Hi, the authentication process using X.509 client certificates against the SAP ID Service is not supported in option 1. Therefore, you need to switch to option 2 and enable SAC as a SaaS application for SAML to outsource authentication to an IDP of your choice. Typically, most customers already have an existing IDP.
We recommend using the SAP Identity Cloud Services (IAS) as the primary IDP for all your SAP applications. Although SAC is one of the few SaaS applications not bundled with SAP Identity Cloud Services, if your customer has the BTP, they can establish two tenants for free and attach SAC to it. Once SAC forwards authentication requests to your IAS tenant, you can enable X.509 authentication.
Please note that you will need to create an incident with SAP and provide your PKI chain for import into the IAS to support mTLS authentication. If you prefer to use IAS as a proxy, you can delegate authentication to another IDP such as Entra ID, ADFS, Okta, Ping, etc., and set up X.509-based authentication for your users using existing smart cards for strong authentication.
Cheers Colt
Bluesky
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.