.md).
-
- The configuration of the default attributes for the system applications is disabled.
-
-- *Identity Federation* configured
-
- When the application uses a corporate IdP for authentication, and the *Use Identity Authentication user store* under *Identity Federation* option is enabled, the default attributes in the administration console for SAP Cloud Identity Services can be configured to reference attributes coming from the assertion of the corporate IdP for the user and merge them with the attributes coming from Identity Authentication, and thus be sent to the application.
-
- To configure Identity Authentication to reference attributes coming from the assertion of the corporate IdP, you must use the following format for the attribute:
-
- ` = ${corporateIdP.<:regex[filter]><:function[]>} `
-
- ****
-
-
-
-
-
-
- Parameter
-
-
-
-
-
-
- Required
-
-
-
-
-
-
- Notes
-
-
-
-
-
-
-
-
- `attribute_name`
-
-
-
-
-
-
- Yes
-
-
-
-
-
-
- The name of the attribute as defined in the administration console. Free text.
-
-
-
-
-
-
-
-
- `prefix`
-
-
-
-
-
-
- No
-
-
-
-
-
-
- Free text.
-
-
-
-
-
-
-
-
- `corporateIdP`
-
-
-
-
-
-
- Yes
-
-
-
-
-
-
- Fixed string, indicating that the value is taken from the assertion coming from the corporate IdP.
-
-
-
-
-
-
-
-
- `corporateIdP_attribute_name`
-
-
-
-
-
-
- Yes
-
-
-
-
-
-
- The specific attribute from the corporate IdP, whose value is taken.
-
-
-
-
-
-
-
-
- `:regex[]`
-
-
-
-
-
-
- No
-
-
-
-
-
-
- Filter the attributes from the corporate IdP.
-
-
-
-
-
-
-
-
- `:function[]`
-
-
-
-
-
-
- No
-
-
-
-
-
-
- Methods to convert the attributes. Currently the supported methods are:
-
- - uppercase - the attribute is converted to uppercase letters.
-
- - lowercase - the attribute is converted to lowercase letters.
-
-
-
-
-
-
-
-
-
- `suffix`
-
-
-
-
-
-
- No
-
-
-
-
-
-
- Free text.
-
-
-
-
-
-
-
- > ### Example:
- > For example, you have set up a scenario where Identity Authentication acts as a proxy. The default authenticating identity provider is the corporate IdP, and the *Identity Federation* option is configured for that corporate IdP.
- >
- > The corporate IdP is configured to send the groups with the `group` assertion attribute.
- >
- > You want to send the groups coming from the corporate IdP to the application so you have defined the following default attribute in the administration console for SAP Cloud Identity Services:
- >
- > **Default Attributes Configuration in Administration Console**
- >
- >
- >
- >
- >
- >
- > Attribute
- >
- >
- >
- >
- >
- >
- > Value
- >
- >
- >
- >
- >
- >
- >
- >
- > groups
- >
- >
- >
- >
- >
- >
- > Group $\{corporateIdP.groups\} Member
- >
- >
- >
- >
- >
- >
- >
- > Dona Moore is assigned to the groups *Management* and *Development* in the corporate IdP. When she logs on to the corporate portal of the company, Identity Authentication sends the `groups` coming from the corporate IdP in the following way:
- >
- > ```
- >
- > SAML 2.0
- >
- >
- > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- > xsi:type="xs:string"
- > >Group Development Member
- > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- > xsi:type="xs:string"
- > >Group Management Member
- >
- >
- > OpenID Connect
- >
- > "groups": [
- > "Group Development Member",
- > "Group Management Member"
- > ]
- >
- > ```
-
- The example can be expanded with the filtering option.
-
- > ### Example:
- > Again, you have a scenario where Identity Authentication is a proxy. The default authenticating identity provider is the corporate IdP, and the *Identity Federation* option is configured for that corporate IdP.
- >
- > The corporate IdP is configured to send the groups with the `group` assertion attribute.
- >
- > You don't want to send all the groups coming from the corporate IdP to the application so you have defined the following default attribute in the administration console for SAP Cloud Identity Services:
- >
- > **Default Attributes Configuration in Administration Console**
- >
- >
- >
- >
- > Michael Adams is assigned to the groups *ABC-Management*, *Development* , and *ABC-Everyone* in the corporate IdP. When he logs on to the corporate portal of the company, Identity Authentication sends just those `groups` coming from the corporate IdP, that matches *ABC-*, in the following way:
- >
- > ```
- >
- > SAML 2.0
- >
- >
- > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- > xsi:type="xs:string"
- > >ABC-Everyone xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- > xsi:type="xs:string"
- > >ABC-Management
- >
- > OpenID Connect
- >
- > "groups": [
- > "ABC-Everyone",
- > "ABC-Management"
- > ]
- >
- > ```
-
- > ### Example:
- > Another scenario is where Identity Authentication is again a proxy. The default authenticating identity provider is the corporate IdP, and the *Identity Federation* option is configured for that corporate IdP.
- >
- > The corporate IdP is configured to send the email with the `mail` assertion attribute. The incoming mail attribute from corporate IdP is in mixed case and it is converted to lower case. For example, Michael Adams' email in the corporate IdP is in mixed case Michael.Adams@example.com, and it is converted into lower case michael.adams@example.com.
- >
- > **Default Attributes Configuration in Administration Console**
- >
- >
- >
-
- > ### Remember:
- > When Identity Authentication is configured to reference an attribute from the corporate IdP, but this attribute isn't sent in the corporate IdP assertion, the attribute isn't sent to the application either.
- >
- > If the definition of the attribute includes prefix and/or suffix, only the prefix and/or suffix is sent.
- >
- > However, if the corporate IdP is not configured to send the `phone` attribute, the response includes only the prefix and suffix, defined in the administration console for SAP Cloud Identity Services:
- >
- > > ### Example:
- > > For example, you want to send the `phone` attribute coming from the corporate IdP to the application. You have defined the following default attribute in the administration console for SAP Cloud Identity Services:
- > >
- > > **Default Attributes Configuration in Administration Console**
- > >
- > >
- > >
- > >
- > > ```
- > >
- > > SAML 2.0
- > >
- > >
- > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- > > xsi:type="xs:string"
- > > >+49 Corporate Phone
- > >
- > >
- > > OpenID Connect
- > >
- > > "Phone": "+49 Corporate Phone"
- > > ```
-
-
-
-
-### Send Identity Directory Custom Schema Attributes
-
-You can configure Identity Authentication to send the Identity Directory custom schema attributes as default attributes into authentication tokens to applications.
-
-You can define complex custom schema attributes with single-value child attributes.
-
-> ### Example:
-> For example, you have set up a scenario where Identity Authentication acts as a proxy. The default authenticating identity provider is the corporate IdP, and the *Identity Federation* option is configured for that corporate IdP.
->
-> Michael Adams is a user from the corporate identity provider. He is created on the proxy IdP with the custom schema `urn:sap:cloud:scim:schemas:extension:custom:2.0:Profile` with two single-valued attributes, `birthday` and `hobby`, and the complex attribute `name` with its child attribute `firstName`. He logs on to the company's portal with the corporate identity provider.
->
-> The default attributes for the application are configured in the administration console as follows:
->
-> **Default Attributes Configuration in Administration Console**
->
->
->
->
-> When Michael logs on the application, the values "Michael", "cycling", and "2000-01-02T0:00:00Z" are added to application token during authentication, and received by the application.
->
-> The attributes are added both to SAML 2.0 and OIDC tokens.
-
-To configure default attributes, proceed as follows:
-
-
-
-## Procedure
-
-1. Sign in to the administration console for SAP Cloud Identity Services.
-
-2. Under *Applications and Resources*, choose the *Applications* tile.
-
-3. Choose the application that you want to edit.
-
- > ### Note:
- > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
- >
- > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
-
-4. Choose the *Trust* tab.
-
-5. Under *SINGLE SIGN-ON*, choose *Default Attributes*.
-
-6. Add the default attributes with their values to be sent to the application.
-
- > ### Remember:
- > Always use the *Attribute Technical Name* to configure attributes with dynamic values.
-
-7. Save your configuration.
-
- If the operation is successful, you receive the message ***Default attributes updated***.
-
-
-**Related Information**
-
-
-[Configure the User Attributes Sent to the Application](configure-the-user-attributes-sent-to-the-application-d361407.md "After configuring the user attributes to be collected by the registration and upgrade forms, you have to specify how these attributes are sent to the application.")
-
-[Troubleshooting for Administrators](troubleshooting-for-administrators-f80beb5.md "This section is intended to help administrators deal with error messages in the administration console for SAP Cloud Identity Services.")
-
-[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
-
-[SAML 2.0](saml-2-0-0708833.md "")
-
-[Configure Identity Federation](configure-identity-federation-c029bbb.md "Tenant administrators can configure whether the attributes are taken from the assertion of the corporate identity provider or from the user store of Identity Authentication, and can restrict access based on the user profile.")
-
-[OpenID Connect](openid-connect-a789c9c.md "You can use Identity Authentication for authentication in OpenID Connect protected applications.")
-
-[Identity Directory Service SCIM API](https://api.sap.com/api/IdDS_SCIM/resource)
-
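Review bot: deleting this topic removes two pieces of guidance that must survive in the replacement topic: the Restriction listing the OpenID Connect claims that cannot be set via default attributes (`iss`, `sub`, `zone_uuid`, `exp`, `nbf`, `iat`, `auth_time`, `nonce`, `acr`, `amr`, `cnf`, `azp`, `at_hash`, `c_hash`, `sub_jwk`, `ias_iss`) and the Remember note that an attribute referenced from the corporate IdP but absent from its assertion is not sent, only its prefix and suffix are. Please confirm both appear in the new flexible-expressions topic. Also check for remaining inbound links: this file's own Related Information points at `configure-the-user-attributes-sent-to-the-application-d361407.md`, which is also deleted in this diff, and other topics reference this file by its old name; every such link needs retargeting or a redirect so the documentation does not ship with dead links.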
diff --git a/docs/Operation-Guide/configure-the-user-attributes-sent-to-the-application-d361407.md b/docs/Operation-Guide/configure-the-user-attributes-sent-to-the-application-d361407.md
deleted file mode 100644
index dc783f1..0000000
--- a/docs/Operation-Guide/configure-the-user-attributes-sent-to-the-application-d361407.md
+++ /dev/null
@@ -1,767 +0,0 @@
-
-
-# Configure the User Attributes Sent to the Application
-
-After configuring the user attributes to be collected by the registration and upgrade forms, you have to specify how these attributes are sent to the application.
-
-
-
-## Context
-
-Identity Authentication defines default names for these assertion attributes, but you can change them in accordance with your requirements.
-
-You configure the attributes by defining which assertion attribute corresponds to the user attribute that you set for the registration and upgrade forms. You can also specify multiple assertion attributes for each user attribute. You perform this mapping to help the application use the same user attribute for different scenarios that require several assertion attributes.
-
-> ### Note:
-> The assertion attribute name must match the name that the application is expecting.
-
-The attributes are also put in the `id_token` if the application is OpenID connect. For more information, see [OpenID Connect](openid-connect-a789c9c.md).
-
-By default, Identity Authentication sets the following assertion attribute names:
-
-
-
-
-
-
-User Attribute
-
-
-
-
-
-
-Assertion Attribute Name
-
-
-
-
-
-
-
-
-Salutation
-
-
-
-
-
-
-title
-
-
-
-
-
-
-
-
-First Name
-
-
-
-
-
-
-first\_name
-
-
-
-
-
-
-
-
-Middle Name
-
-
-
-
-
-
-middle\_name
-
-
-
-
-
-
-
-
-Last Name
-
-
-
-
-
-
-last\_name
-
-
-
-
-
-
-
-
-Email
-
-
-
-
-
-
-mail
-
-
-
-
-
-
-
-
-Telephone Number
-
-
-
-
-
-
-telephone
-
-
-
-
-
-
-
-
-Language
-
-
-
-
-
-
-locale/language
-
-> ### Note:
-> `locale` is added at the creation of the application. It takes as value the language of the user.
->
-> You can view the configured user language in the administration console for SAP Cloud Identity Services. For more information, see [Configure the User Attributes Sent to the Application](configure-the-user-attributes-sent-to-the-application-d361407.md).
-
-
-
-
-
-
-
-
-Login Name
-
-
-
-
-
-
-login\_name
-
-
-
-
-
-
-
-
-Display Name
-
-
-
-
-
-
-display\_name
-
-
-
-
-
-
-
-
-User ID
-
-
-
-
-
-
-uid
-
-
-
-
-
-
-
-
-Global User ID
-
-
-
-
-
-
-user\_uuid
-
-
-
-
-
-
-
-
-User Type
-
-> ### Note:
-> For example, consumer, partner, or employee.
-
-
-
-
-
-
-type
-
-
-
-
-
-
-
-
-Street Address
-
-
-
-
-
-
-street
-
-
-
-
-
-
-
-
-Street Address 2
-
-
-
-
-
-
-street2
-
-
-
-
-
-
-
-
-City
-
-
-
-
-
-
-city
-
-
-
-
-
-
-
-
-ZIP/Postal Code
-
-
-
-
-
-
-zip
-
-
-
-
-
-
-
-
-Country
-
-
-
-
-
-
-country
-
-
-
-
-
-
-
-
-State/Province
-
-
-
-
-
-
-state
-
-
-
-
-
-
-
-
-Cost Center
-
-
-
-
-
-
-cost\_center
-
-
-
-
-
-
-
-
-Department
-
-
-
-
-
-
-department
-
-
-
-
-
-
-
-
-Division
-
-
-
-
-
-
-division
-
-
-
-
-
-
-
-
-Employee Number
-
-
-
-
-
-
-employee\_number
-
-
-
-
-
-
-
-
-Company
-
-
-
-
-
-
-company
-
-
-
-
-
-
-
-
-Company Street Address
-
-
-
-
-
-
-company\_street
-
-
-
-
-
-
-
-
-Company Street Address 2
-
-
-
-
-
-
-company\_street\_2
-
-
-
-
-
-
-
-
-Company City
-
-
-
-
-
-
-company\_city
-
-
-
-
-
-
-
-
-Company ZIP/Postal Code
-
-
-
-
-
-
-company\_zip
-
-
-
-
-
-
-
-
-Company Country
-
-
-
-
-
-
-company\_country
-
-
-
-
-
-
-
-
-Company State/Province
-
-
-
-
-
-
-company\_region
-
-
-
-
-
-
-
-
-Company Industry
-
-
-
-
-
-
-industry
-
-
-
-
-
-
-
-
-Company Relationship
-
-
-
-
-
-
-relationship
-
-
-
-
-
-
-
-
-Job Function
-
-
-
-
-
-
-job\_function
-
-
-
-
-
-
-
-
-Groups
-
-
-
-
-
-
-groups
-
-> ### Note:
-> Use `Groups` as assertion attribute name for application on the SAP BTP, Cloud Foundry Environment.
-
-
-
-
-
-
-
-
-Corporate Groups
-
-> ### Note:
-> This attribute is applicable for the corporate user store scenarios and contains the groups the user in the corporate user store is assigned to.
-
-
-
-
-
-
-corporate\_groups
-
-
-
-
-
-
-
-
-Contact by Email
-
-
-
-
-
-
-contact\_preference\_mail
-
-
-
-
-
-
-
-
-Contact by Telephone
-
-
-
-
-
-
-contact\_preference\_telephone
-
-
-
-
-
-
-
-
-Application Custom Attribute 1
-
-
-
-
-
-
-app\_custom\_attribute\_1
-
-
-
-
-
-
-
-
-Application Custom Attribute 2
-
-
-
-
-
-
-app\_custom\_attribute\_2
-
-
-
-
-
-
-
-
-Application Custom Attribute 3
-
-
-
-
-
-
-app\_custom\_attribute\_3
-
-
-
-
-
-
-
-
-Application Custom Attribute 4
-
-
-
-
-
-
-app\_custom\_attribute\_4
-
-
-
-
-
-
-
-
-Application Custom Attribute 5
-
-
-
-
-
-
-app\_custom\_attribute\_5
-
-
-
-
-
-
-
-> ### Remember:
-> The application custom attributes are configured by the application \(service provider\). They cannot be defined for the user.
->
-> Custom attributes must not be used to store sensitive personal data.
-
-> ### Note:
-> The **User Attribute** column lists the attributes that can be shown on the registration and upgrade forms. The **Assertion Attribute Name** lists the attributes that are sent in the assertion.
->
-> The configured custom attributes are also put in the `id_token` if the application is OpenID connect. For more information, see [OpenID Connect](openid-connect-a789c9c.md).
->
-> The configured custom attributes can be seen at the user profile page after choosing *View My Data*.
->
-> The configuration of the user attributes for the system applications is disabled. The default settings for these applications are `First Name`, `Company`, `Last Name`, and `Email`.
-
-> ### Remember:
-> When the application uses a corporate IdP for authentication, and *Identity Federation* is disabled, the user attributes configurations in the administration console for SAP Cloud Identity Services are not relevant. In such scenarios Identity Authentication sends to the application the user attributes that come from the corporate identity provider without changing them. For more information about the corporate identity provider scenario, see [Corporate Identity Providers](corporate-identity-providers-19f3eca.md) and [Configure Identity Federation](configure-identity-federation-c029bbb.md).
-
-To configure the assertion attributes, proceed as follows:
-
-
-
-## Procedure
-
-1. Sign in to the administration console for SAP Cloud Identity Services.
-
-2. Under *Applications and Resources*, choose the *Applications* tile.
-
-3. Choose the application that you want to edit.
-
- > ### Note:
- > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
- >
- > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
-
-4. Choose the *Trust* tab.
-
-5. Under *SINGLE SIGN-ON*, choose *Assertion Attributes*.
-
-6. Add and modify the names of the assertion attributes that you want to customize.
-
-7. Save your configuration.
-
- If the operation is successful, you receive the message ***Assertion attributes updated***.
-
-
-**Related Information**
-
-
-[Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md "In the administration console, you can configure which user attributes Identity Authentication sends to the service provider or client (relying party) to be displayed on application's registration and upgrade forms.")
-
-[Troubleshooting for Administrators](troubleshooting-for-administrators-f80beb5.md "This section is intended to help administrators deal with error messages in the administration console for SAP Cloud Identity Services.")
-
-[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
-
-[SAML 2.0](saml-2-0-0708833.md "")
-
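Review bot: the deletion drops the Remember note "Custom attributes must not be used to store sensitive personal data", the note that the assertion attribute name must match the name the application expects, and the hint to use `Groups` as the assertion attribute name for applications on SAP BTP, Cloud Foundry environment; confirm that the replacement topic keeps all three, since the first is a data-protection requirement and the other two are the most common causes of broken attribute mapping. The Language row's self-referencing link (to this same topic) was already a defect and need not be carried over.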
diff --git a/docs/Operation-Guide/configure-trust-this-browser-option-5b8377e.md b/docs/Operation-Guide/configure-trust-this-browser-option-5b8377e.md
index 8c312e7..b1935c4 100644
--- a/docs/Operation-Guide/configure-trust-this-browser-option-5b8377e.md
+++ b/docs/Operation-Guide/configure-trust-this-browser-option-5b8377e.md
@@ -95,7 +95,7 @@ The *Trust this browser* checkbox appears at sign-in when a second factor is req
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
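Review bot: the new link target `configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md` has a truncated slug ("availa"); confirm the renamed file really exists under that name rather than under the full word "availability". The same replacement is made in configure-trusted-domains, configure-user-identifier-attributes and configure-x-509-client-certificates in this patch, so a wrong slug breaks the Related Information section of four pages at once.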
diff --git a/docs/Operation-Guide/configure-trusted-domains-08fa1fe.md b/docs/Operation-Guide/configure-trusted-domains-08fa1fe.md
index b0b2564..ea9af4a 100644
--- a/docs/Operation-Guide/configure-trusted-domains-08fa1fe.md
+++ b/docs/Operation-Guide/configure-trusted-domains-08fa1fe.md
@@ -108,7 +108,7 @@ You also have to add as trusted the domains for those applications that allow se
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/beta-configure-authorizations-based-on-policies-08fea39.md b/docs/Operation-Guide/configure-user-authorizations-424b64c.md
similarity index 78%
rename from docs/Operation-Guide/beta-configure-authorizations-based-on-policies-08fea39.md
rename to docs/Operation-Guide/configure-user-authorizations-424b64c.md
index 7eb0f22..b089e7c 100644
--- a/docs/Operation-Guide/beta-configure-authorizations-based-on-policies-08fea39.md
+++ b/docs/Operation-Guide/configure-user-authorizations-424b64c.md
@@ -1,22 +1,27 @@
-
+
-# \(Beta\) Configure Authorizations Based on Policies
+# Configure User Authorizations
Configure a granular access control based on policies for the administrators of SAP Cloud Identity Services.
-## Context
+
+
+## Prerequisites
+
+You have enabled the authorizations based on policies option in the admin console for SAP Cloud Identity Services. See [Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md).
+
-> ### Note:
-> This is a beta feature available on Identity Authentication. You can enable it by accessing the admin console *accessing the admin console* \> *Tenant Settings* \> *Policy-Based Authorizations* \> *еnable the option*.
+
+## Context
> ### Restriction:
> This feature is relevant only for the Administration Console application.
Sometimes the administrator authorizations that are predefined in the tenant of SAP Cloud Identity Services aren't enough. The predefined administrator authorizations give unlimited data access. However, you may need to define authorization models with more complex instance restrictions for data access, as is the so-called attribute-based access control \(ABAC\). Administrators define authorization policies with user attributes and assign these policies to other administrators. Thus, one administrator can have access to a subset of the users in the tenant or to a subset of the attributes of the user.
-The option to configure authorization policies for the administration console is available only upon request via [SAP Support Portal Home](https://support.sap.com/en/index.html) under the component `BC-IAM-IDS`. Once it's granted, it may take up to 60 seconds before the administrator can see the *Authorization Policies* tab when accessing the administration console application. Initially, only the base policies are visible: `CREATE_USERS` , `DELETE_USERS`, `MANAGE_USERS`, `READ_USERS`, `UPDATE_USERS`, `CREATE_SCIM_SCHEMAS`, `DELETE_SCIM_SCHEMAS`, `MANAGE_SCIM_SCHEMAS`, `READ_SCIM_SCHEMAS`, `CREATE_GROUPS`, `DELETE_GROUPS`, `MANAGE_GROUPS`, `READ_GROUPS`, and `UPDATE_GROUPS`. You can create new authorization policies on the base of these policies and assign them to administrators.
+Once it's enabled, it may take up to 60 seconds before the administrator can see the *Authorization Policies* tab when accessing the administration console application. Initially, only the base policies are visible: `CREATE_USERS` , `DELETE_USERS`, `MANAGE_USERS`, `READ_USERS`, `UPDATE_USERS`, `CREATE_SCIM_SCHEMAS`, `DELETE_SCIM_SCHEMAS`, `MANAGE_SCIM_SCHEMAS`, `READ_SCIM_SCHEMAS`, `CREATE_GROUPS`, `DELETE_GROUPS`, `MANAGE_GROUPS`, `READ_GROUPS`, and `UPDATE_GROUPS`. You can create new authorization policies on the base of these policies and assign them to administrators.
> ### Note:
> The Read Users authorization overrides the READ\_USERS authorization policy, while the Manage Users authorization overrides all user authorization policies.
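Review bot: two points in this hunk. First, the new Prerequisites line links to `configure-authorizations-based-on-policies-08fea39.md`, but this patch renames the only file carrying the `08fea39` id to `configure-user-authorizations-424b64c.md`; confirm the enabling page exists under the linked name, otherwise the prerequisite is a dead link in the renamed page. Second, the trailing Note ("The Read Users authorization overrides the READ_USERS authorization policy, while the Manage Users authorization overrides all user authorization policies") describes fail-open behaviour and deserves a Caution rather than a Note: a policy only restricts what a predefined authorization does not already grant, so an administrator who assigns a restricted policy but leaves *Read Users* or *Manage Users* in place gets no restriction at all. Suggest stating the consequence explicitly, for example "Remove the *Read Users* and *Manage Users* authorizations from the administrator, otherwise the policy has no effect", which the Example later in this file already relies on.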
@@ -210,12 +215,12 @@ Expand the **Supported Attributes** section below to see the user attributes tha
**Custom Defined Schema**
-All custom schema defined attributes require fully qualified attribute name. For example: `user.attributes=urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema:CustomString`
+All custom schema defined attributes require a fully qualified attribute name. For example: `user.attributes=urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema:CustomString`
Groups of type `Authorization Policy` with names containing the names of the authorization policies are also created in the administration console. You can't delete these groups via the *Groups* section. The groups are related to the authorization policies, and when you delete a policy, the respective group is also removed.
> ### Restriction:
-> You need both read and update access rights to be able to update a field in the administration console. If you can't see a field because of a a policy restriction, this field remains also disabled for editing even if update rights are granted to you.
+> You need both read and update access rights to be able to update a field in the administration console. If you can't see a field because of a policy restriction, this field remains also disabled for editing even if update rights are granted to you.
> ### Example:
> Michael Adams is an administrator at retail company A. He is located at the company's head office in Germany and as chief administrator of the company he has all the authorizations in the administration console for SAP Cloud Identity Services. Dona Moore is also an administrator at company A. She is responsible for the branch office in the USA. As such she needs to have access only to the users in the USA. Michael Adams creates an authorization policy for read-users access and assigns Dona Moore to that policy. He also removes the *Read Users* and *Manage Users* authorizations that Dona has as an administrator. As a result, now, when Dona accesses the *User Management* section of the administration console, she sees only the users that are located in the USA. All the other users are hidden.
@@ -239,7 +244,7 @@ Groups of type `Authorization Policy` with names containing the names of the aut
5. Choose the *Edit* button.
- 1. To customise the rules of the authorization policy, choose the *Rules*.
+ 1. To customize the rules of the authorization policy, choose the *Rules*.
2. To assign administrator or administrators to this policy, choose the *Assignments* tab.
@@ -250,9 +255,5 @@ Groups of type `Authorization Policy` with names containing the names of the aut
**Related Information**
-[List Administrators](list-administrators-c79a5c6.md "As a tenant administrator, you can list the administrators and their authorizations in the administration console for SAP Cloud Identity Services.")
-
-[Add Administrators](add-administrators-bbbdbdd.md#loiobbbdbdd3899942ce874f3aae9ba9e21d "As a tenant administrator, you can add new administrators in the administration console for SAP Cloud Identity Services.")
-
-[Edit Administrator Authorizations](edit-administrator-authorizations-86ee374.md "As a tenant administrator, you can edit both your own authorizations and other administrators' authorizations in the administration console for SAP Cloud Identity Services. By editing the administrator authorizations you can also delete an administrator.")
+[Configure Application Authorizations](configure-application-authorizations-01cff18.md "Configure access to the applications in the administration console of SAP Cloud Identity Services.")
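Review bot: removing the *Edit Administrator Authorizations* link (and the *List Administrators* / *Add Administrators* links) drops the only pointer to the step the page's Example depends on, namely removing the predefined *Read Users* and *Manage Users* authorizations from the administrator so the policy actually applies. Keep at least *Edit Administrator Authorizations* in Related Information alongside the new *Configure Application Authorizations* link.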
diff --git a/docs/Operation-Guide/configure-user-identifier-attributes-8b9fa88.md b/docs/Operation-Guide/configure-user-identifier-attributes-8b9fa88.md
index 5a345de..9a1b93d 100644
--- a/docs/Operation-Guide/configure-user-identifier-attributes-8b9fa88.md
+++ b/docs/Operation-Guide/configure-user-identifier-attributes-8b9fa88.md
@@ -128,12 +128,15 @@ No/Configurable
-The `User ID` and `Login Name` identifiers of a user can't have values that are equal to the `User ID`, `Email`, `Login Name`, and `Phone` identifiers of another user.
+> ### Caution:
+> The `User ID` and `Login Name` identifiers of a user can't have values that are equal to the `User ID`, `Email`, `Login Name`, `Display Name`, and `Phone` identifiers of another user.
+>
+> When `Email`, `Display Name`, or `Phone` identifiers of a user are set as unique they can't have values that are equal to the `User ID`, `Email`, `Login Name`, `Display Name`, and `Phone` identifiers of another user.
> ### Note:
> The `Display Name` user identifier for the tenants created before the system upgrade on May 13, 2020 is configured as required and unique.
>
-> The *Phone* user attribute is configured as non-unique by default. If you configure it as unique, all users that are created or updated after this configuration won't be able to have phone numbers taken by someone else.
+> The `Phone` user attribute is configured as non-unique by default. If you configure it as unique, all users that are created or updated after this configuration won't be able to have phone numbers taken by someone else.
> ### Remember:
> If `Email` is marked as not-required on tenant level, it becomes configurable on application level, and must also be changed there, too. For more information, see [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md).
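Review bot: the new Caution states the cross-identifier uniqueness rule unconditionally for `Display Name` and `Phone`, but the Note directly below says `Display Name` is required and unique only for tenants created before May 13, 2020, and that `Phone` is non-unique by default and, once made unique, is enforced only for users created or updated afterwards. Spell out whether the `User ID` / `Login Name` collision check against another user's `Display Name` and `Phone` applies regardless of those uniqueness settings, and whether pre-existing duplicate phone values are grandfathered; a grandfathered phone value equal to another user's `Login Name` is exactly the logon ambiguity this Caution is meant to rule out. Also consider a sentence on what happens on collision (rejected at save time, or import error) so administrators know where to look when bulk user imports fail.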
@@ -320,7 +323,7 @@ Choose the allowed logon identifiers for the users. For more information, see [C
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configure-x-509-client-certificates-for-user-authentication-52c7dcb.md b/docs/Operation-Guide/configure-x-509-client-certificates-for-user-authentication-52c7dcb.md
index adab778..9d5d37a 100644
--- a/docs/Operation-Guide/configure-x-509-client-certificates-for-user-authentication-52c7dcb.md
+++ b/docs/Operation-Guide/configure-x-509-client-certificates-for-user-authentication-52c7dcb.md
@@ -108,7 +108,7 @@ To configure a trusted X.509 certificate, proceed as follows:
9. Save your configuration.
-10. To add the certificate to your tenant, report an incident on [SAP Support Portal Home](https://support.sap.com/en/index.html) with a component `BC-IAM-IDS`. The SAP Root CA certificates are trusted by default.
+10. To add the certificate to your tenant, report an incident on [SAP Support Portal Home](https://support.sap.com/en/index.html) with a component `BC-IAM-IDS`. The SAP Cloud Root CA certificates are trusted by default.
1. Attach to the incident the root and intermediate certificates.
@@ -116,7 +116,7 @@ To configure a trusted X.509 certificate, proceed as follows:
> ### Remember:
- > The SAP Root CA, SAP Passport CA G2, DigiCert Global Root CA, and DigiCert TLS RSA SHA256 2020 CA1 certificates are trusted by default.
+ > The SAP Cloud Root CA, DigiCert Global Root CA, DigiCert Global Root G2, DigiCert TLS RSA SHA256 2020 CA1, and Baltimore CyberTrust Root certificates are trusted by default.
**Related Information**
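Review bot: this is a change of trust anchors, not a wording fix, and the hunk should say so. SAP Passport CA G2 is dropped from the trusted-by-default list while DigiCert Global Root G2 and Baltimore CyberTrust Root are added; users whose client certificates chain to SAP Passport CA G2 will stop authenticating unless that CA is added per step 10 (incident on `BC-IAM-IDS`), so state whether existing tenants are migrated or must file an incident. Baltimore CyberTrust Root expires on 12 May 2025, so documenting it as a default trust anchor has a short shelf life; a pointer to an authoritative, dated list would age better than an inline enumeration. Since public DigiCert roots are trusted by default, any certificate issued under them validates as a chain; it is worth one sentence here reminding the reader that chain trust only establishes the issuer and that the certificate still has to map to a user before it authenticates anyone.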
@@ -172,7 +172,7 @@ To configure a trusted X.509 certificate, proceed as follows:
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/configuring-applications-61ad3b0.md b/docs/Operation-Guide/configuring-applications-61ad3b0.md
index 01bf5e3..934ac57 100644
--- a/docs/Operation-Guide/configuring-applications-61ad3b0.md
+++ b/docs/Operation-Guide/configuring-applications-61ad3b0.md
@@ -69,8 +69,8 @@ How to configure trust
- [Configure Trust](configure-trust-f96e4c5.md)
- [Configure the Subject Name Identifier Sent to the Application](configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
@@ -142,7 +142,7 @@ On a tenant level
Specific for the application
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Define an Email Template Set for an Application](define-an-email-template-set-for-an-application-bb2c79b.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
diff --git a/docs/Operation-Guide/attributes-with-default-values-a2f1e46.md b/docs/Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md
similarity index 89%
rename from docs/Operation-Guide/attributes-with-default-values-a2f1e46.md
rename to docs/Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md
index d222cac..5cd81f5 100644
--- a/docs/Operation-Guide/attributes-with-default-values-a2f1e46.md
+++ b/docs/Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md
@@ -1,8 +1,8 @@
-# Attributes with Default Values
+# Configuring Attributes Based on Flexible Expressions
-In addition to the user attributes, you can also configure attributes with default values for the application.
+You can configure attributes based on flexible expressions for the application.
@@ -10,14 +10,14 @@ In addition to the user attributes, you can also configure attributes with defau
## Context
-The attributes are sent from Identity Authentication to the application in the assertion. You can set default attributes `location` and `company` with values *Europe* and *Company A* for example, so that the application displays Europe and Company A on its main page.
+The attributes are sent from Identity Authentication to the application in the assertion. You can set attributes like `location` and `company` with values *Europe* and *Company A* for example, so that the application displays Europe and Company A on its main page.
The attributes are also put in the `id_token` if the application is OpenID connect. For more information, see [OpenID Connect](openid-connect-a789c9c.md).
For both, the SAML 2.0 and OpenID Connect applications, you can configure attributes with dynamic values to be added into the assertions in the following pattern: ` ${attribute_technical_name>} `
> ### Restriction:
-> \(For OpenID Connect applications\) The following claims can't be set via the configuration of attributes with default: `iss`, `sub`, `zone_uuid`, `exp`, `nbf`, `iat`, `auth_time`, `nonce`, `acr`, `amr`, `cnf`, `azp`, `at_hash`, `c_hash`, `sub_jwk`, and `ias_iss`.
+> \(For OpenID Connect applications\) The following claims can't be set via the configuration of attributes with default values: `iss`, `sub`, `zone_uuid`, `exp`, `nbf`, `iat`, `auth_time`, `nonce`, `acr`, `amr`, `cnf`, `azp`, `at_hash`, `c_hash`, `sub_jwk`, and `ias_iss`.
Expand the **Supported Attributes** table below to see the attributes that can take dynamic values:
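Review bot: the placeholder pattern in the unchanged context line, `${attribute_technical_name>}`, has a stray `>` and should read `${attribute_technical_name}`; an administrator copying it verbatim gets a literal string instead of a substituted value. Terminology in the same hunk is inconsistent with the rename: the Context line drops "default", but the Restriction still says "attributes with default values" on a page now titled "Configuring Attributes Based on Flexible Expressions", and "OpenID connect" should be "OpenID Connect". For the protected-claims Restriction (`iss`, `sub`, `nonce`, `at_hash`, `c_hash`, `cnf`, `ias_iss`, ...), say what happens if one of them is configured anyway: rejected at save time, or silently dropped from the token. That distinction matters because these claims carry the token's issuer, subject, nonce and binding semantics, and an administrator should not have to discover by testing which behaviour applies.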
@@ -888,7 +888,7 @@ For example, you have defined the `mail` user attribute and at the same time the
>
> You want to send the groups coming from the corporate IdP to the application so you have defined the following attribute in the administration console for SAP Cloud Identity Services:
>
- > **Default Attributes Configuration in Administration Console**
+ > **Configuration of Attributes with Default Values in Administration Console**
>
>
>
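Review bot: the bold table caption in this hunk and in the two example hunks that follow is changed to "Configuration of Attributes with Default Values in Administration Console", while the page title is now "Configuring Attributes Based on Flexible Expressions" and the Context hunk removes "default". Pick one term for the page; if "default values" is being retired, the captions should say "Configuration of Attributes in Administration Console" or similar.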
@@ -951,7 +951,7 @@ For example, you have defined the `mail` user attribute and at the same time the
>
> The corporate IdP is configured to send the groups with the `group` user attribute.
>
- > You don't want to send all the groups coming from the corporate IdP to the application so you have defined the following default attribute in the administration console for SAP Cloud Identity Services:
+ > You don't want to send all the groups coming from the corporate IdP to the application so you have defined the following attribute in the administration console for SAP Cloud Identity Services:
>
> **Configuration of Attributes with Default Values in Administration Console**
>
@@ -1050,7 +1050,7 @@ For example, you have defined the `mail` user attribute and at the same time the
> However, if the corporate IdP is not configured to send the `phone` attribute, the response includes only the prefix and suffix, defined in the administration console for SAP Cloud Identity Services:
>
> > ### Example:
- > > For example, you want to send the `phone` attribute coming from the corporate IdP to the application. You have defined the following default attribute in the administration console for SAP Cloud Identity Services:
+ > > For example, you want to send the `phone` attribute coming from the corporate IdP to the application. You have defined the following attribute in the administration console for SAP Cloud Identity Services:
> >
> > **Configuration of Attributes with Default Values in Administration Console**
> >
@@ -1103,7 +1103,7 @@ For example, you have defined the `mail` user attribute and at the same time the
### Send Identity Directory Custom Schema Attributes
-You can configure Identity Authentication to send the Identity Directory custom schema attributes as default attributes into authentication tokens to applications.
+You can configure Identity Authentication to send the Identity Directory custom schema attributes as attributes into authentication tokens to applications.
You can define complex custom schema attributes with single-value child attributes.
@@ -1172,5 +1172,41 @@ You can define complex custom schema attributes with single-value child attribut
>
> The attributes are added both to SAML 2.0 and OIDC tokens.
-To configure attributes with default values, follow the procedure in [Configuring User Attributes](configuring-user-attributes-ed2797d.md)
+
+
+
+
+## Procedure
+
+1. Sign in to the administration console for SAP Cloud Identity Services.
+
+2. Under *Applications and Resources*, choose the *Applications* tile.
+
+3. Choose the application that you want to edit.
+
+ > ### Note:
+ > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
+ >
+ > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
+
+4. Choose the *Trust* tab.
+
+5. Under *SINGLE SIGN-ON*, choose *Attributes*.
+
+6. Depending on the type of your application go to:
+
+ - *Application Attributes* - for subscribed multitenant applications.
+ 1. Choose the plus button next to an attribute to set multiple values for the attribute.
+ 2. Choose *Corporate Identity Provider* source.
+ 3. Provide the new value.
+
+ - *Self-defined Attributes* - self-created applications or automatically created single-tenant applications.
+ 1. Choose *Add button to add new attribute for the application* \> *provide the name* \> *Expression* \> *provide the value*.
+
+ 2. Choose *plus button next to an attribute to set multiple values for the attribute* \> *Expression* \> *provide the new value*.
+
+
+
+7. Save your configuration.
+
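Review bot: step 6 is inconsistent with the page's subject. For *Application Attributes* (subscribed multitenant applications) it tells the reader to choose the *Corporate Identity Provider* source, while the page and the *Self-defined Attributes* branch are about the *Expression* source; either say that the expression source is not available for subscribed applications, or change the step to *Expression*. The italic strings "*Add button to add new attribute for the application*" and "*plus button next to an attribute to set multiple values for the attribute*" are instructions, not UI labels, and should be written as plain steps. The removed cross-reference pointed at `configuring-user-attributes-ed2797d.md`, which this patch deletes; that page's Name / Source / Value table, which defines the *Identity Directory*, *Corporate Identity Provider* and *Expression* sources side by side, should be carried into this page's Context, because the new procedure uses those source names without defining them. Finally, the old procedure ended with the success message ("Assertion attributes updated"); add the equivalent here so the reader can confirm the save took effect.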
diff --git a/docs/Operation-Guide/configuring-authorization-policies-982ac5f.md b/docs/Operation-Guide/configuring-authorization-policies-982ac5f.md
index b9de1a4..076a694 100644
--- a/docs/Operation-Guide/configuring-authorization-policies-982ac5f.md
+++ b/docs/Operation-Guide/configuring-authorization-policies-982ac5f.md
@@ -37,7 +37,7 @@ For more information, see [Subscribe to Multitenant Applications Using the Cockp
## Authorization Management
-Authorization management in Identity Authentication allows applications to define authorization models with complex instance restrictions for data access. Developers define and deploy authorization policies with functional checks, instance-based authorizations, and user attributes. They're available in the Identity Authentication administration console. If necessary, developers can update existing authorization policies.
+Authorization management allows SAP Cloud Identity Services - Identity Authentication administrators to refine authorization policies based on application policy templates with complex instance restrictions for data access. Developers define and deploy authorization policies with functional checks, instance-based authorizations, and user attributes. They're available in the Identity Authentication administration console. If necessary, developers can update existing authorization policies.
For more information, see [Developing Authorizations](../Development/developing-authorizations-22928a2.md).
@@ -157,7 +157,7 @@ Administration console
-We distinguish between different types of authorization policies. You recognize the diffent types in the *Package* column.
+We distinguish between different types of authorization policies. You recognize the different types in the *Package* column.
- The package name of the base policies is defined by the application.
@@ -217,6 +217,8 @@ Authorization policy created by administrators. You can change and delete this a
Authorization policy administrators can configure the following in custom authorization policies:
-- Combine authorization policies \(either base or custom authorization policies\). See [Combine Authorization Policies](combine-authorization-policies-1a69414.md).
+- Combine authorization policies. See [Combine Authorization Policies](combine-authorization-policies-1a69414.md).
+
- Add or delete rules and restrictions and their attribute values. See [Edit an Authorization Policy](edit-an-authorization-policy-c76aca6.md).
+
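Review bot: the parenthetical "(either base or custom authorization policies)" was dropped from the Combine bullet without replacement. If combining custom policies with other custom policies is still supported, keep the parenthetical; if it is no longer supported, state the restriction here instead of leaving it to the linked page.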
diff --git a/docs/Operation-Guide/configuring-email-templates-b2afbcd.md b/docs/Operation-Guide/configuring-email-templates-b2afbcd.md
index 3a6e44e..ef9889a 100644
--- a/docs/Operation-Guide/configuring-email-templates-b2afbcd.md
+++ b/docs/Operation-Guide/configuring-email-templates-b2afbcd.md
@@ -74,7 +74,13 @@ Forgot Password
-This email template is used when a user wants to change his or her password by going through the Forgot Password page. In this case, the user receives an email with instructions about how to change his or her password. The name of the email template used for this process is *Forgot Password*.
+This email template is used when:
+
+- a user wants to change his or her password by going through the Forgot Password page. In this case, the user receives an email with instructions about how to change his or her password. The name of the email template used for this process is *Forgot Password*.
+
+- an administrator sends a reset password email via the administration console. For more information, see [Send Reset Password Email](send-reset-password-email-da55abf.md).
+
+
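Review bot: the second bullet makes the *Forgot Password* template serve two different triggers, a self-service request and an administrator-initiated reset. Template text written for the first ("you requested a password change") is misleading for the second, and users trained to treat unexpected reset mail as phishing will ignore it. Add a sentence advising that the template wording must fit both triggers, or document which placeholders distinguish them. The two blank `+` lines at the end of the hunk also look like stray whitespace.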
@@ -98,7 +104,7 @@ Reset Password
-This email template is used when a user has to reset his or her password. In this case, the user receives an email with instructions about how to reset his or her password.
+This email template is used when: a user has to reset his or her password. In this case, the user receives an email with instructions about how to reset his or her password.
The name of the email template used for this process is *Reset Password*.
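Review bot: "This email template is used when: a user has to reset his or her password" introduces a colon before a single clause, a leftover from the list format applied in the previous hunk; drop the colon or make it a list. More importantly, now that the previous hunk says the administrator's reset email uses the *Forgot Password* template, the reader cannot tell when the *Reset Password* template fires at all; name the triggering event (for example, which console action or policy produces it).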
@@ -126,7 +132,7 @@ Email OTP Code
-This email-template is used when a user has requested to receive an 8-digit code via email. The user needs the code for two-factor authentecation.
+This email-template is used when a user has requested to receive an 8-digit code via email. The user needs the code for two-factor authentication.
@@ -151,6 +157,9 @@ This email-template is used when the user's password is set, changed, or reset,
To activate a user registration or to reset a password, users choose links sent to them in the emails. For these cases, you can use placeholders. For more information about which placeholders can be used, see [Edit or Add an Email Template Set](edit-or-add-an-email-template-set-3c4f397.md).
+> ### Restriction:
+> If you select a corporate identity provider, the option to configure email templates is not possible. In this case you can access only some of the custom configurations for the applications. The configurations under the *Authentication and Access* and *Branding and Layout* tabs are partially visible. For more information, see [Choose Default Identity Provider for an Application](choose-default-identity-provider-for-an-application-e9d8274.md).
+
You can also define which languages each email template uses, and you can set custom versions for each language. You can set the following languages:
Arabic, Azerbaijani, Bulgarian, Catalan, Chinese \(PRC\), Chinese \(Taiwan\), Croatian, Czech, Danish, Dutch, English \(United Kingdom\), English \(United States\), Estonian, Finnish, French \(Standard\), French \(Canada\), German \(Standard\), Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Malay, Norwegian, Polish, Portuguese \(Portugal\), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish \(Spain\), Spanish \(Mexico\), Swedish, Thai, Turkish, Ukrainian, Vietnamese, Welsh.
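Review bot: "the option to configure email templates is not possible" should read "is not available"; also say which identity provider sends the emails in that case, since an administrator reading this Restriction needs to know that a corporate IdP as default provider means Identity Authentication's templates are not what the user receives.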
@@ -159,38 +168,20 @@ Arabic, Azerbaijani, Bulgarian, Catalan, Chinese \(PRC\), Chinese \(Taiwan\), Cr
The language for the email template sets is set according to the following order of priorities:
-1. If the locale is set, the emails use the language set there, if there is a template in that language. If there is no template in that language, the emails use the English language template.
-
-
-
- Setting the locale, sets an Identity Authentication cookie. This cookie is used for all the applications in this session that are configured to use Identity Authentication as identity provider.
-
- > ### Note:
- > The locale can be set in either of the following ways:
- >
- > - The locale is communicated to Identity Authentication by adding a locale parameter to *SAP\_IDS.js*.
- >
- > > ### Source Code:
- >
- > ``
- >
- > - The locale is communicated to Identity Authentication by a direct `GET` request.
- >
- > > ### Source Code:
- >
- > `https://.accounts.ondemand.com/ui/public/setLocale?locale=DE`
+**User request flow** - when the user requests a process, for example Forgot Password, the emails use the language that the user's browser is set to.
-2. If the locale is not set, the emails use the language that the user's browser is set to.
+- If the language isn't in the list of supported languages, the emails use *English*.
- - If the language is not in the list of supported languages, the emails use *English* instead.
+- If the language is in the list of supported languages, but there isn't a template for that language, the emails use English.
- - If the language is in the list of supported languages, the emails use this language.
+- If the language is in the list of supported languages, and there is a template for that language, the emails use this language.
+**System request flow** - for example when the administrator chooses the Reset Password option in the administration console, the emails use the language set in the profile of the user. If there isn't a template for that language, the emails use *English* instead.
-If you want to use a custom email template you should create one if it does not exist. Add or edit the email template set, if necessary, and then define that email template set for the application. To add or edit the email template, first you must open the uploaded email templates, and then save a copy. Optionally you can delete an email template set or a language version for a specific application process.
+If you want to use a custom email template you should create one if it doesn't exist. Add or edit the email template set, if necessary, and then define that email template set for the application. To add or edit the email template, first you must open the uploaded email templates, and then save a copy. Optionally you can delete an email template set or a language version for a specific application process.
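Review bot: the rewrite removes the documented `setLocale` endpoint (`https://<tenant>.accounts.ondemand.com/ui/public/setLocale?locale=DE`), the `SAP_IDS.js` locale parameter and the locale cookie. If that mechanism still exists and still takes precedence over the browser language, it must stay documented; if it was removed, say so in a release note, because integrations that call it today will silently stop influencing the email language. Formatting: "User request flow" and "System request flow" are the two items of the priority list but are rendered as paragraphs with unindented bullets. One caveat worth adding: in the user request flow the language follows the requester's browser, not the account holder's, and anyone can submit the Forgot Password form for a given address, so the account owner may receive the email in a language chosen by the requester; the system flow's use of the profile language is the better behaviour and the text could say why.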
diff --git a/docs/Operation-Guide/configuring-user-attributes-ed2797d.md b/docs/Operation-Guide/configuring-user-attributes-ed2797d.md
deleted file mode 100644
index ac3515e..0000000
--- a/docs/Operation-Guide/configuring-user-attributes-ed2797d.md
+++ /dev/null
@@ -1,213 +0,0 @@
-
-
-# Configuring User Attributes
-
-Tenant administrator can specify how, after configuring the user attributes that are collected by the registration and upgrade forms, these attributes are sent to the application. They can also configure attributes with default values for the application, including the values of attributes defined by the multitenant application.
-
-
-
-
-
-## Context
-
-**Attributes**
-
-
-
-
-
-
-Name
-
-
-
-
-Source
-
-
-
-
-Value
-
-
-
-
-More Information
-
-
-
-
-
-
-The names of the user attributes that are sent in the assertion/added in the token.
-
-
-
-
-*Identity Directory* - specify how the user attributes, configured to be collected by the registration and upgrade forms attributes, are sent to the application.
-
-
-
-
-The attribute display name. Choose a value from the drop-down.
-
-> ### Note:
-> The drop-down lists the attributes that can be shown on the registration and upgrade forms.
-
-
-
-
-
-
-[User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-
-
-
-
-
-
-*Corporate Identity Provider* - configure Identity Authentication to reference attributes coming from the assertion of the corporate identity provider.
-
-
-
-
-The specific attribute from the corporate IdP, whose value is taken.
-
-add and modify the names of the attributes that you want to customize
-
-
-
-
-[Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
-
-
-
-
-
-
-*Expression* - configure attributes with dynamic values to be added into the assertions.
-
-
-
-
-The static or dynamic value of the attribute.
-
-Configure attributes with dynamic values to be added into the assertions in the following pattern: ` ${attribute_technical_name>} `
-
-> ### Note:
-> Always use the *Attribute Technical Name* to configure attributes with dynamic values.
-
-
-
-
-
-
-[Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
-
-
-
-
-
-Based on the type of your application, choose one of the following:
-
-- Choose the Configure Self-Defined Attributes section for applications that are not subscribed, and for subscribed applications for which the provider application has not defined an attribute yet.
-
-- Choose the Configure Application Attributes section for applications that are subscribed, and the provider application has already defined an attribute.
-
-
-For more information, see [Application Types](../application-types-8f61880.md).
-
-
-
-
-
-## Configure Self-Defined Attributes
-
-
-
-
-
-## Procedure
-
-1. Sign in to the administration console for SAP Cloud Identity Services.
-
-2. Under *Applications and Resources*, choose the *Applications* tile.
-
-3. Choose the application that you want to edit.
-
- > ### Note:
- > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
- >
- > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
-
-4. Choose the *Trust* tab.
-
-5. Under *SINGLE SIGN-ON*, choose *Attributes*.
-
-6. Under the *Self-defined Attributes* section, choose *Expand All* to view all the information about the user attributes.
-
-7. Choose the *Add* button:
-
- - Choose *Identity Directory* source to add and modify the names of the attributes that you want to customize.
- - Choose *Corporate Identity Provider* or *Expression* to add the default attributes with their values to be sent to the application.
- - Choose the plus button next to the attribute to set the new value for the attribute.
-
-8. Save your configuration.
-
-
-
-
-
-
-## Configure Application Attributes \(for Subscribed Applications\)
-
-
-
-
-
-## Context
-
-You can configure the value of existing application-defined attributes, like email, first name, last name, for example to values coming from the corporate identity provider \(IdP\), and add new attributes.
-
-
-
-
-
-## Procedure
-
-1. Sign in to the administration console for SAP Cloud Identity Services.
-
-2. Under *Applications and Resources*, choose the *Applications* tile.
-
-3. Choose the application that you want to edit.
-
- > ### Note:
- > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
- >
- > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
-
-4. Choose the *Trust* tab.
-
-5. Under *SINGLE SIGN-ON*, choose *Attributes*.
-
-6. Under the *Application Attributes* section:
-
- 1. Choose *Expand All* to view all the information about the user attributes that are inherited.
-
- 2. Choose the plus button next to the attribute to set the new value for the attribute defined by the multitenant application.
-
-
-7. Under the *Self-defined Attributes* section:
-
- 1. Choose *Expand All* to view all the information about the user attributes.
-
- 2. Choose the *Add* button to add attributes with default values for the application created from the multitenant application.
-
-
- - Choose *Identity Directory* source to add and modify the names of the attributes that you want to customize.
- - Choose *Corporate Identity Provider* or *Expression* to add the default attributes with their values to be sent to the application.
- - Choose the plus button next to the attribute to set the new value for the attribute.
-
-8. Save your configuration.
-
-
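Review bot: deleting this page removes the only description of the *Expression* source, including the value pattern `${attribute_technical_name>}` (which has a stray `>` inside the braces) and the note "Always use the *Attribute Technical Name* to configure attributes with dynamic values"; the two pages added in this diff cover only the *Identity Directory* and *Corporate Identity Provider* sources, so confirm that the expressions page referenced elsewhere in the diff (configuring-attributes-based-on-flexible-expressions-a2f1e46.md) carries the corrected pattern and that note. Also check for remaining inbound links to configuring-user-attributes-ed2797d.md beyond the one updated in d361407.md.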
diff --git a/docs/Operation-Guide/configuring-user-attributes-from-a-corporate-identity-provider-621017f.md b/docs/Operation-Guide/configuring-user-attributes-from-a-corporate-identity-provider-621017f.md
new file mode 100644
index 0000000..4bc72e4
--- /dev/null
+++ b/docs/Operation-Guide/configuring-user-attributes-from-a-corporate-identity-provider-621017f.md
@@ -0,0 +1,61 @@
+
+
+
+
+# Configuring User Attributes from a Corporate Identity Provider
+
+You can configure the value of existing application-defined attributes, like email, first name, last name, for example to values coming from the corporate identity provider \(IdP\), and add new attributes.
+
+
+
+
+
+## Context
+
+Configure the user attributes as they come from the corporate identity provider \(IdP\).
+
+
+
+
+
+## Procedure
+
+1. Sign in to the administration console for SAP Cloud Identity Services.
+
+2. Under *Applications and Resources*, choose the *Applications* tile.
+
+3. Choose the application that you want to edit.
+
+ > ### Note:
+ > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
+ >
+ > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
+
+4. Choose the *Trust* tab.
+
+5. Under *SINGLE SIGN-ON*, choose *Attributes*.
+
+6. Depending on the type of your application go to:
+
+ - *Application Attributes* - for subscribed multitenant applications.
+
+ 1. Choose the plus button next to an attribute to set multiple values for the attribute.
+ 2. Choose *Corporate Identity Provider* source.
+ 3. Provide the new value.
+
+ > ### Tip:
+ > You can enable or disable the attribute mappings inherited from the subscribed multitenant applications:
+ >
+ > - To disable the attribute mappings, choose the disable button on the right of the inherited attribute.
+ >
+ > - To enable the attribute, choose :heavy_check_mark: button on the right of the inherited attribute.
+
+ - *Self-defined Attributes* - for self-created applications or automatically created single-tenant applications.
+ 1. Choose *Add button to add new attribute for the application* \> *provide the name* \> *Corporate Identity Provider* \> *provide the value*.
+
+ 2. Choose *plus button next to an attribute to set multiple values for the attribute* \> *Corporate Identity Provider* \> *provide the new value* \> **.
+
+
+7. Save your configuration.
+
+
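Review bot: step 2 under *Self-defined Attributes* ends with an empty bold marker in "+ 2. Choose *plus button next to an attribute to set multiple values for the attribute* \> *Corporate Identity Provider* \> *provide the new value* \> **." so the final UI element is missing, and in both items the italics wrap the instruction text instead of the UI labels (`*Add*`, `*Corporate Identity Provider*`). The intro "+You can configure the value of existing application-defined attributes, like email, first name, last name ..." is the Context copied from the deleted subscribed-application section, while this procedure also covers self-defined attributes; reword it to cover both. In the Tip, name the disable control the same way the enable button is named.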
diff --git a/docs/Operation-Guide/user-attributes-sent-to-the-application-d361407.md b/docs/Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md
similarity index 79%
rename from docs/Operation-Guide/user-attributes-sent-to-the-application-d361407.md
rename to docs/Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md
index 0f59da9..126c91f 100644
--- a/docs/Operation-Guide/user-attributes-sent-to-the-application-d361407.md
+++ b/docs/Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md
@@ -1,14 +1,14 @@
-# User Attributes Sent to the Application
+# Configuring User Attributes from the Identity Directory
-After configuring the user attributes to be collected by the registration and upgrade forms, you have to specify how these attributes are sent to the application.
+Specify how the local user attributes, configured to be collected by the registration and upgrade forms, are sent to the application.
## Context
-Identity Authentication defines default names for these user attributes, but you can change them in accordance with your requirements.
+Identity Authentication defines default names for the user attributes, but you can change them in accordance with your requirements.
You configure the attributes by defining which user attribute corresponds to the user attribute that you set for the registration and upgrade forms. You can also specify multiple user attributes for each user attribute. You perform this mapping to help the application use the same user attribute for different scenarios that require several user attributes.
@@ -118,7 +118,7 @@ locale/language
> ### Note:
> `locale` is added at the creation of the application. It takes as value the language of the user.
>
-> You can view the configured user language in the administration console for SAP Cloud Identity Services. For more information, see [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md).
+> You can view the configured user language in the administration console for SAP Cloud Identity Services. For more information, see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md).
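Review bot: the rewritten cross-reference "+> You can view the configured user language ... see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)" points at the file that contains it (d361407), so the note links to itself; point it at the page that actually shows a user's language (the user details page) or drop the sentence.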
@@ -555,18 +555,53 @@ app\_custom\_attribute\_5
> Custom attributes must not be used to store sensitive personal data.
> ### Note:
-> The **User Attribute** column lists the attributes that can be shown on the registration and upgrade forms. The **User Attribute Name** lists the attributes that are sent in the assertion.
+> The **Value** column lists the attributes that can be shown on the registration and upgrade forms. The **Name** lists the attributes that are sent in the assertion.
>
> The configured custom attributes are also put in the `id_token` if the application is OpenID connect. For more information, see [OpenID Connect](openid-connect-a789c9c.md).
>
> The configured custom attributes can be seen at the user profile page after choosing *View My Data*.
>
-> The configuration of the user attributes for the system applications is disabled. The default settings for these applications are `First Name`, `Company`, `Last Name`, and `Email`.
+> The configuration of the user attributes for the system applications is disabled. The default values for these applications are `First Name`, `Company`, `Last Name`, and `Email`.
> ### Remember:
> When the application uses a corporate IdP for authentication, and *Identity Federation* is disabled, the user attributes configurations in the administration console for SAP Cloud Identity Services aren't relevant. In such scenarios Identity Authentication sends to the application the user attributes that come from the corporate identity provider without changing them. For more information about the corporate identity provider scenario, see [Corporate Identity Providers](corporate-identity-providers-19f3eca.md) and [Configure Identity Federation](configure-identity-federation-c029bbb.md).
-To configure the user attributes, follow the procedure in [Configuring User Attributes](configuring-user-attributes-ed2797d.md):
+
+
+
+
+## Procedure
+
+1. Sign in to the administration console for SAP Cloud Identity Services.
+
+2. Under *Applications and Resources*, choose the *Applications* tile.
+
+3. Choose the application that you want to edit.
+
+ > ### Note:
+ > Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.
+ >
+ > If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
+
+4. Choose the *Trust* tab.
+
+5. Under *SINGLE SIGN-ON*, choose *Attributes*.
+
+6. Under the *Self-defined Attributes* section, choose *Expand All* to view all the information about the user attributes.
+
+7. **Optional:** Choose the *Add* button:
+
+ 1. Provide a name for the attribute.
+
+ 2. Choose *Identity Directory* source.
+
+ 3. Choose a value from the drop-down list.
+
+
+8. **Optional:** Choose the plus button next to the attribute to set a new value for the attribute.
+
+9. Save your configuration.
+
**Related Information**
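Review bot: step 8 "+8. **Optional:** Choose the plus button next to the attribute to set a new value for the attribute." reads as replacing the value, whereas the corporate identity provider page added in this diff describes the same control as "to set multiple values for the attribute"; use one wording in both pages so it is clear the plus button adds an additional value. Since the removed line "-To configure the user attributes, follow the procedure in [Configuring User Attributes]..." was the only text tying the *Remember* note (attribute configuration is ignored and corporate IdP attributes are passed through unchanged when *Identity Federation* is disabled) to the procedure, consider restating that prerequisite at the start of the new Procedure.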
diff --git a/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md b/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md
index 608f2dc..b690be4 100644
--- a/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md
+++ b/docs/Operation-Guide/corporate-user-store-cloud-foundry-environment-9942ede.md
@@ -52,7 +52,7 @@ For all users from the corporate user store, a second factor for authentication
In the scope of the *Corporate User Store* scenario, you can manage access to applications and their resources based on the groups available in the corporate user store.
-The corporate user groups are sent to an application in the SAML 2.0 assertion. `corporate_groups` is the attribute that contains the groups that the user in the corporate user store is assigned to. For more details about how the groups are sent to the application in the SAML 2.0 assertion, see [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md).
+The corporate user groups are sent to an application in the SAML 2.0 assertion. `corporate_groups` is the attribute that contains the groups that the user in the corporate user store is assigned to. For more details about how the groups are sent to the application in the SAML 2.0 assertion, see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md).
> ### Note:
> If your application is deployed on the SAP BTP, the corporate user store groups, relevant for the application, and contained in the `corporate_groups` attribute in the SAML 2.0 assertion, can be mapped to assertion-based groups created in SAP BTP cockpit. For more information, see [Map Role Collections to User Attributes](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/b3fbb1a9232d4cf99967a0b29dd85d4c.html).
diff --git a/docs/Operation-Guide/corporate-user-store-neo-environment-461d71c.md b/docs/Operation-Guide/corporate-user-store-neo-environment-461d71c.md
index 077eadf..2224ca1 100644
--- a/docs/Operation-Guide/corporate-user-store-neo-environment-461d71c.md
+++ b/docs/Operation-Guide/corporate-user-store-neo-environment-461d71c.md
@@ -63,7 +63,7 @@ For all users from the corporate user store, a second factor for authentication
In the scope of the *Corporate User Store* scenario, you can manage access to applications and their resources based on the groups available in the corporate user store.
-The corporate user groups are sent to an application in the SAML 2.0 assertion. `corporate_groups` is the attribute that contains the groups that the user in the corporate user store is assigned to. For more details about how the groups are sent to the application in the SAML 2.0 assertion, see [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md).
+The corporate user groups are sent to an application in the SAML 2.0 assertion. `corporate_groups` is the attribute that contains the groups that the user in the corporate user store is assigned to. For more details about how the groups are sent to the application in the SAML 2.0 assertion, see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md).
> ### Note:
> If your application is deployed on the SAP BTP, the corporate user store groups, relevant for the application, and contained in the `corporate_groups` attribute in the SAML 2.0 assertion, can be mapped to assertion-based groups created in SAP BTP cockpit. For more information, see the *4. \(If Using an Identity Provider\) Define the Group-to-Role Mapping* section in [Managing Roles](https://help.hana.ondemand.com/help/frameset.htm?db8175b9d976101484e6fa303b108acd.html).
diff --git a/docs/Operation-Guide/create-a-new-rule-18d02ab.md b/docs/Operation-Guide/create-a-new-rule-18d02ab.md
new file mode 100644
index 0000000..c6fb112
--- /dev/null
+++ b/docs/Operation-Guide/create-a-new-rule-18d02ab.md
@@ -0,0 +1,189 @@
+
+
+# Create a New Rule
+
+You can create rules for authentication according to different risk factors.
+
+
+
+## Context
+
+Each rule contains the following information:
+
+- **Action**
+
+ This action is performed if the rule conditions meet the defined criteria.
+
+ You can choose one of the following actions:
+
+ - *Allow*
+
+ Identity Authentication allows the authentication of the user in accordance with the rule conditions.
+
+ - *Deny*
+
+ Identity Authentication denies the authentication of the user in accordance with the rule conditions. You can set this action for a test application for example, or before an application goes live.
+
+ As long as this rule is valid, when users try to log on to the application, they get the following message: *Sorry, but you are currently not authorized for access*.
+
+ - *Two-Factor Authentication*
+
+ > ### Note:
+ > If *Two-Factor Authentication* is selected, additionally, you must specify the two-factor method or methods for the user:
+ >
+ > - *TOTP Two-Factor Authentication*
+ >
+ > Identity Authentication asks two factors to authenticate the user.
+ >
+ > If you set TOTP two-factor authentication, users are required to provide a time-based one-time password \(TOTP\) called a passcode in addition to their primary credentials. Users also have to install an authenticator application on their mobile devices to generate TOTP passcodes.
+ >
+ > TOTP passcodes are time-based and valid for one logon attempt only.
+ >
+ > - *SMS Two-Factor Authentication*
+ >
+ > Identity Authentication asks two factors to authenticate the user.
+ >
+ > If you set SMS two-factor authentication, users are required to provide an SMS code sent to their mobile devices in addition to their primary credentials.
+ >
+ > > ### Remember:
+ > > To use *SMS Two-Factor Authentication*, you must have configured Sinch Verification in the administration console for SAP Cloud Identity Services. For more information, see [Configure Sinch Service in Administration Console](configure-sinch-service-in-administration-console-f4a04ed.md).
+ > >
+ > > Users must have their mobile phone numbers verified. The tenant administrator can verify phone numbers manually in the administration console or via the SCIM API. For more information, see [List and Edit User Details](list-and-edit-user-details-045cb01.md) and [Update User Resource \(Deprecated\)](../Development/update-user-resource-deprecated-9e36479.md).
+ > >
+ > > If the user does not have a verified phone number, the number is verified during the first log on when SMS code is required. After the user provides user name and credentials, he or she should provide the phone number in the field and request a code. Then provide the received code in the respective field and choose *Continue*. If the submitted code is correct, the user is allowed access, and the telephone number is verified.
+ >
+ > - *Web Two-Factor Authentication*
+ >
+ > Identity Authentication asks two factors to authenticate the user.
+ >
+ > If you set web two-factor authentication, users are required to authenticate with a device such as the built in biometric scanners or USB, Bluetooth or Near-Field Communication \(NFC\) devices in addition to their primary credentials.
+ >
+ > - *Email OTP Code*
+ >
+ > > ### Caution:
+ > > For security reasons, the Email OTP code is not a recommended two-factor authentication method. You may consider using some of the other methods instead.
+ >
+ > Identity Authentication asks two factors to authenticate the user.
+ >
+ > If you set *Email OTP Code*, users are required to provide the code sent to their email in addition to their primary credentials.
+ >
+ > > ### Remember:
+ > > An Email OTP Code template for the respective languages must exist in the tenant to apply the email OTP code method. If the template does not exist, the user will see the option but when choosing it, the following message will appear: "Sorry, but you are currently not authorized for access".
+ > >
+ > > For more information how to add email templates, see [Edit or Add an Email Template Set](edit-or-add-an-email-template-set-3c4f397.md).
+ >
+ > - *RADIUS Server Two Factor Authentication*
+ >
+ > If you set *RADIUS Server Two Factor Authentication*, users are required to provide a RADIUS passcode in addition to their primary credentials. Users must have a RADIUS token \(hard or soft\) configured for them to generate passcodes. For more information about how to configure RADIUS server in Identity Authentication, see [Configure RADIUS Server Settings \(Beta\)](configure-radius-server-settings-beta-03043ae.md).
+
+
+ The *Action* filed is mandatory.
+
+- *IP Range*
+
+ Define a range of IP addresses that authentication requests to Identity Authentication can be sent from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
+
+ > ### Note:
+ > By default the field is empty, meaning that any IP is allowed.
+
+ > ### Example:
+ > Enter 123.45.67.1/24 to allow users to log on from any IP starting with 123.45.67.
+
+ If no IP range is defined, the rule is valid for all IP ranges.
+
+- *Forwarded IP Range*
+
+ Define a range of IP addresses for the original IP addresses that authentication requests to Identity Authentication can be sent from. The value has to be specified in Classless Inter-Domain Routing \(CIDR\) notation.
+
+ > ### Caution:
+ > This range configuration is used in scenarios where authentication requests to Identity Authentication are made by a proxy server on-behalf of the user/client.
+ >
+ > Configuring the *Forwarded IP Range* for the client/user IPs requires configuring the IP Range for the proxy server IP address\(es\), that directly communicates with Identity Authentication, first.
+ >
+ > Identity Authentication expects the client IP to be sent by the proxy server in the **X-Forwarded-For** header of the authentication request.
+
+ > ### Remember:
+ > Identity Authentication does not have control over the involved proxies and their number, participating in the request between the client/user and Identity Authentication and wether these proxies behave according to the scenario. Therefore it is not guaranteed that the client IP address is sent in the abovementioned header alongside the IP addresses of the proxies \(if any\) to Identity Authentication.
+
+- *Group*
+
+ Specify a cloud or on-premise group, which the authenticating user has to be a member of. If no group is selected, the rule is valid for all users.
+
+ If the rule is valid for an on-premise group, type in the name of the corporate user store group, for which this rule should be valid.
+
+ The cloud groups have to be configured in the administration console for SAP Cloud Identity Services. For more information, see [Groups](groups-ddd067c.md).
+
+- *Authentication Method*
+
+ Specify the authenticating method, which the authenticating user has to use. If no method is selected, the rule is valid for any of the methods.
+
+ You can choose from the following:
+
+ - *Client Certificate*
+ - *SPNEGO*
+ - *User Name and Password*
+ - *Token*
+ - *Social Identity Provider*
+ - *Trusted IdP SAML Assertion*
+
+ > ### Note:
+ > If the user has an active session with any of the methods, and that method is included in the rule, they can access the application without the need for additional authentication.
+
+- *User Type*
+
+ Specify the type, which the authenticating user must have. If no user type is selected, the rule is valid for any of the types.
+
+- *Corporate Attribute*
+
+ Specify an attribute from the corporate identity provider \(IdP\) assertion, based on which the rule action will be applied.
+
+ The rule must include the attribute name and value. It is valid only when the specified name and value are found in the assertion from the corporate IdP.
+
+ > ### Note:
+ > For this rule, the *Apply Application Configurations* option of *Identity Federation* must be enabled. For more information, see [Configure Identity Federation](configure-identity-federation-c029bbb.md).
+
+
+The fields *IP Range*, *Group*, *Authentication Method*, and *User Type* are not mandatory, but at least one of them has to be specified.
+
+
+
+
+
+## Procedure
+
+1. Sign in to the administration console for SAP Cloud Identity Services.
+
+2. Under *Applications and Resources*, choose the *Applications* tile.
+
+3. Choose the list item of the application that you want to edit.
+
+ > ### Note:
+ > If you do not have a created application in your list, you can create one. For more details, see Related Information.
+
+ > ### Caution:
+ > The list also includes the `Administration Console` application. If you enable risk-based authentication for that application, make sure that you, as a tenant administrator, meet the authentication rules and the default authentication rule. Otherwise when you log out of the administration console you will not be able to log in it again if you don't meet the rules.
+ >
+ > If `Administration Console` is not in the list of the applications you may request it. To do this, you need to report an incident with a subject on [SAP Support Portal Home](https://support.sap.com/en/index.html) under the component `BC-IAM-IDS`.
+
+4. Choose the *Authentication and Access* tab.
+
+5. Under *AUTHENTICATION*, choose *Risk-Based Authentication*.
+
+6. Choose *Create Rule*.
+
+7. Fill in the fields on the *New Risk-Based Authentication Rule* window.
+
+8. Choose *Create*.
+
+9. Save your changes.
+
+
+**Related Information**
+
+
+[Configure Risk-Based Authentication for an Application](configure-risk-based-authentication-for-an-application-bc52fbf.md#loiobc52fbf3d59447bbb6aa22f80d8b6056 "You can define rules for authentication according to different risk factors and apply actions like Allow, Deny, and Two-Factor Authentication.")
+
+[Examples for Risk-Based Authentication Scenarios](examples-for-risk-based-authentication-scenarios-fedc77c.md "Example scenarios for configuring risk-based authentication for an application.")
+
+[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
+
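Review bot: the *IP Range* example "Enter 123.45.67.1/24 to allow users to log on from any IP starting with 123.45.67" has host bits set; the canonical form is `123.45.67.0/24` and the example should use it so readers do not copy a non-canonical prefix. The closing sentence "The fields *IP Range*, *Group*, *Authentication Method*, and *User Type* are not mandatory, but at least one of them has to be specified" omits *Forwarded IP Range* and *Corporate Attribute*, which are listed as rule fields above; either include them or say they do not satisfy the requirement. In the *Forwarded IP Range* caution, say explicitly that `X-Forwarded-For` is client-controllable unless the first trusted proxy overwrites it, so the *IP Range* restriction on the proxy addresses is what makes the forwarded range trustworthy rather than an optional prerequisite. Typos: "The *Action* filed is mandatory" should read "field"; "wether" should read "whether"; "abovementioned" should read "above-mentioned".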
diff --git a/docs/Operation-Guide/create-a-new-user-348deef.md b/docs/Operation-Guide/create-a-new-user-348deef.md
index 74781bc..d1c088e 100644
--- a/docs/Operation-Guide/create-a-new-user-348deef.md
+++ b/docs/Operation-Guide/create-a-new-user-348deef.md
@@ -66,7 +66,7 @@ The tenant administrator creates the new user with a minimum set of attributes a
## Results
-If the operation is successful, the system displays the message: `User "" created`. Identity Authentication creates the new user and assigns `User ID` \(P user\) and `Global User ID` \(universally unique identifier \(UUID\) format\). The `User ID` field is unique and not editable. The `Global User ID`, on the other hand, is unique, but editable. You can change it via the the user management field in the administration console.
+If the operation is successful, the system displays the message: `User added`. Identity Authentication creates the new user and assigns `User ID` \(P user\) and `Global User ID` \(universally unique identifier \(UUID\) format\). The `User ID` field is unique and not editable. The `Global User ID`, on the other hand, is unique, but editable. You can change it via the the user management field in the administration console.
**Related Information**
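Review bot: the rewritten line "+If the operation is successful, the system displays the message: `User added`..." keeps the doubled "the the" in "via the the user management field"; fix it while touching this line. The new message also drops the user name that the old `User "" created` form carried; confirm `User added` is the exact current UI string.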
diff --git a/docs/Operation-Guide/create-an-authorization-policy-897fc30.md b/docs/Operation-Guide/create-an-authorization-policy-897fc30.md
index 51227a9..aa5f6cb 100644
--- a/docs/Operation-Guide/create-an-authorization-policy-897fc30.md
+++ b/docs/Operation-Guide/create-an-authorization-policy-897fc30.md
@@ -1,10 +1,8 @@
-
-
# Create an Authorization Policy
-Identity Authentication administrators can use existing base authorization policies to create an authorization policy, configure rules, and assign the authorization policies to users.
+Identity Authentication administrators can use existing authorization policies to create an authorization policy, configure rules, and assign the authorization policies to users.
@@ -14,9 +12,9 @@ Identity Authentication administrators can use existing base authorization polic
You have the following options:
-- Create an authorization policy based on the rules of a custom authorization policy, add restrictions, or change the attribute.
+- Create an authorization policy based on the rules of other authorization policies, add restrictions, or change the attribute.
-- Create an authorization policy by combining authorization policies \(either base or custom authorization policies\).
+- Create an authorization policy by combining authorization policies.
@@ -35,13 +33,13 @@ You have the following options:
4. Choose the *Authorization Policies* tab.
-5. Choose :heavy_plus_sign: \(Create new policy\).
+5. Choose *Create*.
6. Choose one of the following options:
- - *Restrict* Add restrictions and attributes or only change attributes. See [Edit an Authorization Policy](edit-an-authorization-policy-c76aca6.md).
+ - *Create Restriction* Create an authorization policy based on base policies, edit rules, add restrictions, statements, and attributes or only change attributes. See [Edit an Authorization Policy](edit-an-authorization-policy-c76aca6.md).
- - *Combine* Create one authorization policy with an OR combination of the rules of two authorization policies. See [Combine Authorization Policies](combine-authorization-policies-1a69414.md).
+ - *Add Combination* Create one authorization policy with an OR combination of the rules of two authorization policies. See [Combine Authorization Policies](combine-authorization-policies-1a69414.md).
You can now continue by giving the authorization policy a name, choosing the base policies, assigning it to a user or changing its rule.
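Review bot: the option text still says "+ - *Create Restriction* Create an authorization policy based on base policies" and the unchanged context keeps "choosing the base policies", although the first hunk in this file deliberately removes "base" from the intro ("use existing authorization policies"); align the terminology in all three places. Both option items also lack a separator between the option name and its description, e.g. `*Create Restriction*: Create ...` and `*Add Combination*: Create ...`.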
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md
index 907dbd0..6fda221 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-411c3c6.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
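Review bot: The two related-links entries now point to new slugs (configuring-user-attributes-from-the-identity-directory-d361407.md and configuring-attributes-based-on-flexible-expressions-a2f1e46.md), but no rename of those files appears anywhere in this diff; confirm the renamed pages are part of the same commit or these become dead links. The identical hunk is repeated in every other create-openid-connect-application-* file in this diff, so the check applies to all of them. Minor: the list now mixes imperative "Configure ..." titles with gerund "Configuring ..." titles.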
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
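Review bot: The logo link target changes to configure-logo-778f748.md, which is neither created nor renamed anywhere in this diff; verify that the page rename lands in the same commit. This hunk recurs in the other create-openid-connect-application-* files, and the display-application-name-on-logon-page page's Tip removes the old configure-a-logo-for-an-application-778f748.md link, so all of these depend on that rename being present.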
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md
index 4a2966e..f030374 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-authorization-code-flow-8445e3f.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md
index bc8ee8a..a599d05 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-98015c8.md
@@ -96,7 +96,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- *Protocol Authentication*
+ *Protocol Type*
@@ -130,8 +130,8 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -143,7 +143,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md
index b2f966f..21e2e13 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-client-credentials-flow-c5b80bf.md
@@ -96,7 +96,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- *Protocol Authentication*
+ *Protocol Type*
@@ -130,8 +130,8 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -143,7 +143,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md
index 7f20c00..5941b0a 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-3f180e5.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md
index f1678e0..3a3d561 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-implicit-flow-b19f5e3.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md
index 31c04be..540835e 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-b099d8c.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md
index 64a91cb..2c8c559 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-jwt-bearer-flow-d5a9903.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md
index 9a44349..c0d6e5d 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-43d94a5.md
@@ -96,7 +96,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- *Protocol Authentication*
+ *Protocol Type*
@@ -130,8 +130,8 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -143,7 +143,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md
index 75e3462..9e25e7b 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-resource-owner-password-credentials-flow-e5b761a.md
@@ -96,7 +96,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- *Protocol Authentication*
+ *Protocol Type*
@@ -130,8 +130,8 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -143,7 +143,7 @@ To create a new OpenID Connect application, choose your scenario and follow the
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md
index 9d3b61e..750a169 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-4e1bfa4.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md
index d4b21fc..c7b91da 100644
--- a/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md
+++ b/docs/Operation-Guide/create-openid-connect-application-for-token-exchange-e3baf39.md
@@ -94,7 +94,7 @@ To create a new OpenID Connect application follow the procedure below:
- *Protocol Authentication*
+ *Protocol Type*
@@ -128,8 +128,8 @@ To create a new OpenID Connect application follow the procedure below:
- [Change an Application's Display Name](change-an-application-s-display-name-83d65d0.md)
- [Configure an Application's Home URL](configure-an-application-s-home-url-be6d6f2.md)
- [Visit an Application's Web Page](visit-an-application-s-web-page-2b67225.md)
-- [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md)
-- [Attributes with Default Values](attributes-with-default-values-a2f1e46.md)
+- [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md)
+- [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure Secrets for API Authentication](configure-secrets-for-api-authentication-5c3c35e.md)
- [Configure Certificates for API Authentication](configure-certificates-for-api-authentication-c408083.md)
- [Enable or Disable Kerberos Authentication for an Application](enable-or-disable-kerberos-authentication-for-an-application-11121c9.md)
@@ -141,7 +141,7 @@ To create a new OpenID Connect application follow the procedure below:
- [Configuring Privacy Policies](configuring-privacy-policies-ed48466.md)
- [Configuring Terms of Use](configuring-terms-of-use-61d3a86.md)
- [Display Application Name on Logon Page](display-application-name-on-logon-page-c02798e.md)
-- [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md)
+- [Configure Logo](configure-logo-778f748.md)
- [Configure a Branding Style for an Application](configure-a-branding-style-for-an-application-32f8d33.md)
- [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md)
- [Protecting Self-Registration with Phone Verification](protecting-self-registration-with-phone-verification-5834b6e.md)
diff --git a/docs/Operation-Guide/create-saml-2-0-application-fe3102a.md b/docs/Operation-Guide/create-saml-2-0-application-fe3102a.md
index 2c13976..fbac638 100644
--- a/docs/Operation-Guide/create-saml-2-0-application-fe3102a.md
+++ b/docs/Operation-Guide/create-saml-2-0-application-fe3102a.md
@@ -96,7 +96,7 @@ To create a new SAML 2.0 application, proceed as follows:
- *Protocol Authentication*
+ *Protocol Type*
diff --git a/docs/Operation-Guide/creating-url-to-access-application-with-specific-identity-provider-118f5f4.md b/docs/Operation-Guide/creating-url-to-access-application-with-specific-identity-provider-118f5f4.md
new file mode 100644
index 0000000..c3981b0
--- /dev/null
+++ b/docs/Operation-Guide/creating-url-to-access-application-with-specific-identity-provider-118f5f4.md
@@ -0,0 +1,56 @@
+
+
+# Creating URL To Access Application with Specific Identity Provider
+
+Create a URL to access specific application in scenarios where Identity Authentication acts as a proxy to delegate authentication to multiple external corporate identity providers.
+
+
+
+
+
+## SAML 2.0 Application
+
+
+
+
+
+## Prerequisites
+
+The application supports IdP-initiated Single Sign-On \(SSO\). For more information, see [Security Assertion Markup Language \(SAML\) V2.0 Technical Overview](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+
+
+
+
+
+## Context
+
+The link for IdP-Initiated SSO follows the pattern: `https://.accounts.ondemand.com/saml2/idp/sso?sp=&idp=`
+
+> ### Note:
+> - `sp` - Name of the SAML 2 service provider for which SSO is performed. The `sp_name` value of the parameter equals to the `Entity ID` of the service provider. This parameter is needed for Identity Authentication to know which service provider to redirect the user to after successful authentication.
+> - The name of the corporate identity provider as configured in the administration console for SAP Cloud Identity Services.
+>
+> When multiple identity providers are allowed for an application via conditional authentication, this parameter enables the client to determine which corporate identity provider to be used. Identity Authentication uses the `idp` to detect the correct corporate identity provider and redirect the request to it. The user authenticates against the corporate identity provider.
+
+
+
+
+
+## OpenID Connect Application
+
+
+
+
+
+## Prerequisites
+
+The application supports selection of the corporate IdP via the application URL. For more information, see [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md).
+
+
+
+
+
+## Context
+
+The link for IdP-Initiated SSO follows the pattern: `https://.accounts.ondemand.com/oauth2/authorize?idp=`.
+
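Review bot: the URL patterns under both *Context* headings have lost their placeholders: `https://.accounts.ondemand.com/saml2/idp/sso?sp=&idp=` and `https://.accounts.ondemand.com/oauth2/authorize?idp=` render with an empty host label and empty parameter values, so a reader cannot see that the tenant name, the `sp_name` value and the IdP name belong there (the note under the SAML pattern explains an `sp_name` value that never appears in the pattern). Suggest writing the patterns as `https://<tenant>.accounts.ondemand.com/saml2/idp/sso?sp=<sp_name>&idp=<idp_name>` with the angle brackets escaped for Markdown. In the same note, the second bullet starts with "The name of the corporate identity provider" and is missing its `idp` label, so the parameter that the following paragraph calls `idp` is never introduced. Two smaller points: the `Prerequisites` and `Context` headings under *SAML 2.0 Application* and *OpenID Connect Application* use the same `##` level as their parent sections and should be `###`; and since `idp` is a client-supplied value that selects the authenticating identity provider, the note should state what Identity Authentication does when the value names an IdP that is not allowed for the application by conditional authentication or does not exist at all, so administrators know the bounds of the parameter.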
diff --git a/docs/Operation-Guide/delete-an-authorization-policy-3b78cc4.md b/docs/Operation-Guide/delete-an-authorization-policy-3b78cc4.md
index 870ffd6..909f393 100644
--- a/docs/Operation-Guide/delete-an-authorization-policy-3b78cc4.md
+++ b/docs/Operation-Guide/delete-an-authorization-policy-3b78cc4.md
@@ -1,7 +1,5 @@
-
-
# Delete an Authorization Policy
Identity Authentication administrators can delete an existing custom authorization policy.
@@ -25,7 +23,7 @@ Identity Authentication administrators can delete an existing custom authorizati
2. Under *Applications & Resources*, choose *Applications*.
-3. Choose a application that supports authorization management. For information, see the documentation of the application.
+3. Choose an application that supports authorization management. For information, see the documentation of the application.
The details page of your application has an *Authorization Policies* tab.
@@ -33,6 +31,6 @@ Identity Authentication administrators can delete an existing custom authorizati
5. Choose the custom authorization policy you want to delete.
-6. To delete the authorization policy, choose :wastebasket: and confirm that you want to delete the authorization policy.
+6. To delete the authorization policy, choose *Delete* and confirm that you want to delete the authorization policy.
diff --git a/docs/Operation-Guide/display-application-name-on-logon-page-c02798e.md b/docs/Operation-Guide/display-application-name-on-logon-page-c02798e.md
index 5b64204..5ff12e4 100644
--- a/docs/Operation-Guide/display-application-name-on-logon-page-c02798e.md
+++ b/docs/Operation-Guide/display-application-name-on-logon-page-c02798e.md
@@ -24,7 +24,7 @@ By default, the display name of the application is set to appear on the logon pa
> Be careful when you switch off the display of the application name. The users might not be sure which application they are providing their credentials for.
> ### Tip:
-> Instead of leaving the left side of the logon page blank you can add an application's logo. For more information, see [Configure a Logo for an Application](configure-a-logo-for-an-application-778f748.md).
+> Instead of leaving the left side of the logon page blank you can add an application's logo. For more information, see [Configure Logo](configure-logo-778f748.md).
To configure the appearance of the application's name on the logon page, proceed as follows:
diff --git a/docs/Operation-Guide/edit-administrator-authorizations-86ee374.md b/docs/Operation-Guide/edit-administrator-authorizations-86ee374.md
index f522129..5724738 100644
--- a/docs/Operation-Guide/edit-administrator-authorizations-86ee374.md
+++ b/docs/Operation-Guide/edit-administrator-authorizations-86ee374.md
@@ -160,7 +160,7 @@ To edit an administrator's authorizations, proceed as follows:
[Add Administrators](add-administrators-bbbdbdd.md#loiobbbdbdd3899942ce874f3aae9ba9e21d "As a tenant administrator, you can add new administrators in the administration console for SAP Cloud Identity Services.")
-[Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md "Configure a granular access control based on policies for the administrators of SAP Cloud Identity Services.")
+[Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md "Enable admin authorizations based on policies to configure a granular access control for the administrators of SAP Cloud Identity Services.")
[Identity Authentication Tenant as an Application Identity Provider](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/d3df5b457d0c43fca117da0dc14e2f0d.html)
diff --git a/docs/Operation-Guide/edit-an-authorization-policy-c76aca6.md b/docs/Operation-Guide/edit-an-authorization-policy-c76aca6.md
index 3e4a41f..59b14e3 100644
--- a/docs/Operation-Guide/edit-an-authorization-policy-c76aca6.md
+++ b/docs/Operation-Guide/edit-an-authorization-policy-c76aca6.md
@@ -24,13 +24,13 @@ When you edit an existing custom authorization policy, you can add or delete res
The details page of your application has an *Authorization Policies* tab.
-4. Choose the *Authorization Policies* tab and select a custom authorization policy. Custom authorization policies appear with an :pencil2: \(Editable\) icon in the *Editable* column of the list of authorization policies. If the policy contains editable restrictions, it has an \(Editable Restrictions\) icon.
+4. Choose the *Authorization Policies* tab and select a custom authorization policy. Custom authorization policies appear as *Editable* in the *Editable* column of the list of authorization policies. If the policy contains editable restrictions, it is also marked as *Restricted Editing*.
5. Choose the :pencil2: *Edit* button.
- - \(Optional\) To assign users, choose the *Assignment* tab. See [Assign Authorization Policies](assign-authorization-policies-eac8e5e.md).
+ - \(Optional\) To assign users, choose the *Assignments* tab. See [Assign Authorization Policies](assign-authorization-policies-eac8e5e.md).
- - You display the rule that came with the custom authorization policy in the *Rules* tab.
+ - The rule that came with the custom authorization policy appears in the *Rules* tab.
6. \(Optional\) You can enter a label and a description of the authorization policy or change them. The description is an optional comment.
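Review bot: the hunk replaces the `:pencil2:` icon reference in step 4 with the textual *Editable* and *Restricted Editing* markers, but step 5 in the unchanged context still reads `5. Choose the :pencil2: *Edit* button.`, so the page now mixes both conventions; either drop the emoji shortcode there as well (the sibling hunk in delete-an-authorization-policy does this for `:wastebasket:`) or keep it in step 4. Also, "appear as *Editable* in the *Editable* column" reads awkwardly; "are marked *Editable* in the *Editable* column" says the same thing more clearly.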
@@ -41,11 +41,11 @@ When you edit an existing custom authorization policy, you can add or delete res
- Choose :heavy_plus_sign: to see the possible `RESTRICT` options. This button is either directly below `RESTRICT` or in an indented row below `RESTRICT`.
- - Choose *Add USE* to add a `USE` rule to the selected authorization policy. Select a `USE` rule from the available base policies.
+ - Choose *Add USE* to add a `USE` statement to the selected authorization policy. Select a `USE` statement from the available authorization policies.
-9. For a `RESTRICT` rule, choose one of the available attributes, an operation, and enter a value. You can choose a value from the value help or type it in.
+9. For a `RESTRICT` condition, choose one of the available attributes, an operation, and enter a value. You can choose a value from the value help or type it in.
> ### Note:
> All indented rows that appear in a list directly below `RESTRICT` or `USE` have an `AND` conjunction.
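Review bot: terminology is still inconsistent after this hunk: the changed lines now speak of a `USE` statement and a `RESTRICT` condition, while the unchanged context directly above still says "the possible `RESTRICT` options" and the note at the end refers to rows "below `RESTRICT` or `USE`" without naming either construct. If "statement" and "condition" are the intended terms for the policy language, the context line and the note should use them too, so that the page has one vocabulary.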
diff --git a/docs/Operation-Guide/edit-applications-69d8cad.md b/docs/Operation-Guide/edit-applications-69d8cad.md
index ae2a4e0..a80547c 100644
--- a/docs/Operation-Guide/edit-applications-69d8cad.md
+++ b/docs/Operation-Guide/edit-applications-69d8cad.md
@@ -479,7 +479,7 @@ To edit the application configurations, proceed as follows:
- *Protocol authentication*
+ *Protocol Type*
diff --git a/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md b/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md
index 4ac5cb0..8c8bcd6 100644
--- a/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md
+++ b/docs/Operation-Guide/enable-back-up-channels-to-send-passcode-for-deactivation-of-totp-two-factor-authenticati-782935e.md
@@ -30,7 +30,7 @@ Tenant administrator can configure back-up channels to send TOTP deactivation pa
The primary channel to deactivate a device is the passcode generated by the mobile device. If no other back-up channel is enabled, this option is the only one for the user in the *Two-Factor Authentication* section of the administration console for SAP Cloud Identity Services.
-When the back-up channels, *SMS* and/or *Email* are enabled in the administration console, the user can choose from the options on the profile page: *TOTP Passcode*, *Passcode via SMS*, and *Passcode via Email*.
+When the back-up channels, *SMS* and/or *Email* are enabled in the administration console, the user can choose from the options on the profile page: *Existing Multi-Factor Authentication*, *Passcode by SMS*, and *Passcode by Email*.
> ### Remember:
> It takes 2 minutes for the configuration changes to take place.
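Review bot: the renamed option list no longer lines up with the paragraph before it: the unchanged sentence says the primary channel "is the passcode generated by the mobile device", but the new label for that choice is *Existing Multi-Factor Authentication*, which a reader will not connect with a TOTP passcode without help. Suggest naming the option in that sentence, for example "the *Existing Multi-Factor Authentication* option, that is, the passcode generated by the mobile device", or stating the mapping once directly after the list.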
@@ -65,8 +65,6 @@ To enable or disable back-up channels for deactivation passcode, follow the proc
Users can choose from the back-up channel options on their profile page if they are enabled via the administration console.
-If no option is enabled, the users do not see the radio buttons on their profile page.
-
**Related Information**
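Review bot: the removed sentence "If no option is enabled, the users do not see the radio buttons on their profile page." was the only description of the case where no back-up channel is enabled; after this hunk the page says what users see when channels are enabled but not what they see when none is. If the profile page behaviour has not changed, the sentence should stay; if it has changed, the replacement behaviour should be stated, because administrators rely on it to confirm that a channel really is switched off.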
@@ -120,7 +118,7 @@ If no option is enabled, the users do not see the radio buttons on their profile
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/enable-phone-verification-for-an-application-24c9b51.md b/docs/Operation-Guide/enable-phone-verification-for-an-application-24c9b51.md
index eeb551d..9d6d406 100644
--- a/docs/Operation-Guide/enable-phone-verification-for-an-application-24c9b51.md
+++ b/docs/Operation-Guide/enable-phone-verification-for-an-application-24c9b51.md
@@ -27,8 +27,6 @@ After that the user can either contact the system adminstrator or request a code
When this feature is enabled, the `Phone` attribute becomes required and is not configurable for user registration or upgrade. For more information, see [Configure Registration and Upgrade Forms](configure-registration-and-upgrade-forms-93a9e18.md).
-Once the phone number has been verified, the user cannot change it any more on the profile page. This can be done by the administrator via the administration console. For more information, see [List and Edit User Details](list-and-edit-user-details-045cb01.md).
-
## Procedure
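Review bot: deleting the paragraph "Once the phone number has been verified, the user cannot change it any more on the profile page. This can be done by the administrator via the administration console." removes the only statement of who may change a verified phone number, and that matters because the verified number is the delivery channel for SMS passcodes. If users can now change a verified number themselves, the page should say so and say whether the new number must be verified again before it is used; if the restriction still holds, the paragraph should be restored. Separately, the unchanged context in the hunk header reads "system adminstrator" (missing "i"), worth fixing while this file is being edited.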
diff --git a/docs/Operation-Guide/enable-users-to-recover-password-with-pin-code-046a235.md b/docs/Operation-Guide/enable-users-to-recover-password-with-pin-code-046a235.md
index 6422474..ca53003 100644
--- a/docs/Operation-Guide/enable-users-to-recover-password-with-pin-code-046a235.md
+++ b/docs/Operation-Guide/enable-users-to-recover-password-with-pin-code-046a235.md
@@ -233,7 +233,7 @@ To configure PIN code option in the administration console, follow the procedure
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/enable-users-to-recover-password-with-security-questions-d9ae898.md b/docs/Operation-Guide/enable-users-to-recover-password-with-security-questions-d9ae898.md
index d8439f0..c9d36d0 100644
--- a/docs/Operation-Guide/enable-users-to-recover-password-with-security-questions-d9ae898.md
+++ b/docs/Operation-Guide/enable-users-to-recover-password-with-security-questions-d9ae898.md
@@ -139,7 +139,7 @@ To configure security questions in the administration console, follow the proced
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/enrich-assertion-attributes-coming-from-corporate-idp-7124201.md b/docs/Operation-Guide/enrich-assertion-attributes-coming-from-corporate-idp-7124201.md
index 4134684..8cbb2c1 100644
--- a/docs/Operation-Guide/enrich-assertion-attributes-coming-from-corporate-idp-7124201.md
+++ b/docs/Operation-Guide/enrich-assertion-attributes-coming-from-corporate-idp-7124201.md
@@ -29,7 +29,7 @@ You can add up to 30 attributes per corporate IdP.
When the application uses corporate IdP for authentication, the assertion attributes enriched in the administration console for SAP Cloud Identity Services are taken into consideration and sent to the application in the modified form, if the *Use Identity Authentication user store* option under *Identity Federation* is disabled.
-If *Identity Federation* is configured, use the modified attributes in the *Default Attributes* section for the applications that use the corporate IdP for authentication. For more information, see [Attributes with Default Values](attributes-with-default-values-a2f1e46.md).
+If *Identity Federation* is configured, use the modified attributes in the *Default Attributes* section for the applications that use the corporate IdP for authentication. For more information, see [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
> ### Note:
> You can also overwrite the `Subject Name Identifier` via the Enrich Assertion Attributes option. Identity Authentication sends the modified attribute to the application as `name ID` in the SAML 2.0 assertions, and as `subject` in the OpenID Connect tokens.
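Review bot: the condition in the changed line, "If *Identity Federation* is configured", does not match the paragraph above it, which keys the behaviour on whether the *Use Identity Authentication user store* option under *Identity Federation* is disabled, nor the parallel text in enrich-token-claims-coming-from-corporate-idp, which reads "If *Use Identity Authentication user store* under *Identity Federation* is enabled". Suggest wording the changed line the same way, since the two paragraphs describe complementary cases (option disabled: the enriched attributes are sent; option enabled: the *Default Attributes* section is used).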
diff --git a/docs/Operation-Guide/enrich-token-claims-coming-from-corporate-idp-f19e580.md b/docs/Operation-Guide/enrich-token-claims-coming-from-corporate-idp-f19e580.md
index b75c321..50c242b 100644
--- a/docs/Operation-Guide/enrich-token-claims-coming-from-corporate-idp-f19e580.md
+++ b/docs/Operation-Guide/enrich-token-claims-coming-from-corporate-idp-f19e580.md
@@ -27,7 +27,7 @@ You can add up to 30 claims per corporate IdP.
If *Use Identity Authentication user store* under *Identity Federation* is disabled, modify the token claims received from the corporate identity provider \(IdP\). The claims enriched in the administration console for SAP Cloud Identity Services are thus taken into consideration and sent to the application in the modified form. The application specific settings, the claims in the *Default Attributes* section, are ignored.
-If *Use Identity Authentication user store* under *Identity Federation* is enabled, use the modified claims in the *Default Attributes* section for the applications that use the corporate IdP for authentication. For more information, see [Attributes with Default Values](attributes-with-default-values-a2f1e46.md).
+If *Use Identity Authentication user store* under *Identity Federation* is enabled, use the modified claims in the *Default Attributes* section for the applications that use the corporate IdP for authentication. For more information, see [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
> ### Note:
> You can also overwrite the `Subject Name Identifier` via the Enriched Token Claims option. Identity Authentication sends the modified claim to the application as `subject` in the OpenID Connect tokens.
diff --git a/docs/Operation-Guide/examples-for-risk-based-authentication-scenarios-fedc77c.md b/docs/Operation-Guide/examples-for-risk-based-authentication-scenarios-fedc77c.md
new file mode 100644
index 0000000..ee907a7
--- /dev/null
+++ b/docs/Operation-Guide/examples-for-risk-based-authentication-scenarios-fedc77c.md
@@ -0,0 +1,250 @@
+
+
+# Examples for Risk-Based Authentication Scenarios
+
+Example scenarios for configuring risk-based authentication for an application.
+
+
+
+
+
+## Example 1 \(Setting TOTP Two-Factor Authentication\)
+
+Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company employees for a password and a TOTP passcode \(two-factor authentication\) to log on to a *Leave Request* application. For this purpose, Donna sets only a *Default Action*:
+
+**Default Authentication Rule**
+
+Default Action: [Two-Factor Authentication\]
+
+Two-Factor Methods: [TOTP\]
+
+Michael Adams is an employee of company A and as such he wants to create a leave request. To log on to the *Leave Request* application he provides his password. After that he is prompted to activate a mobile device and to provide a second factor for authentication \(a passcode generated by an authenticator app on his mobile device\). Two factors are required regardless of whether Michael is in the corporate network or on a business trip. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. She approves it by logging on to the application with two factors \(password and passcode generated by her mobile device\).
+
+
+
+
+
+## Example 2 \(Setting SMS Two-Factor Authentication\)
+
+Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company employees for a password and a SMS code \(two-factor authentication\) to log on to the *Corporate Page*. For this purpose, Donna first configures Sinch Service in the administration console for SAP Cloud Identity Services. Then in the *Risk-Based Authentication* section in the administration console, he sets only a *Default Action*:
+
+**Default Authentication Rule**
+
+Default Action: [Two-Factor Authentication\]
+
+Two-Factor Methods: [SMS\]
+
+John Miller is an employee of company A and as such he wants to access the corporate page of the company. He is prompted to provide two factors \(password and the SMS code sent to his mobile device\) to log on to the corporate page. John Miller has his mobile phone verified, so he can receive SMS codes. Two factors are required regardless of whether Miller is in the corporate network or at home.
+
+
+
+
+
+## Example 3 \(SPNEGO\)
+
+Donna Moore is an administrator of company A. She wants to configure Identity Authentication to allow employees to access the *Leave Request* application from the corporate network with SPNEGO, and from any other network with passcode. All IPs in the company start with 189.101. She would also like to create a rule for the managers to access the application with two authentication factors. In addition, she wants to restrict the access to all the users with type *Customer*. For this purpose, Donna creates the following rules:
+
+**Authentication Rules**
+
+
+
+
+
+
+Action
+
+
+
+
+IP Range
+
+
+
+
+Group
+
+
+
+
+Authentication Method
+
+
+
+
+User Type
+
+
+
+
+
+
+Deny
+
+
+
+
+Any
+
+
+
+
+Any
+
+
+
+
+Any
+
+
+
+
+Customer
+
+
+
+
+
+
+Allow
+
+
+
+
+189.101.112.1/16
+
+
+
+
+Employees
+
+
+
+
+SPNEGO
+
+
+
+
+Any
+
+
+
+
+
+
+TOTP Two-Factor Authentication
+
+
+
+
+Any
+
+
+
+
+Employees
+
+
+
+
+Any
+
+
+
+
+Any
+
+
+
+
+
+
+TOTP Two-Factor Authentication
+
+
+
+
+Any
+
+
+
+
+Managers
+
+
+
+
+Any
+
+
+
+
+Any
+
+
+
+
+
+**Default Authentication Rule**
+
+Default Action: [Deny\]
+
+Michael Adams, as an employee of company A, accesses the application in his office and logs on with SPNEGO. When he is on a business trip, he can create leave requests by providing two factors. The two factors are SPNEGO and а passcode generated by an authenticator app on his iPhone. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. She approves it by logging on to the application with TOTP Two-Factor Authentication \(a password and a passcode generated by her Android phone\). Donna Moore, a customer of company A, tries to access the corporate portal, and receives a message that she is not authorized for access.
+
+
+
+
+
+## Example 4 \(Setting Web Two-Factor Authentication\)
+
+Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company managers for a password and a web two-factor authentication to log on to an *Leave Request Approval* application. For this purpose, Donna sets only a *Default Action*:
+
+**Default Authentication Rule**
+
+Default Action: [Two-Factor Authentication\]
+
+Two-Factor Methods: [Web Authentication\]
+
+Michael Adams is an employee of company A and he creates a leave request. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. To log on to the *Leave Request Approval* application she provides her password. After that Julie is prompted to activate a security key as a second factor for authentication. Two factors are required regardless of whether Julie is in the corporate network or on a business trip.
+
+Julie he approves the leave request by logging on to the application with two factors \(password and fingerprint\).
+
+
+
+
+
+## Example 5 \(Setting more than one Two-Factor Authentication method\)
+
+Donna Moore is an administrator of company A. She wants to configure Identity Authentication to always ask the company managers for a second factor in addition to their password. She wants to allow the managers to choose between a TOTP and a web two-factor authentication to log on to an *Leave Request Approval* application. For this purpose, Donna sets the *Default Action* to *Two-Factor Authentication* and configures the *Two-Factor Methods*:
+
+**Default Authentication Rule**
+
+Default Action: [Two-Factor Authentication\]
+
+Two-Factor Methods: [TOTP\]; [Web Authentication\]
+
+Michael Adams is an employee of company A and he creates a leave request. Michael's manager, Julie Armstrong, receives a notification that Michael has created a leave request. To log on to the application *Leave Request Approval* she provides her password. After that she is prompted to choose the two-factor authentication method. She chooses a security key as a second factor for authentication.
+
+Julie approves the leave request by logging on to the application with two factors \(password and fingerprint\).
+
+In addition to Julie's approval, the leave request must also be approved by the HR Manager of the company, John Miller. To log on to the *Leave Request Approval* application John provides his password. After that he is also prompted to choose the two-factor authentication method. John chooses TOTP. Now, he is prompted to provide a TOTP code from his device. After providing it, he is granted access to the app and approves the leave request.
+
+Two factors are required regardless of whether Julie and John are in the corporate network or on a business trip.
+
+
+
+
+
+## Example 6 \(Setting Fowarded IP Range\)
+
+SAP BTP is configured to perform system-to-system calls to Identity Authentication on customer's behalf for authentication and provides the original IP address of the customer with the request. Donna Moore as an administrator of Company A wants to allow certain customer IP addresses from logging in. To achieve this, Donna configures a risk-based authentication rule with an IP range for the customer IPs that should be allowed. To ensure that authentication requests are performed by SAP BTP on customer's behalf, it is mandatory that she configures the IP range for SAP BTP addresses, first.
+
+![](images/IP_Ranges_Examples_b6f3ce1.png)
+
+**Related Information**
+
+
+[Configure Risk-Based Authentication for an Application](configure-risk-based-authentication-for-an-application-bc52fbf.md#loiobc52fbf3d59447bbb6aa22f80d8b6056 "You can define rules for authentication according to different risk factors and apply actions like Allow, Deny, and Two-Factor Authentication.")
+
+[Create a New Rule](create-a-new-rule-18d02ab.md "You can create rules for authentication according to different risk factors.")
+
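Review bot: the *Authentication Rules* table in Example 3 is flattened, one cell per line with blank lines between them, so it will not render as a table; rebuild it as a Markdown table with the header row `Action | IP Range | Group | Authentication Method | User Type` and the four rows Deny / Any / Any / Any / Customer, Allow / 189.101.112.1/16 / Employees / SPNEGO / Any, TOTP Two-Factor Authentication / Any / Employees / Any / Any, and TOTP Two-Factor Authentication / Any / Managers / Any / Any. In that table, `189.101.112.1/16` has host bits set; the narrative says all company addresses start with 189.101, so the matching prefix in canonical form is `189.101.0.0/16`, and readers copying the example should see the canonical form. The Example 3 narrative also needs attention: "The two factors are SPNEGO and а passcode" contradicts the rules, because SPNEGO is the corporate-network method and the off-network rule is TOTP two-factor authentication (password and passcode); the "а" in "а passcode" is a Cyrillic letter rather than ASCII "a"; and "Donna Moore, a customer of company A" reuses the name of the administrator introduced at the top of the same example, so a different name is needed for the customer. Throughout the file the value brackets are escaped on one side only (`[Two-Factor Authentication\]`, `[TOTP\]`, `[Deny\]`); escape both or neither. Typos: Example 2 "a SMS code" (an SMS code) and "he sets only a *Default Action*" (Donna is "she"); Example 4 "an *Leave Request Approval*" and "Julie he approves"; Example 5 "an *Leave Request Approval*"; Example 6 heading "Fowarded" and "allow certain customer IP addresses from logging in" (either "to log in" or "prevent ... from logging in"). Finally, Example 6 relies entirely on the image: the two rules (the SAP BTP address range first, then the customer range) should be described in text, and the sentence that makes the SAP BTP rule mandatory "first" should say why, namely that the forwarded original address is to be honoured only for requests that actually arrive from the SAP BTP ranges.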
diff --git a/docs/Operation-Guide/images/Logon_Links_27346e0.png b/docs/Operation-Guide/images/Logon_Links_27346e0.png
index 24122c7..7fa6dc8 100644
Binary files a/docs/Operation-Guide/images/Logon_Links_27346e0.png and b/docs/Operation-Guide/images/Logon_Links_27346e0.png differ
diff --git a/docs/Operation-Guide/images/Password_Policy_Strength_c8d2c08.png b/docs/Operation-Guide/images/Password_Policy_Strength_c8d2c08.png
index b2d55c6..0dbe7d7 100644
Binary files a/docs/Operation-Guide/images/Password_Policy_Strength_c8d2c08.png and b/docs/Operation-Guide/images/Password_Policy_Strength_c8d2c08.png differ
diff --git a/docs/Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md b/docs/Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md
index e118ce7..d1efbe8 100644
--- a/docs/Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md
+++ b/docs/Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md
@@ -606,7 +606,7 @@ To import users for an application into Identity Authentication, and to send act
>
> If you don’t have a created application in your list, you can create one. For more information, see [Create a New Application](create-a-new-application-0d4b255.md).
-4. Choose the *Browse...* button and specify the location of the CSV file.
+4. Under *Upload CSV File*, choose the *Browse...* button and specify the location of the CSV file.
> ### Note:
> Use a file smaller than 100 KB and with an extension `.csv`. If your file is 100 KB or larger, you have to import the user information in iterations with smaller size files.
@@ -651,14 +651,14 @@ To import users for an application into Identity Authentication, and to send act
- The users are imported or updated for the selected application, but they will not receive activation emails. The activation emails will be sent when you choose *Send Emails* \> *Send*.
+ The users are imported or updated for the selected application, but they will not receive activation emails. The activation emails will be sent when you choose the *Send* button.
- Choose *Send Emails* \> *Send*
+ Under *Send Emails* choose the *Send* button
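Review bot: the new step "Under *Send Emails* choose the *Send* button" is missing the comma after *Send Emails* and the full stop the other steps carry. In the same hunk, "The activation emails will be sent when you choose the *Send* button." no longer says where that button is, which the replaced `*Send Emails* \> *Send*` path did; "the *Send* button under *Send Emails*" keeps that information.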
diff --git a/docs/Operation-Guide/list-administrators-c79a5c6.md b/docs/Operation-Guide/list-administrators-c79a5c6.md
index 851b128..5811e52 100644
--- a/docs/Operation-Guide/list-administrators-c79a5c6.md
+++ b/docs/Operation-Guide/list-administrators-c79a5c6.md
@@ -41,7 +41,7 @@ To list all administrators, proceed as follows:
[Edit Administrator Authorizations](edit-administrator-authorizations-86ee374.md "As a tenant administrator, you can edit both your own authorizations and other administrators' authorizations in the administration console for SAP Cloud Identity Services. By editing the administrator authorizations you can also delete an administrator.")
-[Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md "Configure a granular access control based on policies for the administrators of SAP Cloud Identity Services.")
+[Configure Authorizations Based on Policies](configure-authorizations-based-on-policies-08fea39.md "Enable admin authorizations based on policies to configure a granular access control for the administrators of SAP Cloud Identity Services.")
[Identity Authentication Tenant as an Application Identity Provider](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/d3df5b457d0c43fca117da0dc14e2f0d.html)
diff --git a/docs/Operation-Guide/manage-custom-schemas-via-administration-console-d492d70.md b/docs/Operation-Guide/manage-custom-schemas-via-administration-console-d492d70.md
index 9be91cf..4bd42fa 100644
--- a/docs/Operation-Guide/manage-custom-schemas-via-administration-console-d492d70.md
+++ b/docs/Operation-Guide/manage-custom-schemas-via-administration-console-d492d70.md
@@ -12,10 +12,10 @@ The administration console shows information about all existing schemas, predefi
If you need your own custom attributes, for users or groups, you can define your own custom schema, and once the schema is defined, the custom attributes that it defines can be used.
-To be used, the custom attributes must be assigned to the user first. For more information, see [Attributes with Default Values](attributes-with-default-values-a2f1e46.md).
+To be used, the custom attributes must be assigned to the user first. For more information, see [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
> ### Note:
-> When the attributes are assigned to a user, they can be sent to the application. For more information, see [User Attributes Sent to the Application](user-attributes-sent-to-the-application-d361407.md).
+> When the attributes are assigned to a user, they can be sent to the application. For more information, see [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md).
You can define a schema either by importing a JSON file, which must comply with the SCIM standard, or by creating it manually via the administration console.
diff --git a/docs/Operation-Guide/provision-users-to-target-systems-af6f78b.md b/docs/Operation-Guide/provision-users-to-target-systems-af6f78b.md
index 10d4265..94068af 100644
--- a/docs/Operation-Guide/provision-users-to-target-systems-af6f78b.md
+++ b/docs/Operation-Guide/provision-users-to-target-systems-af6f78b.md
@@ -485,7 +485,7 @@ The tenant administrator can choose which of the users to be provisioned to the
> ### Note:
> The search is case insensitive. The system searches for entries that begin with the typed string.
>
- > If you place asterix \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *search* field, the system will look for users whose first three letters in any of the three fields are ***\*on***. If you type ***on*** or ***on\**** in the search field, the system will look for users whose first two letters in any of the three fields are ***on***.
+ > If you place asterisk \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *search* field, the system will look for users whose first three letters in any of the three fields are ***\*on***. If you type ***on*** or ***on\**** in the search field, the system will look for users whose first two letters in any of the three fields are ***on***.
@@ -506,7 +506,7 @@ The tenant administrator can choose which of the users to be provisioned to the
> ### Note:
> The search is case insensitive. The system searches for entries that begin with the typed string.
>
- > If you place asterix \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *First Name* field, the system will look for users whose first three letters of the first name are ***\*on***. If you type ***on*** or ***on\**** in the *First Name* field, the system will look for users whose first two letters of the first name are ***on***.
+ > If you place asterisk \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *First Name* field, the system will look for users whose first three letters of the first name are ***\*on***. If you type ***on*** or ***on\**** in the *First Name* field, the system will look for users whose first two letters of the first name are ***on***.
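Review bot: this copy of the asterisk note carries the same grammar problem as the one in the hunk above (missing "an" before "asterisk" and the comma before "the system"), so fix both together. The identical note appears in four hunks of this patch (two here, two in search-users-06078a6.md); if the docs toolchain supports a reusable snippet, moving the text into one would prevent the copies from drifting apart again.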
diff --git a/docs/Operation-Guide/redirect-uris-post-logout-redirect-uri-rules-48fdb9a.md b/docs/Operation-Guide/redirect-uris-post-logout-redirect-uri-rules-48fdb9a.md
index 15e7a5b..63ef284 100644
--- a/docs/Operation-Guide/redirect-uris-post-logout-redirect-uri-rules-48fdb9a.md
+++ b/docs/Operation-Guide/redirect-uris-post-logout-redirect-uri-rules-48fdb9a.md
@@ -68,11 +68,6 @@ Top level domains are allowed. The domain part can't end with a hyphen "-".
## Wildcards
-- You can use asterisk \(`*`\) in the beginning, only for the first subdomain.
-
- > ### Example:
- > https://\*.test.example.com
-
- You can use asterisk \(\*\) as first subdomain for localhost addresses. No other subdomains allowed.
> ### Example:
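Review bot: removing the bullet "You can use asterisk \(`*`\) in the beginning, only for the first subdomain" drops the only statement that restricted a leading wildcard to the first label, and nothing in the remaining text says whether `https://\*.test.example.com` is still accepted or under which rule. The localhost bullet keeps its own limit ("No other subdomains allowed"), so the general case should be equally explicit: every accepted wildcard widens the set of hosts a post-logout redirect can be sent to, and readers validating their own URIs should not have to infer the allowed positions from the examples.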
@@ -80,10 +75,10 @@ Top level domains are allowed. The domain part can't end with a hyphen "-".
>
> https://\*.localhost
-- You can use asterisk \(`*`\) in the domain part, or you can have a subdomain and add an asterisk at the beginning or at the end of it. There must be at least 3 subdomains left after the subdomain with the asterisk, and there can only be one subdomain with an asterisk..
+- You can use asterisk \(`*`\) in the domain part, or you can have a subdomain and add an asterisk at the beginning or at the end of it. There must be at least 3 subdomains left after the subdomain with the asterisk, and there can only be one subdomain with an asterisk.
> ### Example:
- > https://app.\*.test.example.com
+ > https://\*.test.example.com
>
> https://app.\*foo.test.example.com
>
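Review bot: the example swap to `https://\*.test.example.com` makes this bullet cover the leading-wildcard case, but the rule "There must be at least 3 subdomains left after the subdomain with the asterisk" is ambiguous for that example: after `\*` only `test`, `example` and `com` remain, so the rule holds only if the registrable domain and the top-level domain count as subdomains. State what counts toward the three (the hunk context "Top level domains are allowed" suggests the TLD does) so that administrators checking a URI against this page and the validation in the product agree. The removal of the doubled period is fine.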
diff --git a/docs/Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md b/docs/Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md
index 79dd68e..6e14359 100644
--- a/docs/Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md
+++ b/docs/Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md
@@ -94,7 +94,7 @@ Customers that have subsidiaries can reuse existing Identity Authentication tena
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
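Review bot: the new link target `configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md` has a truncated slug ("restricted-availa"), and the rename of that Operation-Guide page is not visible in this part of the diff (only the docs/Security page rename is). If the truncation is the generator's length cap, fine, but please confirm the file exists under exactly that name; the same target is referenced in six further hunks of this patch, so a wrong slug breaks all of them at once.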
diff --git a/docs/Operation-Guide/risk-based-authentication-for-an-application-5493367.md b/docs/Operation-Guide/risk-based-authentication-for-an-application-5493367.md
new file mode 100644
index 0000000..944d2f6
--- /dev/null
+++ b/docs/Operation-Guide/risk-based-authentication-for-an-application-5493367.md
@@ -0,0 +1,6 @@
+
+
+# Risk-Based Authentication for an Application
+
+Configure risk-based authentication, define rules, and explore example scenarios.
+
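Review bot: the new landing page promises "define rules, and explore example scenarios" but carries no links to those topics and no Related Information block, unlike the other new pages in this patch (for example upload-logo-in-administration-console-41e7627.md). Add links to the configuration and rule-creation pages so the entry is navigable instead of a dead end in the table of contents.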
diff --git a/docs/Operation-Guide/search-users-06078a6.md b/docs/Operation-Guide/search-users-06078a6.md
index a701fba..6ec1c82 100644
--- a/docs/Operation-Guide/search-users-06078a6.md
+++ b/docs/Operation-Guide/search-users-06078a6.md
@@ -75,7 +75,7 @@ You can list all users in the tenant for Identity Authentication or filter your
> ### Note:
> The search is case insensitive. The system searches for entries that begin with the typed string.
>
- > If you place asterix \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *search* field, the system will look for users whose first three letters in any of the three fields are ***\*on***. If you type ***on*** or ***on\**** in the search field, the system will look for users whose first two letters in any of the three fields are ***on***.
+ > If you place asterisk \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *search* field, the system will look for users whose first three letters in any of the three fields are ***\*on***. If you type ***on*** or ***on\**** in the search field, the system will look for users whose first two letters in any of the three fields are ***on***.
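Review bot: this is the third copy of the asterisk note in this patch and it has the same grammar problem as the provision-users copies (missing "an" before "asterisk" and the comma before "the system"); since all four copies are touched by this change, fix the wording in all of them in the same commit.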
@@ -96,7 +96,7 @@ You can list all users in the tenant for Identity Authentication or filter your
> ### Note:
> The search is case insensitive. The system searches for entries that begin with the typed string.
>
- > If you place asterix \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *First Name* field, the system will look for users whose first three letters of the first name are ***\*on***. If you type ***on*** or ***on\**** in the *First Name* field, the system will look for users whose first two letters of the first name are ***on***.
+ > If you place asterisk \(\*\) in the beginning or in the middle of your search string the system will treat it as a regular character and will include it in the search. For example, if you type ***\*on*** in the *First Name* field, the system will look for users whose first three letters of the first name are ***\*on***. If you type ***on*** or ***on\**** in the *First Name* field, the system will look for users whose first two letters of the first name are ***on***.
diff --git a/docs/Operation-Guide/send-reset-password-email-da55abf.md b/docs/Operation-Guide/send-reset-password-email-da55abf.md
index e7b15dc..21fa1c7 100644
--- a/docs/Operation-Guide/send-reset-password-email-da55abf.md
+++ b/docs/Operation-Guide/send-reset-password-email-da55abf.md
@@ -10,6 +10,9 @@ You can trigger the sending of an email to the user with reset password informat
Tenant administrator can trigger the sending of an email to the user with reset password information. When the user follows the link provided in the email, the reset password screen appears and the user is prompted to set a new password.
+> ### Note:
+> In this scenario, the email that is sent uses the Forgot Password template set that is defined for the User Prfile application. For more information, see [View Email Template Document](view-email-template-document-148568a.md).
+
Identity Authentication can send to the user up to three emails \(forgot password, reset password, email verification\) per 24 hours. This counter includes also the emails sent with passcode for TOTP deactivation. If you send three emails within 24 hours, the user will not be able to request a passcode for TOTP deactivation via the profile page during these 24 hours.
If the user must receive more than three emails, the administrator must reset the counter for email sending first. For more information, see [Reset Counter for Email Sending](reset-counter-for-email-sending-08f634b.md).
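Review bot: typo in the added note: "User Prfile application" should be "User Profile application". Since the note now says which template set the reset email uses, it would also help to say here that this email counts toward the three-emails-per-24-hours limit described in the next paragraph; an administrator who triggers several resets can otherwise unknowingly block the user from requesting a TOTP-deactivation passcode for the rest of that window.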
diff --git a/docs/Operation-Guide/send-security-alert-emails-c977464.md b/docs/Operation-Guide/send-security-alert-emails-c977464.md
index fa64ebc..c85d460 100644
--- a/docs/Operation-Guide/send-security-alert-emails-c977464.md
+++ b/docs/Operation-Guide/send-security-alert-emails-c977464.md
@@ -101,7 +101,7 @@ The security alert e-mails are disabled by default. To start sending security al
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/send-system-notifications-via-emails-aa04a8b.md b/docs/Operation-Guide/send-system-notifications-via-emails-aa04a8b.md
index 2b8cab1..05cf81e 100644
--- a/docs/Operation-Guide/send-system-notifications-via-emails-aa04a8b.md
+++ b/docs/Operation-Guide/send-system-notifications-via-emails-aa04a8b.md
@@ -115,7 +115,7 @@ To start sending security alert emails, proceed as follows:
[Send Security Alert Emails](send-security-alert-emails-c977464.md "Send security alert emails to end-users or administrators when changes in their accounts are made.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md b/docs/Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md
index 8bdbfa8..0a95937 100644
--- a/docs/Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md
+++ b/docs/Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md
@@ -21,7 +21,7 @@ You can change the name format, the certificate used by the identity provider to
> ### Note:
> The signing certificate is one and the same for SAML 2.0 and OpenId Connect. A change in one of the configurations affects the other one.
-The *OpenID Connect Configuration* view in the administration console shows also information about the URLs of the *Authorization endpoint*, *Token endpoint*, *UserInfo endpoint*, and *Logout endpoint*.
+The *OpenID Connect Configuration* view in the administration console shows also information about the URLs of the *Domain for Browser Flows*, *Authorization Endpoint*, *Token Endpoint*, *UserInfo Endpoint*, and *Logout Endpoint*.
The token policy for the tenant is defined by configuring the validity of the refresh token, access and id\_token, and the maximum sessions per user. It’s valid for all the applications in the tenant.
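Review bot: the new list in "shows also information about the URLs of the *Domain for Browser Flows*, *Authorization Endpoint*, ..." mixes a domain with endpoint URLs; *Domain for Browser Flows* is not an endpoint URL, so either split it out ("the *Domain for Browser Flows* and the URLs of the ...") or describe it separately, otherwise readers will look for a URL that is not there.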
@@ -120,7 +120,10 @@ To view or change the tenant OpenID Connect configurations, proceed as follows:
3. Under *Single Sign-On*, choose the *OpenID Connect Configuration* list item.
- The *OpenID Connect Configuration* page that opens displays the name of the identity provider, its endpoints, signing certificate and token policy.
+ The *OpenID Connect Configuration* page that opens displays the name of the identity provider, its endpoints derived from issuer and domain configurations, signing certificate and token policy.
+
+ > ### Note:
+ > By default, applications use the domain from their trust configuration to access all the endpoints. For browser-based logons and logouts, you can choose another domain. Applications use the chosen domain after reloading the OpenID Connect metadata.
4. **Optional:** To define the token policy, use the slider or provide a number in the input field above the slider. If needed, use the reset button to set to the default value.
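Review bot: the added Note says applications use the chosen domain "after reloading the OpenID Connect metadata" but not which endpoints move with it; from "browser-based logons and logouts" a reader will guess the authorization and logout endpoints while the token and UserInfo endpoints stay on the trust-configuration domain, and the page should say so rather than leave it to guesswork. It should also state that an application still holding cached metadata keeps redirecting to the previous domain until it refreshes, because that is exactly the situation an administrator will be troubleshooting after changing the setting.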
@@ -133,7 +136,7 @@ To view or change the tenant OpenID Connect configurations, proceed as follows:
- Name
+ Issuer
@@ -145,24 +148,24 @@ To view or change the tenant OpenID Connect configurations, proceed as follows:
- Default Type name format
+ Default Issuer format
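Review bot: the labels change from "Name" and "Default Type name format" to "Issuer" and "Default Issuer format", but the hunk context at the top of this file still says "You can change the name format, the certificate used by the identity provider to ..."; update the intro to "issuer format" so the prose matches the UI. Since the same rename appears in the SAML 2.0 page in this patch, and the page already notes that the signing certificate "is one and the same for SAML 2.0 and OpenId Connect", say whether the issuer format is likewise one setting shared by both protocols.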
@@ -289,7 +292,7 @@ To change the default certificate for the tenant, choose the new one from the li
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/tenant-saml-2-0-configuration-e81a19b.md b/docs/Operation-Guide/tenant-saml-2-0-configuration-e81a19b.md
index b04ba93..96d24d3 100644
--- a/docs/Operation-Guide/tenant-saml-2-0-configuration-e81a19b.md
+++ b/docs/Operation-Guide/tenant-saml-2-0-configuration-e81a19b.md
@@ -54,7 +54,7 @@ To view and download the tenant SAML 2.0 metadata, or to change the name format,
- Name
+ Issuer
@@ -66,24 +66,24 @@ To view and download the tenant SAML 2.0 metadata, or to change the name format,
- Default Type name format
+ Default Issuer format
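Review bot: same label rename as in the OpenID Connect page, and the hunk context "To view and download the tenant SAML 2.0 metadata, or to change the name format," still says "name format". If changing this format changes the issuer value that appears in the tenant SAML 2.0 metadata, the page should say so and tell administrators that trusting service providers need the updated metadata, because an issuer mismatch fails assertion validation on the service-provider side.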
@@ -208,7 +208,7 @@ To change the default certificate for the tenant, choose the new one from the li
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/upload-logo-in-administration-console-41e7627.md b/docs/Operation-Guide/upload-logo-in-administration-console-41e7627.md
new file mode 100644
index 0000000..f21d4ad
--- /dev/null
+++ b/docs/Operation-Guide/upload-logo-in-administration-console-41e7627.md
@@ -0,0 +1,38 @@
+
+
+# Upload Logo in Administration Console
+
+You can upload a custom logo in the administration console by uploading an image and use it for your applications.
+
+
+
+## Procedure
+
+1. Sign in to the administration console for SAP Cloud Identity Services.
+
+2. Under *Applications and Resources*, choose the *Logos* tile.
+
+3. Choose *Add*.
+
+4. Provide a name for the logo in the dialog and choose *\+Create*.
+
+5. To upload a logo, choose *Browse* and select an image with the required format.
+
+ You can use one of the following formats for the image: .png, .gif, and .jpeg.
+
+ > ### Note:
+ > The image must be smaller than 100 KB and with a maximum size of 300x100.
+
+6. Save your configuration.
+
+ > ### Tip:
+ > To remove an uploaded logo from the list, choose the *Delete* button and confirm your choice. Only logos that are not assigned to applications can be removed.
+
+
+**Related Information**
+
+
+[Create a New Application](create-a-new-application-0d4b255.md "You can create a new application and customize it to comply with your company requirements.")
+
+[Troubleshooting for Administrators](troubleshooting-for-administrators-f80beb5.md "This section is intended to help administrators deal with error messages in the administration console for SAP Cloud Identity Services.")
+
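Review bot: "The image must be smaller than 100 KB and with a maximum size of 300x100" gives the dimensions without a unit and uses "size" for both bytes and dimensions; suggest "must be smaller than 100 KB and at most 300x100 pixels". The intro "by uploading an image and use it for your applications" needs "and using it", and step 4 has "*\+Create*", presumably meant as "*Create*". Finally, say whether the format check is by file extension or by content (".jpeg" is listed but ".jpg" is the usual extension), so administrators know why an upload is rejected.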
diff --git a/docs/Operation-Guide/use-a-custom-css-faa2a33.md b/docs/Operation-Guide/use-a-custom-css-faa2a33.md
index 59f6b95..907d27a 100644
--- a/docs/Operation-Guide/use-a-custom-css-faa2a33.md
+++ b/docs/Operation-Guide/use-a-custom-css-faa2a33.md
@@ -56,9 +56,9 @@ Upload a Quartz or Horizon CSS file for custom end-user screens or the profile p
> ### Note:
> Type the name of the CSS style in the search field to filter the list items, or choose the CSS style from the list on the left.
>
- > If you do not have a created CSS style in your list, you can create one by choosing the *Create* button on the left-hand panel.
+ > If you do not have a CSS style in your list, you can create one by choosing the *Add* button on the left-hand panel.
-4. Upload your CSS file for the respective theme \(Quartz or Horizon\).
+4. Browse for a CSS file and upload it for the respective theme.
5. Save your changes.
@@ -66,14 +66,14 @@ Upload a Quartz or Horizon CSS file for custom end-user screens or the profile p
You can update your custom CSS style as many times as you need. Only the last updated version is used.
- You can delete a CSS style. Select the CSS styke and choose the *Delete* button to delete it.
+ You can delete a CSS style. Select the CSS style and choose the *Delete* button to delete it.
> ### Caution:
> You can delete a CSS style, only if it is not assigned to an application. If it is assigned, you must assign a new style, and then delete it.
You can download the CSS file for further reference by choosing the *Download* button.
-6. **Optional:** To preview the implementation of the CSS on the Logon page, right click the preview link with title *CSS\_Test\_View* and open it in a new private or incognito tab.
+6. **Optional:** To preview the implementation of the CSS on the Sign-In page, copy the preview link and open it in a new private or incognito tab.
diff --git a/docs/Operation-Guide/use-custom-domain-in-identity-authentication-c4db840.md b/docs/Operation-Guide/use-custom-domain-in-identity-authentication-c4db840.md
index 0cf2cd7..b2394c3 100644
--- a/docs/Operation-Guide/use-custom-domain-in-identity-authentication-c4db840.md
+++ b/docs/Operation-Guide/use-custom-domain-in-identity-authentication-c4db840.md
@@ -480,7 +480,7 @@ The custom domain configuration is enabled with the upgrade of Identity Authenti
[Send System Notifications via Emails](send-system-notifications-via-emails-aa04a8b.md "You can configure the administration console to send emails with information about expiring certificates, system notifications and new administrators to specific email addresses or to the emails of all administrators.")
-[Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md "")
+[Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md "")
[Configure Default Language for End User Screens](configure-default-language-for-end-user-screens-2cb73c3.md "Select the language that the end user screen uses if the language of the browser isn’t in the list of supported languages.")
diff --git a/docs/Operation-Guide/user-attributes-ed2797d.md b/docs/Operation-Guide/user-attributes-ed2797d.md
new file mode 100644
index 0000000..33fed27
--- /dev/null
+++ b/docs/Operation-Guide/user-attributes-ed2797d.md
@@ -0,0 +1,46 @@
+
+
+# User Attributes
+
+Tenant administrator has an overview of all the attributes provided to the application, regardless of the source of the values, and can provide the attributes needed by the application, specifying the attribute names expected by the application.
+
+
+
+
+
+## Context
+
+> ### Restriction:
+> The attributes configurations in the administration console for SAP Cloud Identity Services are relevant only when the application uses for authentication Identity Authentication, or when it uses a corporate identity provider \(IdP\), and the *Identity Federation* option is enabled.
+>
+> When the application uses a corporate IdP for authentication, and *Identity Federation* is disabled, Identity Authentication sends to the application the attributes that come from the corporate identity provider without changing them, and if configured, some of the same values with additional attribute names, namely configured on the trust to the corporate IdP, enriched assertion attributes or enriched token claims.
+
+The application can get different values for a certain attribute name. The following options for sources are possible:
+
+- *Identity Directory* - The local user attribute. You choose the value from a drop-down. See [Configuring User Attributes from the Identity Directory](configuring-user-attributes-from-the-identity-directory-d361407.md).
+- *Corporate IdP* - The user attribute provided by the corporate IdP. You just enter the attribute name provided by the corporate IdP. See [Configuring User Attributes from a Corporate Identity Provider](configuring-user-attributes-from-a-corporate-identity-provider-621017f.md).
+- *Expression* - A static or dynamic value. It can be a user attribute coming from *Identity Directory* or *Corporate Identity Provider*, or even a combination of all sources. See [Configuring Attributes Based on Flexible Expressions](configuring-attributes-based-on-flexible-expressions-a2f1e46.md).
+
+> ### Tip:
+> The *Identity Directory* source maps to the the *Assertion Attributes* term used before in this documentation.
+>
+> Depending on the scenario, the *Corporate Identity Provider* and *Expression* map to the *Default Attributes* term used before in this documentation.
+
+> ### Note:
+> You can specify multiple user attribute values for each user attribute. Up to 300 attribute values are allowed for self-created customer applications and automatically created single-tenant applications, and up to 50 attribute values for automatically created single-tenant applications.
+
+
+
+### Self-Defined Attributes
+
+If you have self-created applications or automatically created single-tenant applications in your SAP Cloud Identity Services tenant, you configure the attribute mappings under the *Self-Defined Attributes* section in the administration console. You must know the attributes that the application support, and configure the mappings accordingly.
+
+
+
+### Application Attributes
+
+If you have subscribed multi-tenant applications in your SAP Cloud Identity Services tenant, the attributes supported by these applications are predefined and listed under the *Application Attributes* section, with default mappings for source *Identity Directory*. You can see which attributes are supported, and add or remove mappings for the other sources - *Corporate Identity Provider* and *Expression*.
+
+> ### Tip:
+> For some subscribed applications, you might need to add custom attribute mappings \(under the *Self-Defined Attributes* section\). For example, an SAP BTP application connects to another application using a destination that is customer-managed. As *User ID* for principal propagation, the customer decides to use an attribute that is not in the list of predefined application attributes. So, this customer need to add the attribute configured in the destination as a self-defined attribute in the application in the SAP Cloud Identity Services tenant.
+
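Review bot: the limits in the Note contradict themselves: "Up to 300 attribute values are allowed for self-created customer applications and automatically created single-tenant applications, and up to 50 attribute values for automatically created single-tenant applications" names automatically created single-tenant applications in both clauses. Given that the Application Attributes section below is about subscribed multi-tenant applications, the 50 limit presumably belongs to those; please correct whichever clause is wrong. Smaller fixes in the same file: "maps to the the *Assertion Attributes*" (doubled "the"), "attributes that the application support" should be "supports", and "this customer need to add" should be "needs to add".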
diff --git a/docs/Security/customer-controlled-encryption-keys-177108a.md b/docs/Security/customer-controlled-encryption-keys-177108a.md
deleted file mode 100644
index 1234578..0000000
--- a/docs/Security/customer-controlled-encryption-keys-177108a.md
+++ /dev/null
@@ -1,84 +0,0 @@
-
-
-# Customer-Controlled Encryption Keys
-
-Your organization can control the encryption keys for data stored in SAP Cloud Identity Services using [SAP Data Custodian Key Management Service](https://help.sap.com/docs/sap-data-custodian/help-guide/overview?version=latest).
-
-Before using the customer-controlled encryption keys, be aware of the following specifics:
-
-
-
-
-
-## Limitations
-
-
-
-
-
-## Identity Authentication
-
-
-
-### Identity Directory SCIM REST API
-
-- SCIM filter operators "`co`" and "`sw`" are not supported. Identity Directory SCIM REST API returns response *Bad Request \(400\)*.
-
-- SCIM filter operators "`gt`" and "`lt`" are supported only for parameters `meta.created` and `meta.lastModified`.
-
-
-For more information, see [Identity Directory SCIM REST API](../Development/identity-directory-scim-rest-api-5be5692.md).
-
-
-
-### Administration Console
-
-- *Users Authorizations* \> *User Management* - \(Filtered and Unfiltered Search\) only exact search is supported for *User ID*, *Global User ID*, *Email*, *Login Name*, *First Name* and *Last Name*.
-
- For more information, see [Search Users](../Operation-Guide/search-users-06078a6.md).
-
-- *Users Authorizations* \> *Groups* - when adding users to a group, only exact search is supported for *First Name*, *Last Name*, *Email*, *Login Name* and *SCIM ID*.
-
- For more information, see [Add Users to a Group](../Operation-Guide/add-users-to-a-group-d2e1a01.md).
-
-
-
-
-
-
-## Identity Provisioning
-
-An encrypted SAP Cloud Identity Services tenant allows you to search for job and real-time logs by providing the complete name of the source system and the entity ID. This means that if you want to search for the job logs of a source system named `IAS_Source`, you must enter its complete name in the search field. The same applies for entity IDs. You must enter the complete ID of the user or group.
-
-For more information, see [Monitor Provisioning Job Logs](https://help.sap.com/docs/identity-provisioning/identity-provisioning/search-and-view-provisioning-job-logs?version=Cloud) and [Monitor Real-Time Logs](https://help.sap.com/docs/identity-provisioning/identity-provisioning/search-and-view-provisioning-job-logs?version=Cloud).
-
-
-
-
-
-## Unencrypted Data
-
-
-
-
-
-## Identity Authentication
-
-
-
-
-
-## Identity Provisioning
-
-`Zip` files containing error logs and logs for skipped entities can't be encrypted.
-
-For more information, see [Monitor Provisioning Job Logs](https://help.sap.com/docs/identity-provisioning/identity-provisioning/search-and-view-provisioning-job-logs?version=Cloud).
-
-
-
-
-
-## Configuration
-
-To configure the customer-controlled encryption keys in the administration console for SAP Cloud Identity Services, follow the procedure described in[Configure Customer-Controlled Encryption Keys in Administration Console](../Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-fe6e30c.md).
-
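Review bot: this deleted page and the renamed docs/Security/customer-controlled-encryption-keys-restricted-availability-177108a.md share the suffix 177108a, so this looks like a stale duplicate; please confirm that every limitation listed here (SCIM filter operators `co` and `sw` returning *Bad Request \(400\)*, `gt` and `lt` only on `meta.created` and `meta.lastModified`, exact-match-only search in the administration console, and `Zip` log files that can't be encrypted) is present in the retained page, since these describe what customers give up when they enable customer-controlled keys. The deleted text also had the missing space in "described in[Configure ..."; make sure that is not still present in the retained copy.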
diff --git a/docs/Security/customer-controlled-encryption-keys-early-adoption-177108a.md b/docs/Security/customer-controlled-encryption-keys-restricted-availability-177108a.md
similarity index 93%
rename from docs/Security/customer-controlled-encryption-keys-early-adoption-177108a.md
rename to docs/Security/customer-controlled-encryption-keys-restricted-availability-177108a.md
index 0e49f92..136c0f2 100644
--- a/docs/Security/customer-controlled-encryption-keys-early-adoption-177108a.md
+++ b/docs/Security/customer-controlled-encryption-keys-restricted-availability-177108a.md
@@ -1,6 +1,6 @@
-# Customer-Controlled Encryption Keys \(Early Adoption\)
+# Customer-Controlled Encryption Keys \(Restricted Availability\)
Your organization can control the encryption keys for data stored in SAP Cloud Identity Services using [SAP Data Custodian Key Management Service](https://help.sap.com/docs/sap-data-custodian/help-guide/overview?version=latest).
@@ -76,5 +76,5 @@ Meta information used in general processing, for example data model Version, ten
## Configuration
-To configure the customer-controlled encryption keys in the administration console for SAP Cloud Identity Services, follow the procedure described in [Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](../Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md).
+To configure the customer-controlled encryption keys in the administration console for SAP Cloud Identity Services, follow the procedure described in [Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](../Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md).
diff --git a/docs/Security/data-protection-and-privacy-7a7f3ae.md b/docs/Security/data-protection-and-privacy-7a7f3ae.md
index 8f25975..d332d6c 100644
--- a/docs/Security/data-protection-and-privacy-7a7f3ae.md
+++ b/docs/Security/data-protection-and-privacy-7a7f3ae.md
@@ -10,5 +10,5 @@ Governments place legal requirements on industry to protect data and privacy. We
Handle personal data with care. You as the data controller are legally responsible when processing personal data. It is not permitted to deal with sensitive personal data in Identity Authentication.
> ### Remember:
-> Custom attributes must not be used to store sensitive personal data. For more information, see [User Attributes Sent to the Application](../Operation-Guide/user-attributes-sent-to-the-application-d361407.md).
+> Custom attributes must not be used to store sensitive personal data. For more information, see [Configuring User Attributes from the Identity Directory](../Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md).
diff --git a/docs/accessibility-features-in-identity-authentication-c7b544b.md b/docs/accessibility-features-in-identity-authentication-c7b544b.md
deleted file mode 100644
index 80ffddb..0000000
--- a/docs/accessibility-features-in-identity-authentication-c7b544b.md
+++ /dev/null
@@ -1,30 +0,0 @@
-
-
-# Accessibility Features in Identity Authentication
-
-To optimize your experience of Identity Authentication, Identity Authentication tools provide features and settings that help you use the software efficiently.
-
-
-
-> ### Note:
-> Identity Authentication is based on SAPUI5. For this reason, accessibility features for SAPUI5 also apply. See the accessibility documentation for SAPUI5 on SAP Help Portal at [Accessibility for End Users](https://help.sap.com/docs/SAPUI5/bc5a64aac808463baa95b4230f221716/f562835d0b4e44129aa24a17551a0baa.html).
-
-For more information on screen reader support and keyboard shortcuts, see [Keyboard Handling for SAPUI5 UI Elements](https://help.sap.com/docs/SAPUI5/bc5a64aac808463baa95b4230f221716/144d377d68784689a9b21565dfa14065.html) and [Screen-Reader Support for SAPUI5 Controls](https://help.sap.com/docs/SAPUI5/bc5a64aac808463baa95b4230f221716/125c19fd121043c0a3ac01c6e9f8132a.html).
-
-**Related Information**
-
-
-[Product Details](product-details-4d404b1.md)
-
-[Tenant Model and Licensing](tenant-model-and-licensing-93160eb.md "This document provides information about the tenant model, tenant licensing, and obtaining a tenant of Identity Authentication.")
-
-[Web-Based Logon Interface](web-based-logon-interface-8e40afc.md "Service providers that delegate authentication to Identity Authentication can use two types of visualization of the web-based user interfaces for the logon pages of their applications.")
-
-[Regional Availability](regional-availability-be600ca.md "Tenants are deployed on the productive domain accounts.ondemand.com.")
-
-[Disaster Recovery/High Availability](disaster-recovery-high-availability-2c1a055.md "Disaster recovery (DR) and high availability (HA) are based on the capabilities of the underlying infrastructure.")
-
-[Browser Support](browser-support-0741076.md "Information on the supported browser version for the administration console, and the end user screens of SAP Cloud Identity Services.")
-
-[Supported Languages](supported-languages-0ea634d.md "Information on the supported languages for the administration console, and the end user screens of Identity Authentication.")
-
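Review bot: this hunk deletes accessibility-features-in-identity-authentication-c7b544b.md, but the replacement page accessibility-features-in-sap-cloud-identity-services-c7b544b.md that disaster-recovery-high-availability-2c1a055.md and index.md link to later in this patch is not added in any hunk shown here; confirm the renamed file is part of the commit and grep the docs for the old slug so that no page keeps a dead link.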
diff --git a/docs/css/SAP-icons-V5.woff b/docs/css/SAP-icons-V5.woff
index 4842782..40ce00c 100644
Binary files a/docs/css/SAP-icons-V5.woff and b/docs/css/SAP-icons-V5.woff differ
diff --git a/docs/css/sap-icons.css b/docs/css/sap-icons.css
index 2caab9a..7207b71 100644
--- a/docs/css/sap-icons.css
+++ b/docs/css/sap-icons.css
@@ -5,6 +5,8 @@
@font-face{font-family:'BusinessSuiteInAppSymbols-V2';src: url('./BusinessSuiteInAppSymbols-V2.woff') format('woff');font-weight: normal;font-style: normal;}
@font-face{font-family:'bwicons';src: url('./bwicons.ttf') format('truetype');font-weight: normal;font-style: normal;}
@font-face{font-family:'FPA-icons';src: url('./FPA-icons.woff') format('woff');font-weight: normal;font-style: normal;}
+@font-face{font-family:'FPA-icons-V2';src: url('./FPA-icons-V2.woff') format('woff');font-weight: normal;font-style: normal;}
+@font-face{font-family:'FPA-icons-V3';src: url('./font/FPA-icons-V3.woff') format('woff');font-weight: normal;font-style: normal;}
@font-face{font-family:'ITOA_FontIcon';src: url('./ITOA_FontIcon.eot');src: url('./ITOA_FontIcon.eot?#iefix') format('embedded-opentype'),url('./ITOA_FontIcon.ttf') format('truetype');font-weight: normal;font-style: normal;}
@font-face{font-family:'NS-SAP-icons';src: url('./NS-SAP-icons.woff') format('woff');font-weight: normal;font-style: normal;}
@font-face{font-family:'NS-SAP-icons-extended';src: url('./NS-SAP-icons-extended.woff') format('woff');font-weight: normal;font-style: normal;}
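Review bot: the new FPA-icons-V3 rule loads `./font/FPA-icons-V3.woff` while every other @font-face in this file, including the FPA-icons-V2 rule added directly above it, loads from `./`; either the path is a typo or that one file lives in a subdirectory, so verify before merging. Neither FPA-icons-V2.woff nor FPA-icons-V3.woff is added in this patch (only SAP-icons-V5.woff is modified), so also check that the font files are committed before the stylesheet references them.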
@@ -17,10 +19,14 @@
@font-face{font-family:'SAP-icons-V5';src: url('./SAP-icons-V5.woff') format('woff');font-weight: normal;font-style: normal;}
@font-face{font-family:'SAP-icons-extended';src: url('./SAP-icons-extended.woff') format('woff');font-weight:normal;font-style:normal;}
@font-face{font-family:'SAP-icons-TNT';src: url('./SAP-icons-TNT.woff') format('woff');font-weight: normal;font-style: normal;}
+@font-face{font-family:'SAP-icons-TNT-V2';src: url('./SAP-icons-TNT-V2.woff') format('woff');font-weight: normal;font-style: normal;}
+@font-face{font-family:'SAP-icons-TNT-V3';src: url('./SAP-icons-TNT-V3.woff') format('woff');font-weight: normal;font-style: normal;}
@font-face{font-family:'SAP-icons-watt';src: url('./SAP-icons-watt.ttf') format('truetype');font-weight:normal;font-style:normal;}
@font-face{font-family:'sap-launch-icons';src: url('./sap-launch-icons.ttf') format('truetype');font-weight:normal;font-style:normal;}
@font-face{font-family:'sapsportsone';src: url('./sapsportsone.woff') format('woff');font-weight:normal;font-style:normal;}
@font-face{font-family:'ve-icon-set';src: url('./ve-icon-set.woff') format('woff');font-weight:normal;font-style:normal;}
+@font-face{font-family:'FluentSystemIcons-Filled';src: url('./FluentSystemIcons-Filled.woff') format('woff');font-weight:normal;font-style:normal;}
+@font-face{font-family:'FluentSystemIcons-Regular';src: url('./FluentSystemIcons-Regular.woff') format('woff');font-weight:normal;font-style:normal;}
.Ariba-icons {font-family:Ariba_icon_library;}
.Belize-icons {font-family:SAPGUI-Belize-Icons;}
.BusinessSuiteInAppSymbols {font-family:BusinessSuiteInAppSymbols;}
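Review bot: the two FluentSystemIcons rules are appended after ve-icon-set instead of in the roughly alphabetical order the surrounding entries keep; minor, but it makes future diffs noisier. The same file check as for the FPA fonts applies to SAP-icons-TNT-V2.woff, SAP-icons-TNT-V3.woff and the two FluentSystemIcons woff files, none of which appear as added binaries in this patch.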
@@ -28,6 +34,8 @@
.BusinessSuiteInAppSymbols-V2 {font-family:BusinessSuiteInAppSymbols-V2;}
.BW-icons {font-family:bwicons;}
.FPA-icons {font-family:FPA-icons;}
+.FPA-icons-V2 {font-family:FPA-icons-V2;}
+.FPA-icons-V3 {font-family:FPA-icons-V3;}
.ITOA_FontIcon {font-family:ITOA_FontIcon;}
.NS-SAP-icons {font-family:NS-SAP-icons;}
.NS-SAP-icons-extended {font-family:NS-SAP-icons-extended;}
@@ -40,7 +48,11 @@
.SAP-icons-V5 {font-family:SAP-icons-V5;}
.SAP-icons-extended {font-family:SAP-icons-extended;}
.SAP-icons-TNT {font-family:SAP-icons-TNT;}
+.SAP-icons-TNT-V2 {font-family:SAP-icons-TNT-V2;}
+.SAP-icons-TNT-V3 {font-family:SAP-icons-TNT-V3;}
.SAP-icons-watt {font-family:SAP-icons-watt;}
.sap-launch-icons {font-family:sap-launch-icons;}
.sapsportsone {font-family:sapsportsone;}
-.ve-icon-set {font-family:ve-icon-set;}
\ No newline at end of file
+.ve-icon-set {font-family:ve-icon-set;}
+.FluentSystemIcons-Filled {font-family:FluentSystemIcons-Filled;}
+.FluentSystemIcons-Regular {font-family:FluentSystemIcons-Regular;}
\ No newline at end of file
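Review bot: the file still ends without a trailing newline (the `\ No newline at end of file` marker appears on both sides of the hunk); since the last line is already being rewritten here, end the file with a newline so the next addition does not show the previous last line as a spurious change again.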
diff --git a/docs/disaster-recovery-high-availability-2c1a055.md b/docs/disaster-recovery-high-availability-2c1a055.md
index 57de5de..5627181 100644
--- a/docs/disaster-recovery-high-availability-2c1a055.md
+++ b/docs/disaster-recovery-high-availability-2c1a055.md
@@ -59,7 +59,5 @@ If a restore is required due to an issue on application level, report an inciden
[Accessibility Features in SAP Cloud Identity Services](accessibility-features-in-sap-cloud-identity-services-c7b544b.md "To optimize your experience of SAP Cloud Identity Services, SAP Cloud Identity Services tools provide features and settings that help you use the software efficiently.")
-[Regional Availability](regional-availability-be600ca.md "Tenants are deployed on the productive domain accounts.ondemand.com.")
-
[Cloud Service Status](https://www.sap.com/about/trust-center/cloud-service-status.html)
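Review bot: dropping the Regional Availability link from this Related Information list may be intentional, but regional-availability-be600ca.md still exists and is still linked from the what's-new entry on the Canada data center decommissioning later in this patch; if the removal was meant as a stale-link cleanup, the target is not stale.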
diff --git a/docs/index.md b/docs/index.md
index 0678a12..88fa435 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,4 +1,4 @@
-# Identity Authentication \(Early Adoption\)
+# Identity Authentication \(Restricted Availability\)
- [Identity Authentication](identity-authentication-d17a116.md)
- [What Is Identity Authentication?](what-is-identity-authentication-2788271.md)
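Review bot: the top-level heading of index.md now labels the whole Identity Authentication guide as \(Restricted Availability\); everywhere else in this patch the term replaces \(Early Adoption\) only on the customer-controlled encryption keys pages, so confirm the product-level heading is intended and not a search-and-replace side effect.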
@@ -12,6 +12,7 @@
- [Supported Languages](supported-languages-0ea634d.md)
- [Accessibility Features in SAP Cloud Identity Services](accessibility-features-in-sap-cloud-identity-services-c7b544b.md)
- [What's New for Identity Authentication](what-s-new-for-identity-authentication-de21efe.md)
+ - [2023 What's New for Identity Authentication \(Archive\)](2023-what-s-new-for-identity-authentication-archive-1c651db.md)
- [2022 What's New for Identity Authentication \(Archive\)](2022-what-s-new-for-identity-authentication-archive-3322427.md)
- [2021 What's New for Identity Authentication \(Archive\)](2021-what-s-new-for-identity-authentication-archive-2df26f0.md)
- [Concepts](concepts-5645ae6.md)
@@ -55,10 +56,10 @@
- [Configure SAML 2.0 Authentication Request to Corporate IdPs](Operation-Guide/configure-saml-2-0-authentication-request-to-corporate-idps-7eac7e8.md)
- [Configure Authentication Context](Operation-Guide/configure-authentication-context-028cee2.md)
- [Configure Different Trust Configurations for the Same Identity Authentication](Operation-Guide/configure-different-trust-configurations-for-the-same-identity-authentication-ba2faa9.md)
- - [Configuring User Attributes](Operation-Guide/configuring-user-attributes-ed2797d.md)
- - [User Attributes Sent to the Application](Operation-Guide/user-attributes-sent-to-the-application-d361407.md)
- - [Attributes with Default Values](Operation-Guide/attributes-with-default-values-a2f1e46.md)
- - [Configure Default Attributes for Subscribed Applications](Operation-Guide/configure-default-attributes-for-subscribed-applications-621017f.md)
+ - [User Attributes](Operation-Guide/user-attributes-ed2797d.md)
+ - [Configuring User Attributes from the Identity Directory](Operation-Guide/configuring-user-attributes-from-the-identity-directory-d361407.md)
+ - [Configuring User Attributes from a Corporate Identity Provider](Operation-Guide/configuring-user-attributes-from-a-corporate-identity-provider-621017f.md)
+ - [Configuring Attributes Based on Flexible Expressions](Operation-Guide/configuring-attributes-based-on-flexible-expressions-a2f1e46.md)
- [Configure the Subject Name Identifier Sent to the Application](Operation-Guide/configure-the-subject-name-identifier-sent-to-the-application-1d020e3.md)
- [Convert Subject Name Identifier to Uppercase or Lowercase](Operation-Guide/convert-subject-name-identifier-to-uppercase-or-lowercase-e281f20.md)
- [Authentication](Operation-Guide/authentication-d3db5fe.md)
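Review bot: the four attribute pages are renamed and reordered (the a2f1e46 page moves from second to last in the list); only two pages in this patch are updated to the new slugs, so run a link check across the docs for user-attributes-sent-to-the-application-d361407.md, attributes-with-default-values-a2f1e46.md and configure-default-attributes-for-subscribed-applications-621017f.md before merging.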
@@ -69,8 +70,10 @@
- [Configure Certificates for API Authentication](Operation-Guide/configure-certificates-for-api-authentication-c408083.md)
- [Configure JWT for OAuth Client Authentication](Operation-Guide/configure-jwt-for-oauth-client-authentication-db97a69.md)
- [SCIM REST API Authentication Mechanisms](Operation-Guide/scim-rest-api-authentication-mechanisms-c599c89.md)
- - [Configure Risk-Based Authentication for an Application](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loiobc52fbf3d59447bbb6aa22f80d8b6056)
- - [Create a New Rule](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loio18d02ab9cc7d4caf83d8654c8c51a175)
+ - [Risk-Based Authentication for an Application](Operation-Guide/risk-based-authentication-for-an-application-5493367.md)
+ - [Configure Risk-Based Authentication for an Application](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loiobc52fbf3d59447bbb6aa22f80d8b6056)
+ - [Create a New Rule](Operation-Guide/create-a-new-rule-18d02ab.md)
+ - [Examples for Risk-Based Authentication Scenarios](Operation-Guide/examples-for-risk-based-authentication-scenarios-fedc77c.md)
- [Configure Concurrent User Access to the Application](Operation-Guide/configure-concurrent-user-access-to-the-application-80ead1a.md)
- [Always Require Password from Users](Operation-Guide/always-require-password-from-users-dd9f48e.md)
- [Enable or Disable Social Sign-On for an Application](Operation-Guide/enable-or-disable-social-sign-on-for-an-application-ff12d3d.md)
@@ -79,7 +82,9 @@
- [Configure User Access to the Application](Operation-Guide/configure-user-access-to-the-application-8b147c4.md)
- [Enable Email Verification](Operation-Guide/enable-email-verification-483d26c.md)
- [Configure the Remember Me Option](Operation-Guide/configure-the-remember-me-option-08d41f4.md)
- - [Configure a Logo for an Application](Operation-Guide/configure-a-logo-for-an-application-778f748.md)
+ - [Configure Logo](Operation-Guide/configure-logo-778f748.md)
+ - [Upload Logo in Administration Console](Operation-Guide/upload-logo-in-administration-console-41e7627.md)
+ - [Add Logo for an Application](Operation-Guide/add-logo-for-an-application-ef9e5d5.md)
- [Display Application Name on Logon Page](Operation-Guide/display-application-name-on-logon-page-c02798e.md)
- [Configure a Branding Style for an Application](Operation-Guide/configure-a-branding-style-for-an-application-32f8d33.md)
- [Use a Custom Basic Quartz Theme](Operation-Guide/use-a-custom-basic-quartz-theme-342ae24.md)
@@ -142,7 +147,7 @@
- [Configure IdP-Initiated SSO](Operation-Guide/configure-idp-initiated-sso-5d59caa.md)
- [Send Security Alert Emails](Operation-Guide/send-security-alert-emails-c977464.md)
- [Send System Notifications via Emails](Operation-Guide/send-system-notifications-via-emails-aa04a8b.md)
- - [Configure Customer-Controlled Encryption Keys in Administration Console \(Early Adoption\)](Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-early-adoption-fe6e30c.md)
+ - [Configure Customer-Controlled Encryption Keys in Administration Console \(Restricted Availability\)](Operation-Guide/configure-customer-controlled-encryption-keys-in-administration-console-restricted-availa-fe6e30c.md)
- [Configure Default Language for End User Screens](Operation-Guide/configure-default-language-for-end-user-screens-2cb73c3.md)
- [Configure P-User Next Index](Operation-Guide/configure-p-user-next-index-045bb1c.md)
- [Reuse SAP Cloud Identity Services Tenants for Different Customer IDs](Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md)
@@ -226,6 +231,8 @@
- [Add System as Administrator](Operation-Guide/add-administrators-bbbdbdd.md#loiocefb742a36754b18bbe5c3503ac6d87c)
- [Edit Administrator Authorizations](Operation-Guide/edit-administrator-authorizations-86ee374.md)
- [Configure Authorizations Based on Policies](Operation-Guide/configure-authorizations-based-on-policies-08fea39.md)
+ - [Configure User Authorizations](Operation-Guide/configure-user-authorizations-424b64c.md)
+ - [Configure Application Authorizations](Operation-Guide/configure-application-authorizations-01cff18.md)
- [Social Identity Providers](Operation-Guide/social-identity-providers-17d400d.md)
- [Configure Apple as Identity Provider](Operation-Guide/configure-apple-as-identity-provider-fe6f7f0.md)
- [Configure Facebook as Identity Provider](Operation-Guide/configure-facebook-as-identity-provider-cc16b33.md)
@@ -273,6 +280,7 @@
- [Switch One Application at a Time](Operation-Guide/switch-protocols-for-corporate-identity-providers-f83cefa.md#loio4163c210c5864c069afd1dfee64bc209)
- [Choose Identity Provider Type](Operation-Guide/choose-identity-provider-type-0838379.md)
- [Configure Login Hint Parameter](Operation-Guide/configure-login-hint-parameter-c6dd6a5.md)
+ - [Creating URL To Access Application with Specific Identity Provider](Operation-Guide/creating-url-to-access-application-with-specific-identity-provider-118f5f4.md)
- [Forward All SSO Requests to Corporate IdP](Operation-Guide/forward-all-sso-requests-to-corporate-idp-9940340.md)
- [Configure Identity Federation](Operation-Guide/configure-identity-federation-c029bbb.md)
- [Delete Corporate Identity Providers](Operation-Guide/delete-corporate-identity-providers-25a17de.md)
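Review bot: the new entry title "Creating URL To Access Application with Specific Identity Provider" uses a gerund and capitalizes "To", while the neighbouring entries use imperative titles such as "Configure Login Hint Parameter"; if the page title can still change, "Create URL to Access Application with Specific Identity Provider" would match the rest of the list.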
@@ -410,7 +418,7 @@
- [Erasure](Security/erasure-5ccec0b.md)
- [Consent](Security/consent-8a81798.md)
- [Customer Data](Security/customer-data-918c93c.md)
- - [Customer-Controlled Encryption Keys \(Early Adoption\)](Security/customer-controlled-encryption-keys-early-adoption-177108a.md)
+ - [Customer-Controlled Encryption Keys \(Restricted Availability\)](Security/customer-controlled-encryption-keys-restricted-availability-177108a.md)
- [Auditing and Logging Information](Security/auditing-and-logging-information-ac5537b.md)
- [Integrating the Service](Integrating-the-Service/integrating-the-service-1b607aa.md)
- [Integrating the Service with SAP Business Technology Platform, Neo Environment](Integrating-the-Service/integrating-the-service-with-sap-business-technology-platform-neo-environment-fe84459.md#loiofe84459e688c43698591d3b9e1aac828)
diff --git a/docs/product-details-4d404b1.md b/docs/product-details-4d404b1.md
index c8475ec..e46178c 100644
--- a/docs/product-details-4d404b1.md
+++ b/docs/product-details-4d404b1.md
@@ -92,7 +92,7 @@ Administrators can configure branding styles for UI elements, emails, and error
-[Configure Tenant Images](Operation-Guide/configure-tenant-images-8742046.md), [Configure a Logo for an Application](Operation-Guide/configure-a-logo-for-an-application-778f748.md), [Configure a Branding Style for an Application](Operation-Guide/configure-a-branding-style-for-an-application-32f8d33.md), [Define an Email Template Set for an Application](Operation-Guide/define-an-email-template-set-for-an-application-bb2c79b.md), [Configure Registration and Upgrade Forms](Operation-Guide/configure-registration-and-upgrade-forms-93a9e18.md)
+[Configure Tenant Images](Operation-Guide/configure-tenant-images-8742046.md), [Configure Logo](Operation-Guide/configure-logo-778f748.md), [Configure a Branding Style for an Application](Operation-Guide/configure-a-branding-style-for-an-application-32f8d33.md), [Define an Email Template Set for an Application](Operation-Guide/define-an-email-template-set-for-an-application-bb2c79b.md), [Configure Registration and Upgrade Forms](Operation-Guide/configure-registration-and-upgrade-forms-93a9e18.md)
diff --git a/docs/updates-and-notifications-8e44a7a.md b/docs/updates-and-notifications-8e44a7a.md
index 1b133e1..ece7ac0 100644
--- a/docs/updates-and-notifications-8e44a7a.md
+++ b/docs/updates-and-notifications-8e44a7a.md
@@ -2,7 +2,7 @@
# Updates and Notifications
-Identity Authentication service has production releases \(updates\) every second Wednesday, 10:00 UTC.For more information about the features delivered every takt, see the [What's New for Identity Authentication](what-s-new-for-identity-authentication-de21efe.md) published regularly.
+SAP Cloud Identity Services have production releases \(updates\) every second Tuesday, 14:00 UTC.For more information about the features delivered every takt, see the [What's New for Identity Authentication](what-s-new-for-identity-authentication-de21efe.md) published regularly.
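Review bot: the rewritten sentence keeps the missing space in "UTC.For more information"; since the line is being replaced anyway, change it to "UTC. For more information".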
@@ -10,15 +10,17 @@ Identity Authentication service has production releases \(updates\) every second
## Subscription for Notifications
-To get notifications, subscribe for the Identity Authentication selection in the [What's New Viewer for SAP Business Technology Platform](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Identity%2520Authentication&locale=en-US&version=Cloud). For more information, see [Subscribing to What's New Notifications](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Identity%20Authentication&locale=en-US&version=Cloud).
+To get notifications, subscribe for the What's New sections of [Identity Authentication](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Identity%2520Authentication&locale=en-US&version=Cloud) and [Identity Provisioning](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?version=Cloud&Component=Identity%2520Provisioning&locale=en-US). For more information, see [Subscribing to What's New Notifications](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Identity%20Authentication&locale=en-US&version=Cloud).
## Reasons for Updates
-- **Bi-weekly updates** \(standard\) - planned each second Wednesday at 10:00 UTC.
+- **Bi-weekly updates** \(standard\) - planned each second Tuesday at 14:00 UTC.
- **Immediate updates** - in case of fixes required for bugs that affect productive application operations, or due to urgent security fixes.
+You can find the planned schedule for upcoming releases at [3409744](https://me.sap.com/notes/3409744).
+
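Review bot: the link text "3409744" is a bare number; readers will not know it is an SAP Note, so write "SAP Note 3409744" as the link text. The hunk also appends an empty line at the end of the file (the trailing `+` line), which looks like unintended whitespace.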
diff --git a/docs/what-is-identity-authentication-2788271.md b/docs/what-is-identity-authentication-2788271.md
index a8977de..dbf5162 100644
--- a/docs/what-is-identity-authentication-2788271.md
+++ b/docs/what-is-identity-authentication-2788271.md
@@ -64,6 +64,12 @@ SAP Cloud Identity Services run on several underlying Infrastructure-as-a-Servic
Identity Authentication tenants run on the infrastructure of SAP Cloud Identity Services. You can find out more details about your tenant in the administration console for SAP Cloud Identity Services.
+SAP Cloud Identity Services are available for consumption with the following SAP BTP environments:
+
+- Cloud Foundry
+- Kyma
+- Neo
+
## Features
diff --git a/docs/what-s-new-for-identity-authentication-de21efe.md b/docs/what-s-new-for-identity-authentication-de21efe.md
index 809f752..55dad58 100644
--- a/docs/what-s-new-for-identity-authentication-de21efe.md
+++ b/docs/what-s-new-for-identity-authentication-de21efe.md
@@ -1,12 +1,10 @@
-
-
# What's New for Identity Authentication
-This page lists the release notes of SAP Cloud Identity Services - Identity Authentication for 2023. To see the release notes for the previous year, visit [2022 What's New for Identity Authentication \(Archive\)](2022-what-s-new-for-identity-authentication-archive-3322427.md).
+This page lists the release notes of SAP Cloud Identity Services - Identity Authentication for 2024. To see the release notes for the previous year, visit [2023 What's New for Identity Authentication \(Archive\)](2023-what-s-new-for-identity-authentication-archive-1c651db.md).
To get notifications, subscribe for the Identity Authentication selection in the [What's New Viewer for SAP Business Technology Platform](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Identity%2520Authentication&locale=en-US&version=Cloud). For more information, see [Subscribing to What's New Notifications](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Identity%20Authentication&locale=en-US&version=Cloud).
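Review bot: the intro now links 2023-what-s-new-for-identity-authentication-archive-1c651db.md, which index.md in this patch references as well, but no hunk shown here adds that file; the 2023 entries removed further down in this file must land in that archive in the same change, otherwise both links are dead and the removed action-required notices vanish from the documentation.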
@@ -137,12 +135,12 @@ Identity Authentication
-2023-11-02
+2024-02-06
-2023-11-02
+2024-02-06
@@ -163,12 +161,12 @@ Identity Authentication
-Application Development in Authorization Management
+Regular Upgrade
-Developers can use the developer tools of administration management. They build their own applications with authorization policies. Administrators assign authorization policies to users, change the rules and attribute values of existing policies, and create new authorization policies. See [Configuring Authorization Policies](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/982ac5f91d2346fda8dd8096e861fc36.html?version=Cloud).
+Identity Authentication has been upgraded.
@@ -203,88 +201,12 @@ Identity Authentication
-2023-11-02
-
-
-
-
-2023-11-02
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
--
-
-
-
-
-
-Root Certificate Replacement
-
-
-
-
-DigiCert has deprecated their DigiCert Global Root CA and will stop issuing certificates for SAP under any of its Intermediate CAs \(ICA\) at the end of 2023. For more information, see DigiCert root and intermediate CA certificate updates 2023.
-
-SAP Cloud Identity Services switches to the G2 ICA and will deploy certificates signed by the new CA for the domains listed below starting in mid-November 2023. This means that the DigiCert Root CA domain certificate will be signed by DigiCert Global Root G2 instead of DigiCert Global Root CA. The following domains are affected:
-
-- \*.accounts.ondemand.com
-
-- \*.accounts.cloud.sap
-
-- \*.accounts.sapcloud.cn
-
-- \*.trial-accounts.ondemand.com
-
-
-Action: If your SAP Cloud Identity Services tenants are running on any of the affected domains, ensure that you trust the new root CA: DigiCert Global Root G2.
-
-
-
-
-Required
-
-
-
-
-Deprecated
-
-
-
-
-Announcement
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-11-02
+2024-01-30
-2023-11-02
+2024-01-30
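Review bot: the removed Root Certificate Replacement entry is an action-required notice (trust DigiCert Global Root G2 for \*.accounts.ondemand.com, \*.accounts.cloud.sap, \*.accounts.sapcloud.cn and \*.trial-accounts.ondemand.com); make sure it survives verbatim in the 2023 archive, since tenants that have not yet updated their trust stores still need it. When it is copied over, the sentence "For more information, see DigiCert root and intermediate CA certificate updates 2023" should become an actual link, as it has none here.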
@@ -305,12 +227,12 @@ Identity Authentication
-End User Screens
+Manage Administrators
-Added Thai, Malay and Vietnamese to the supported languages for end user screens. See [Supported Languages](supported-languages-0ea634d.md).
+You can add tenant administrators in SAP Cloud Identity Services via the [SAP for Me](https://me.sap.com/home) portal. See [Cloud Identity Services Administrators Card](https://support.sap.com/content/s4m/help/systems/systems/details/ias.html).
@@ -345,12 +267,12 @@ Identity Authentication
-2023-11-02
+2024-01-30
-2023-11-02
+2024-01-30
@@ -371,12 +293,12 @@ Identity Authentication
-Customer Documents
+Application Authorizations Based on Policies
-Tenant administrator can upload terms of use and privacy policy documents, and e-mail templates in Thai, Malay and Vietnamese. See [Configuring Terms of Use](Operation-Guide/configuring-terms-of-use-61d3a86.md), [Configuring Privacy Policies](Operation-Guide/configuring-privacy-policies-ed48466.md), and [Configuring Email Templates](Operation-Guide/configuring-email-templates-b2afbcd.md).
+Tenant administrators can configure access to applications in the administration console of SAP Cloud Identity Services via authorizations based on policies. See [Configure Authorizations Based on Policies](Operation-Guide/configure-authorizations-based-on-policies-08fea39.md).
@@ -411,12 +333,12 @@ Identity Authentication
-2023-11-02
+2024-01-30
-2023-11-02
+2024-01-30
@@ -437,12 +359,12 @@ Identity Authentication
-Integration of *Default Attributes* and *Assertion Attributes* in Applications
+Off-Cycle Upgrade
-In the configuration of applications, we have combined the *Default Attributes* and *Assertion Attributes* into a single screen named *Attributes.* This change gives administrators a complete overview of the user attributes configured for an application. See [Configuring User Attributes](Operation-Guide/configuring-user-attributes-ed2797d.md).
+Identity Authentication has been upgraded.
@@ -457,7 +379,7 @@ General Availability
-Changed
+New
@@ -477,12 +399,12 @@ Identity Authentication
-2023-11-02
+2024-01-24
-2023-11-02
+2024-01-24
@@ -543,12 +465,12 @@ Identity Authentication
-2023-10-11
+2024-01-17
-2023-10-11
+2024-01-16
@@ -569,12 +491,12 @@ Identity Authentication
-Groups
+Branding and Layout
-Tenant administrator can add users to a group by filtering them with the `starts with` or `contains` operator. See [Add Users to a Group](Operation-Guide/add-users-to-a-group-d2e1a01.md).
+Tenant administrator can upload an image in the administration console and use it as a logo for the applications in the tenant. See [Configure Logo](Operation-Guide/configure-logo-778f748.md).
@@ -609,84 +531,12 @@ Identity Authentication
-2023-10-11
-
-
-
-
-2023-10-11
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Authorizations Based on Policies
-
-
-
-
-The `user.excludedAttributes` attribute is deprecated. See [Configure Authorizations Based on Policies](Operation-Guide/configure-authorizations-based-on-policies-08fea39.md).
-
-Action:
-
-If you have a policy configured with the `user.excludedAttributes` attribute exchange the `user.excludedAttributes` with the `user.attributes` attribute in combination with the "NOT IN" operator.
-
-If the policy is configured with the `user.аttributes` attribute used with the "=" operator, it supports only one attribute. For more attributes, use the "IN" operator adding each attribute separately.
-
-
-
-
-Required
-
-
-
-
-Deprecated
-
-
-
-
-Changed
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-10-11
+2024-01-17
-2023-10-11
+2024-01-16
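Review bot: the removed `user.excludedAttributes` deprecation is another Required action that has to reappear in the 2023 archive. When it is moved, check the attribute name in "If the policy is configured with the `user.аttributes` attribute used with the "=" operator": it should be byte-identical to `user.attributes` in the preceding sentence, and in this copy it looks like it contains a different character, which would make the documented name unsearchable and easy to miscopy into a policy.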
@@ -707,12 +557,12 @@ Identity Authentication
-In-App Help
+Upgrade Dates
-SAP Companion context-sensitive in-app help has been implemented in the administration console for SAP Cloud Identity Services. You can start the in-app help by selecting the *Help* control. The administration console provides *Help Topics*, *Guided Tours*, and *What's New* content. See [SAP Companion User Guide](https://help.sap.com/docs/SAP_ENABLE_NOW/46fcbeb139c4487ba713638cd75d1a19/6208110e6cac1014b670eace620bbd24.html?version=latest).
+SAP Cloud Identity Services planned production releases \(updates\) change to every second Tuesday, 14:00 UTC from every second Wednesday, 10:00 UTC. See[Updates and Notifications](updates-and-notifications-8e44a7a.md).
-Corporate IdP
+Canada \(Toronto\) data center \(DC\) is now decommissioned as of the high availability setup. The United States \(Colorado\) DC now handles the traffic from the decommissioned DC. The following IPs are no longer valid:
-
-
+- *LB IPs* - 130.214.238.92
+- *NAT IPs* - 130.214.238.32/27
+- *First IP - Last IP* - 130.214.238.32-130.214.238.63
-Identity Authentication added new parameter `idp` which allows sign in to specific application with specific corporate identity provider. See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md)and [Configure IdP-Initiated SSO](Operation-Guide/configure-idp-initiated-sso-5d59caa.md).
+See [Regional Availability](regional-availability-be600ca.md).
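Review bot: "See[Updates and Notifications]" is missing the space after "See". The IP figures are internally consistent (130.214.238.32/27 covers 130.214.238.32 to 130.214.238.63), but this hunk splices the data center decommissioning text into the slot that previously held the Corporate IdP `idp` parameter entry, so check that the surrounding fields (title, dates, type, action) of the rebuilt entry still belong to this announcement.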
@@ -854,12 +644,12 @@ Info only
-General Availability
+Deprecated
-New
+Announcement
@@ -879,12 +669,12 @@ Identity Authentication
-2023-09-28
+2024-01-11
-2023-09-27
+2024-01-11
@@ -905,7 +695,7 @@ Identity Authentication
-Off-Cycle Upgrade
+Regular Upgrade
@@ -945,4819 +735,24 @@ Identity Authentication
-2023-09-07
+2024-01-04
-2023-09-07
+2024-01-04
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Regular Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
+
-Technology
-
-
-Not applicable
+
-
-
+## What's New Archived
-Identity Authentication
-
-
-
-
-2023-08-30
-
-
-
-
-2023-08-30
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Manage Administrators
-
-
-
-
-Tenant administrator can add another administrator with login name as identifier. See [Add User as Administrator](Operation-Guide/add-administrators-bbbdbdd.md#loio1dc498bff0674743a1a3a0ec3f0bf298).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-30
-
-
-
-
-2023-08-30
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Off-Cycle Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-18
-
-
-
-
-2023-08-17
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Regular Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-16
-
-
-
-
-2023-08-16
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Risk-Based Authentication
-
-
-
-
-New authentication method *Trusted IdP SAML Assertion* is available when you create a new rule for risk-based authentication. See [Create a New Rule](Operation-Guide/configure-risk-based-authentication-for-an-application-bc52fbf.md#loio18d02ab9cc7d4caf83d8654c8c51a175) .
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-16
-
-
-
-
-2023-08-16
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Implicit Grant Type Not Enabled by Default
-
-
-
-
-Today, when you create a new OpenID Connect \(OIDC\) application in Identity Authentication, the `Implicit` grant type is enabled by default.
-
-With the planned change, new applications have the `Implicit` grant type **disabled** by default.
-
-Action: Check if you require the `Implicit` grant type for new applications:
-
-- Yes: Ensure your processes for creating new applications include explicitly enabling the `Implicit` grant type.
-
- - For the administration console, see [Configure OpenID Connect Application for Implicit Flow](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/c64180e84cae4303ba80b2d4b59788b7.html).
-
- - For the Identity service, see [Reference Information for the Identity Service of SAP BTP](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/9379444abf3f4e2cbaade7c4001df381.html).
-
-
-- No: Nothing to do.
-
-
-
-
-
-
-
-Required
-
-
-
-
-General Availability
-
-
-
-
-Announcement
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-16
-
-
-
-
-2023-11-22
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Refresh Token Flow of OIDC Protocol Restricted to Validity of Web Session
-
-
-
-
-Today, you can set the validity of refresh tokens with the token policy configuration for OpenID Connect \(OIDC\). We already recommend that you add the `offline_access` scope to authorization code requests if you want the validity of refresh tokens to exceed the session timeout. Barring no other changes, the refresh token remains valid for its configured validity.
-
-With the planned change, the service couples the validity of refresh tokens to the session timeout. Refresh tokens expire with the user session, unless you add the `offline_access scope`.
-
-Action: Check if you define a refresh token validity for your applications longer than 12 h:
-
-- Yes: Ensure that you decouple the refresh token from the user session with the `offline_access` scope.
-
- For more information, see [Token Policy Configuration for Applications](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/c4ba52e748554863917b046bf1b7b355.html).
-
-- No: Nothing to do.
-
-
-
-
-
-
-
-Required
-
-
-
-
-General Availability
-
-
-
-
-Announcement
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-16
-
-
-
-
-2023-11-22
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Regular Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-03
-
-
-
-
-2023-08-02
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Subscribed Applications
-
-
-
-
-In the configuration of applications, we have combined the *Default Attributes* and *Assertion Attributes* into a single screen named *Application Attributes*. This change gives administrators a complete overview of the user attributes defined by the multitenant application. See [Configure Default Attributes for Subscribed Applications](Operation-Guide/configure-default-attributes-for-subscribed-applications-621017f.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-Changed
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-09
-
-
-
-
-2023-08-30
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Terms of Use Documents
-
-
-
-
-Tenant administrator can delete an entire terms of use documents set. See [\(Optional\) Delete a Terms of Use Document](Operation-Guide/optional-delete-a-terms-of-use-document-6ad5df5.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-03
-
-
-
-
-2023-08-02
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Privacy Policy Documents
-
-
-
-
-Tenant administrator can delete an entire privacy policy documents set. See [\(Optional\) Delete a Privacy Policy Document](Operation-Guide/optional-delete-a-privacy-policy-document-4b66ac1.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-03
-
-
-
-
-2023-08-02
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Support for Prompt Parameter
-
-
-
-
-The `prompt` parameter is an optional parameter of an OAuth 2.0 Authorization Request in the OpenID Connect Core 1.0 specification. The service supports the *none* and *login* values for this parameter.
-
-See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/94ff0b4b0baa45a893c7cd24254b72b7.html).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-08-03
-
-
-
-
-2023-08-02
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Off-Cycle Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-28
-
-
-
-
-2023-07-28
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Regular Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-19
-
-
-
-
-2023-07-19
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Removal of Applications of Type Reuse
-
-
-
-
-Applications of type reuse instance aren't visible in the administration console anymore. Changes to these applications didn't have any effect.
-
-
-
-
-Info only
-
-
-
-
-Deleted
-
-
-
-
-Changed
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-19
-
-
-
-
-2023-07-19
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect
-
-
-
-
-Tenant administrator can configure Identity Authentication to execute the authorization code flow enhanced with PKCE against the corporate identity provider. See [Configure Trust with OpenID Connect Corporate Identity Provider](Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-19
-
-
-
-
-2023-07-19
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect
-
-
-
-
-Identity Authentication аdded the `apt_id` to the list of the supported parameters. It is required for multitenant scenarios to identify corresponding Identity Authentication application. See [Call Identity Authentication End Session Endpoint](Operation-Guide/call-identity-authentication-end-session-endpoint-ec674f4.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-19
-
-
-
-
-2023-07-19
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-User Management
-
-
-
-
-Identity Authentication added the `SCIM ID` to the list of the supported attributes for the export users option. See [Export Existing Users of a Tenant of Identity Authentication](Operation-Guide/export-existing-users-of-a-tenant-of-identity-authentication-40c29d2.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-19
-
-
-
-
-2023-07-19
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Regular Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-12
-
-
-
-
-2023-07-05
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Notifications
-
-
-
-
-As of the Jul 5, 2023 upgrade, the first administrator in every new tenant, created after that date, and all newly created administrators are automatically subscribed for system notifications. See [Send System Notifications via Emails](Operation-Guide/send-system-notifications-via-emails-aa04a8b.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-12
-
-
-
-
-2023-07-05
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-REST API
-
-
-
-
-User Management REST API now supports the `applicationId` parameter. The user is created for the application with the specified ID. See [User Registration](Development/user-registration-0aa433c.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-12
-
-
-
-
-2023-07-05
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-User Groups
-
-
-
-
-Tenant administrator can search for specific member in a group via SCIM ID. See [List and Search Users in Groups](Operation-Guide/list-and-search-users-in-groups-4ac340a.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-12
-
-
-
-
-2023-07-05
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Authentication
-
-
-
-
-Support unauthenticated requests with public tokens. See [Call Identity Authentication Introspect Token Endpoint](Operation-Guide/call-identity-authentication-introspect-token-endpoint-a05f14c.md), [Call Identity Authentication Revoke Token Endpoint](Operation-Guide/call-identity-authentication-revoke-token-endpoint-3501e42.md), and [Call Identity Authentication List Sessions Endpoint](Operation-Guide/call-identity-authentication-list-sessions-endpoint-daf7e44.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-07-12
-
-
-
-
-2023-07-05
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Off-Cycle Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-06-29
-
-
-
-
-2023-06-28
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Corporate IdPs
-
-
-
-
-Tenant administrator can copy the settings from a corporate IdP that is already existing in the tenant to a new corporate IdP. See [Create Corporate IdP in Administration Console](Operation-Guide/create-corporate-idp-in-administration-console-ae99ba9.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-06-29
-
-
-
-
-2023-06-28
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-06-09
-
-
-
-
-2023-06-08
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Corporate IdP
-
-
-
-
-Tenant administrator can set the interval for the automatic refresh of the OpenID Connect metadata of the corporate identity provider. See [Configure Trust with OpenID Connect Corporate Identity Provider](Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-06-09
-
-
-
-
-2023-06-08
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect Configurations
-
-
-
-
-Tenant administrator can set the maximum wait time for front-channel logout. See [Tenant OpenID Connect Configurations](Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-06-09
-
-
-
-
-2023-06-08
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-05-25
-
-
-
-
-2023-05-25
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Corporate IdPs
-
-
-
-
-You can change the default attributes sent to the application to uppercase or lowercase letters depending on your needs. See [Attributes with Default Values](Operation-Guide/attributes-with-default-values-a2f1e46.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-05-25
-
-
-
-
-2023-05-25
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-05-17
-
-
-
-
-2023-05-17
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-05-11
-
-
-
-
-2023-05-11
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect
-
-
-
-
-Identity Authentication now supports new optional parameter `logout_uri` in the `/oauth2/authorize` endpoint. See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md), [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-a721157.md), and [Configure the Client to Call Identity Authentication Authorize Endpoint for Implicit Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-implicit-flow-1ca3dc0.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-05-11
-
-
-
-
-2023-05-11
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Tenant Settings
-
-
-
-
-You can now reuse your existing tenant for configurations and automated subscriptions. See [Reuse SAP Cloud Identity Services Tenants for Different Customer IDs](Operation-Guide/reuse-sap-cloud-identity-services-tenants-for-different-customer-ids-ebd0258.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-05-04
-
-
-
-
-2023-05-04
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-27
-
-
-
-
-2023-04-27
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-20
-
-
-
-
-2023-04-20
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Rewording of Security Recommendations
-
-
-
-
-We improved security recommendation [BTP-IAS-0017](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-IAS-0017) to list the specific authorizations that we feel are critical not just to the service, but to your landscape as well.
-
-In addition, we reviewed and improved the readability of the other recommendations for the service to make clear when the recommendations apply.
-
-See [SAP Security Recommendations for Identity Authentication](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-Changed
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-20
-
-
-
-
-2023-04-20
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Deprecation of Security Recommendation BTP-IAS-0016
-
-
-
-
-Security recommendation BTP-IAS-0016 was too broadly formulated to provide clear guidance to our customers. We removed the recommendation from the list.
-
-For other recommendations for the service, see [SAP BTP Security Recommendations for Identity Authentication](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-service=Identity%20Authentication).
-
-
-
-
-Info only
-
-
-
-
-Deprecated
-
-
-
-
-Changed
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-20
-
-
-
-
-2023-04-20
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-SMS Verification
-
-
-
-
-Sinch Authentication 365 is deprecated.
-
-Action: We recommend you to configure Sinch Verification in the administration console and start using it. See [Configure Sinch Service in Administration Console](Operation-Guide/configure-sinch-service-in-administration-console-f4a04ed.md).
-
-
-
-
-Recommended
-
-
-
-
-Deprecated
-
-
-
-
-Announcement
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-13
-
-
-
-
-2023-04-13
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Tenant Offering
-
-
-
-
-You can now create an SAP Cloud Identity Services trial tenant from an SAP BTP trial account. A trial tenant is intended for testing purposes of SAP Cloud Identity Services – Identity Authentication and Identity Provisioning. See [Tenant Model and Licensing](tenant-model-and-licensing-93160eb.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-13
-
-
-
-
-2023-04-13
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Authorizations Based on Policies
-
-
-
-
-\(Beta\) You can configure and assign a granular access control based on policies for the administrators of SAP Cloud Identity Services. See [Configure Authorizations Based on Policies](Operation-Guide/configure-authorizations-based-on-policies-08fea39.md).
-
-
-
-
-Info only
-
-
-
-
-Beta
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-04-04
-
-
-
-
-2023-04-04
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-31
-
-
-
-
-2023-03-31
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-User Management
-
-
-
-
-You can configure which user ID attribute can be visible on the *User Management* section in the administration console. See [Search Users](Operation-Guide/search-users-06078a6.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-31
-
-
-
-
-2023-03-31
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Global User ID
-
-
-
-
-You can reuse previous versions of the *Global User ID* for one and the same user. See [Search Users](Operation-Guide/search-users-06078a6.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-31
-
-
-
-
-2023-03-31
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect Configurations
-
-
-
-
-You can extend the standard OpenID Connect metadata. See [Tenant OpenID Connect Configurations](Operation-Guide/tenant-openid-connect-configurations-3d6abcc.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-31
-
-
-
-
-2023-03-31
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Corporate IdPs
-
-
-
-
-You can check which applications have established trust with a specific corporate identity provider in the administration console. See [Configure Trust with OpenID Connect Corporate Identity Provider](Operation-Guide/configure-trust-with-openid-connect-corporate-identity-provider-8ff83a1.md) and [Configure Trust with SAML 2.0 Corporate Identity Provider](Operation-Guide/configure-trust-with-saml-2-0-corporate-identity-provider-33832e5.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-31
-
-
-
-
-2023-03-31
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Configuration of Authorization Policies
-
-
-
-
-Authorization management enables administrators to configure authorization policies throughout multiple environments and assign them to users. In the administration console, administrators can create custom authorization policies. They can edit an existing one by adding or deleting restrictions, changing user attribute values, or by combining rules of multiple authorization policies in a new one. See [Configuring Authorization Policies](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/982ac5f91d2346fda8dd8096e861fc36.html?version=Cloud).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-31
-
-
-
-
-2023-03-31
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-16
-
-
-
-
-2023-03-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Administration Console
-
-
-
-
-The Horizon theme is now available for the administration console of SAP Cloud Identity Services, both the web and mobile version. See [How Far is the Horizon for SAP Cloud Identity Services?](https://blogs.sap.com/2023/03/15/how-far-is-the-horizon-for-sap-cloud-identity-services/).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-
-
-
-
-
-2023-03-16
-
-
-
-
-2023-03-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Troubleshooting
-
-
-
-
-You can filter and view troubleshooting logs directly in the administration console for SAP Cloud Identity Services. See [View Troubleshooting Logs](Monitoring-and-Reporting/view-troubleshooting-logs-6e7543f.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-
-
-
-
-
-2023-03-16
-
-
-
-
-2023-03-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect
-
-
-
-
-You can configure the access token format. See [Token Policy Configuration for Applications](Operation-Guide/token-policy-configuration-for-applications-c4ba52e.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-
-
-
-
-
-2023-03-16
-
-
-
-
-2023-03-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-03-01
-
-
-
-
-2023-03-01
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-User Management
-
-
-
-
-Application user import was enhanced with new parameters : `userType` and `urn:ietf:params:scim:schemas:extension:sap:2.0:User:mailVerified`. See [Import or Update Users for a Specific Application](Operation-Guide/import-or-update-users-for-a-specific-application-33838e0.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Applications
-
-
-
-
-You can return an application's configuration to its inherited state with the *Inherit from Parent* option via the administration console. See [Edit Applications](Operation-Guide/edit-applications-69d8cad.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Troubleshooting
-
-
-
-
-You can use the troubleshooting logs to analyze OpenID Connect issues with applications and corporate identity providers. See [Logging OpenID Connect Tokens](Monitoring-and-Reporting/logging-openid-connect-tokens-b6c42b5.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect
-
-
-
-
-Identity Authentication now supports the `groups` value of the `scope` parameter. See [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-94ff0b4.md) and [Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE](Operation-Guide/configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-a721157.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-OpenID Connect
-
-
-
-
-Identity Authentication now supports new parameter - `scope` for the service endpoint that returns the tokens issued by the corporate identity provider received during the OpenID Connect \(OIDC\) authentication process. See [Exchanging Identity Authentication Tokens for Tokens from Corporate Identity Providers](Development/exchanging-identity-authentication-tokens-for-tokens-from-corporate-identity-providers-a66753a.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Identity Service
-
-
-
-
-You can use the `refresh-usage-after-renewal` parameter to define the validity of the old refresh token after requesting a new one through the refresh token grant type. See [Reference Information for the Identity Service of SAP BTP](Integrating-the-Service/reference-information-for-the-identity-service-of-sap-btp-9379444.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Administration Console
-
-
-
-
-You can now configure and work with Identity Provisioning in the administration console for SAP Cloud Identity Services.
-
-The entire provisioning functionality, which includes adding, enabling, disabling, deleting, and resetting provisioning systems, running jobs, viewing and downloading logs, is integrated there and can be accessed in the navigation area under SAP Cloud Identity Services.
-
-The latest step in tightening SAP Cloud Identity Services integration allows you to manage your configurations in one place without the need to switch between consoles. To benefit from it, your Identity Provisioning tenant must run on SAP Cloud Identity Services infrastructure.
-
-See [Configure Identity Provisioning in SAP Cloud Identity Services Administration Console](https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/03223babed91493c9305e40269e909d2.html?state=DRAFT&version=Cloud).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-15
-
-
-
-
-2023-02-15
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-09
-
-
-
-
-2023-02-07
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-03
-
-
-
-
-2023-02-03
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-02-02
-
-
-
-
-2023-02-01
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-24
-
-
-
-
-2023-01-24
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Manage Applications
-
-
-
-
-Tenant administrator can manage applications in Identity Authentication via API. It offers endpoints for CRUD operations \(GET, PUT, POST, PATCH, DELETE\) over the applications. See [SAP Cloud Identity Services Application Directory](https://api.sap.com/api/SCI_Application_Directory/overview).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-
-
-
-
-
-2023-01-23
-
-
-
-
-2023-01-23
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-22
-
-
-
-
-2023-01-20
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-User Management
-
-
-
-
-Tenant administrator can search users by `SCIM ID` in the administration console. See [Search Users](Operation-Guide/search-users-06078a6.md) and [Add Users to a Group](Operation-Guide/add-users-to-a-group-d2e1a01.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-22
-
-
-
-
-2023-01-20
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-System Upgrade
-
-
-
-
-Identity Authentication has been upgraded.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-19
-
-
-
-
-2023-01-18
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Regional Availability
-
-
-
-
-Identity Authentication is now available with a single data center \(DC\) for the AWS infrastructure in India. See [Regional Availability](regional-availability-be600ca.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-19
-
-
-
-
-2023-01-18
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Tenant Settings
-
-
-
-
-The `Login Name` user identifier can be configured as required or nonrequired. See [Configure User Identifier Attributes](Operation-Guide/configure-user-identifier-attributes-8b9fa88.md).
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-New
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-19
-
-
-
-
-2023-01-18
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-Administration Console
-
-
-
-
-The administration console was renamed from `Identity Authentication` to `SAP Cloud Identity Services`.
-
-
-
-
-Info only
-
-
-
-
-General Availability
-
-
-
-
-Changed
-
-
-
-
-Technology
-
-
-
-
-Not applicable
-
-
-
-
-Identity Authentication
-
-
-
-
-2023-01-19
-
-
-
-
-2023-01-18
-
-
-
-
-
-
-Identity Authentication
-
-
-
-
-- Neo
-- Kyma
-- Cloud Foundry
-
-
-
-
-
-
-User Management
-
-
-
-
-Identity Authentication renamed user identifier `User UUID` to `Global User ID` in the administration console. The technical name of the attribute remains unchanged `userUuid`.
-
-