Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 5
In this blog, I wanted to focus a bit more on leveraging the capabilities of Azure AD when you have already configured IAS as a proxy.
IAS itself has capabilities around multi-factor authentication and risk-based authentication. You can find more info on how to enable this in the blog post “Enable Two-Factor Authentication with SAP Cloud Platform Identity Authentication”.
However, I have come across scenarios where customers want to continue leveraging their Azure AD instance to provide multi-factor authentication and other conditional access policies. Because IAS forwards the authentication to Azure AD, any conditional access policy you attach to the Azure AD enterprise application representing IAS is evaluated for every SAP Cloud Platform login that goes through that proxy. Here is a quick walk-through of the steps.
Select your application in your Azure AD service. In the below example, I am continuing to use the app “IAS”. Under Conditional Access, you can add a “New Policy”.
Within the policy, you can define the (1) users/groups to whom the policy needs to apply. It is good practice to exclude at least one emergency-access (break-glass) account here so that a misconfigured policy cannot lock every administrator out.
(2) The Cloud apps – in this case it is just IAS.
(3) The Grant section to allow access only after multi-factor authentication.
I have left the conditions under Assignments empty. I will use them in the next example. Save your policy and enable it (if you want to see who would be affected before enforcing it, Azure AD also offers a report-only state that logs the outcome without prompting users).
When you try to access the Portal site, it will now prompt for the second factor registered in Azure AD (an SMS code in my case) after you have provided the user name and password.
There have been requirements where customers want to lock down the access of the SAP Cloud Platform apps to a particular country/region. For such a scenario, you can configure “Named Locations” at the “Enterprise Applications” level (shown below). Create a location and select the list of countries you want to include. In my example, I selected Australia and New Zealand. Azure AD maps a sign-in to a country from the public IP address of the client, so this control is only as reliable as that IP geolocation.
Once you have defined your named location, you can create a new conditional access policy for the “IAS” app as shown below. Here in the conditions, we select the location defined earlier and set Grant to “Block Access”. This blocks access to users who are trying to access the app from Australia and New Zealand. If the goal is the opposite, i.e. to allow access only from those countries, include “Any location” in the condition and add the named location to the exclusions; the policy then blocks every sign-in that does not come from the excluded (allowed) countries.
Now when you try to access the supplier portal site, it will display the message “You cannot access this right now” after you provide your user name and password.
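The same two policies and the named location can be created through the Microsoft Graph PowerShell SDK instead of the portal, which is useful when you want them in source control or have to roll them out to several tenants. The following is an added example and not part of the original blog post or of SAP's or Microsoft's documentation; the application ID, group ID and break-glass account ID are placeholders you must replace with the values from your own tenant, and both policies are created in report-only mode so you can check the sign-in logs before switching them to “enabled”.

```powershell
# Added example (not from the original blog). Requires the Microsoft.Graph.Identity.SignIns module:
#   Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed identifiers - replace with your own tenant's values.
$iasAppId         = "<application (client) ID of the IAS enterprise app>"
$pilotGroupId     = "<object ID of the group the policies should apply to>"
$breakGlassUserId = "<object ID of the emergency-access account>"

# Policy 1: require MFA for the IAS app (the first scenario in the post).
# No location condition, so it applies to every sign-in of the included users.
$mfaPolicy = @{
    displayName   = "IAS - require MFA"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        applications = @{ includeApplications = @($iasAppId) }
        users        = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)         # never lock out the break-glass account
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Named location: Australia and New Zealand, as in the post.
# Country is derived from the client's public IP address by Azure AD.
$anz = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "ANZ"
    countriesAndRegions               = @("AU", "NZ")
    includeUnknownCountriesAndRegions = $false
}

# Policy 2 (as demonstrated in the post): block sign-ins to IAS that come FROM AU/NZ.
$blockFromAnz = @{
    displayName   = "IAS - block access from ANZ"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @($iasAppId) }
        users        = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        locations    = @{ includeLocations = @($anz.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockFromAnz

# Variant for the stated requirement (allow ONLY AU/NZ): include every location and
# exclude the named one, so everything outside ANZ is blocked.
$blockOutsideAnz = @{
    displayName   = "IAS - allow only from ANZ"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @($iasAppId) }
        users        = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($anz.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutsideAnz
```

After a test sign-in through the IAS proxy, the Azure AD sign-in log entry for that user shows, under Conditional Access, which of these policies matched and whether the result was “Report-only: Failure” or “Success”; only once that looks right should the `state` be changed to `enabled`. Deploy the two location policies one at a time: applied together they block every sign-in for the included users, because one blocks inside ANZ and the other blocks everywhere else.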
Hope you found this blog series useful. If you do have questions, please post them as questions in the forum.