Identity federation in IAS: authentication via corporate IDP and Authorization via IAS user store.
there is an option of identity federation if customers want to use their corporate IDP for authentication such as azure AD and use sap specific application identity provider for any sap applications/platforms such as SAP Web IDE or SAP Cloud Platform Integration. Recently I have come across request from customers where they had this particular type of requirement.
PREREQUISITES: you need to configure IAS as a proxy for azure AD. follow the below link for that configuration
after you have configured IAS as a proxy then you can use identity federation.
After clicking the identity federation option in the identity providers section, you just need to enable the switches and configure identity federation.it has 3 options:
1) enable the user store in IAS. : this would allow you to use your own sap user store for authorization. you might have groups created in SAP Cloud Platform which you can match in IAS user store.
the other two options are allowing IAS users only. so if you have a user in user store in IAS then only the application screen will be shown else you will get a 403 forbidden error. use this option when you do not want external users to even redirected to sap applications after successful authentication via azure or any IDP.
the last option is allowing risk based authentication and other policies for your authorization via IAS. use that if you have a risk based authentication requirement. more info on the below blog for conditional authentication and authorization:
Hope this helps