Restrictions When Using Custom Identity Providers for Platform Users

The following is a list of restrictions that apply to the use of custom identity providers with platform users.

Supported with Restrictions When Using Custom Identity Providers for Platform Users

Supported with Restrictions

Description

Maximum number of parallel sessions per user per identity provider

Each user is allowed a maximum of 10 parallel sessions per identity provider. This limit counts sessions across all tools, including the cockpit and CLIs.

Note:

When accessing the cockpit, a user is allowed one session in each region. For example, accessing https://emea.cockpit.btp.cloud.sap counts as the first session, and accessing https://amer.cockpit.btp.cloud.sap counts as the second one.

Single logout (SLO)

For platform users of custom identity providers, logging out from the SAP BTP cockpit (including the Neo cockpit) terminates the session in the SAP Cloud Identity Services tenant that was used, as well as the sessions of other applications that connect to the same tenant, provided that those sessions support this kind of logout. This doesn't apply to instances of the SAP BTP cockpit other than the one the user logged out from: in those other instances, sessions remain active.

The following is a list of restrictions that apply only to Neo subaccounts when using custom identity providers for platform users.

  • All individual Neo subaccounts that have been created before July 2023.

  • Neo subaccounts in global accounts that have custom identity providers for platform users. For these subaccounts, SAP Note 3330671 hasn't been applied yet.

Supported with Restrictions

Description

Working with custom domains for an SAP Cloud Identity Services tenant

SAP BTP always uses the default domain of the SAP Cloud Identity Services tenant, regardless of a potentially configured custom domain. Therefore, when you use this tenant as a platform identity provider:

  • Single sign-on (SSO) doesn't work between applications that use this custom domain and cloud management tools. Exception: SSO works if you use the same SAP Cloud Identity Services tenant for both platform and business users, because the custom domain is a tenant setting.

  • The OpenID Connect (OIDC) issuer in the Name field of the SAP Cloud Identity Services tenant must be the default domain (<origin>.accounts.ondemand.com).

    For more information, see Tenant OpenID Connect Configurations.

OpenID Connect (OIDC) issuer in the Name field of the SAP Cloud Identity Services tenant

Caution:

Don't change the Name field after configuring trust. Changing the issuer breaks the trust between the systems.

Neo CLI

No restriction for new Neo subaccounts if this prerequisite is fulfilled.

For basic authentication, the Neo CLI has limited support for existing Neo subaccounts when using custom identity providers for platform users.

Neo Git service

Logging on with a password to the Neo Git service doesn't work with custom identity providers for platform users.

Cloud connector

Logging on with a password to the Cloud connector doesn't work with custom identity providers for platform users.

SAP HANA studio

No restriction for new Neo subaccounts if this prerequisite is fulfilled.
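
The issuer restriction above can be checked before and after any tenant change. The following is an added example, not part of the SAP documentation: it checks the `issuer` value of a tenant's OIDC discovery document against the default-domain pattern and against the issuer recorded when trust was configured. It assumes that the Name field is what the tenant publishes as `issuer`; the tenant name `mytenant`, the domain `login.example.com`, and the `trusted_issuer` record are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Default-domain suffix as given on this page: <origin>.accounts.ondemand.com
DEFAULT_SUFFIX = ".accounts.ondemand.com"


def issuer_host(issuer):
    """Host part of an issuer given as a URL or as a bare host name."""
    target = issuer if "://" in issuer else "//" + issuer
    return (urlsplit(target).hostname or "").lower()


def check_issuer(discovery, trusted_issuer=None):
    """Return findings for a tenant's OIDC discovery document; [] means OK.

    trusted_issuer is the issuer recorded when trust was configured
    (hypothetical input kept by the operator, e.g. in a config repository).
    """
    issuer = discovery.get("issuer")
    if not isinstance(issuer, str) or not issuer.strip():
        return ["no issuer in discovery document"]
    issuer = issuer.strip()
    findings = []
    host = issuer_host(issuer)
    # The origin is whatever precedes the default-domain suffix; empty means no match.
    origin = host[: -len(DEFAULT_SUFFIX)] if host.endswith(DEFAULT_SUFFIX) else ""
    if not origin:
        findings.append("issuer %r is not on the default domain <origin>%s"
                        % (issuer, DEFAULT_SUFFIX))
    # Changing the issuer after trust is configured breaks the trust.
    if trusted_issuer is not None and issuer.rstrip("/") != trusted_issuer.strip().rstrip("/"):
        findings.append("issuer changed since trust was configured (was %r)"
                        % trusted_issuer)
    return findings


# Constructed sample documents; "mytenant" and "login.example.com" are made up.
GOOD = json.loads('{"issuer": "https://mytenant.accounts.ondemand.com"}')
CUSTOM = json.loads('{"issuer": "https://login.example.com"}')

if __name__ == "__main__":
    recorded = "https://mytenant.accounts.ondemand.com"
    for name, doc in (("default domain", GOOD), ("custom domain", CUSTOM)):
        print(name, "->", check_issuer(doc, recorded) or "OK")
```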