MartinPankraz / SAP-MSTeams-Hero

A hitchhiker's guide to Microsoft Teams and SAP Integration

Use SAML2 / OAuth 2.0 in same client and System

sweiDl opened this issue · comments

Hi @MartinPankraz,

First, thanks for the great explanation and the How-To video for Hitchhiker 103a. I successfully managed to receive a token when only using Principal Propagation via OAuth 2.0.

However, a more common scenario in my opinion would be that the system supports both (e.g. normal SAML2 SSO for FLP and Principal Propagation for OAuth 2.0).

I tried this approach by adding an additional "Identity Provider" in the SAML2 configuration. But as soon as I add this one and activate it, the OAuth fails because of "Exception was Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid".

Is there any way or additional config to do when I want to use both mechanisms?

Thanks and best regards,
Sascha

Never mind. Sorry, it was a caching issue.

@sweiDl great to hear you were able to resolve it! Would you mind sharing your config in high-level words for the community to pick up if they have similar challenges?

It is important to use the flags on Azure AD enterprise app registration the right way to support SAML and OAuth in parallel.

I expect you put something like this?

image

KR
Martin

Hey @MartinPankraz,

Sure, here's what we did:

Basically, we just added the second reply URL for the normal SAML 2.0 endpoint inside the Azure configuration.
image

On the SAP side it was important that we changed the Assertion Consumption Service inside the SAML2 provider to the ACS URL:
image

With those two additional steps we were able to follow your guide and implement both OAuth2 and SAML2 on the same system and client.
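The check behind the "Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid" error quoted in this thread, as an added example that is not part of the repository or of the posts above: the service provider compares the assertion's Recipient with the ACS URLs it is configured to accept, so a second reply URL on the IdP side only works once the SP side accepts it too. The sample response and all URLs are constructed placeholders.

```python
# Added example (not from the repo): validate a SAML 2.0 bearer assertion's
# SubjectConfirmationData/@Recipient against the ACS URLs the SP accepts.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; all URLs are placeholders, not real endpoints.
# The IdP delivered the assertion to the token endpoint, so that URL is the Recipient.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>user@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://sp.example.invalid/oauth2/token-placeholder"
            NotOnOrAfter="2030-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SSO_ACS = "https://sp.example.invalid/saml2/acs-placeholder"      # placeholder
TOKEN_ACS = "https://sp.example.invalid/oauth2/token-placeholder"  # placeholder


def recipients(response_xml: str) -> list[str]:
    """Return every Recipient attribute found in SubjectConfirmationData."""
    root = ET.fromstring(response_xml)
    path = ".//saml:SubjectConfirmation/saml:SubjectConfirmationData"
    return [el.get("Recipient", "") for el in root.findall(path, NS)]


def check_recipient(response_xml: str, accepted_acs: set[str]) -> tuple[bool, str]:
    """Reject unless every Recipient exactly matches a configured ACS URL.
    The SAML 2.0 Web SSO profile requires this check for bearer assertions;
    a mismatch is what surfaces as the 'Recipient ... is invalid' error."""
    found = recipients(response_xml)
    if not found:
        return False, "no SubjectConfirmationData/@Recipient present"
    bad = [r for r in found if r not in accepted_acs]
    if bad:
        return False, f"Recipient {bad[0]!r} not in configured ACS URLs"
    return True, "Recipient matches a configured ACS URL"


if __name__ == "__main__":
    print(check_recipient(SAMPLE_RESPONSE, {SSO_ACS}))             # only the SSO ACS known
    print(check_recipient(SAMPLE_RESPONSE, {SSO_ACS, TOKEN_ACS}))  # both endpoints accepted
```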