Symptom
- An error occurs when testing and running the Activate IAS upgrade via Upgrade Center.
- IAS is using a third-party IDP.
- The SAML trace shows that the AssertionConsumerServiceURL uses the *cloud.sap URL instead of the ondemand.com URL that is listed in the tenant settings of the IAS tenant.
- The error usually depends on the IDP used:
- For Azure, it shows as: AADSTS50011: The reply URL 'https://example/saml2/idp/xxx/example.example.example.nl' specified in the request does not match the reply URLs configured for the application 'https://example.example'. Make sure the reply URL sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/urlMismatchError to learn more about how to fix this
- For ADFS, the message "An error occurred. Contact your administrator for more information." is shown.
Environment
SAP SuccessFactors HCM Core
Reproducing the Issue
- Go to Upgrade Center
- Run the Activate IAS
- Click Test Now
Cause
Starting with the 2311 release, all IAS configuration done with the Initiate IAS Upgrade task in Upgrade Center or via the new tenant provisioning process is done on the cloud.sap domain, so the communication from IAS to the corporate IDP is on the cloud.sap domain as well.
Resolution
The ondemand.com and cloud.sap URLs are technically the same URL. The metadata can be downloaded from either https://<<IAS_TENANT>>.accounts.ondemand.com/saml2/metadata?action=download or https://<<IAS_TENANT>>.accounts.cloud.sap/saml2/metadata?action=download
Please do not change any SAML configuration in IAS tenant settings, as this could have a negative effect on other applications set up in IAS.
For the workaround, please see below:
- For customers using Azure as the third-party IDP, please check 3204561 - Error AADSTS50011 or AADSTS50105 when trying to authenticate via IAS, and adjust the URL in your IDP configuration to match the one from the SAML trace.
- For customers using ADFS, check and adjust the SAML Assertion Consumer Endpoints in your ADFS configuration to use the *cloud.sap URL.
- For customers using OKTA, please check 3229323 - Corporate IdP OKTA: Identity provider cannot process the response due to wrong configuration.
- You can also use https://<<IAS_tenant>>.accounts.cloud.sap/saml2/metadata?action=download to download the IAS metadata with the cloud.sap URL.
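To confirm the mismatch from the SAML trace before changing the IDP, the following added example (not part of the original KBA or any SAP tool) decodes a SAMLRequest value, reads its AssertionConsumerServiceURL, and compares it with the reply URLs registered on the IDP. The tenant name, URL paths and function names are constructed assumptions for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_authn_request(saml_request):
    """Decode a SAMLRequest value copied from your own SAML trace."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request))
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    return root

def to_cloud_sap(url):
    """Map an ondemand.com IAS URL to its cloud.sap equivalent."""
    return url.replace(".accounts.ondemand.com", ".accounts.cloud.sap")

def check_acs(saml_request, idp_reply_urls):
    """Compare the ACS URL that IAS sends with the reply URLs set on the IDP."""
    root = decode_authn_request(saml_request)
    acs = root.get("AssertionConsumerServiceURL")
    registered = acs in idp_reply_urls  # the IDP compares the reply URL exactly
    stale = [u for u in idp_reply_urls if u != acs and to_cloud_sap(u) == acs]
    return {"acs_url": acs, "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "registered": registered, "stale_ondemand_entries": stale}

def build_sample_request(acs_url, issuer):
    """Constructed sample: a minimal AuthnRequest in HTTP-Redirect encoding."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

# Constructed values, not taken from a real tenant.
TENANT = "example-tenant"
SAMPLE_ACS = f"https://{TENANT}.accounts.cloud.sap/saml2/idp/acs/{TENANT}.accounts.cloud.sap"
SAMPLE_ISSUER = f"https://{TENANT}.accounts.cloud.sap"
SAMPLE_IDP_URLS = [SAMPLE_ACS.replace("cloud.sap", "ondemand.com")]

if __name__ == "__main__":
    print(check_acs(build_sample_request(SAMPLE_ACS, SAMPLE_ISSUER), SAMPLE_IDP_URLS))
```

An entry under `stale_ondemand_entries` is a reply URL on the IDP that differs from the requested one only by domain, which is the case this KBA describes.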
Keywords
SSO, activate, test, IAS, upgrade center, SF, SuccessFactors, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, Problem