When performing a server migration, hostname update, or domain change in an SAP landscape, one of the most common issues administrators encounter is an unexpected error when accessing the SAML2 transaction.
Instead of loading the SAML configuration screen, the system returns:
In many cases, this error is triggered by the HTTP Allow List security restrictions introduced in newer SAP NetWeaver releases. When the server or domain information changes, the old host entries may no longer be considered valid, causing the SAML2 endpoint to fail during initialization.
Why the Error Occurs
SAP systems use an internal HTTP Allow List mechanism to control which hosts, domains, or URLs are permitted for internal HTTP/HTTPS communication.
After a server or domain change:
- The previous hostname becomes invalid
- The new domain is not yet added to the allow list
- SAML2 attempts to access metadata or endpoints using the new URL
- The system blocks the request
- This results in an HTTP 500 error inside the SAML2 transaction
In short:
The SAML2 UI cannot load because the new URL is not trusted by the system.
SNOTE :
Solution Steps:
✔️ 1. Updating the HTTP Allow List
Add the new server/domain entries to the HTTP Allow List via:
Transaction: UCONCOCKPIT → HTTP Allow List
Typical entries that must be added:
- New hostname
- New FQDN
- HTTPS base URL
- SAML2 metadata endpoints
✔️ 2. Regenerating SAML Metadata
Once the allow list is updated, open SAML2 and regenerate:
- Service Provider metadata
- Identity Provider metadata (if required)
This ensures all URLs match the new domain.
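One way to verify that claim after regenerating, added here as an example (not part of the original article or of any SAP tool): the script parses an exported Service Provider metadata file and lists every endpoint URL that still points at a host other than the new one, or that is not HTTPS. The hostnames, ports, entity ID and paths in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: SP metadata in which one endpoint still carries the
# previous hostname and one uses plain HTTP. All values are placeholders.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="SP_NEW_100">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sapold.example.com:44300/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sapnew.example.com:44300/sap/saml2/sp/acs/100"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sapnew.example.com:8000/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def stale_endpoints(metadata_xml, expected_host):
    """Return (element, attribute, url, reason) for each endpoint URL that
    does not point at expected_host over HTTPS. Use only on metadata you
    exported yourself; ElementTree is not hardened against hostile XML."""
    findings = []
    root = ET.fromstring(metadata_xml.strip())
    for elem in root.iter():
        if not elem.tag.startswith("{" + MD_NS + "}"):
            continue  # ignore extension elements from other namespaces
        name = elem.tag.split("}", 1)[1]
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url is None:
                continue
            parts = urlsplit(url)
            if (parts.hostname or "").lower() != expected_host.lower():
                findings.append((name, attr, url, "host mismatch"))
            elif parts.scheme != "https":
                findings.append((name, attr, url, "not https"))
    return findings

if __name__ == "__main__":
    for finding in stale_endpoints(SAMPLE_METADATA, "sapnew.example.com"):
        print(*finding, sep=" | ")
```

Any URL it reports is also a candidate for review against the HTTP Allow List entries added in step 1.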
✔️ 3. Clearing Cache & Restarting ICM
Depending on the system, you may need to:
- Run SMICM → Restart
- Clear browser & SAP GUI cache
- Reinitialize SAML2 configuration


















