BTP SSO for Platform Users with SAML instead of OpenID Connect

becksen
Participant

We're currently setting up SAP BTP Launchpad Service and want to use SSO via Identity Authentication Service (IAS). For Application users it works like a charm to access the Launchpad.


But for accessing the BTP Cockpit as subaccount admin SSO is not working. While setting up the trust on Global Account with IAS (SAP Help BTP Custom Identity Provider), an application is created on IAS. Unfortunately it is not possible to change the protocol from OpenID Connect to SAML 2.0. Hence we're redirected to SAP ID Service for authentication. The requirement is to use SAML 2.0 like we do for the Launchpad Service.


Has anybody gained experience how to use SAML instead of OpenID Connect? It is greyed out and can't be changed. A manual new trust is not possible.

We're on Global Account with Feature Set B, Subaccount is multi-environment and Cloud Foundry capabilities are active.

Regards,

Timmy

Accepted Solutions (0)

Answers (3)

celofiorito
Product and Topic Expert

I think for the Global Account you have to rely on the default SAP ID configuration. I may be wrong but the SAML is only for Subaccount and the services that are there... and for that you have everything working fine.

becksen
Participant

Hi marcelo.fiorito,

yes you're right. SAP confirmed that Global Account does not support SAML. It is not on the roadmap, hence they asked to open an improvement request.

Regards,

Timmy

Wallace
Active Participant
0 Kudos

Any area where we can assist by upvoting the improvement request? We're a bit between the chairs, SAML and OAuth...

Sorry for slow response, got behind a bit on notifications...

Thanks, Wallace

vinita_kasliwal
Active Contributor

Hey Timmy

Did you try these steps?

https://help.sap.com/docs/SAP_CONVERSATIONAL_AI/f36ad14527694a6fad161093090618ec/f3aee5c4106c4172a00...

Create a new trust configuration and upload your SAML data

Also check this link

https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/2ce3938c66d94479848bff3090999027.html

Let me know if it helped?

Regards

Vinita

becksen
Participant
0 Kudos

Hi Vinita,

thanks for your input. This seems to be applicable only for "application users" and was successfully implemented. In our case we want to set up SSO for "platform users" to access Global Account or Subaccount using our identity provider.

The trust configuration has to happen on Global Account level, unfortunately it is not possible to establish a custom trust with SAML metadata. You can select Identity Authentication only from a given list, and the application created on IAS side does also not allow to change the protocol to SAML.

SAP has unfortunately confirmed that this is standard behavior and I should open an improvement request :-(.

Regards,
Timmy

davide_bramati
Advisor
0 Kudos

Hi Timmy,

did you solve the issue?

I have a customer with a similar requirement. On global account level, the customer has already established trust with the IdP but, on the IAS, the customer is unable to go into edit mode to define the attribute.

Is it because the option to add an attribute is compatible only for the SAML and not for the OpenID (which is automatically activated as soon as the trust is made on the GA)?

Are there any alternatives to this configuration that allow the customer to use its Azure groups to access its BTP Global Account?

Thank you

Davide