
Use Corporate IDP to access Administration Console of Cloud Identity Service

nnk

Hey everyone,

We are currently struggling to set up access to the Administration Console of the SAP Cloud Identity Service via a Corporate IDP.

As described in the following articles, this should be possible.


What we did:

  1. Created a new enterprise application inside Entra ID with the SAML file downloaded from SAP IAS and assigned the user to the application (as explained here)
  2. Created Corporate Identity Provider inside SAP IAS with SAML file downloaded from Entra ID application
  3. Added Conditional Authentication Rule to the Administration Console Application
    -> Use Corporate IDP for a specific domain (Default set to Identity Authentication)


Result:

When https://<tenant-id>.trial-accounts.ondemand.com/admin/ is called, it redirects to the Corporate IDP (after email input).

There, the login takes place normally and there is a redirect to the following URLs:

  1. (GET) https://<tenant-id>.trial-accounts.ondemand.com/admin/
  2. (GET) https://<tenant-id>.trial-accounts.ondemand.com/saml2/idp/sso?sp=oac.accounts.sap.com&RelayState=htt...
  3. (POST) https://<tenant-id>.trial-accounts.ondemand.com/saml2/sp/acs/oac.accounts.sap.com

The last call returned: 404 - Not Found

When we add the conditional authentication rule to another application, it works.

Is there anything we have overlooked?


Thanks for the help!

Accepted Solutions (0)

Answers (1)

dyaryura

Hi

I had the same issue before the user was created in IAS. Once created it works fine.

Check this note also: https://me.sap.com/notes/3507977/E

Make sure your user in EntraID has the correct attributes for the app, i.e., if you are using email, the user in EntraID needs to have a valid email set. You can check the attributes passed from EntraID to IAS using the SAML-tracer tool in Chrome/Mozilla.

nnk
Sadly, this did not resolve the issue for me.
dyaryura
Hi, I just did a new config on this and the key point is mentioned in the note: Select Email for Subject Name Identifier according to (Optional) Configure the Subject Name Identifier Sent to the OpenID Connect Corporate IdP (https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/optional-configure-subject...), as by default the EntraID one is created with "None". Note this config is NOT in the app, but in the Corp IDP config.
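The answer above suggests checking, with SAML-tracer, what the corporate IdP actually sends in the assertion, and the follow-up comment points at the Subject Name Identifier being the decisive setting. The script below is an added example (not code from the original thread, SAP or Microsoft) that automates that check offline: it decodes a base64 `SAMLResponse` as it would appear in the POST to the `/saml2/sp/acs/...` endpoint, extracts the `NameID`, its `Format` and the attribute statement, and reports why IAS might not be able to map the subject to a user. The SAML responses and the IAS user list are constructed sample data; the emailAddress NameID format URN and the SAML 2.0 namespaces are standard, and the "email NameID must match an existing IAS user" rule is an assumption drawn from the thread, not an IAS specification.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces and the SAML 1.1 emailAddress NameID format URN.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the users that exist in the IAS tenant, keyed by email.
IAS_USERS = {"jane.doe@example.com"}


def build_sample_response(name_id, name_id_format, attributes):
    """Build a minimal, unsigned SAML Response as constructed sample input only."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    xml_text = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        "<saml:Assertion>"
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )
    # The ACS POST carries the response base64-encoded in the SAMLResponse form field.
    return base64.b64encode(xml_text.encode()).decode()


def inspect_response(saml_response_b64):
    """Decode a SAMLResponse value and summarise subject and attributes (like SAML-tracer)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64).decode())
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def diagnose(summary, known_users=IAS_USERS):
    """Return a list of likely reasons IAS could not map this subject to a user (empty if fine)."""
    problems = []
    nid = summary["name_id"]
    if nid is None:
        problems.append("no NameID in Subject")
        return problems
    if summary["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID format is {summary['name_id_format']}, expected emailAddress")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", nid):
        problems.append("NameID is not an email address (opaque identifier?)")
    elif nid.lower() not in known_users:
        # Assumption from the thread: the user must already exist in IAS with that email.
        problems.append(f"no IAS user with email {nid}")
    return problems


# Constructed case 1: corporate IdP sends an opaque object id as subject (the failing setup).
BAD_RESPONSE = build_sample_response(
    "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    UNSPECIFIED_FORMAT,
    {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "jane.doe@example.com"},
)
# Constructed case 2: subject identifier set to Email for a user that exists in IAS.
GOOD_RESPONSE = build_sample_response("jane.doe@example.com", EMAIL_FORMAT, {})

if __name__ == "__main__":
    for label, resp in (("opaque subject", BAD_RESPONSE), ("email subject", GOOD_RESPONSE)):
        summary = inspect_response(resp)
        print(label, summary["name_id"], diagnose(summary) or "OK")
```

Paste the `SAMLResponse` value captured from the ACS POST into `inspect_response` to see exactly which subject identifier and attributes the corporate IdP delivered; an email in an attribute claim does not help if the `NameID` itself is an opaque identifier, which is why the subject name identifier setting on the corporate IdP configuration matters.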