Skip to Content
Technical Articles
Author's profile photo Yogananda Muthaiah

Configure your own IDP – SSO in SAP CPQ

Single sign-on (SSO) is a session/user authentication process that permits users to enter a single name and password to access multiple applications. While SSO uses a single login (username/password) to access all applications within the same organization, federated SSO (FSSO) goes a step further and extends SSO across enterprises.

In other words, FSSO allows access to multiple systems across different organizations, benefitting both users and organizations.

Choose one of your Top Identity Providers in the Market to configure in SAP CPQ

  • SAP IAS (Identity Authentication Services)
  • Microsoft Azure
  • Okta
  • Auth0
  • others…
Note : 
SAP CPQ currently supports SAML2.0 only. 


  • Identity Provider Metadata XML
  • SAP CPQ Environment with Admin role
  • Pick users to enable Single-Sign on Mode
  • Raise a Support Ticket for tenant Restart after Configured.

Identity Providers Settings

As shown below screenshot you can add, select, or configure your identity provider.

  • Select identity provider – select an existing identity provider from the dropdown menu. In order to appear in this menu, existing identity providers need to be enabled by the SAP CPQ Support team for each domain individually.

    The current status of the selected identity provider is displayed right next to it. If you wish to activate an identity provider, you can do so by clicking Activate at the bottom of the page.

  • Add new identity provider – click to add a new identity provider. Once you fill in the fields, make sure to save and activate your settings. Once you create a new identity provider, it’s visible only in the domain where it was created. To make it visible on other domains, you need to contact the SAP CPQ Support team.

You can configure your identity provider via the following fields:

  • Download SAP CPQ metadata with selected certificates – download the service provider XML metadata file with the signing and encryption certificates that are selected for that specific selected identity provider. This button becomes available after an identity provider is selected or added.

  • Name (required) – enter the identity provider application’s unique name.

  • Metadata location (required) – This field contains the relative path to the identity provider metadata XML file that was uploaded. The metadata file is typically stored in the App_Data folder.

    • Download metadata document – click to download the identity provider XML data file. You can download the IdP file if you need to compare and check if there have been any updates to it. If nothing is updated, there’s no need to reupload the file – instead, you only need to update some settings (for example, a routing or an attribute).

    • Upload metadata document – click to upload the identity provider XML data file.

Download SAP CPQ Metadata which is a service provider (sp) and Client Admin will upload it to the IdP System.


you can define the routings with the relative URL segments used to access the application via the federation protocol. The URL segment is used for SP-initiated FSSO. The routing name and the URL should be unique. It’s necessary to define and enable at least one routing in this section for the federated single sign-on to work. Moreover, here you can see a list of all the routings that exist for the IdP.

You can create multiple routings to be used for accessing the same identity provider. The system generates every new routing based on your current tenant and the ordinal number of the newly created routing in the list of routings. To add a new routing, follow the procedure below.

a Click Edit under Routings –> Save and Add buttons display.

b Click Add.   A new routing is added.

c Click toggle button to Enable which will auto-populate the value

d Click Save

Save and Activate

Once you’ve configured the settings of the identity provider, follow the instructions to make your settings active.

  1. Click Save in the bottom-right corner of the page.

    The settings are now saved, although they’re still not active.

    Alternatively, click Delete in the bottom-right corner of the page to delete the selected identity provider.

  2. Click Activate to make the settings active.

    After clicking Activate and saving the settings, you need to contact the SAP CPQ Support team to refresh the federation, after which the new settings become active.

    Alternatively, click Deactivate to deactivate the selected identity provider.

Once configured successfully, Raise a Support Ticket for the SAP CPQ Technical Support team to restart the tenant to pick your configuration in the application server.

Once tenant restart is completed based upon confirmation, Go to specific users you selected, will log in through Single Sign-On mode.

Short Demo for users signing through Single Sign-on (SSO) to SAP CPQ using SAP IAS

Federation Troubleshooting

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Michał Borasiński
      Michał Borasiński

      Hello Yogananda Muthaiah ,

      I go through with Your blog but after I've configured the IAS and CPQ there is an error message: 'Access denied ! You are not authenticated to access this application.'.

      Could You let me know what can be the potential wrong configuration or how I can resolve this issue?

      Or maybe someone occur the same issue after whole configuration and found out the solution?

      Best Regards,


      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Michał Borasiński

      If message shows "Access is denied" that means, user is not available in CPQ domain or in IAS.  can you trace it through SAML logs ?