Author: Istvan Bokor

Connect Okta to SAP Cloud Platform Identity Authentication Service

In this blog, we will explore how to establish trust between your SAP Identity Authentication Service and Okta as a corporate identity provider.

Once the trust between your Okta tenant and the SAP Cloud Platform Identity Authentication Service is established, you can reuse it to connect several applications and environments.

Prerequisites:

  1. You have an active license for SAP Cloud Platform Identity Authentication Service.
  2. The Manage Applications and Manage Corporate Identity Providers authorizations are assigned to you as Administrator in IAS.
  3. You have access to the Okta Admin portal.

Step 1: Log in to Okta admin portal and create SAML 2.0 application

Log in to the Okta admin portal with your administrator credentials.

Click on the ‘Use single sign on’ – ‘Add App’ option.

Note: Okta has no predefined SAP Cloud Platform Identity Authentication Service application, so you have to create and configure it manually.

For more information about configuration on Okta side, refer to official Okta documentation: Create a SAML integration using AIW (Application Integration Wizard).

In the ‘New Application Integration’ tab choose Web as the platform and SAML 2.0 as the sign-on method:

As the last part of the application creation, you can define a custom application name, logo, and visibility. Finally, click the Next button.

Step 2: Create SAML Integration in Okta

In this step, you have to fill in the SAML settings taken from SAP Cloud Platform Identity Authentication Service. Please pay special attention to all steps taken in this part.

Single sign on URL:

To get the URL value, follow these steps:

  1. Open Identity Authentication Service (IAS) Admin Console: https://<tenantid>
  2. Navigate to ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.
  3. Copy ‘Assertion Consumer Service Endpoint’ (ACS endpoint) URL.

After copy-pasting the URL, tick the ‘Use this for Recipient URL and Destination URL’ option.

Audience URI (SP Entity ID):

This has to be identical to the ‘Name’ value of your IAS tenant.

To get this value, follow these steps:

  1. Open IAS Admin Console: https://<tenantid>
  2. Navigate to ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.

Copy value of the ‘Name’ field.

Note: Make sure the audience matches exactly; otherwise the login fails as described in KBA 2693814 – Service Provider does not match specified audience in the SAML2Assertion.

Default RelayState should be empty.

Leave further SAML settings default as well.

Step 3: Download Identity Provider metadata file from Okta

In Okta navigate to ‘Sign On’ tab, then click ‘Identity Provider metadata’ hyperlink to download the metadata in .xml format.
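As an added example (not part of the original post, and not SAP or Okta tooling), the following Python script shows the two checks behind Steps 2 and 3: it parses the Okta IdP metadata downloaded in Step 3 into the issuer, SSO endpoint and signing certificate that IAS imports in Step 4, and it compares an assertion's Audience with the IAS tenant ‘Name’ by exact string match, which is why the near-misses described in KBA 2693814 fail. All tenant ids, URLs and the certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata in the shape Okta exports (hypothetical tenant and app ids).
OKTA_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLEID">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBsampleCERTbase64</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example.okta.com/app/exkEXAMPLEID/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment; the Audience is a hypothetical IAS tenant 'Name' value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://mytenant.accounts.ondemand.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract what IAS needs from Okta's metadata: issuer, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            for c in kd.iter("{%s}X509Certificate" % NS["ds"]):
                certs.append("".join(c.text.split()))  # drop PEM line breaks
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def audience_matches(assertion_xml, ias_tenant_name):
    """Exact string comparison of the Audience against the IAS tenant 'Name' field, as the
    KBA 2693814 note above requires: a trailing slash or a different scheme is a mismatch."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in root.iter("{%s}Audience" % NS["saml"])]
    return ias_tenant_name in audiences
```

Run it against the real metadata file from Step 3 to confirm the SSO endpoint and certificate IAS shows after the import are the ones Okta published.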

Step 4: Configure trust in the Identity Authentication Service

In this scenario, SAP Cloud Platform Identity Authentication service acts as a proxy to delegate the authentication to the corporate identity provider. For more information check our official SAP documentation: Configure Trust with Corporate Identity Provider.

To use Identity Authentication as a proxy to delegate authentication to an external corporate identity provider you have to configure trust with that corporate identity provider.

To configure trust with the corporate identity provider, follow the procedures below:

Import the downloaded Okta metadata (from Step 3) into Identity Authentication Service:

  1. Open IAS Admin Console: https://<tenantid>
  2. Navigate to ‘Corporate Identity Providers’ in the submenu of ‘Identity Providers’.
  3. Add Identity Provider with a custom name.
  4. Choose SAML 2.0 Configuration and import metadata:

Now almost all the required details are filled in:

Configure the HTTP-POST Single Logout Endpoint URL with the same value as the ‘Name’ field in IAS:

Save the configuration:

As a tenant administrator, you can specify a link that is sent as an extension in the SAML 2.0 Logout Response. The link can be used by the application to redirect the user after successfully logging out of the application when Identity Authentication acts as an identity provider proxy. See our official documentation: Service Provider Initiated Logout with Corporate Identity Providers.

Navigate to the ‘Trust’ tab and choose the ‘Logout Redirect URL’ option. Define the desired URL where you want to redirect end-users after successful logout:

Step 5: Connect your application to use Okta as the identity provider

In the Admin Console of your IAS, navigate to ‘Applications & Resources’ then click on the ‘Applications’ tab and configure an application or choose an existing one.

Option A: Click on the ‘Conditional Authentication’ option on the ‘Trust’ tab of your application. Set your Okta as ‘Default Identity Provider’.

For more information see our official documentation: Choose a Corporate Identity Provider as Default.

Option B: Set ‘Trust all corporate Identity Providers’ on. In this case, you should define Conditional Authentication to redirect users to Okta.

For more information see: Configure Conditional Authentication for an Application.

After following the above steps, your application should use Okta as a corporate identity provider, and in this case, IAS is acting as a proxy.

Hint: If you are facing issues during configuration, you can download the Troubleshooting logs from your IAS tenant to self-investigate the root cause of the issue. See: KBA 2942816 – How to export troubleshooting logs from Identity Authentication Service.

Also, we advise checking the IAS Guided Answers about the most common issues: KBA 2701851 – SAP Cloud Platform Identity Authentication Service (IAS) – Guided Answers.

      Srinivas Bhaktavathsalam

Thanks for the blog!!!
      One question, instead of manually updating the details on Okta site, can't we download the IAS metadata XML and upload it in Okta?


      Istvan Bokor
      Blog Post Author

      Unfortunately, I could not find this possibility. There are predefined applications in Okta, but there is no such application for SAP Identity Authentication Service, therefore I could not do the configuration easier, only with manual steps.

      Srinivas Bhaktavathsalam

Got it, thanks for the reply!!!

      Ervin Szolke

      Great Blog, Istvan!

      Arun Santhanam

      Nice & Informative blog.

      Aji Hussain

Thanks Istvan,

Very helpful document

      Arun Timalapur

Hello Istvan,

Can you please let us know how user creation is done in SAP IAS? As employees get hired and separated, how can this be managed?

      Istvan Bokor
      Blog Post Author

      Hi Arun Timalapur,

Could you please explain your question in a bit more detail? Thank you


      Samadhan Pawar

Hi Istvan,

This is a really good blog, very helpful.

We are in the process of implementing SSO for the SAP Cloud for Customer C4C Marketing tenant with OKTA.

As the Marketing tenant comes with the default SAP IDP, can we use this same method for setting up SSO with the Marketing tenant?

Please advise which doc we need to follow if not the above one.

Your help is much much appreciated.

Thanks a lot in advance !!!!




      Istvan Bokor
      Blog Post Author

      Hi Samadhan,

I advise checking with the SAP Cloud for Customer C4C Marketing team whether they have such options to change the default SAP ID Service to custom IAS tenants.

      From the IAS perspective we support such scenarios, where the trust/metadata can be exchanged.

      Kind regards,

      Prasad Prathi


      Nice blog.

We have SAP Analytics Cloud (SAC) and SAP Cloud for Customer C4C Marketing.

Our IDP is OKTA. I have established SSO between SAC and OKTA using SAML2. Backend SAP systems are also enabled using OKTA.

I have the following questions.

Option 1: We can implement SSO from each SAP cloud tenant to OKTA

Option 2: We can have SSO from SAP IAS to OKTA, then from each SAP cloud tenant to SAP IAS

We did not buy “SAP Cloud Platform Identity Authentication” to implement SAML for Single-sign-on. It is not a one-time purchase. It is a consumption model. The cost will be $3.9 per unit/month (one unit = 100 Logon requests).

Is the price going to be the same or different? If this is a one-time cost, and not a consumption model, I will be very much interested.

      Can you please help?


      Eason Zhang

Thanks a lot!

One of our customers wants to make the group mapping between SCP and OKTA.

Just add the item below under "GROUP ATTRIBUTE STATEMENTS (OPTIONAL)"

Then go to the sub-account Security -> Trust page to configure the "Role Collection Mappings".