on 04-08-2024 2:33 PM
Hi Experts,
We have implemented Azure AD with SAP IAS. Users are provisioned from Azure AD to SAP IAS using IPS.
Now, I want to provision these users/groups from SAP IAS to the BTP using IPS and then assign BTP roles to them.
I want to disable the 'Shadow user' option in the trust configuration.
How can I automatically create users in SAP BTP who (for example) are members of a group in SAP IAS ?
Many Thanks
Best regards
Hello @tskwin
I think you cannot create BTP users automatically, especially when you have switched shadow users off, see:
[...] Usually, you want your administrators to be fully aware of which users they allow to log on. If you’ve switched off automatic creation of shadow users for a certain identity provider, you enforce that only those users can log on where shadow users have been created explicitly. [...]
What we have set:
So, in our case, we have set up Security Groups in Entra ID and assigned business users in Entra ID. The IPS provisions users and groups to IAS; the assignment of groups remains in IAS. In BTP we map the different groups to role collections. So if a user logs on to the application and authenticates via IAS (SSO to IdP), the user will be created in BTP as a shadow user (first-time logon) and the role mapping happens invisibly (you cannot see a direct role assignment in BTP users).
Hope that helps.
Hello @mnoe,
Thank you.
We have implemented this scenario (Azure Groups -> BTP Role Collection), where users are added to Azure Groups and then these groups are added to SAP BTP as role collections.
You described this scenario: (Azure_Groups -> IAS_Groups -> BTP Role Collection).
Is there any specific reason or advantage to provisioning users to SAP IAS (Azure_Groups -> IAS_Groups -> BTP Role Collection)?
And what are the benefits of the second scenario (Azure_Groups -> IAS_Groups -> BTP Role Collection)?
Thank you very much.
Best Regards
Hello @tskwin,
I think you are referring to the option to pass the group assignments through the SAML2 attribute (attribute mapping) and map the Azure group in the role collection.
I wasn't aware of that when I implemented "our" solution; however, I think it depends individually what is best. In IAS I can see and control memberships for those groups, e.g. if I want external users (no user master data in Azure) to join a group and use the mapping in BTP. Vendor support in our case: external users with no domain membership can be created manually in IAS and receive group assignments there.
Cheers
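To make the two mechanisms discussed in this thread concrete, here is a small added model (example code, not SAP's implementation or anything from the posters): it reads the group values carried in a SAML assertion attribute, maps them to role collections, and applies the rule from the quoted documentation that, with automatic shadow-user creation switched off, only explicitly created shadow users may log on. The attribute name "Groups", the mapping table and the sample assertion are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment carrying a "Groups" attribute (assumed name).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>BTP_Developers</saml:AttributeValue>
      <saml:AttributeValue>Vendor_Support</saml:AttributeValue>
      <saml:AttributeValue>Unmapped_Group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed role-collection mapping in the BTP subaccount: group value -> role collection.
GROUP_TO_ROLE_COLLECTION = {
    "BTP_Developers": "Developer",
    "Vendor_Support": "Support_Viewer",
}


def parse_assertion(xml_text):
    """Return (subject, [group values]) from the assertion's attribute statement."""
    root = ET.fromstring(xml_text)
    subject = root.find(".//saml:Subject/saml:NameID", NS).text
    groups = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='Groups']/saml:AttributeValue", NS)]
    return subject, groups


def authorize(xml_text, existing_shadow_users, auto_create_shadow_users):
    """Return (allowed, sorted role collections).

    With automatic shadow-user creation switched off, a subject without an
    explicitly created shadow user is rejected before any group is mapped;
    groups with no mapping grant nothing.
    """
    subject, groups = parse_assertion(xml_text)
    if subject not in existing_shadow_users and not auto_create_shadow_users:
        return False, []
    collections = sorted({GROUP_TO_ROLE_COLLECTION[g] for g in groups
                          if g in GROUP_TO_ROLE_COLLECTION})
    return True, collections
```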