Cloud Identity Services - Restrict Logon to Corporate Identity Provider groups without IAS sync

Marçal_Oliveras
Active Contributor

Hi,

I configured Entra ID (Azure AD) as Corporate Identity Provider. Then I set up one of my apps to use Azure AD as the default IdP. Everything works fine, and I can also map role collections in the BTP subaccount from groups in Azure AD.

The problem is that absolutely all AAD users can log in now if they know the link, no matter what groups or apps they belong to. They don't get any role assigned if they don't belong to a group, so they can't do anything after logging in, but they get created as shadow users in the subaccount.

I would like to prevent the logon based on groups and I found the documentation on how to do that by configuring the "Corporate IdP Identity Federation".

However, this setup assumes that users exist in the IAS tenant and they belong to IAS groups. What I want is to just use IAS as a proxy and to not even create the users in the IAS tenant as I have now.

Is it possible to do that? Or is it mandatory to sync the corporate IdP users in IAS?

sushilgupta857
Active Participant

Hi marcalvidaxl,

Regarding your query:

Without syncing the Users to IAS - it will not work.

If you have users in IAS along with the Corporate IdP identity federation option, use risk-based authentication (put all the users who want to log in into one group) and restrict the access to this group only.

But this functionality requires Users to be present in IAS.

Now what you can try is this: you must have created an enterprise application for IAS in Azure AD with which you performed the trust configuration. In that enterprise application you will see a Users and Groups tab; only onboard the users who want to access your application in the Azure AD enterprise application. This will block the other users' access on the Azure AD side.

If you don't want to sync users to IAS, you will need to find an alternative to block the access, either on your application side or on your Azure AD (as explained above).

Let me know if it helps!

Thanks and Regards

Sushil K Gupta

Marçal_Oliveras
Active Contributor

Hi sushilgupta857,

Thanks, I mark this as the right answer because it's the most complete. The problem with blocking on the Azure AD side is that there I only have one app (Cloud Identity Services), and what I want is to block users based on their groups per app.

For example, users belonging to the Operations group should be able to log in to Cloud ALM, users belonging to the Integration group should be able to log in to Integration Suite, and users belonging to DevOps should be able to log in to the BTP Cockpits of all subaccounts.

But I think I asked the wrong question for this, since I asked about a general rule to block authentication for Azure AD and not at app level. However, I see it's the same problem. In Cloud Identity Services applications, I could set up "Conditional Authentication" based on user groups, but here too it only allows using IAS groups and not directly the Entra ID groups. So it also requires synchronization.

That's what I guess I should do if I had sync in place and mapping of Azure AD groups to IAS groups: