
Single Sign On - all Hybrid SAP landscape - One Identity

vdev007

Hello,

We are reviewing the possibilities of configuring one identity to enable single sign-on on all SAP ecosystems (cloud and on-premise systems).
Has anyone configured it in such a way that users log in automatically to both SAP cloud systems and on-premise systems without having to provide credentials again?

Do we have a procedure or guide to understand what and how this can be done using IAS and Azure Entra as our corporate ID?

Appreciate your inputs in this regard.

Thank you.

Regards,

Vasu

Accepted Solutions (0)

Answers (1)

Hello Vasu,

For the Web-based access on the on-premise systems you shouldn't have any major complexity. As Web-based access uses the HTTP protocol, it is compatible with SAML2, so you can centralize both your cloud solutions and on-premise (Web-based access) in IAS as proxy towards your Entra ID.

For the SAPGUI-based access it gets a bit trickier but is also feasible. Unlike the Web-based access, which uses HTTP, SAPGUI access uses the SNC protocol, which only supports Kerberos or X.509 certificates for SSO. In this case, to centralize the SSO, you will need to use the Secure Login Service for SAPGUI, which is the replacement for SSO 3.0. This BTP service generates short-lived X.509 certificates so users can use them as the SSO token for SAPGUI. The BTP service supports SSO through IAS as proxy towards your Entra ID.

It works in a way that every user will need to authenticate against your corporate IDP to generate the certificates, which will be valid between 1-12 hours (you can set this up in SLS for SAPGUI), if I'm not mistaken.

- For the cloud solutions you will need to refer to their product documents to see how it is implemented, but a lot of solutions already have wizards to execute the trust configuration towards IAS.
- For the Web-based access on on-premise solutions (both Java and ABAP) this wiki should provide you some guidance: https://help.sap.com/docs/SUPPORT_CONTENT/security/3362974627.html
- For the SAPGUI SSO with SLS for SAPGUI please refer to https://help.sap.com/docs/SUPPORT_CONTENT/security/3362974627.html

Please refer to the reference architecture on Cloud leading authentication as well: https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-authentication

Cheers!