Group Assignments Based on User Attributes – a Flexible Solution for Managing Conditional & Risk-Based Authentication and Much More
Triggering group assignments based on a user attribute is among the recent enhancements of Identity Provisioning capabilities.
What does this mean and how can you make use of it?
It means that you can directly assign or unassign whatever users you want (based on their attribute values) to any group that exists on the target system. As simple as it sounds, it is just as powerful.
Before You Start
- This feature is supported for SCIM-based target systems that support PATCH operations, like Identity Authentication version 2.
Note: Similar functionality is still possible with Identity Authentication version 1. However, it is not recommended for complex scenarios where the users’ groups on the target system are additionally managed by other identity management processes (as assignments made by those processes could be overwritten).
- The user group you want to assign should exist on the target system.
Use Case Scenario
Let’s say you are managing your users in SAP SuccessFactors (SFSF) and synchronizing them to Identity Authentication service.
Although there are many use case scenarios where this flexible management of user group assignments can be used, these two are the most common ones:
- Configuring conditional authentication based on the value of the loginMethod attribute in SFSF, which differentiates users authenticated by Identity Authentication from those authenticated by a corporate identity provider.
- Enforcing two-factor authentication by Identity Authentication service based on user attributes that are coming from the user source system (via group assignments).
For the purpose of this scenario, we’ll show you how to configure risk-based authentication in your Identity Authentication service using the new feature.
Let’s take the following requirement as an example: employees working in the Executive Office division must log in to the SFSF application with two-factor authentication (TFA). Everyone else should be able to access it with just username and password. And of course, if any of these “Executive” employees moves to another division, TFA should no longer be required when logging in to the SFSF application.
You probably know that rules for risk-based authentication can be configured on a group, and not on an attribute (in our case division= Executive Office). Well, this is where the latest enhancement steps in to help you.
Achieving the above scenario requires separate configuration in three places:
1. In SAP SuccessFactors, make sure all users that work in the Executive Office division have the attribute division= Executive Office (EXEC).
In this scenario, we’ll give you an example with 2 users:
- Martin Snow – works in the Executive Office division
- John Parker – works in the Corporate Services division
2. In Identity Authentication, create a group and configure risk-based authentication rule with TFA based on it.
In this scenario, we’ll name it TFA-Required. Its group ID is: bf9e73e6-759e-4d93-a6d4-0e2171aad239
3. In Identity Provisioning, configure SAP SuccessFactors source system and Identity Authentication target system.
In this scenario:
- SAP SFSF uses SCIM API version 2 and is configured with certificate-based authentication
- Identity Authentication uses SCIM API version 2 and is configured with certificate-based authentication
Note: Be aware that currently in bundle tenants SAP SFSF version 2 is preconfigured to work with Identity Authentication version 1.
4. Open the Identity Authentication system, select the Transformations tab and choose Edit.
5. Add the following transformation code at the end of the user entity:
What does this transformation tell us?
- “condition” – Apply this mapping to all users with division attribute set to Executive Office (EXEC).
- “constant” – Assign all the users matching the condition to the given group “TFA-Required” by specifying its group ID.
- “targetVariable” – Execute assign operation.
- “condition” – Apply this mapping to all users whose division attribute is not set to Executive Office (EXEC).
- “constant” – Unassign all the users matching the condition from the specified group “TFA-Required” by specifying its group ID.
- “targetVariable” – Execute unassign operation.
Note: You can add more than one group ID to the “constant” array element, that is, you can assign and unassign users to/from multiple groups at the same time.
Note: The group ID that should be specified in the transformation mapping is the SCIM ID of the group resource in IAS SCIM v2 API which is also visible in the SAP Cloud Identity Services administration console under Users & Authorizations -> User Groups -> details of the group:
6. Finally, run a provisioning job.
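The transformation code from step 5 is not reproduced on this page, so the following is an added example of what the two mappings described above look like, written from my understanding of the Identity Provisioning transformation syntax rather than copied from the original post. The group ID is the TFA-Required ID from step 2. Three things are assumptions to verify against the Enabling Group Assignment documentation for your tenant: the target variable names assignGroups and unassignGroups, the condition operators == and !=, and the path to the division attribute, which here assumes the SFSF source transformation places it under the SCIM enterprise user extension.

```json
[
  {
    "condition": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division'] == 'EXEC'",
    "constant": ["bf9e73e6-759e-4d93-a6d4-0e2171aad239"],
    "targetVariable": "assignGroups"
  },
  {
    "condition": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division'] != 'EXEC'",
    "constant": ["bf9e73e6-759e-4d93-a6d4-0e2171aad239"],
    "targetVariable": "unassignGroups"
  }
]
```

Both objects are appended as the last elements of the mappings array of the user entity in the Identity Authentication target system. The second mapping is what satisfies the "moves to another division" requirement: on the next provisioning run the user no longer matches the first condition, matches the second, and is removed from TFA-Required. Two caveats follow from this: membership of the group is now reconciled from the source attribute on every job, so any manual change to that membership in the administration console is overwritten on the next run (the situation the note under Before You Start warns about), and a user record with no division attribute at all also matches the != condition, so check that this is the behaviour you want for such users.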
Login With TFA
1. User Martin Snow is provisioned to Identity Authentication with attribute division set to Executive Office (EXEC).
2. He is assigned to group TFA-Required.
3. He tries to log in to the SFSF application with username and password.
4. In addition to the basic authentication, two-factor authentication is required.
Once he scans the QR code and provides the passcode, he can log in to the SFSF application.
Login Without TFA
1. User John Parker is provisioned to Identity Authentication with attribute division set to Corporate Services (CORP_SVCS).
2. As expected, he is not assigned to the TFA-Required group.
3. He tries to log in to the SAP SFSF application with username and password.
4. He is not required to provide TFA and logs in successfully.
A few important notes about direct group assignments:
- It works for standard provisioning and real-time provisioning.
- It works for target systems with or without enabled bulk operations.
- If the group you want to assign to a user does not exist on the target during user creation, the user provisioning fails.
For more information, see Enabling Group Assignment.