Symptom
- In a Cloud to On-Premise (ABAP System) scenario with Principal Propagation, an error related to login.microsoftonline.com (or another SAML authentication host) is raised.
For example:
- The following error is raised in the cloud application:
"Access denied to system login.microsoftonline.com:443. In case this was a valid request, ensure to expose the system correctly in your cloud connector."
"401 Not Authorized"
- In most cases, the cloud application only reports that the connection does not work. On further analysis, the following content is found in the ICM trace at level 2:
=====
[Thr 140517112649472] HTTP response (rewritten) [108/90761/1]:
[Thr 140517112649472] HTTP/1.1 302 Moved temporarily
[Thr 140517112649472] content-type: text/html; charset=utf-8
[Thr 140517112649472] content-length: 0
[Thr 140517112649472] cache-control: no-cache, no-store, must-revalidate, private
[Thr 140517112649472] pragma: no-cache
[Thr 140517112649472] expires: Thu, 01 Jan 1970 00:00:00 GMT
[Thr 140517112649472] location: https://login.microsoftonline.com/XXXXX
=====
OR, in the case of other SAML authentications:
=====
[Thr 139850493720320] HTTP response (rewritten) [137/960701/1]:
[Thr 139850493720320] HTTP/1.1 302 Found
[Thr 139850493720320] content-type: text/html; charset=utf-8
[Thr 139850493720320] content-length: 0
[Thr 139850493720320] cache-control: no-cache, no-store, must-revalidate, private
[Thr 139850493720320] pragma: no-cache
[Thr 139850493720320] expires: Thu, 01 Jan 1970 00:00:00 GMT
[Thr 139850493720320] location: https://test.accounts.ondemand.com/saml2/xxxx
=====
- In the traffic trace of the Cloud Connector, login.microsoftonline.com (or other SAML authentications) can also be found in the "Response data" section.
- In ljs_trace.log / scc_core.trc of the Cloud Connector, the following content can be found:
=====
2023-08-21 05:48:14,142 +0000#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpLocationHeaderHandler#tunnel-client-1089-6#0x8ef12eff#Location header represents unknown host: login.microsoftonline.com. The value of the header remains unchanged: https://login.microsoftonline.com/...
=====
OR
=====
2025-06-18 03:04:29,031 +0000#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpLocationHeaderHandler#tunnel-client-82-3#0x6475bfb8#Location header represents unknown host: test.accounts.ondemand.com. The value of the header remains unchanged: https://test.accounts.ondemand.com/saml2/xxxx...
=====
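The two signatures above can be checked together when triaging. The following is an added example, not part of the SAP article or of any SAP tool: it reads an ICM level 2 trace and a Cloud Connector ljs_trace.log and reports hosts that appear both as a 302 Location target and as an "unknown host" in HttpLocationHeaderHandler. The sample inputs are constructed from the excerpts above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the trace excerpts above.
ICM_TRACE = """\
[Thr 140517112649472] HTTP response (rewritten) [108/90761/1]:
[Thr 140517112649472] HTTP/1.1 302 Moved temporarily
[Thr 140517112649472] content-length: 0
[Thr 140517112649472] location: https://login.microsoftonline.com/XXXXX
[Thr 140517112649999] HTTP response (rewritten) [109/90762/1]:
[Thr 140517112649999] HTTP/1.1 200 OK
"""
SCC_LOG = """\
2023-08-21 05:48:14,142 +0000#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpLocationHeaderHandler#tunnel-client-1089-6#0x8ef12eff#Location header represents unknown host: login.microsoftonline.com. The value of the header remains unchanged: https://login.microsoftonline.com/...
2023-08-21 05:48:15,001 +0000#INFO#com.example.Other#tunnel-client-1089-6#0x8ef12eff#unrelated line
"""

ICM_LINE = re.compile(r"^\[Thr (\d+)\]\s+(.*)$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
LOCATION = re.compile(r"^location:\s*https?://([^/:\s]+)", re.I)
UNKNOWN_HOST = re.compile(r"Location header represents unknown host: (\S+?)\. ")

def icm_redirect_hosts(trace):
    """Return hosts that a 302 response in the ICM trace redirects to."""
    status = {}   # thread id -> status code of the response being dumped
    hosts = []
    for line in trace.splitlines():
        m = ICM_LINE.match(line)
        if not m:
            continue
        thr, rest = m.groups()
        if s := STATUS.match(rest):
            status[thr] = s.group(1)
        elif (loc := LOCATION.match(rest)) and status.get(thr) == "302":
            hosts.append(loc.group(1).lower())
    return hosts

def scc_unknown_hosts(log):
    """Return hosts the HttpLocationHeaderHandler reported as unknown."""
    hosts = []
    for line in log.splitlines():
        fields = line.split("#", 5)  # timestamp, level, logger, thread, id, message
        if len(fields) == 6 and fields[2].endswith("HttpLocationHeaderHandler"):
            if m := UNKNOWN_HOST.search(fields[5]):
                hosts.append(m.group(1).lower())
    return hosts

def correlated_hosts(trace, log):
    """Hosts that appear in both traces: the symptom described above."""
    return sorted(set(icm_redirect_hosts(trace)) & set(scc_unknown_hosts(log)))
```

A non-empty result from `correlated_hosts` means both traces show the same external login host, matching the symptom in this article.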
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
- SAP Cloud Connector 2.16.2 - 2.18
- Cloud to On-Premise (ABAP System) + Principal Propagation
Keywords
Principal Propagation, PP, Principal, Propagation, pattern, email, e-mail, mail, username, name, authentication, assertion, pop-up, pops up, popup, username, password, back-end, backend, ABAP, SAP CC, SAP Cloud connector, SAPCC, connector, IDP, sub-account, subaccount, email, username, e-mail, mail, login_name, SCC, trusted_reverse_proxy, kernel 7.53, trust_client_with, CERTULE, SSL Server Standard, CA, Certificate Authority, subject pattern, PP, trusted_reverse_proxy, certificate, sample, subject pattern, assertion, SAML, SAML2, BTP, Subject DN, Issuer, SAN, Subject Alternative Names, 302, 401, 401 Unauthorized, location, response, HTTP response, HTTP/1.1, login.microsoftonline.com., 302 Found, 302 Moved temporarily, KBA, BC-MID-SCC, SAP Cloud Connector On-Demand/On-Premise Connectivity, BC-CST-IC, Internet Communication Manager, BC-MID-ICF, Internet Communication Framework, Bug Filed
SAP Knowledge Base Article - Preview