Skip to Content

Trust Configuration between SAP Cloud Platform Neo Account and SAP IoT Application Enablement


This blog is outdated. Please use the official documentation.


If you want to use the SAP WebIDE to access data from SAP IoT Application Enablement and you have not configured the destinations yet or you have already configured them, but you don’t see any data and you’re just receiving 500 – Internal Server errors, then you should check, if the trust between your SAP Cloud Platform Neo Account and SAP IoT Application Enablement is already configured.

There are three steps you should do to create the trust.

I.            Trust configuration in subaccount

  1. Open the SAP Cloud Platform cockpit:
  2. Select the global account and subaccount for which you want to set up the trust.
  3. In the navigation area on the left side expand Security and click on Trust.
  4. Within the Local Service Provider tab, click Edit and change the Configuration Type to Custom
  5. Download the SCI tenant metadata using the following link:

    You can find the SCI-Tenant name in your Welcome to SAP IoT Application Enablement! Mail.

  1. Go back to your Cloud Platform Cockpit and switch to the tab Application Identity Provider.
  2. Click Add Trusted Identity Provider.
  3. Click on Browse and select the downloaded metadata file.
  4. Switch to the tab Attributes and Add Assertion-Based Attribute.
  5. Insert Groups in both text boxes.
  6. Click Save.
  7. Go back to the Local Service Provider tab and click Get Metadata.


II.            Trust configuration in SCI tenant

  1. Open the administration console of your SCI tenant using the following link:
  2. In the navigation area on the left side expand Applications & Resources and click on Applications.
  3. Click on +Add enter the name of your Cloud Platform Neo account and click Save.
  4. Select your new application in the left and then SAML 2.0 Configuration on the right.
  5. Click on Browse and select the metadata you downloaded in step 12 of the first part. 
  6. Now got to Name ID Attribute and select E-Mail. Save your changes.
  7. Go to Assertion Attributes and +Add Groups. The value in the text box should be Groups Furthermore, change the value of E-Mail to mail. 


III.            Trust configuration in the XSA admin UI

  1. Open the XSA admin UI.

    You can find the SAAS-Tenant name in your Welcome to SAP IoT Application Enablement! Mail.

  1. Click at the + button at the lower left side of the page to add a new identity provider.
  2. Copy the XML code you downloaded in step 12 of the first section and paste it inside the field Metadata on the right side of the page.
  3. Click on Parse
  4. Switch to the Role Collections tab and create two new entries:
    • <SAAS-TENANT>-userdamin Groups equals <SAAS-TENANT>-userdamin
    • <SAAS-TENANT>-thingsuperuser Groups equals <SAAS-TENANT>-thingsuperuser 


After you have configured the trust, you can now create the destinations in SAP Cloud Platform to really access the data and use SAP WebIDE. The destination configuration can be found in the official SAP Application Enablement documentation.

You must be Logged on to comment or reply to a post.
    • Hi,

      Unfortunately Application Enablement is not available on SAP Cloud Platform trial at the moment. You would need an Application Enablement tenant as well as SCI and a full Neo Account to do this.




  • Hi,

    I am trying to Configuring SAML Trust between Neo Environment and Cloud Foundry Environment. I have done all the steps as per SAP's document(SAP IoT Application Enablement Reuse Controls and Templates)(Document Version: 1.43.0 – 2017-11-03). But while accessing the SAP Web IDE, i am getting error as shown in below:

    HTTP Status 500 - An internal application error occurred. Request: 2213115024 p1711111118trial:webide


    Note: My Cloud foundry environment is on different account and Neo environment is on different account.

    I am able to fetch the data from IoT 4.0 with Postman.





    • Dear User,

      please familiarize yourself with the Community Rules of Engagements [1] and especially with #9 - do not cross post. You have already asked this question in here [2]

      Anton (Moderator)



  • Hi Jan,

    thank you for sharing your knowledge. Does SCI stands for SAP Cloud Platform Integration? This is a Cloud Service I have to buy in addition? There is no other way to connect the IoT Service with AIN?

    Best regards,

    • Hi,

      No SCI is the SAP Cloud Platform Identity Authentication. This is the Identity Provider which is used for AIN as well as AE. It is anyway used to handle the authentication for the two solutions. So, you don't need any additional products.

      I guess with the connection between IoT and AIN you are referring to my other blog post? So please keep in mind that I don't talk about IoT Services there, but about SAP IoT Application Enablement.



      • Thank you for replying. I had some problems to distinguish from IoT Service and IoT AE. I definitly want to use Iot AE. I have to wait for the licence, but then I will try your example.