Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 4
Let’s do a recap of the previous blog post. IAS is configured as the only trusted IdP in the SAP Cloud Platform account, and IAS itself is set up as a proxy: its Conditional Authentication configuration names Azure AD as the default IdP, so every authentication request is forwarded to Azure AD.
Here is a scenario where your organization uses two IdPs and, depending on rules such as email domain or IP range, wants each user authenticated by the respective IdP. We shall continue to leverage what we have used so far. IAS will hold users with the email domain gmail.com, and Azure AD will hold users with the email domain outlook.com. Based on the email address the user enters first, IAS decides whether the user is authenticated locally in IAS or redirected to Azure AD.
The only configuration change now required is under “Conditional Authentication” in the Trust tab of the application in IAS. In the previous blog we set Azure AD as the default IdP; change this to “SAP Cloud Platform Identity Authentication” as shown below, then click the “Add Rule” button.
A Conditional Authentication rule defines when a particular IdP is to be used; rules can be based on user group, IP range or email domain. In this example, Azure AD is selected as the IdP when the email domain is outlook.com.
Your screen should look like below. Save your changes.
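To make the routing decision concrete, here is an added Python model of how such a rule set resolves a login attempt to an IdP. It is example code written for this post, not IAS’s own engine; it assumes rules are evaluated top to bottom with first match winning, that all conditions set on one rule must hold together, and that unmatched logins fall through to the default IdP. The outlook.com rule is the one from the text; the IP-range rule (10.0.0.0/8) and the partner.example domain-plus-group rule are constructed to show the other rule types the page names, and the addresses and group names are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Sequence

# Display names as they appear in the IAS Trust tab. The default is the IdP
# selected in Conditional Authentication for logins that match no rule.
IAS = "SAP Cloud Platform Identity Authentication"
AZURE_AD = "Azure AD"


def domain_of(email: str) -> Optional[str]:
    """Domain part of an address, lower-cased; None for anything malformed.
    Comparing the whole domain exactly (not as a suffix) is what stops
    'outlook.com.attacker.example' from matching an 'outlook.com' rule."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def ip_in_range(client_ip: Optional[str], cidr: str) -> bool:
    """True if client_ip lies inside cidr; unparsable input never matches."""
    if client_ip is None:
        return False
    try:
        return ip_address(client_ip) in ip_network(cidr, strict=False)
    except ValueError:
        return False


@dataclass(frozen=True)
class Rule:
    """One Conditional Authentication rule (modelled, not the IAS data model).
    Every condition that is set must hold; an unset condition is ignored."""
    name: str
    idp: str
    email_domain: Optional[str] = None  # e.g. "outlook.com"
    ip_range: Optional[str] = None      # CIDR, e.g. "10.0.0.0/8"
    group: Optional[str] = None         # IAS user group name

    def matches(self, email: str, client_ip: Optional[str],
                groups: FrozenSet[str]) -> bool:
        if self.email_domain is not None and domain_of(email) != self.email_domain.lower():
            return False
        if self.ip_range is not None and not ip_in_range(client_ip, self.ip_range):
            return False
        if self.group is not None and self.group not in groups:
            return False
        return True


# Constructed rule set: the blog's outlook.com rule plus an IP-range rule and a
# domain+group rule. Order matters: the first matching rule decides the IdP.
RULES: Sequence[Rule] = (
    Rule("corporate network", AZURE_AD, ip_range="10.0.0.0/8"),
    Rule("outlook.com users", AZURE_AD, email_domain="outlook.com"),
    Rule("partner admins", AZURE_AD, email_domain="partner.example",
         group="Administrators"),
)


def select_idp(email: str, client_ip: Optional[str] = None,
               groups: Iterable[str] = (), rules: Sequence[Rule] = RULES,
               default: str = IAS) -> str:
    """Return the IdP that should authenticate this login attempt."""
    group_set = frozenset(groups)
    for rule in rules:
        if rule.matches(email, client_ip, group_set):
            return rule.idp
    return default


if __name__ == "__main__":
    # Constructed login attempts (addresses and IPs are invented).
    for email, ip, grps in [
        ("alice@outlook.com", "203.0.113.7", ()),
        ("Bob@Outlook.COM", "203.0.113.7", ()),
        ("carol@gmail.com", "203.0.113.7", ()),
        ("carol@gmail.com", "10.1.2.3", ()),
        ("mallory@outlook.com.attacker.example", "203.0.113.7", ()),
        ("dave@partner.example", "203.0.113.7", ("Administrators",)),
        ("eve@partner.example", "203.0.113.7", ()),
    ]:
        print(f"{email:40} {ip:14} -> {select_idp(email, ip, grps)}")
```

Two points the model makes visible: a rule set with an IP-range rule above a domain rule sends a gmail.com user on the corporate range to Azure AD, so rule order is part of the security configuration; and a domain rule must compare the whole domain exactly, otherwise a look-alike domain ending in outlook.com would be routed to the wrong IdP.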
No further change is needed in the SAP Cloud Platform account: it still trusts only IAS, which remains the single entry under Trusted Identity Providers (shown below). The routing to Azure AD happens entirely inside IAS.
Now when I access the supplier portal site, it takes me to the IAS login page, which initially shows only the Email ID field. IAS needs the email address before it can evaluate the domain rule and decide which IdP to use.
When I enter a user with the email domain outlook.com, IAS redirects me to the Azure AD sign-in page.
After successful authentication, it takes me to the supplier portal site.
Let’s try the same thing with a different email domain, gmail.com.
When I enter a gmail.com account and click Continue, no rule matches, so IAS handles the login itself and opens the password field on the same screen (as shown below).
I can log in successfully with this user (created in IAS with the gmail.com email domain). However, the user does not see any apps.
The reason is that we removed the group mappings between the IAS groups and the SAP Cloud Platform groups earlier. Authorization in SAP Cloud Platform is still driven by those mappings, so they need to be added back (highlighted in red below).
When you log in again with the same user, the apps are displayed.