on 11-01-2023 1:15 PM
Hi All, can you please explain why the users will need to be in IAS for an IDP for the context "Group" and "User type"? The same is mentioned in
Add a New Authentication Rule | SAP Help Portal
Hi Plaban,
if you provide more details about your requirements and objectives here, we might be able to provide a better answer. The presence of (one or many) external IDPs does not exclude the fact of having users in IAS. What I mean is that even if the user needs to be present in IAS (referring to the user profile, not necessarily that they need credentials or need to log in with this user), there can still be a justified need for, and benefit to, having an external IDP for authentication.
Conditional Authentication Rules, as the name implies, require certain conditions. For example: I have an application and want to redirect all users from the "Company_XYZ" group to the Corporate IdP. To do this, groups/users need to be created in IAS or provided via SCIM. Then, when the user accesses the application, they provide their login identifier, and it is checked whether this user in IAS is a member of this group. If yes, their AuthNRequest is forwarded to the external IDP.
Makes sense?
Cheers Carsten
Hi Plaban,
The answer to your question somewhat depends on your specific goals and the focus of your inquiry. To be honest, I didn't fully understand it. I assume you want to determine, within IAS, which user types or users from specific groups should be directed to a Corporate IdP through rules, most likely without user interaction.
IAS, acting as a proxy and lacking user profiles in the user store, cannot make these decisions. It cannot verify group memberships for users of the Corporate IdP; it receives user information through a SAML Response. However, specific attributes from the Corporate IdP's assertion could be used in RBA rules to make certain decisions based on them after the authenticating IdP has sent the user back to IAS. This might be of interest. The proxy IdP always has the final say on whether the authentication process ultimately succeeds or fails. However, this approach also seems to require user persistence.
By the way, the discussion of why this is necessary and the benefits it offers is an ongoing issue, so I would prefer to direct you to the blog (link) for more information. I recommend that anyone delving deeper into SAP BTP/SaaS Cosmos and considering ID Lifecycle automation in the next 1-2 years addresses this aspect early on.
Cheers Carsten
Hi,
All rules except IP range require users to be present in the IAS user store. For these rules IAS checks the user's criteria and decides which IdP to authenticate against - IAS or the corporate IdP. With correct transformations, corporate IdP users are not aware that they also exist in IAS, since they are like 'shadow users'. But if you don't want to have them, you can use IP range definitions.
Best regards,
Istvan
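To make the behaviour described in the two replies above concrete (a rule that sends the "Company_XYZ" group to the Corporate IdP, and the point that every condition except IP range needs a stored user profile), here is an added, constructed model of the rule evaluation. It is not SAP code and does not reproduce the IAS implementation: the rule fields, the first-matching-rule ordering, the lower-cased login lookup, the `select_idp` function and all users, groups, IdP names and IP addresses are assumptions made for the illustration.

```python
"""Constructed model of conditional-authentication rule evaluation (not SAP's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_IDP = "IAS"  # assumption: IAS itself authenticates when no rule matches


@dataclass
class StoredUser:
    """A user profile in the IAS user store (the 'shadow user' for a corporate user)."""
    login: str
    email: str
    user_type: str
    groups: frozenset


@dataclass
class Rule:
    """One conditional-authentication rule; a None condition is 'not set'."""
    idp: str
    ip_range: Optional[str] = None
    email_domain: Optional[str] = None
    user_type: Optional[str] = None
    group: Optional[str] = None

    def needs_profile(self) -> bool:
        """Every condition except the IP range is evaluated against the stored profile."""
        return any((self.email_domain, self.user_type, self.group))


def select_idp(rules: List[Rule], user_store: Dict[str, StoredUser],
               login: str, client_ip: str, default_idp: str = DEFAULT_IDP) -> str:
    """Return the IdP the login attempt is forwarded to.

    Rules are tried in order and the first one whose conditions all hold wins
    (assumed ordering). The store is keyed by lower-cased login identifier.
    """
    profile = user_store.get(login.lower())
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.ip_range and ip not in ipaddress.ip_network(rule.ip_range, strict=False):
            continue
        if rule.needs_profile():
            if profile is None:
                # No shadow user: group, type and domain cannot be checked for this login,
                # so the rule cannot match and evaluation moves on.
                continue
            if rule.group and rule.group not in profile.groups:
                continue
            if rule.user_type and rule.user_type != profile.user_type:
                continue
            if rule.email_domain and not profile.email.lower().endswith(
                    "@" + rule.email_domain.lower()):
                continue
        return rule.idp
    return default_idp


# Constructed sample data (assumptions, not real tenants or users).
USER_STORE = {
    "alice@company-xyz.example": StoredUser(
        "alice@company-xyz.example", "alice@company-xyz.example",
        "employee", frozenset({"Company_XYZ"})),
    "dave@partner.example": StoredUser(
        "dave@partner.example", "dave@partner.example", "partner", frozenset()),
}

RULES = [
    Rule(idp="CorporateIdP", group="Company_XYZ"),          # needs a stored profile
    Rule(idp="PartnerIdP", email_domain="partner.example"),  # needs a stored profile
    Rule(idp="CorporateIdP", ip_range="10.0.0.0/8"),         # works without a profile
]


def demo() -> Dict[str, str]:
    """Evaluate a few constructed login attempts; 'bob' has no shadow user in IAS."""
    attempts = {
        "alice from internet": ("alice@company-xyz.example", "203.0.113.5"),
        "dave from internet": ("dave@partner.example", "203.0.113.5"),
        "bob from office range": ("bob@company-xyz.example", "10.20.30.40"),
        "bob from internet": ("bob@company-xyz.example", "203.0.113.5"),
    }
    return {name: select_idp(RULES, USER_STORE, login, ip)
            for name, (login, ip) in attempts.items()}


if __name__ == "__main__":
    for name, idp in demo().items():
        print(f"{name:24s} -> {idp}")
```

The two "bob" attempts are the point of the model: without a profile in the store, the group and domain rules cannot match for him, so only the IP-range rule can route him to the Corporate IdP; from outside that range he falls through to the default.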
Hi Istvan,
Checking the criteria is done in the rule definition itself. The link Add a New Authentication Rule | SAP Help Portal does not mention Email Domain as a criterion for a user to be present in IAS. Can you please confirm whether 'Domain' also requires the user to be synched up in IAS? And does IAS hold the domain value when synched from Azure?
On second thoughts, unless IAS knows which user has which group, it cannot direct the authentication to a part. IDP.
Regards
Plaban