
Using multiple Identity Providers for a Portal site in SAP Cloud Platform

A common requirement when building applications on SAP Cloud Platform is to give access to groups of users that are maintained in different Identity Providers within your organization. You are probably familiar with setting up trust between SAP Cloud Platform and your Identity Provider. After the trust is configured, whenever a user tries to access an application deployed on this account, they are challenged with the login screen of the configured Identity Provider. The same applies to Portal sites configured within the SAP Cloud Platform account.

In this blog, I am going to show how you can set up trust with multiple Identity Providers and dynamically select the Identity Provider that authenticates the user when accessing a Portal site on SAP Cloud Platform.

Below is the Solution Diagram, which shows how the components connect to each other in the landscape. If you would like to create your own Solution Diagrams, please follow the instructions in this wiki.


The account which I am using for the demonstration here is “af2dae200”. I have already posted a blog “Setting up Authentication for Cloud Portal using Cloud Identity” where I have explained in detail all the steps required to set up trust between an SAP Cloud Platform account and an Identity Provider. I have followed the same steps and configured the trust for this Cloud Platform account.

I have two Cloud Platform Identity Authentication tenants. I am going to use them as my Identity Providers. You could use any SAML2-based Identity Provider when configuring the trust.

The first one has the name “ias01” and I have configured a new application for account “af2dae200”. I have also used the “Branding and Layout” tab to provide a logo in the login page. To keep things simple, I have uploaded a picture of a flower.

Similarly, I have used another Identity Authentication tenant “hcpta” and configured a new application for account “af2dae200”. For the login page, I have uploaded a picture of a meerkat to differentiate from the other Identity Provider.

In the Cloud Platform account, I have both Identity Providers configured, and the one with the name “ias01” is set as the default.

I have created a Portal site in this account and published it.

When I access the Portal site with the below URL, it picks the default Identity Provider configured for the Cloud Platform account and shows its login screen. Note that it has picked the Identity Provider with the name “ias01”, which shows up in the URL, and I get to see the picture of a flower which I have configured for this Identity Provider.


If I want to force this portal site to authenticate against the second identity provider, I need to use a URL parameter called saml2idp as shown below. You can find this documented in section “Using an IdP Different from the Default” of SAP Help.


As you can see, this now provides a different login screen coming from the second Identity Provider. You can try this out by clicking on the above URLs. Using this approach, you should be able to reuse apps/portal sites within a Cloud Platform account when providing access to multiple groups maintained across different identity providers. You do not need to copy individual apps/sites into separate sub-accounts and configure the trust settings in each of them.
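One way to do the dynamic selection on a landing page, as an added example that is not part of the original post: it maps a user's e-mail domain to one of the two Identity Provider names and appends saml2idp only for the non-default one. The site URL, the domain names and the function names are constructed placeholders, and it is an assumption that the parameter value is the Identity Provider name exactly as it appears in the account's trust settings. Because the parameter is part of the URL, a user can change it, so this mapping is a convenience for picking the login page and not an access control.

```javascript
// Added example. Only "saml2idp", "ias01" and "hcpta" come from the post;
// every other name and value below is a constructed placeholder.
const PORTAL_SITE_URL = "https://portal.example.invalid/sites/demo";

// Allow-list: e-mail domain -> Identity Provider name (assumed to match the
// name shown in the Cloud Platform account's trust settings).
const IDP_BY_DOMAIN = new Map([
  ["corp.example", "ias01"],
  ["partner.example", "hcpta"],
]);
const DEFAULT_IDP = "ias01"; // the default set in the account

// Return the allow-listed IdP for an e-mail address, or null if none matches.
function idpForEmail(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null; // no local part or no domain
  const domain = email.slice(at + 1).trim().toLowerCase();
  return IDP_BY_DOMAIN.get(domain) ?? null;
}

// Build the Portal URL. Unknown domains get no parameter, so the account's
// default Identity Provider handles the login.
function portalLoginUrl(email, siteUrl = PORTAL_SITE_URL) {
  const url = new URL(siteUrl);
  // Drop any saml2idp value already present so only allow-listed names are emitted.
  url.searchParams.delete("saml2idp");
  const idp = idpForEmail(email);
  if (idp !== null && idp !== DEFAULT_IDP) {
    url.searchParams.set("saml2idp", idp);
  }
  return url.toString();
}

console.log(portalLoginUrl("someone@partner.example"));
console.log(portalLoginUrl("someone@corp.example"));
```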


  • Thanks Murali for the simple explanation. Will be used quite often I expect as many customers don’t like adding ‘externals’ to their IdP

  • Great stuff, Murali – thanks for sharing.


    A question – is there a configuration option to add auto-failover between IDP’s*?  I can see a use for this where users normally authenticate using on-premise AD for instance, that could failover to SAP Cloud IDP if on-premise systems/connectivity is down.


    *HINT: This should REALLY be on SAP’s backlog for a future release 😉

  • Hi Murali,

    Are you able to confirm SCP Mobile Service also supports multiple IdP’s via the saml2idp parameter when launching mobile applications?




  • We need expert suggestion here.

    We have one UI5 app already running in SAP Cloud Platform NEO subaccount. Which is used by S-Users, that is using default SAP Local Application Identity Provider (SAP ID Service).

    Now we wanted to run another UI5 application in the same SCP Subaccount. But we wanted to use a custom Identity Provider there for new application.

    Is it possible to keep the old application running in the same SCP subaccount with SAP Local Application Identity Provider, and the new application with Custom Identity Provider?

    Will it be possible to keep both Default and Custom IdP in same SCP Subaccount?

    If possible, can anyone please suggest the path forward. Thanks in advance!