

Hi Everyone,

This is Anita Gupta. I currently work at EY as an SAP Basis and BTP administrator.

In this blog post, we will talk about an amazing feature that SAP just released in BTP Security and that reduces manual effort immensely.

This blog post will guide you through migrating a trust configuration from SAML to OIDC.

Why do we want to do it, and how will this be helpful?

There are certain functionalities (like some automated processes defined by SAP) which only work with OIDC. For example, if there is an OIDC trust between the subaccount and IAS, developers can bind their applications to specific Cloud Identity Services instances. Each binding creates another IAS application (OIDC), which provides more control: developers can control authentication for every application they bind.

Now, if we have set up trust with the IAS tenant using the SAML protocol and have been using it for a while, multiple users will have been created against this identity provider. If we want to switch to OIDC, certain steps have to be performed:

  • Export the list of users along with details of role collections.

  • Clean up the users created against this identity provider.

  • Delete the trust configuration.

  • Establish the trust configuration again using the "Establish trust" button.

  • Provision all the users again manually with the new identity provider.

All these manual activities can be performed with a small set of BTP CLI commands, which makes life a little simpler with respect to BTP Security.

In terms of time, it reduces weeks of manual work to a few minutes.

Before you get started, follow the prerequisite steps below to make sure you don't get stuck midway:


  • You should have Security Administrator privileges in the subaccount in which you want to perform this migration.

  • BTP CLI should be downloaded and configured. This activity can't be performed from the UI layer; the migration requires running commands.

  • In the SAP BTP cockpit under Custom Identity Provider for Applications, there are no trust configurations with the OpenID Connect protocol.

Let's see how it looks before we perform the migration.

Pre-Migration Trust Configuration Status

SAML trust configuration with origin key - samltrust

Users exist against this Identity provider.

When we log in using SSO to IAS, we can see SAML traces and assertions in SAML Tracer.

Now let's get started ...

Steps to perform migration

Open Command Prompt (on Windows) or a terminal (on Linux and macOS) and log in to BTP using the BTP CLI:

btp login --sso

Press Enter

It prompts you to open a browser to log in with your ID.

Click on Yes

Login Successful


List all subaccounts to find the ID of the subaccount you want to work in:

btp list accounts/subaccount


Target the specific subaccount by running the command below:

btp target --subaccount 32295e80-db37-4a83-a3a9-645c42b805ea


Check for available identity providers

btp list security/available-idp


Perform the migration from SAML to OIDC:

btp migrate security/trust samltrust --idp

Let's see how it looks once the migration is performed.

Post Migration Trust Configuration Status

The migration changes the origin key of the old SAML configuration to oidc-migration-backup and sets it to inactive. It then establishes the trust configuration with OIDC and keeps the same origin key as the old one.
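A check for the post-migration state described above, as an added example that is not part of the original post or of SAP's tooling. It assumes the trust list has been saved as JSON (for instance from the CLI's JSON output format) and that each entry carries originKey, protocol and status fields; these field names and the sample data are assumptions, so adjust them to what your CLI version prints.

```python
import json

BACKUP_ORIGIN = "oidc-migration-backup"  # backup origin key named in this post

def protocol_of(cfg):
    """Normalise the (assumed) protocol field to 'oidc', 'saml' or 'unknown'."""
    text = str(cfg.get("protocol", "")).lower()
    if "openid" in text or "oidc" in text:
        return "oidc"
    return "saml" if "saml" in text else "unknown"

def check_migration(trust_json, origin):
    """Return a list of findings; an empty list means the expected end state."""
    by_origin = {c.get("originKey"): c for c in json.loads(trust_json)}
    findings = []
    migrated = by_origin.get(origin)
    if migrated is None:
        findings.append(f"origin key {origin!r} is missing")
    elif protocol_of(migrated) != "oidc":
        findings.append(f"origin key {origin!r} still uses {protocol_of(migrated)}")
    backup = by_origin.get(BACKUP_ORIGIN)
    if backup is None:
        findings.append(f"backup {BACKUP_ORIGIN!r} is missing")
    else:
        if protocol_of(backup) != "saml":
            findings.append("backup configuration is not SAML")
        if str(backup.get("status", "")).lower() != "inactive":
            findings.append("backup SAML configuration is not inactive")
    return findings

# Constructed sample data with assumed field names (not real CLI output).
BEFORE = json.dumps([
    {"originKey": "samltrust", "protocol": "SAML", "status": "active"},
])
AFTER = json.dumps([
    {"originKey": "samltrust", "protocol": "OpenID Connect", "status": "active"},
    {"originKey": BACKUP_ORIGIN, "protocol": "SAML", "status": "inactive"},
])
# Failure mode worth catching: the SAML backup was not deactivated.
BACKUP_LEFT_ACTIVE = json.dumps([
    {"originKey": "samltrust", "protocol": "OpenID Connect", "status": "active"},
    {"originKey": BACKUP_ORIGIN, "protocol": "SAML", "status": "active"},
])

if __name__ == "__main__":
    for name, data in [("before", BEFORE), ("after", AFTER),
                       ("backup left active", BACKUP_LEFT_ACTIVE)]:
        print(name, "->", check_migration(data, "samltrust") or "OK")
```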

You can update details such as the link text for user logon by clicking the change button.


When you log in using SSO to IAS, SAML Tracer doesn't capture any traces (SAML assertions), and we can see the OIDC traces in the IAS troubleshooting logs.



In this blog post, we learned how to migrate the SAML trust configuration to OIDC using the BTP CLI.


Frequently asked questions

Question 1: We are unable to see any option to perform the migration from SAML to OIDC in the BTP subaccount.

Answer: SAP released this functionality as part of Q2-2023, and as of now it can only be performed using the BTP CLI. Please refer to the SAP standard documentation for more information.


Question 2: Can I perform it in SAP BTP - Feature Set A?

Answer: BTP CLI is not available in Feature Set A, and these steps are only applicable for Feature Set B.


Question 3: For which kind of users is this activity performed - platform users or business users?

Answer: As we are establishing trust inside a subaccount (or performing changes), this is applicable only for business users who are accessing that subaccount or applications inside that subaccount.
