
Use Corporate IDP to access Administration Console of Cloud Identity Service

nnk
Discoverer
0 Kudos
159

Hey everyone,

We are currently struggling to set up access to the Administration Console of the SAP Cloud Identity Service via a Corporate IDP.

As described in the following articles, this should be possible.

 

What we did:

  1. Created a new enterprise application inside Entra ID with the SAML file downloaded from SAP IAS and assigned the user to the application (as explained here)
  2. Created Corporate Identity Provider inside SAP IAS with SAML file downloaded from Entra ID application
  3. Added Conditional Authentication Rule to the Administration Console Application
    -> Use Corporate IDP for a specific domain (Default set to Identity Authentication)

 

Result:

When https://<tenant-id>.trial-accounts.ondemand.com/admin/ is called, it redirects to the Corporate IDP (after email input).

There, the login takes place normally and there is a redirect to the following URLs:

  1. (GET) https://<tenant-id>.trial-accounts.ondemand.com/admin/
  2. (GET) https://<tenant-id>.trial-accounts.ondemand.com/saml2/idp/sso?sp=oac.accounts.sap.com&RelayState=htt...
  3. (POST) https://<tenant-id>.trial-accounts.ondemand.com/saml2/sp/acs/oac.accounts.sap.com

The last call returned: 404 - Not Found

When we add the conditional authentication rule to another application, it works.

Is there anything we have overlooked?

 

Thanks for the help!

dyaryura
Contributor
0 Kudos

Hi

I had the same issue before the user was created in IAS. Once created it works fine.

Check this note also: https://me.sap.com/notes/3507977/E

Make sure your user in Entra ID has the correct attributes for the app, i.e. if you are using email, the user in Entra ID needs to have a valid email set. You can check the attributes passed from Entra ID to IAS using the SAML-tracer tool in Chrome/Mozilla.

nnk
Discoverer
0 Kudos
Sadly, this did not resolve the issue for me.
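
The attribute check suggested in the answer above (what Entra ID actually sends to IAS) can also be done offline on a `SAMLResponse` form value copied from SAML-tracer. This is an added example, not part of the original thread or any SAP or Microsoft code; the sample response, hostnames and function names are constructed, and it only reads the assertion without validating its signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample, not a real capture: NameID is a bare login name and no
# email attribute is sent. Hostnames and values are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example/acs">
 <saml:Assertion><saml:Issuer>https://idp.example/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="displayName">
   <saml:AttributeValue>J Doe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""


def encode(xml_text: str) -> str:
    """Base64-encode XML the way the HTTP-POST binding carries SAMLResponse."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_saml_response(b64_response: str) -> dict:
    """Decode a SAMLResponse form value and summarize what identifies the user."""
    xml_bytes = base64.b64decode(b64_response)
    # SAML messages never need a DTD; reject one rather than hand it to the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (it may be encrypted)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_text = (name_id.text or "").strip() if name_id is not None else ""
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Any NameID or attribute value that looks like an email address.
    candidates = [name_id_text] + [v for vals in attrs.values() for v in vals]
    return {"destination": root.get("Destination"),
            "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "name_id": name_id_text,
            "attributes": attrs,
            "emails": [c for c in candidates if EMAIL_RE.match(c)]}


if __name__ == "__main__":
    print(inspect_saml_response(encode(SAMPLE_XML)))
```

An empty `emails` list for a real capture means neither the NameID nor any attribute carries an email-shaped value, which is the condition the answer says to rule out.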