Showing results for 
Search instead for 
Did you mean: 

Connect Cutomer IAS to our BTP Subaccount using Estrablish Trust (OpenID Connect)

0 Kudos

Hi Experts,

we want to connect a customer IAS to our BTP. This works fine by exchanging the SAML Metadata files.

But as we're encountering this restriction when using SAML, we want to switch to OpenID Connect Protocol. This can be done by using the Establish Trust button in the Trust Configuration (like here). But as the customer IAS is not related to our Global Account, it does not show up (at least that is my assumption). In the documentation, I could find the following chapter related to this Problem, which mentions the following prerequisite:

The Identity Authentication tenant is associated with the customer IDs of the relevant global account of SAP BTP.

So my guess is, the Customer ID is the missing piece. I tried to follow the steps described in the linked chapter, but I cannot complete step 4, because in my case, there is no drop-down in the IAS like it is described in the docs...
My user has all required permissions.

carlos.roggan wrote in his Blog the following:
In the wizard you should see at least one entry of IAS tenant that is assigned to your account by SAP.
If not, you probably need to open a support ticket.

So my questions are, how do I find out our Customer ID and how to add the Customer ID to the IAS? Is it really necessary to open a support ticket? Would be nice if customers could fix this by themselves.

Thanks & Regards


View Entire Topic
0 Kudos

Hi @nicorunge @istvanbokor ,

Maybe I'm gonna say a crazy thing. But, it would be technically possible to use an IAS (Let's call it IAS-1) acting as a proxy to another IAS (IAS-2), added as Corporate Identity Provider on IAS-1? Then, on your Aplication on IAS-1 set a condition to redirect authentication to IAS-2?

IAS-1 should be binded to Global Account where your CAP aplication is hosted.

That way, you would have a subaccount trusting your IAS-1 (Added with OIDC proptocol), and IAS-1 relaying authentication to IAS-2.



0 Kudos

Hi @Francisco,

thanks for reading the long discussion and your suggested solution! I really appreciate it!

I'm far from an IAS expert, but I think I understood your suggestion. It would look something like this:

  • Customer SuccessFactors System
  • Customer IAS
  • Provider IAS
  • Provider BTP/CAP Application

How complicated is it to set up an authentication redirect?
Would you say one should use a new IAS per customer to keep this separate in a multitenant context?

I am very curious about @istvanbokor opinion whether this is a possible/valid approach. Or whether SAP currently has other recommendations how a customer IAS can be connected via OIDC.

Thanks & regards