Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 5

In this blog, I wanted to focus a bit more on leveraging the capabilities of Azure AD when you have already configured IAS as a proxy.

IAS itself has capabilities around multi-factor authentication and risk-based authentication. You can find more information on how to enable these in the blog post “Enable Two-Factor Authentication with SAP Cloud Platform Identity Authentication”.

However, I have come across scenarios where customers want to continue leveraging their Azure AD instance to provide multi-factor authentication and other conditional access policies. Here is a quick walkthrough of the steps.

Select your application in your Azure AD service. In the example below, I am continuing to use the app “IAS”. Under Conditional Access, you can add a “New Policy”.

Within the policy, you can define:

(1) The users/groups to whom the policy needs to apply.

(2) The Cloud apps – in this case it is just IAS.

(3) The Grant section, to allow access only after multi-factor authentication.

I have left the Conditions under Assignments empty; I will use them in the next example. Save your policy and enable it.

When you try to access the Portal site, it will now ask for an SMS code after you have provided the user name and password.

There have been requirements where customers want to lock down access to the SAP Cloud Platform apps to a particular country/region. For such a scenario, you can configure “Named Locations” at the “Enterprise Applications” level (shown below). Create a location and select the list of countries you want to include. In my example, I selected Australia and New Zealand.

Once you have defined your named location, you can create a new conditional access policy for the “IAS” app as shown below. Here, in the Conditions, select the location defined earlier and set Grant to “Block access”. This blocks access for users who try to reach the app from Australia and New Zealand.

Now, when you try to access the supplier portal site, it will display the message “You cannot access this right now” after you provide your user name and password.
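To make the interplay of the two policies concrete, here is an added Python example (not from the post, SAP or Microsoft) that models both policies in the Microsoft Graph conditionalAccessPolicy and countryNamedLocation shapes and evaluates sample sign-ins the way Conditional Access combines matching policies. The app id "app-ias", the location id "loc-anz" and the user names are placeholders.

```python
# Constructed named location for the post's example (ISO 3166-1 alpha-2 codes).
NAMED_LOCATIONS = {
    "loc-anz": {"@odata.type": "#microsoft.graph.countryNamedLocation",
                "displayName": "ANZ", "countriesAndRegions": ["AU", "NZ"]},
}

# Constructed policies; "app-ias" stands in for the IAS enterprise application id.
POLICIES = [
    {"displayName": "Require MFA for IAS", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["app-ias"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block IAS from ANZ", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["app-ias"]},
                    "locations": {"includeLocations": ["loc-anz"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _location_matches(policy, country):
    """A policy with no location condition applies from everywhere."""
    locs = policy["conditions"].get("locations")
    if not locs:
        return True
    return any(loc_id == "All" or country in NAMED_LOCATIONS[loc_id]["countriesAndRegions"]
               for loc_id in locs.get("includeLocations", []))

def _applies(policy, user, app, country):
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]["includeApplications"]
    if user in users.get("excludeUsers", []):
        return False
    user_ok = "All" in users.get("includeUsers", []) or user in users.get("includeUsers", [])
    return user_ok and ("All" in apps or app in apps) and _location_matches(policy, country)

def evaluate(user, app, country, policies=POLICIES):
    """Return the grant controls a sign-in must satisfy. Every enabled policy that
    matches contributes; a 'block' in any of them wins, so the ANZ policy denies
    access even though the MFA policy alone would only challenge the user.
    An empty list means no policy applied and the sign-in proceeds unchallenged."""
    required = set()
    for policy in policies:
        if policy["state"] == "enabled" and _applies(policy, user, app, country):
            required.update(policy["grantControls"]["builtInControls"])
    return ["block"] if "block" in required else sorted(required)

if __name__ == "__main__":
    for user, country in [("alice", "AU"), ("alice", "US")]:
        print(user, country, "->", evaluate(user, "app-ias", country))
```

Switching the block policy's state to "enabledForReportingButNotEnforced" (Graph's report-only value) is the safe way to trial a geo-block before it locks real users out.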

Hope you found this blog series useful. If you do have questions, please post them as questions in the forum.


9 Comments
  • Thanks for the detailed series Murali - 1 additional post that would round it all out is to include how this works for Platform identities since the Trial doesn't allow playing around with this set-up unfortunately.

    Anyway, keep up the great work.

    Matt

      • Thanks Murali - That post indeed does help (though on trial, I'm pretty sure this line is incorrect, and on my production instances for SCPI (but not WebIDE), the platform identity provider tab appears by default):

        "As soon as you add an “Application Identity Provider”, you will get access to a tab – Platform Identity Provider."

        Also, the SAP Cloud Connector limitation sounds like a major showstopper since for 2-way SCPI integration with SAP, this is fundamental (unless you are just using MFA with S-IDs, which seems to be the only workable option for the moment).

        Now just hoping for the post or announcement from someone at SAP which simply states - "If you are serious about SCP, you must buy IAS!"

        Cheers,

        Matt

        • Previously, the Platform Identity Provider tab showed up when you enabled "Application Identity Provider". There have been changes to this behaviour. Now, customers need to look for a tile called "Platform Identity Provider" in the services menu and enable it.

  • Hi Murali Shanmugham, thank you for sharing.

    I have a question. Is it possible to use Conditional Authentication (Part 4) and Multi-Factor Authentication (Part 5) with different IdPs?

    For example:

    Conditional Authentication > Authentication Rules

    @Outlook.com > Azure

    @Gmail.com > MS AD (with scc)

    Default Identity Provider = @* > IAS


    Risk-Based Authentication > Authentication Rules

    @Outlook.com > Allow (IdP rule is Azure + MFA)

    @Gmail.com > TOTP Two-Factor Authentication

    Default Action = Deny

    Create the groups for Risk-Based Authentication by mapping MS AD and Azure groups in IAS?


    Thank you

  • Hi Murali, I have a situation.

    We are moving our Mobile Platform to Cloud Foundry Mobile Services and want to check all the available possibilities where all the requests going from Cloud Foundry Mobile Services to the Cloud Connector (which is on-premise) should be authenticated against LDAP first, or even before communicating with the Cloud Connector.

    Could you help me with your suggestions or any guide for the same?


    Thanks

    Pradeep

    pradeep.aleti@gmail.com