Skip to Content
Technical Articles
Author's profile photo Phil Cooley

3 Clicks to Activate Trust with Cloud Foundry and IAS

I wrote a blog post nearly 2 years ago on activating trust with 3 clicks – this related to a subaccount on the SAP Cloud Platform Neo environment and a SAP Cloud Identity Authentication Service tenant. You can read this here.

Low and behold I found out recently that the same option is available on the Cloud Foundry environment. Yes – it is that easy and it will automatically configure both the subaccount and create an application in the IAS tenant.

The intention of this blog post is to show how easy it is to set up trust between a SAP Cloud Platform Cloud Foundry subaccount and a SAP Cloud Identity Authentication Service (IAS) tenant.

Key Prerequisite

Obviously you will need an IAS tenant – this will provide access to users outside of a company’s internal identity provider. I recommend using an IAS tenant for external users that are not users in your internal corporate environment.

3 Clicks to Activate Trust

Initially, the SAP ID service is the only existing Trust configuration that is enabled. This is set as the Default. This means that authentication takes place through the S userid and utilises SAP’s free SAP ID service.

Figure:1 Initial Trust settings

We are now going to set up trust with the IAS tenant with 3 clicks!

Click 1: Select the [Establish Trust] button to start setting up trust with the aligned IAS tenant. 

Figure:2 Trust settings


The following pop-up will appear.


Figure:3 Establish Trust pop-up


Click 2: Select the specific Identity Authentication tenant by selecting from the drop down list.

Multiple entries will show up in the drop down list if you have multiple IAS tenants available.


Select the correct IAS tenant.


Click 3: Click on the [Establish Trust] button to save the settings.

After a few dot dot dots you will see the IAS tenant assigned.

Once this is done trust will be established successfully and a message toast message will be displayed.


So the completed settings will look like this. Notice a new Identity provider has been added to the list – the Custom IAS tenant.

Figure:4 Completed Trust settings with IAS tenant



You can also make decisions on whether to have both identity providers in operation. You may want to deactivate the SAP ID service so you can change this and make it inactive. Just make sure you deactivate the Available for user Logon and Create Shadow users checkboxes first.

You can also jump straight to the Admin console by selecting the Identity provider name – in this case Custom IAS tenant.


This will bring up the Trust configuration overview page of the Identity provider. Click on the highlighted link to get to the IAS Admin console.

Figure:5 Trust Configuration Overview screen

You should then be directed to the login page.

Figure:6 IAS Tenant Admin console logon page

That pretty much completes this blog but I will leave one more note here. The 3 click approach can still be used even if the SAP Cloud Platform subaccount is authenticating via MS ADFS or any other custom identity provider.

Thanks for reading!

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Omer Bakirci
      Omer Bakirci

      Hi Phil,


      Thanks for explanation. I got 403 Forbidden error when I tried establish trust. What could be the cause of this problem?




      Author's profile photo Phil Cooley
      Phil Cooley
      Blog Post Author

      Hi Omer Bakirci check if you are a member of the Global account and I believe you may need to be an Org Manager of the subaccount. The above was carried out with these settings plus the additional security roles (User & Role Administrator).

      Make sure you are assigned these roles then try again.

      Kind Regards

      Phil Cooley

      Author's profile photo Lau Lautrup
      Lau Lautrup

      Hey Phil nice post. We are using this setup with a corporate idp (SAML) at the ias side. when users are logging in we don't get the email, firstname and lastname of the shadow user that are setup.  Instead it writes as email. Do you know how to forward the assertion attributes when using this method (Openid Connect)

      Author's profile photo Valerie Lehert
      Valerie Lehert

      Dear Lau

      Have you managed to solve this issue?

      Author's profile photo Lau Lautrup
      Lau Lautrup

      Hey Vaelrie. Yes, the assertion attribute names must be:




      If you don't have access to the corporate idp you can enrich them in ias:


      Author's profile photo Amarsrinivas Eli
      Amarsrinivas Eli

      Hi Experts,

      I received IAS tenant but I could not able to see the IAS tenant in the Trust Configuration Drop Down. Is there any specific intial setup I have to do like config or authorizations, am the admin and have all roles. please help on the same.


      Author's profile photo Zsolt Monoki
      Zsolt Monoki

      Hey, have you managed to solve this?

      Author's profile photo Christoph Hoertnagl
      Christoph Hoertnagl

      I have the same issue. Any updates on this?