on 11-21-2023 3:36 PM
Hi,
I configured Entra ID (Azure AD) as Corporate Identity Provider. Then I set up one of my apps to use Azure AD as the default IdP. Everything works fine, and I can also map role collections in the BTP subaccount from groups in Azure AD.
The problem is that absolutely all AAD users can log in now if they know the link, no matter what groups or apps they belong to. They don't get any role assigned if they don't belong to a group, so they can't do anything after logging in, but they get created as shadow users in the subaccount.
I would like to prevent the logon based on groups and I found the documentation on how to do that by configuring the "Corporate IdP Identity Federation".
However, this setup assumes that users exist in the IAS tenant and they belong to IAS groups. What I want is to just use IAS as a proxy and to not even create the users in the IAS tenant as I have now.
Is it possible to do that? Or is it mandatory to sync the corporate IdP users in IAS?
Hi Marcal,
You can choose not to use IAS as a user store and just have your users in your Azure IdP and target systems with the right permissions.
In IAS go to your Corporate Identity Provider > Identity Federation
Then turn off User store for IAS by choosing option one:
For more detail please check the link:
Thanks,
Amin