Cloud Identity Services - Restrict Logon to Corporate Identity Provider groups without IAS sync

Marçal_Oliveras
Active Contributor
0 Kudos

Hi,

I configured Entra ID (Azure AD) as Corporate Identity Provider. Then I set up one of my apps to use Azure AD as the default IdP. Everything works fine, and I can also map role collections in the BTP subaccount from groups in Azure AD.

The problem is that absolutely all AAD users can login now if they know the link, no matter to what groups or apps they belong. They don't get any role assigned if they don't belong to a group, so they can't do anything after logging in, but they get created as shadow users in the subaccount.

I would like to prevent the logon based on groups and I found the documentation on how to do that by configuring the "Corporate IdP Identity Federation".

However, this setup assumes that users exist in the IAS tenant and they belong to IAS groups. What I want is to just use IAS as a proxy and to not even create the users in the IAS tenant as I have now.

Is it possible to do that? Or is it mandatory to sync the corporate IdP users in IAS?

Amin_Omidy
Active Participant

Hi Marcal,

You can choose not to use IAS as the user store and just have your users in your Azure IdP and target systems with the right permissions.

In IAS, go to your Corporate Identity Provider > Identity Federation.

Then turn off the user store for IAS by choosing option one:

For more detail please check the link:

https://help.sap.com/docs/identity-authentication/identity-authentication/corp-idp-configure-identit...

Thanks,

Amin

Marçal_Oliveras
Active Contributor
0 Kudos

Thanks amin_omidy, I already knew that, but it's not exactly what I was looking for. I think I might have to ask a new question to clarify that I want to limit it at the app level.
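The gate the thread is asking for, as an added example that is not part of the original posts and is not SAP IAS, XSUAA or Entra ID code: evaluate the corporate IdP's group claims against a per-application policy and refuse the logon (and the shadow-user creation) when no group maps to a role collection for that app. It assumes the application receives the SAML assertion the corporate IdP issued, that Entra ID places group object IDs in the standard groups claim attribute, and that signature, audience and validity-window checks have already been done by the SAML library in front of this code. The group IDs, the app name and the role collection names are constructed for the example.

```python
"""Added example: per-app logon gate on corporate-IdP group claims.

Not SAP IAS / XSUAA / Entra ID code. Assumptions (not from the thread):
  * the app sees the SAML assertion the corporate IdP issued;
  * Entra ID puts group object IDs into the attribute GROUPS_ATTR below;
  * signature, audience and NotOnOrAfter have ALREADY been validated by the
    SAML library; this code only decides allow/deny and role assignment.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name Entra ID uses for group claims in SAML assertions.
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical per-app policy: Entra group object ID -> role collection.
# Group IDs and names are constructed for this example.
APP_POLICY: dict[str, dict[str, str]] = {
    "my-btp-app": {
        "11111111-1111-1111-1111-111111111111": "App_Admin",
        "22222222-2222-2222-2222-222222222222": "App_User",
    },
}


def extract_subject_and_groups(assertion_xml: str) -> tuple[str, list[str]]:
    """Return (NameID, [group ids]) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    groups: list[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUPS_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return subject, groups


def authorize(app: str, assertion_xml: str) -> dict:
    """Decide whether this IdP-authenticated user may log on to `app`.

    A user is allowed only if at least one of their groups maps to a role
    collection for the app; otherwise the logon is rejected before any
    shadow user would be provisioned.  Unknown apps deny by default.
    """
    subject, groups = extract_subject_and_groups(assertion_xml)
    mapping = APP_POLICY.get(app, {})
    roles = sorted({mapping[g] for g in groups if g in mapping})
    allowed = bool(roles)
    return {
        "subject": subject,
        "allowed": allowed,
        "roles": roles,
        "provision_shadow_user": allowed,  # only create the shadow user on allow
    }


def _assertion(name_id: str, group_ids: list[str]) -> str:
    """Build a minimal, constructed (unsigned) assertion for the example."""
    values = "".join(
        f'<saml:AttributeValue>{g}</saml:AttributeValue>' for g in group_ids
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{GROUPS_ATTR}">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed sample assertions: a member of an app group and an outsider
# who authenticated at Entra ID but belongs to no group mapped for the app.
MEMBER_ASSERTION = _assertion(
    "alice@example.com",
    ["11111111-1111-1111-1111-111111111111", "33333333-3333-3333-3333-333333333333"],
)
OUTSIDER_ASSERTION = _assertion(
    "bob@example.com",
    ["33333333-3333-3333-3333-333333333333"],
)

if __name__ == "__main__":
    print(authorize("my-btp-app", MEMBER_ASSERTION))
    print(authorize("my-btp-app", OUTSIDER_ASSERTION))
```

The point of the shape is the ordering: the group check runs on the assertion the IdP already signed, before any user record exists on the proxy side, so an Entra ID account that knows the link but is in no mapped group is turned away with nothing persisted. Whether a given product lets you hook that position is a separate question; the thread's own answer covers the IAS "Identity Federation" switch for the user-store part only.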