Configuring the Admin access for Identity Authentication service
One of the common approaches to protecting SAP solutions is to use SAP Cloud Platform Identity Authentication service (IAS). IAS acts as an Identity Provider and authenticates the user before letting them access the SAP solutions. In fact, IAS is bundled with many SAP SaaS solutions such as SuccessFactors and SAP Jam and offered as the default Identity Provider. You can configure IAS as a proxy to a corporate Identity Provider, so that your end users provide the same user ID and password (those of the corporate Identity Provider) when accessing the SAP solutions. This is the most common scenario in which IAS is used, and it has been explored in the following blogs:
- Setting up Authentication for Cloud Portal using Cloud Identity
- Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform
Now that you know how to set up access to an SAP solution using IAS and your corporate Identity Provider, the next thing to consider is configuring the IAS Administration Console to also use your corporate Identity Provider to authenticate the administrators who need access to IAS. This way, your admins do not need to remember an additional user name and password, and their access is managed through their existing corporate Identity Provider. This blog walks you through those steps.
The first thing to ensure before you proceed is that you have an admin user who is maintained in your corporate Identity Provider. In the example below, I am using Azure AD as my corporate Identity Provider and the test user is “murali20190101@outlook.com”.
Access the application “Administration Console”. This application holds the configuration of the administration console for SAP Cloud Platform Identity Authentication service. It is a standard application that you will see in your IAS tenant. You can read more about how to use this application in SAP Help.
You can change the configuration to enforce a stronger password policy or even change the default authenticating Identity Provider. In the example below, under “Conditional Authentication”, I have set it to “Azure AD”, which has already been configured as a corporate Identity Provider as explained in the blog post above.
For reference, here is my configuration of the Azure AD where I have created an application for Identity Authentication service and configured trust between IAS and Azure AD.
Once the application has been configured, ensure that the users are assigned to it. In the example below, I have added the user “murali20190101@outlook.com” to this application. This is the same user who is an administrator of the IAS tenant.
Now when you try to access the IAS Administration Console via https://<tenant-name>.accounts.ondemand.com/admin, you will see the Azure login screen as shown below.
Note: To ensure that your configuration is correct, first check that the trust setup works by testing it against other solutions or SAP Cloud Platform, using IAS as a proxy to your corporate Identity Provider. Once that works, change the configuration of the Administration Console application in IAS. You don’t want to lock yourself out.
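As an added example (not code from this blog, from SAP or from Microsoft), here is a small Python pre-flight check that covers the two things the post says to verify before changing Conditional Authentication on the Administration Console application: the IdP metadata you configured describes a usable SAML Identity Provider, and every IAS administrator is also assigned to the Azure AD application. The metadata document, the tenant ID, the admin list and the assigned-user list are constructed sample data; the X509Certificate value is a placeholder, and the check only confirms that it decodes as DER, not that the certificate is valid or unexpired.

```python
"""Pre-flight check before switching the IAS Administration Console to a
corporate IdP. Added example with constructed data; not SAP or Azure AD code."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample with the shape of an Azure AD federation metadata document.
# Tenant ID, SSO location and the X509Certificate value are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIB</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample lists: IAS tenant administrators, and the users assigned
# to the Azure AD enterprise application that fronts IAS.
IAS_ADMINS = ["murali20190101@outlook.com", "backup.admin@example.com"]
AZURE_APP_USERS = ["Murali20190101@outlook.com"]


def check_idp_metadata(xml_text: str) -> List[str]:
    """Return the problems that would break SAML login through this IdP."""
    issues: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        issues.append("entityID missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return issues + ["no IDPSSODescriptor: not an IdP metadata document"]

    # IAS needs an SSO endpoint it can redirect or POST the AuthnRequest to.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not (sso.get(HTTP_REDIRECT) or sso.get(HTTP_POST)):
        issues.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for location in sso.values():
        if location and not location.startswith("https://"):
            issues.append("non-HTTPS SSO location: " + location)

    # At least one signing certificate (use="signing" or no use attribute,
    # which means both) that decodes as DER. Validity dates are not checked.
    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(raw, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                issues.append("X509Certificate is not valid base64")
                continue
            if der[:1] != b"\x30":
                issues.append("X509Certificate does not decode to a DER SEQUENCE")
                continue
            signing_certs += 1
    if signing_certs == 0:
        issues.append("no usable signing certificate: IAS cannot verify IdP signatures")
    return issues


def admins_not_assigned(ias_admins: List[str], app_users: List[str]) -> List[str]:
    """IAS admins who would be locked out because they are not assigned to the
    Azure AD application. Comparison is case-insensitive, as UPNs are."""
    assigned = {u.strip().lower() for u in app_users}
    return sorted(a for a in ias_admins if a.strip().lower() not in assigned)


def preflight(xml_text: str, ias_admins: List[str],
              app_users: List[str]) -> Dict[str, List[str]]:
    """Everything to fix before changing Conditional Authentication on the
    Administration Console application; empty lists mean it is safe to switch."""
    return {
        "metadata": check_idp_metadata(xml_text),
        "admins_not_assigned": admins_not_assigned(ias_admins, app_users),
    }


if __name__ == "__main__":
    for key, problems in preflight(SAMPLE_METADATA, IAS_ADMINS, AZURE_APP_USERS).items():
        print(key, "OK" if not problems else problems)
```

With the constructed data the metadata passes, but the second admin is reported as not assigned to the Azure AD application: switching the Administration Console to Azure AD at that point would lock that admin out, which is exactly the situation the note above warns about.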
Great series, thank you for all the useful related IAS content.
I have a question if you don't mind regarding automatic provisioning.
Using SAP IAS as a proxy, with Azure AD as the corporate IdP, when enabling automatic user provisioning on Azure AD so that users are created on IAS automatically, it sends an activation link to the user. As IAS is acting as a proxy, why will it require the user to enable (activate and set a password) their account on IAS, even though they will never log in to IAS in the first place?
Thank you.
Hi Murali
Maybe you know the answer: Since we plan to provide one IAS Tenant as a central service for several customer applications and some of them wish to have control over their user management (kind of self service): Is it possible to restrict the view of users in User Management Tab to specific user groups? Or to somehow hide users that are not in the scope of one specific customer or his applications?
Thank you very much
Jonas Meyer