How to lock and unlock users in SAP BTP?

VijayRao
Participant
0 Kudos

Hi,

Is it possible to lock and unlock users in SAP BTP, more specifically in the IAS tenant? We are already using SAP BTP and phase 1 of the project is already live. We are now going live with phase 2 and we would like to lock users in BTP during the cutover activity.

I've looked at the SAP Business Accelerator Hub and did not find any APIs which could be used for the above requirement. Are there any other options I may have missed?

Regards, Vijay

Colt
Active Contributor
0 Kudos

Hello everyone,

I appreciate the thoughtful question posed. Clarifying the term "BTP User" is essential—whether it pertains to Platform (Cockpit Admin - Platform IdP) or Business Users (Application IdP). Disabling the "available for user login" option in the Trust Configuration of the respective BTP Subaccount may not be a prudent choice. Disabling the IAS user is also not a good idea, given the fact this user still needs access to other applications.

Consideration has been given to the notion of temporarily deactivating an application in IAS, thereby restricting logins to the associated BTP Subaccount. It would be advantageous if IAS could support a customizable message, such as a maintenance page, for enhanced user communication.

Regrettably, the current state of affairs does not align with this vision. One plausible workaround involves implementing a robust group concept. By employing Risk-Based Authentication Rules, a rule can be formulated to deny access to specific groups. Ideally, these groups should be predefined and configured beforehand. This approach facilitates the creation of a DENY rule tailored to specific applications, which can be activated within a specified time frame. Also, allowing an RBA rule in IAS to be scheduled would be a cool feature. These groups need to be integrated into the IdDS, with the IdDS API serving as a mechanism to dynamically manage group membership through a suitable tool.

These are but a few musings, and with a bit more brainpower, who knows what other scenarios might unfold?

Cheers Carsten
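
Added example, not part of the post above and not SAP code: a sketch of the "suitable tool" side of the workaround, building SCIM 2.0 PatchOp bodies (RFC 7644) that add users to a deny group before cutover and remove them afterwards. The group name `CUTOVER_DENY`, the ids and the sample group resource are constructed, and it is an assumption that the tenant's SCIM group endpoint accepts these bodies in a PATCH request.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the deny group as a SCIM GET might return it.
SAMPLE_GROUP = {
    "id": "group-0001",             # placeholder id
    "displayName": "CUTOVER_DENY",  # hypothetical group targeted by the RBA deny rule
    "members": [{"value": "user-a"}, {"value": "user-b"}],
}

def current_members(group):
    """Member ids currently present in a SCIM Group resource."""
    return {m["value"] for m in group.get("members", [])}

def checked(user_ids):
    """Reject ids that could break out of a SCIM path filter string."""
    for uid in user_ids:
        if not uid or '"' in uid or "\\" in uid:
            raise ValueError(f"unsafe user id: {uid!r}")
    return set(user_ids)

def lock_patch(group, user_ids):
    """PatchOp adding only users not yet in the group; None if nothing to do."""
    missing = sorted(checked(user_ids) - current_members(group))
    if not missing:
        return None
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": uid} for uid in missing]}],
    }

def unlock_patch(group, user_ids):
    """PatchOp removing only listed users that are members; others stay untouched."""
    present = sorted(checked(user_ids) & current_members(group))
    if not present:
        return None
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "remove", "path": f'members[value eq "{uid}"]'}
                       for uid in present],
    }

if __name__ == "__main__":
    print(json.dumps(lock_patch(SAMPLE_GROUP, ["user-b", "user-c"]), indent=2))
    print(json.dumps(unlock_patch(SAMPLE_GROUP, ["user-b", "user-c"]), indent=2))
```

Computing the difference against current membership keeps repeated runs idempotent, and the unlock step only removes users named in the cutover list, so anyone placed in the group for other reasons stays denied.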

VijayRao
Participant
0 Kudos

Thanks Carsten,

I was referring to Business users in BTP who access the applications via the Cloud Portal site.

I agree, SAP should have provided a feature to activate the maintenance page for enhanced user communication. This would be really helpful.