Hi Marco,
This is an interesting question, and one I've been pondering a bit myself lately. While I'd be very interested in hearing what the HCP development team has to say on this, here's the hack that I came up with:
- Use whatever facilities your local IdP has to generate a SAML EntityDescriptor file. You can see what this basic markup looks like on the IdP bundled with the SAP HCP Tools by following the steps described here.
- Open up the EntityDescriptor file and identify all of the (local) URLs contained within.
- Set up a reverse proxy in a DMZ which communicates with the on-premise IdP.
- Go into the EntityDescriptor file and replace all of the local URLs with reverse proxy-based URLs.
- Install the revised EntityDescriptor file as per usual within the SAP HCP Cockpit (following the steps outlined for the local IdP in the link above).
The other option described in the online help documentation is to connect to an on-premise SAP AS Java system using the SAP HANA Cloud Connector as described here. You could probably implement a similar approach using the Cloud Connector for other IdPs, but it would require some custom development I think.
Anyway, hope this helps. I also hope this sparks some additional conversation in the forum on this topic as I think it's an important one.
Thanks,
James
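
The URL-rewriting steps from the post above, as an added example that is not part of the original post or of any SAP tooling. The host names, the `rewrite_endpoints` helper and the sample metadata are constructed assumptions. It leaves `entityID` untouched, since that value is the issuer name the service provider matches against rather than an endpoint, and it reports whether the metadata carried an XML signature, which any edit would invalidate.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample metadata; the hosts are placeholders, not real systems.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.corp.local:8443/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.corp.local:8443/saml2/slo" ResponseLocation="https://idp.corp.local:8443/saml2/slo/return"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.corp.local:8443/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def rewrite_endpoints(xml_text, local_host, proxy_base):
    """Point every endpoint on local_host at the reverse proxy.

    Returns (new_xml, [(old_url, new_url), ...], was_signed).
    """
    proxy = urlsplit(proxy_base)
    if proxy.scheme != "https":
        raise ValueError("reverse proxy URL must use https")
    root = ET.fromstring(xml_text)
    # A ds:Signature anywhere in the file stops verifying once URLs change.
    was_signed = root.find(f".//{{{DS}}}Signature") is not None
    changes = []
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            old = el.get(attr)
            if old is None or urlsplit(old).hostname != local_host:
                continue
            u = urlsplit(old)
            path = proxy.path.rstrip("/") + u.path
            new = urlunsplit((proxy.scheme, proxy.netloc, path, u.query, u.fragment))
            el.set(attr, new)
            changes.append((old, new))
    return ET.tostring(root, encoding="unicode"), changes, was_signed


if __name__ == "__main__":
    xml_out, changed, signed = rewrite_endpoints(
        SAMPLE, "idp.corp.local", "https://sso.example.com/idp")
    for old, new in changed:
        print(f"{old} -> {new}")
    if signed:
        print("metadata was signed: re-sign it or remove the stale signature")
```

Review the printed old/new pairs before importing the file, so that only the endpoints you intend to publish through the DMZ proxy end up in the metadata.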