Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 5
Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform (blog series):
Part 1 – Configuring Identity Authentication Service with SAP Cloud Platform
Part 2 – Configuring Azure Active Directory with SAP Cloud Platform
Part 3 – Configuring Identity Authentication service as a Proxy for Azure AD
Part 4 – Configuring Conditional Authentication in Identity Authentication Service
In this blog, I want to focus a bit more on leveraging the capabilities of Azure AD when you have already configured IAS as a proxy.
IAS itself has capabilities around multi-factor authentication and risk-based authentication. You can find more information on how to enable this in the blog post “Enable Two-Factor Authentication with SAP Cloud Platform Identity Authentication”.
However, I come across scenarios where customers want to continue leveraging their Azure AD instance to provide multi-factor authentication and other conditional access policies. Here is a quick walkthrough of the steps.
Select your application in your Azure AD service. In the example below, I am continuing to use the app “IAS”. Under Conditional Access, you can add a “New Policy”.
Within the policy, you can define (1) the users/groups to whom the policy needs to apply,
(2) the Cloud apps, which in this case is just IAS, and
(3) the Grant section, to allow access after multi-factor authentication.
I have left conditions under Assignments empty. I will use that in the next example. Save your policy and enable it.
When you try to access the Portal site, it will now ask for an SMS code after you have provided the user name and password.
There have been requirements where customers want to lock down the access of the SAP Cloud Platform apps to a particular country/region. For such a scenario, you can configure “Named Locations” at the “Enterprise Applications” level (shown below). Create a location and select the list of countries you want to include. In my example, I selected Australia and New Zealand.
Once you have defined your named location, you can create a new conditional access policy for the “IAS” app as shown below. Here in the conditions, we would select the location defined earlier and set Grant as “Block Access”. This would block access to users who are trying to access the app from Australia and New Zealand.
Now when you try to access the supplier portal site, it will display the message “You cannot access this right now” after you provide your user name and password.
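The MFA policy and the location policy described above, written as Microsoft Graph `conditionalAccessPolicy` request bodies together with a simplified model of how the location condition is matched. This is an added example, not code from the original post; the IDs, the `All` users scope, the report-only state and the helper names are assumptions. It goes beyond the post by also showing the include-all/exclude-location variant, which blocks sign-ins from outside the named location.

```python
import json

# Constructed placeholder IDs; real values come from your own tenant.
IAS_APP_ID = "00000000-0000-0000-0000-0000000000a1"       # the "IAS" enterprise app
ANZ_LOCATION_ID = "00000000-0000-0000-0000-0000000000b2"  # id of the named location

# Country-based named location, as created in the post (Australia, New Zealand).
NAMED_LOCATION = {
    "@odata.type": "#microsoft.graph.countryNamedLocation",
    "displayName": "Australia and New Zealand",
    "countriesAndRegions": ["AU", "NZ"],
    "includeUnknownCountriesAndRegions": False,
}

def make_policy(name, control, include=None, exclude=None):
    """Build a conditionalAccessPolicy body scoped to the IAS app."""
    conditions = {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": [IAS_APP_ID]},
        "users": {"includeUsers": ["All"]},  # assumption: post picks users/groups
    }
    if include is not None:
        conditions["locations"] = {"includeLocations": include,
                                   "excludeLocations": exclude or []}
    return {"displayName": name,
            "state": "enabledForReportingButNotEnforced",  # assumption: report-only first
            "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": [control]}}

REQUIRE_MFA = make_policy("IAS - require MFA", "mfa")
BLOCK_FROM_ANZ = make_policy("IAS - block from ANZ", "block", [ANZ_LOCATION_ID])
BLOCK_OUTSIDE_ANZ = make_policy("IAS - block outside ANZ", "block", ["All"], [ANZ_LOCATION_ID])

def control_for(policy, country):
    """Simplified model of the location condition: return the grant control
    applied to a sign-in from `country`, or None if the policy is out of scope."""
    def matches(ids):
        in_named = country in NAMED_LOCATION["countriesAndRegions"]
        return "All" in ids or (ANZ_LOCATION_ID in ids and in_named)
    loc = policy["conditions"].get("locations")
    if loc and (not matches(loc["includeLocations"]) or matches(loc["excludeLocations"])):
        return None
    return policy["grantControls"]["builtInControls"][0]

if __name__ == "__main__":
    print(json.dumps(BLOCK_OUTSIDE_ANZ, indent=2))
    for c in ("AU", "NZ", "DE"):
        print(c, control_for(BLOCK_FROM_ANZ, c), control_for(BLOCK_OUTSIDE_ANZ, c))
```

Switching `state` to `enabled` enforces a policy; the report-only value lets you review the sign-in logs first.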
Hope you found this blog series useful. If you do have questions, please post them as questions in the forum.
Thanks for the detailed series Murali - 1 additional post that would round it all out is to include how this works for Platform identities since the Trial doesn't allow playing around with this set-up unfortunately.
Anyway, keep up the great work.
Matt
Thanks Matt. I have updated my old blog post on Platform Identity Provider with more information.
Setup a Platform Identity Provider for SAP Cloud Platform
I have also added another blog post - Setting up Platform Roles to secure your SAP Cloud Platform cockpit
Thanks Murali - That post indeed does help (though on trial, I'm pretty sure this line is incorrect, and on my production instances for SCPI (but not WebIDE), the platform identity provider tab appears by default):
"As soon as you add an “Application Identity Provider”, you will get access to a tab – Platform Identity Provider."
Also, the SAP Cloud Connector limitation sounds like a major showstopper since for 2-way SCPI integration with SAP, this is fundamental (unless you are just using MFA with S-ID's which seems to be the only workable option for the moment).
Now just hoping for the post or announcement from someone at SAP which simply states - "If you are serious about SCP, you must buy IAS!"
Cheers,
Matt
Previously, the Platform Identity Provider tab showed up when you enabled "Application Identity Provider". There have been changes to this behaviour. Now, customers need to look for a tile called "Platform Identity Provider" in the services menu and enable it.
Can we enable the MFA in IAS even though it is served as a proxy of Azure AD (or other corporate IDP)?
Thanks,
Carson
No, I don't think this is possible. IAS will hand over the process to the Corporate IdP.
Hi Murali Shanmugham, thank you for sharing this document. I have one question: is it possible to use Azure AD for authorizations with the use of AD roles, or can I only use it for authentication?
thank you again!
Hi Murali Shanmugham, thank you for sharing.
I have a question. Is it possible to use Conditional Authentication (Part 4) and Multi-Factor Authentication (Part 5) with different IdPs?
For example:
Conditional Authentication > Authentication Rules
@Outlook.com > Azure
@Gmail.com > MS AD (with scc)
Default Identity Provider = @* > IAS
Risk-Based Authentication > Authentication Rules
@Outlook.com > Allow (IDP rules is = Azure + MFA )
@Gmail.com > TOTP Two-Factor Authentication
Default Action = Deny
create the groups to Risk-Based Authentication, mapping MS AD, and Azure groups in IAS?
thank you
Hi Murali, I have a situation.
We are moving our Mobile Platform to Cloud Foundry Mobile services and want to check all the available possibilities where all the requests going from the Cloud Foundry Mobile Services to the Cloud Connector (which is on the On-Prem) should be authenticated on LDAP first or even before communicating with the Cloud Connector.
Could you help me with your suggestions or any guide for the same.
Thanks
Pradeep
pradeep.aleti@gmail.com
Hi Murali,
Very useful. I'm trying to do a POC on a similar topic with an Azure AD conditional access policy. However, we noticed that Azure AD does not recognise the Device ID [blank] when the request is sent via IAS. This prevents enabling some conditional access policies, such as a managed corporate device vs. unmanaged device policy.
Have you noticed a similar issue, and what could be the fix?
Thanks in advance.
PS: I've asked a similar question on another post as well.