Hello Himanshu.
We did manage to get IDP-led SSO to work, but in a different way than expected. My original investigation was focused on initiating the process by calling the SAP UI5 web service URL as above.
However, to realise the solution, explicit use of relay states was required. After creating a federation relationship between SAP as the service provider and the external identity provider, a relay state was created per UI5 application:
The external identity provider must be configured to use relay states and must map the IDP relay state to the SAP application relay state, e.g. if the IDP relay state is configured as EGBHCM02, this will map to SAP relay state GBHCM02.
Access is initiated from the external IDP, where user identification, session management and creation of the SAML 2.0 token happen before redirecting to SAP using the relay state. In this scenario then:
IDP URL: https://<external_idp>.com/path/<external_relaystate>
e.g. https://<external_idp>.com/path/EHPGBHCM02
Calls the SAPUI5 application with SAML 2.0 token and SAP relay state to SAML 2.0 endpoint:
/sap/saml2/sp/acs/<client>?SAMLRequest=<SAML 2.0 token>&RelayState=<SAP_RELAY_STATE>
Many thanks
Mike