Related Information
Tenant OpenID Connect Configurations
Change Tenant Texts Via Administration Console
Configure Master Data Texts Via Administration Console
Configure Links Section on Sign-In Screen
Add Instructions Section on Sign-In Screen
Configure X.509 Client Certificates for User Authentication
Configure Allowed Logon Identifiers
Configure User Identifier Attributes
Configure Trust this browser Option
Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices
Enable Users to Recover Password with Security Questions
Enable Users to Recover Password with PIN Code
Configure Initial Password and E-Mail Link Validity
Use Custom Domain in Identity Authentication
Change a Tenant's Display Name
Configure Default Risk-Based Authentication for All Applications in the Tenant
Configure Sinch Service in Administration Console
Configure RADIUS Server Settings (Beta)
Configure Mail Server for Application Processes
Send System Notifications via E-Mails
Configure Default Language for End User Screens
Reuse Identity Authentication Tenants for Different Customer IDs
Configure IdP-Initiated SSO with Corporate Identity Providers
In IdP-Initiated single sign-on (SSO), authentication starts at the identity provider (IdP). The user is first authenticated at the identity provider, and only then is he or she allowed to access the protected resource at the application (the service provider (SP)).
- The user accesses the identity provider via a link.
- The identity provider requires credentials.
- The user provides credentials and is authenticated.
- The identity provider sends an assertion about the user to the service provider.
- The service provider validates the assertion and grants access rights to the user.
- The identity provider redirects the user to the protected resource.
The service provider (SP) metadata used to configure the trust must contain a default assertion consumer service (ACS) endpoint that can process unsolicited SAML responses, that is, responses that were not preceded by an authentication request from the SP.
When SAP BTP acts as the service provider, the ACS endpoint should be the URL of the protected application resource. To point to the protected application URL, change the ACS endpoint on the identity provider side. For more information about how to change the ACS endpoint in Identity Authentication, see Configure Trust.
The link for IdP-Initiated SSO follows the pattern: https://<tenant_ID>.accounts.ondemand.com/saml2/idp/sso?sp=<sp_name>[&RelayState=<sp_specific_value>&index=<index_number>]
The following table lists the URL parameters you can use for IdP-initiated SSO.
URL Parameters for IdP-Initiated SSO

Parameter: sp
Mandatory: Yes
Description: Name of the SAML 2 service provider for which SSO is performed. The value of the sp parameter equals the Entity ID of the service provider. Identity Authentication needs this parameter to know which service provider to redirect the user to after successful authentication.

Parameter: RelayState
Mandatory: No
Description: Relay state forwarded to the service provider with the SAML response. Not supported for the Cloud Foundry environment.

Parameter: index
Mandatory: No
Description: Selects, by index, the ACS endpoint that is to process the unsolicited SAML response. Provide the index parameter when the default ACS endpoint configured via the administration console cannot process unsolicited SAML responses. Enter the index number of the service provider's assertion consumer service endpoint that is the target of the SAML response. Otherwise the identity provider uses the default endpoint configured for the trusted service provider. A non-digit value, or an index that is not configured, returns an error message.

Parameter: login_hint
Mandatory: No
Description: The login_hint parameter pre-fills the user identifier when the user is already known to the service provider (SP), so the user does not have to retype it on the logon or conditional screen. Supported values are the allowed logon identifiers for the users: User ID, Login Name, and E-Mail. For more information, see Configure Allowed Logon Identifiers.
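As an added example (not part of the SAP documentation and not Identity Authentication's own code), the following Python script parses a constructed SP metadata document, reports which ACS endpoint is the default, and assembles an IdP-initiated SSO link following the pattern above. The tenant ID mytenant, the entity ID https://sp.example.com/saml and the ACS locations are made-up values; the index check mirrors the rule in the table (a non-digit or unconfigured index is rejected), and urlencode takes care of percent-encoding the entity ID and the e-mail login hint.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata for illustration (not from any real tenant).
# Two ACS endpoints: index 0 is flagged isDefault, index 1 is an additional endpoint.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.com/saml/acs-alt" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(metadata_xml):
    """Extract the entityID and every AssertionConsumerService endpoint from SP metadata."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        endpoints.append({
            "index": int(el.get("index")),
            "location": el.get("Location"),
            "binding": el.get("Binding"),
            "is_default": el.get("isDefault", "false").lower() == "true",
        })
    return {"entity_id": root.get("entityID"), "acs": endpoints}


def default_acs(sp):
    """The endpoint flagged isDefault="true", else the first listed one (SAML metadata rule)."""
    for ep in sp["acs"]:
        if ep["is_default"]:
            return ep
    return sp["acs"][0] if sp["acs"] else None


def build_idp_initiated_sso_url(tenant_id, sp, relay_state=None, index=None, login_hint=None):
    """Assemble https://<tenant_ID>.accounts.ondemand.com/saml2/idp/sso?sp=...[&RelayState=...&index=...&login_hint=...]

    `sp` is the dict returned by parse_sp_metadata(); its entityID becomes the sp parameter.
    Rejects the index values the documentation says the IdP rejects: non-digit or not configured.
    """
    params = [("sp", sp["entity_id"])]  # mandatory: Entity ID of the trusted SP
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if index is not None:
        text = str(index)
        if not text.isdigit():
            raise ValueError(f"index must be a non-negative integer, got {text!r}")
        configured = {ep["index"] for ep in sp["acs"]}
        if int(text) not in configured:
            raise ValueError(f"index {text} is not an ACS endpoint of {sp['entity_id']} "
                             f"(configured: {sorted(configured)})")
        params.append(("index", text))
    if login_hint is not None:
        params.append(("login_hint", login_hint))
    # urlencode percent-encodes the entity ID (usually itself a URL) and the '@' of an e-mail login hint
    return f"https://{tenant_id}.accounts.ondemand.com/saml2/idp/sso?{urlencode(params)}"


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("default ACS:", default_acs(sp)["location"])
    print(build_idp_initiated_sso_url("mytenant", sp))
    print(build_idp_initiated_sso_url("mytenant", sp, relay_state="/app/home",
                                      index=1, login_hint="dona.moore@example.com"))
```

Before handing such a link to users, compare the default ACS it reports against the ACS endpoint configured for the trusted SP in the administration console; if they differ, either fix the trust configuration or pass the index of an endpoint that can process unsolicited responses.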
Richard Wilson, tenant administrator at Company A, would like to set up an IdP-initiated SSO process and has configured the default assertion consumer service (ACS) endpoint correctly at the cloud identity provider. Dona Moore, an employee at Company A, tries to access the identity provider, but because she does not have a valid session she is prompted to provide credentials. Once Dona has logged in at the IdP, a session is created for her. She is automatically redirected to her application (the default ACS URL as specified in the service provider (SP) metadata).
- User provides credentials; logs on.
- Identity Authentication sends assertions.
- Service provider validates assertions; gives access rights.
- User accesses content.
- You are assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
- You have specified the default assertion consumer service (ACS) endpoint in the configuration of a trusted service provider (SP) in the administration console for Identity Authentication. For more information, see Configure Trust.
By default, IdP-Initiated SSO is enabled in Identity Authentication. The tenant administrator can disable the IdP-Initiated SSO process via the administration console for Identity Authentication.
When IdP-Initiated SSO is disabled, users cannot access their profile page.
It takes 2 minutes for the configuration changes to take effect.
Use this procedure to disable or enable the IdP-Initiated SSO process.
- Access the tenant's administration console for Identity Authentication by using the console's URL.
  The URL has the following pattern:
  https://<tenant ID>.accounts.ondemand.com/admin
  The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail containing a URL; this URL contains the tenant ID. For more information about your tenants, see Viewing Assigned Tenants and Administrators.
  If you have configured a custom domain, the URL has the following pattern:
  <your custom domain>/admin
- Choose the Tenant Settings tile.
- Use the slider next to IdP-Initiated SSO to disable or enable it.
  If the operation is successful, you receive a confirmation message.