Third-Party Application and SAP API Management SSO/SAML


Dear.

I have a scenario where a Third-Party application that isn't in SCP needs to consume an API Proxy of SAP API Management. That proxy will consume an OData service through OData Provisioning, which is in the same sub-account as SAP API Management, and the OData Provisioning has a destination pointing to an ECC (Cloud Connector) using a Trust connection. In https://blogs.sap.com/2018/01/19/part-1-single-sign-on-from-fiori-application-to-sap-gateway-via-sap... we have the explanation for an SAP Fiori app in a sub-account consuming an API proxy from an SAP API Management in another sub-account: trust is established between the parties and SAP Fiori sends a header Authorization: SAML2.0 base64_encoded_saml_response. I think that the part in https://blogs.sap.com/2018/01/19/part-2-single-sign-on-from-fiori-application-to-sap-gateway-via-sap... that explains that SAP API Management must be set as Trusted on SAP Gateway must be done in the same way. My doubt is about how the third party should generate the base64_encoded_saml_response to send in a request to the API Proxy, in a way that the API Management Generate SAML Assertion Policy can be used to generate a short-lived SAML assertion which can then be passed to the SAP Backend to establish a SAML IdP Initiated flow.

For validation, which certificate should be used by Validate SAML Assertion? Because in that case we don't have the SAP sub-account, as we do for Fiori, generating a base64_encoded_saml_response.

For the second part, the gateway is already configured, but in that case the access isn't on-premise but through OData Provisioning. For Generate SAML Assertion, should I use the key pair used for the Trust of the SAP API Management sub-account that was set as Trusted on Gateway, right?

I have a similar scenario where I'll need to access On-Premise XSOData via SAML too, also initiated by a Third-party in the same way. I think that the same solution for scenario 1 will be enough for both.

Best regards
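Added example, not code from this thread or from SAP: the checks that the proxy's validation step has to apply to the `Authorization: SAML2.0 <base64>` header described above, using only the Python standard library. The issuer, audience and timestamps are constructed values; cryptographic verification of the XML signature against the pinned third-party certificate is left to a SAML library, and this code only confirms a signature element is present.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # expat does not fetch external entities, so no XXE here
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of what the third party would send (the signature value is a placeholder).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_c1"><saml:Issuer>https://idp.partner.example</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://apim.example/odata-proxy</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def sample_header():  # the 'Authorization: SAML2.0 <base64>' value, built from the sample above
    return "SAML2.0 " + base64.b64encode(SAMPLE_RESPONSE).decode()

def decode_header(value):  # split scheme and token; reject anything but SAML2.0 + valid base64
    scheme, _, token = value.strip().partition(" ")
    if scheme != "SAML2.0" or not token:
        raise ValueError("expected 'SAML2.0 <base64 SAML response>'")
    return base64.b64decode(token, validate=True)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_bytes, trusted_issuer, expected_audience, now_utc=None, skew=timedelta(minutes=2)):
    """Return a list of problems (empty means acceptable). The XML-DSig signature itself must be
    verified against the pinned third-party certificate by a SAML library before trusting this."""
    now = parse_ts(now_utc) if now_utc else datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None: return ["no Assertion element"]
    problems = []
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_issuer:
        problems.append("issuer is not the trusted third party")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None: return problems + ["missing Conditions"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and parse_ts(nb) - skew > now:
        problems.append("assertion not yet valid")
    if not noa or parse_ts(noa) + skew <= now:  # a short-lived assertion must carry an expiry
        problems.append("assertion expired or has no expiry")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # the audience must be this proxy, not any SP
        problems.append("audience mismatch")
    return problems
```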

nishant_kathuria

Hi Isaias,

Have you been able to find a solution to this requirement, where the front-end application cannot pass the SAML response to APIM?

Thanks

Nishant