IAS OIDC setup, but getting error, IDP disabled by system administrator, seeking guidance

Wallace
Active Participant

We realize the need to establish an OIDC compliant/capable IAS that connects to our Corporate IDP. The Corporate IDP is OIDC capable.

We followed the steps in this blog: Connecting SAP IAS as a proxy to Azure AD using OpenID Connect | SAP Blogs
In BTP, I stood up an SAP Build subaccount and instances, using the booster, against this IAS setup.
When going to the instance, I'm getting a consistent:

error as in the attached file

Grateful for your thoughts guidance.
Best Regards, Wallace

(Attachment: 2023-02-21-11-59-52.jpg)

srmuc69
Product and Topic Expert

Hi Wallace,

Are you an admin of the subaccount where you set up OIDC from BTP to the IAS tenant and used Azure AD as corporate IDP? I have set up the same on my account and it is working fine.

Where are you located in the world? I am in the US on the East Coast and I could try to help with a screen-sharing session to compare setups.

You can reach me at [email removed]; I work in the BTP GCOE.

Cheers

Stefan

AlexGourdet
Product and Topic Expert

Hello,

Please consider following one another; you'll then be able to exchange private messages with each other via SAP Messages.

Sharing private contact details is a violation of the SAP rules of engagement, so they have been removed.

Regards,

Alex

Accepted Solutions (1)

Wallace
Active Participant

Thanks, in the end, this was a simple mistake - ticking the IDP SSO box on the IAS config and then ensuring the "callback" link was proper on Azure AD side.

Grateful to carsten.olt1 for the blog, quick response and to sressing for the help/guidance.

This is now working and will make further BTP adoption easier, as OIDC seems to be becoming the de facto standard with BTP and some BTP services require OIDC.

Wallace
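The second half of the fix above (getting the "callback" right on the Azure AD side) comes down to one rule from OAuth 2.0 / OIDC: the redirect_uri the proxy (here IAS) sends in its authorization request must match a value registered at the corporate IdP by simple string comparison (RFC 6749 section 3.1.2.3), so a stray trailing slash, http instead of https or a different host is enough for the IdP to reject the request. The following is an added example (not code from the thread, the blog or SAP) showing how that check behaves and how to spot the mismatch; the tenant URL, client ID and endpoint are hypothetical placeholders.

```python
"""Exact-match redirect_uri validation as an OIDC provider applies it to the
callback an OIDC proxy such as IAS presents (added example, hypothetical URLs)."""
from urllib.parse import urlsplit, urlencode, parse_qs

# Hypothetical callback registered in the corporate IdP's app registration.
# In a real setup this is the value the IAS tenant shows as its redirect URI.
REGISTERED_REDIRECT_URIS = {
    "https://example-tenant.accounts.ondemand.com/oauth2/callback",
}


def redirect_uri_allowed(redirect_uri: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """RFC 6749 3.1.2.3 / OIDC Core 3.1.2.1: compare the request's redirect_uri
    against the registered values with simple string comparison. No prefix
    matching and no normalisation of case, scheme or trailing slashes."""
    return redirect_uri in registered


def build_authorization_request(authorize_endpoint: str, client_id: str,
                                redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization Code flow request as the proxy (RP) would send it to the
    corporate IdP (OP). state/nonce bind the response to this request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def diagnose_mismatch(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> list:
    """Explain why a redirect_uri was rejected: which URL components differ
    from each registered value. Empty list means the value is accepted."""
    if candidate in registered:
        return []
    c = urlsplit(candidate)
    reasons = set()
    for reg in registered:
        r = urlsplit(reg)
        if c.scheme != r.scheme:
            reasons.add(f"scheme {c.scheme!r} != {r.scheme!r}")
        if c.netloc != r.netloc:
            # Hosts are case-insensitive in RFC 3986, but the comparison the
            # spec mandates is byte-for-byte, so register exactly what the RP sends.
            reasons.add(f"host {c.netloc!r} != {r.netloc!r}")
        if c.path != r.path:
            if c.path.rstrip("/") == r.path.rstrip("/"):
                reasons.add("trailing slash differs")
            else:
                reasons.add(f"path {c.path!r} != {r.path!r}")
        if c.query != r.query:
            reasons.add("query string differs")
    return sorted(reasons)


if __name__ == "__main__":
    good = "https://example-tenant.accounts.ondemand.com/oauth2/callback"
    for uri in (good, good + "/", good.replace("https", "http"),
                good.replace("example-tenant", "EXAMPLE-TENANT")):
        print(uri, "->", "accepted" if redirect_uri_allowed(uri) else diagnose_mismatch(uri))
    print(build_authorization_request(
        "https://login.example.com/oauth2/v2.0/authorize",  # hypothetical OP endpoint
        "00000000-0000-0000-0000-000000000000",             # hypothetical client id
        good, state="abc123", nonce="n-0S6_WzA2Mj"))
```

Running the block shows the only accepted variant is the byte-identical one; the three near misses that typically cause "redirect URI mismatch" errors at the IdP are each named by `diagnose_mismatch`, which is the comparison to make when the proxy's callback and the IdP's registration disagree.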

Answers (1)

Colt
Active Contributor

Hello Wallace,

I tried to understand your question and the screenshot provided.

It seems (assuming) as if the user was trying to access a BTP subaccount using an IdP-initiated URL (specifying the SP/RelayState as a URL parameter). The goal was probably to forward this request to the corporate IdP. However, SAP IAS rejects this because IdP-initiated SSO is not permitted for this application. A setting in the application (Trust all Corporate Identity Providers)? That's my guess.

It is also important to note that currently (as far as I know) only Azure Active Directory is officially supported by SAP as an OIDC Identity Provider.

Does that help?

Cheers Carsten

Wallace
Active Participant

Thanks Carsten,
I was out of office yesterday; I'm looking into this and will come back to accept the answer or with more information/questions.
Wallace