Murali Shanmugham

Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 5

In this blog, I wanted to focus a bit more on leveraging the capabilities of Azure AD when you have already configured IAS as a proxy.

IAS itself has capabilities around multi-factor authentication and risk-based authentication. You can find more info on how to enable this in the blog post “Enable Two-Factor Authentication with SAP Cloud Platform Identity Authentication”.

However, I have come across scenarios where customers want to continue leveraging their Azure AD instance to provide multi-factor authentication and other conditional access policies. Here is a quick walkthrough of the steps.

Select your application in your Azure AD service. In the example below, I am continuing to use the app “IAS”. Under Conditional Access, you can add a “New Policy”.

Within the policy, you define:

1. The users/groups to whom the policy needs to apply.
2. The cloud apps, in this case just IAS.
3. The Grant section, to allow access only after multi-factor authentication.

I have left Conditions under Assignments empty; I will use that in the next example. Save your policy and enable it.

When you try to access the Portal site, it will now ask for an SMS code after you have provided the user name and password.

There have been requirements where customers want to lock down access to SAP Cloud Platform apps to a particular country/region. For such a scenario, you can configure “Named Locations” at the “Enterprise Applications” level (shown below). Create a location and select the list of countries you want to include. In my example, I selected Australia and New Zealand.

Once you have defined your named location, you can create a new conditional access policy for the “IAS” app as shown below. Here, under Conditions, select the location defined earlier and set Grant to “Block Access”. This blocks users who try to access the app from Australia and New Zealand.

Now when you try to access the supplier portal site, it will display the message “You cannot access this right now” after you provide your user name and password.
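As an added example that is not part of the original post, here are the two policies above (require MFA for the IAS app; block sign-ins to IAS from the Australia/New Zealand named location) written in the shape the Microsoft Graph API uses for conditionalAccessPolicy and countryNamedLocation resources, together with a simplified evaluator that shows how Azure AD combines them. The app id and location id are placeholders, and the evaluator is an assumed simplification of the real engine (a matching block policy wins; otherwise every required grant control applies).

```python
# Added example, not from the blog post: the post's two Conditional Access policies
# in Microsoft Graph conditionalAccessPolicy shape plus a simplified evaluator.
# Assumption: any matching "block" policy wins, otherwise all required controls apply.
IAS_APP_ID = "ias-app-client-id-placeholder"  # placeholder for the IAS app's client id
ANZ = {  # countryNamedLocation resource for the named location in the post
    "@odata.type": "#microsoft.graph.countryNamedLocation",
    "id": "anz-location-id-placeholder",  # placeholder id
    "displayName": "ANZ",
    "countriesAndRegions": ["AU", "NZ"],  # ISO 3166-1 alpha-2 codes
    "includeUnknownCountriesAndRegions": False,
}
LOCATIONS = {ANZ["id"]: ANZ}
POLICIES = [
    {"displayName": "IAS - require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [IAS_APP_ID]},
                    "locations": None},  # no location condition: applies everywhere
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "IAS - block ANZ", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [IAS_APP_ID]},
                    "locations": {"includeLocations": [ANZ["id"]]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def location_matches(loc_id, country):
    loc = LOCATIONS[loc_id]
    if country is None:  # GeoIP could not resolve the client's country
        return loc["includeUnknownCountriesAndRegions"]
    return country in loc["countriesAndRegions"]

def policy_applies(policy, user, app_id, country):
    c = policy["conditions"]
    users = c["users"]["includeUsers"]
    if policy["state"] != "enabled" or app_id not in c["applications"]["includeApplications"]:
        return False
    if "All" not in users and user not in users:
        return False
    locs = c["locations"]
    return locs is None or any(location_matches(l, country) for l in locs["includeLocations"])

def evaluate(user, app_id, country=None):
    """Outcome of a sign-in: 'block', 'mfa' or 'allow' (simplified CA semantics)."""
    controls = set()
    for p in POLICIES:
        if policy_applies(p, user, app_id, country):
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:  # block takes precedence over any grant control
        return "block"
    return "mfa" if "mfa" in controls else "allow"
```

Note that a sign-in whose country cannot be resolved is not blocked here because includeUnknownCountriesAndRegions is false; flip that flag if unknown origins should also be denied.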

Hope you found this blog series useful. If you do have questions, please post them as questions in the forum.

10 Comments
      Matt Harding

      Thanks for the detailed series Murali - 1 additional post that would round it all out is to include how this works for Platform identities since the Trial doesn't allow playing around with this set-up unfortunately.

      Anyway, keep up the great work.

      Matt

      Murali Shanmugham
      Blog Post Author

      Thanks Matt. I have updated my old blog post on Platform Identity Provider with more information.

      Setup a Platform Identity Provider for SAP Cloud Platform

      I have also added another blog post - Setting up Platform Roles to secure your SAP Cloud Platform cockpit

       

      Matt Harding

      Thanks Murali - That post indeed does help (though on trial, I'm pretty sure this line is incorrect, and on my production instances for SCPI (but not WebIDE), the platform identity provider tab appears by default):

      "As soon as you add an “Application Identity Provider”, you will get access to a tab – Platform Identity Provider."

      Also, the SAP Cloud Connector limitation sounds like a major showstopper since for 2-way SCPI integration with SAP, this is fundamental (unless you are just using MFA with S-ID's which seems to be the only workable option for the moment).

      Now just hoping for the post or announcement from someone at SAP which simply states - "If you are serious about SCP, you must buy IAS!"

      Cheers,

      Matt

      Murali Shanmugham
      Blog Post Author

      Previously, the Platform Identity Provider tab showed up when you enabled "Application Identity Provider". There have been changes to this behaviour. Now, customers need to look for a tile called "Platform Identity Provider" in the services menu and enable it.

      Ka Shun Wong

      Can we enable the MFA in IAS even though it is served as a proxy of Azure AD (or other corporate IDP)?

      Thanks,

      Carson

      Murali Shanmugham

      No, I don't think this is possible. IAS will hand over the process to the Corporate IdP.

      Hernan Muraro

      Hi Murali Shanmugham, thank you for sharing this document. I have one question: is it possible to use Azure AD for authorizations with the use of AD roles, or can I only use it for authentication?

      thank you again!

      Eduardo da Cunha Kaminski

      Hi Murali Shanmugham, thank you for sharing.

      I have a question. Is it possible to use Conditional Authentication (Part 4) and Multi-Factor Authentication (Part 5) with different IdPs?

      For example:

      Conditional Authentication > Authentication Rules

      @Outlook.com > Azure

      @Gmail.com > MS AD (with scc)

      Default Identity Provider = @* > IAS

       

      Risk-Based Authentication > Authentication Rules

      @Outlook.com > Allow (IDP rules is = Azure + MFA )

      @Gmail.com > TOTP Two-Factor Authentication

      Default Action = Deny

      Create the groups for Risk-Based Authentication, mapping MS AD and Azure groups in IAS?

       

      thank you

      Bollu Spandana

      Hi Murali, I have a situation.

       

      We are moving our Mobile Platform to Cloud Foundry Mobile Services and want to check all the available possibilities where all the requests going from the Cloud Foundry Mobile Services to the Cloud Connector (which is on-premise) should be authenticated against LDAP first, or even before communicating with the Cloud Connector.

       

      Could you help me with your suggestions or any guide for the same?

       

      Thanks

      Pradeep

      pradeep.aleti@gmail.com

      Dinesh Ananda

      Hi Murali,

      Very useful. I'm trying to do a POC on a similar topic with Azure AD conditional access policy. However, we noticed Azure AD does not recognise the Device ID [blank] when the request is sent via IAS. This prevents enabling some conditional access policies such as managed corporate device vs unmanaged device policy.

      Have you noticed a similar issue, and what can be the fix?

      Thanks in advance.

      PS: I've asked similar question on other post as well.
