Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 4
Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform
Part 1 – Configuring Identity Authentication Service with SAP Cloud Platform
Part 2 – Configuring Azure Active Directory with SAP Cloud Platform
Part 3 – Configuring Identity Authentication service as a Proxy for Azure AD
Part 4 – Configuring Conditional Authentication in Identity Authentication Service
Let’s recap the previous blog post. IAS is configured as the only IdP for the SAP Cloud Platform account. Because IAS is set up as a proxy, every authentication request is forwarded to Azure AD: the Conditional Authentication setting in IAS sends all requests to Azure AD by default.
Now consider a scenario where your organization uses two IdPs and, depending on rules such as email domain or IP range, you want users to be authenticated by the appropriate one. We continue with the setup used so far: IAS holds users with the email domain Gmail.com, and Azure AD holds users with the email domain Outlook.com. Based on the email address the user enters first, IAS decides whether to authenticate the user itself or to forward the request to Azure AD.
The only configuration change now required is in “Conditional Authentication” under the Trust tab of the application in IAS. In the previous blog we set Azure AD as the default; change this to “SAP Cloud Platform Identity Authentication” as shown below, then click the “Add Rule” button.
In a Conditional Authentication Rule, you define when a particular IdP is to be used; rules can be based on user groups, IP ranges or email domains. In this example, I have used Azure AD as the IdP to be used when the email domain is outlook.com.
Your screen should look like below. Save your changes.
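To make the routing decision explicit, here is an added illustrative model of how a conditional-authentication rule set selects an IdP. It is example code written for this post, not IAS’s own implementation: rules are evaluated in order, each rule may combine an email-domain, IP-range and group condition, and the default IdP is used when no rule matches. Domain comparison is case-insensitive, consistent with the walkthrough (the rule says outlook.com, the user types Outlook.com). The rule set, IdP names and sample inputs are constructed.

```python
"""Illustrative model of conditional-authentication IdP selection.

Added example for this post; it is not the IAS implementation. It models
the behaviour described in the walkthrough: first matching rule wins,
otherwise the default IdP handles the request.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    """One conditional-authentication rule. Every condition that is set must hold."""
    idp: str
    email_domain: Optional[str] = None   # e.g. "outlook.com"
    ip_range: Optional[str] = None       # CIDR, e.g. "10.0.0.0/8"
    group: Optional[str] = None          # user group name

    def matches(self, email: str, client_ip: str, groups: Sequence[str]) -> bool:
        if self.email_domain is not None:
            # Domain is the part after the last "@"; no "@" means no domain.
            domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
            if domain != self.email_domain.lower():
                return False
        if self.ip_range is not None:
            try:
                network = ipaddress.ip_network(self.ip_range, strict=False)
                if ipaddress.ip_address(client_ip) not in network:
                    return False
            except ValueError:
                # Unparseable address or range: treat as no match, fall through.
                return False
        if self.group is not None and self.group not in groups:
            return False
        return True


def select_idp(rules: Sequence[Rule], default_idp: str, email: str,
               client_ip: str = "0.0.0.0", groups: Sequence[str] = ()) -> str:
    """Return the IdP the login is routed to: first matching rule, else the default."""
    for rule in rules:
        if rule.matches(email, client_ip, groups):
            return rule.idp
    return default_idp


# Constructed rule set mirroring the post's setup: IAS is the default,
# outlook.com users are sent to Azure AD.
IAS = "SAP Cloud Platform Identity Authentication"
AZURE_AD = "Azure AD"
RULES = [Rule(idp=AZURE_AD, email_domain="outlook.com")]


if __name__ == "__main__":
    for sample in ("bob@outlook.com", "alice@gmail.com", "not-an-email"):
        print(f"{sample:20} -> {select_idp(RULES, IAS, sample)}")
```

Note that the rule only decides where the user is sent; it grants nothing by itself. The selected IdP still has to authenticate the user, and an entry that matches no rule (including a malformed email) simply lands at the default IdP.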
You do not need to change anything further in the SAP Cloud Platform account. As you can see below, there is still only one entry under Trusted Identity Providers in the SAP Cloud Platform account.
Now when I try to access the supplier portal site, it takes me to the IAS login page, which shows only the Email ID field.
When I enter a user with the email domain Outlook.com, it redirects me to the Azure AD sign-in page.
After successful authentication, it takes me to the supplier portal site.
Let’s try the same thing with a different email domain, Gmail.com.
When I enter a Gmail account and click Continue, the password field opens in the same screen (as shown below).
I can log in successfully with this user (created in IAS with the Gmail email domain). However, this user will not see any apps.
The reason is that we removed the group mappings between IAS groups and SAP Cloud Platform groups earlier. We need to add these back (highlighted in red below).
When you log in again with the same user, the apps are displayed.
Hi Murali,
Thank you very much for this awesome blog series on Cloud Identity Service. Super helpful information.
Looking for more great posts.
-
Venu
Hi Murali Shanmugham ,
Thanks for the details and info. I have one query. In the above case, when the rule is added, it still prompts the user to enter the email ID and then the Microsoft AD login page is displayed. Is it possible to directly hit the Microsoft AD page, based on domain, without the user entering the prompt on the SAP IAS logon page? i.e. if the domain is outlook.com, take the user to the Microsoft AD logon, and if it is gmail.com, take the user to the SAP IAS logon page.
Thanks
Raman