
IAS Conditional Authentication: Authentication rules

plaban_sahoo
Participant
0 Kudos

Hi All, can you please explain why the users will need to be in IAS for an IDP for Context "Group" and "User type"? The same is mentioned in

Add a New Authentication Rule | SAP Help Portal

If a user has to be present in IAS, then it defeats the purpose of having an IDP added.

Regards
Plaban
sushilgupta857
Active Participant
0 Kudos

Hi Plaban Sahoo,

It's the first question which came to my mind when I started working on IAS 3 years back. I worked on SAP SuccessFactors application integration with IAS (IAS can be integrated with multiple SAP SaaS applications; SAP SF is one of them).

I have tried to answer this specific question in my blog:

Why Identity authentication is required for SAP SuccessFactors Application

Kindly go through it and let me know if you still have questions.

If user details are not present in IAS, you will just be able to use IAS in proxy mode, which acts similarly to how it was without IAS.

The link which you shared will have a pre-requisite of having user details in IAS tenant.

Thanks and Regards

Sushil K Gupta

Accepted Solutions (0)

Answers (2)

Colt
Active Contributor
0 Kudos

Hi Plaban,

If you provide more details about your requirements and objectives here, we might be able to provide a better answer. The presence of (one or many) external IDPs does not exclude the fact of having users in IAS. What I mean is that even if the user needs to be present in IAS (referring to the user profile, and not necessarily that they need credentials or need to log in with this user), there is still a justified need for, and benefit to, having an external IDP for authentication.

Conditional Authentication Rules, as the name implies, require certain conditions. For example: I have an application and want to redirect all users from the "Company_XYZ" group to the Corporate IdP. To do this, groups/users need to be created in IAS or provided via SCIM. Then, when the user accesses the application, they provide their login identifier, and it is checked whether this user in IAS is a member of this group. If yes, their AuthNRequest is forwarded to the external IDP.

Does that make sense?

Cheers Carsten

Colt
Active Contributor
0 Kudos

Hi Plaban,

The answer to your question somewhat depends on your specific goals and the focus of your inquiry. To be honest, I didn't fully understand it. I assume you want to determine, within IAS, which user types or users from specific groups should be directed to a Corporate IdP through rules, most likely without user interaction.

IAS, acting as a proxy and lacking user profiles in the user store, cannot make these decisions. It cannot verify group memberships for users of the Corporate IdP; it receives user information through a SAML Response. However, specific attributes from the Corporate IdP's assertion could be used in RBA rules to make certain decisions based on them after the authenticating IdP has sent the user back to IAS. This might be of interest. The proxy IdP always has the final say on whether the authentication process ultimately succeeds or fails. However, this approach also seems to require user persistence.

By the way, the discussion of why this is necessary and the benefits it offers is an ongoing issue, so I would prefer to direct you to the blog (link) for more information. I recommend that anyone delving deeper into SAP BTP/SaaS Cosmos and considering ID Lifecycle automation in the next 1-2 years addresses this aspect early on.

Cheers Carsten

plaban_sahoo
Participant
0 Kudos

Hi Carsten,

From your answer I can say that you might not have been through the link I gave. The link says to have the user present in IAS. So, if a user has to exist in IAS, there is no need for an external IDP.

Regards

Plaban

istvanbokor
Advisor
0 Kudos

Hi,

All rules except IP range require users to be present in the IAS user store. For these rules IAS checks the user's criteria and decides which IdP to authenticate with: IAS or the corporate IdP. With correct transformations, corporate IdP users are not aware that they also exist in IAS, since they are like 'shadow users'. But if you don't want to have them, you can use IP range definitions.

Best regards,
Istvan
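The evaluation that Carsten and Istvan describe above, as an added Python example that is not part of this thread and not SAP code: a toy rule engine with a constructed user store and a constructed rule set (the "Company_XYZ" group comes from Carsten's example; the "Partner IdP", the 10.0.0.0/8 range, the user records and the first-match, all-conditions-AND semantics are assumptions of this model). It shows why a group or user-type rule cannot match a login identifier that has no profile in the store, while an IP-range rule is decided from the request alone, which is the distinction Istvan draws.

```python
"""Toy model of IAS-style conditional authentication rules.

Constructed illustration, not SAP code: it shows why a rule on group or
user type needs a user profile in the IAS user store, while an IP-range
rule can be evaluated from the request alone.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample user store standing in for IAS user profiles
# (the "shadow users" that a SCIM sync from the corporate directory would create).
USER_STORE = {
    "alice@corp.example": {"groups": frozenset({"Company_XYZ"}), "user_type": "employee"},
    "bob@corp.example": {"groups": frozenset(), "user_type": "partner"},
}


@dataclass(frozen=True)
class Rule:
    """One authentication rule: every condition that is set must hold (AND)."""
    target_idp: str
    ip_range: Optional[str] = None     # evaluated against the client IP of the request
    group: Optional[str] = None        # evaluated against the stored user profile
    user_type: Optional[str] = None    # evaluated against the stored user profile


# Constructed rule set, evaluated top-down; the first matching rule wins.
RULES = (
    Rule(target_idp="Corporate IdP", group="Company_XYZ"),
    Rule(target_idp="Partner IdP", user_type="partner"),
    Rule(target_idp="Corporate IdP", ip_range="10.0.0.0/8"),
)
DEFAULT_IDP = "IAS"  # used when no rule matches (local IAS authentication)


def rule_matches(rule: Rule, login_id: str, client_ip: str, store: dict) -> Tuple[bool, str]:
    """Return (matched, reason). A profile-based condition can never match a
    login identifier that has no profile in the store."""
    if rule.ip_range is not None:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rule.ip_range):
            return False, f"{client_ip} not in {rule.ip_range}"
    if rule.group is not None or rule.user_type is not None:
        profile = store.get(login_id)
        if profile is None:
            return False, f"no profile for {login_id} in user store"
        if rule.group is not None and rule.group not in profile["groups"]:
            return False, f"{login_id} not in group {rule.group}"
        if rule.user_type is not None and profile["user_type"] != rule.user_type:
            return False, f"{login_id} is not user type {rule.user_type}"
    return True, "all conditions satisfied"


def select_idp(login_id: str, client_ip: str, rules=RULES, store=USER_STORE,
               default: str = DEFAULT_IDP) -> Tuple[str, str]:
    """Pick the IdP the AuthnRequest would be forwarded to, plus the reason."""
    for rule in rules:
        matched, reason = rule_matches(rule, login_id, client_ip, store)
        if matched:
            return rule.target_idp, f"matched rule for {rule.target_idp}: {reason}"
    return default, "no rule matched; default IdP"


if __name__ == "__main__":
    for who, ip in [("alice@corp.example", "203.0.113.5"),
                    ("bob@corp.example", "203.0.113.5"),
                    ("carol@corp.example", "203.0.113.5"),   # not synced to IAS
                    ("carol@corp.example", "10.1.2.3")]:     # same user, from inside the IP range
        print(who, ip, "->", select_idp(who, ip))
```

The fourth case is the one that matters for the thread: carol has no profile in the store, so the group and user-type rules are skipped with "no profile" as the reason and only the IP-range rule can still send her to the Corporate IdP. From a defender's view the reason string is also the thing to log, because a silent fallback to the default IdP for unsynced users is exactly the misrouting that is hard to spot later.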

plaban_sahoo
Participant
0 Kudos

Hi Istvan,

Checking the criteria is done at the rule definition itself. The link Add a New Authentication Rule | SAP Help Portal does not mention Email Domain as a criterion for a user to be present in IAS. Can you please confirm if 'Domain' also requires the user to be synced up in IAS? And does IAS hold the domain value when synced from Azure?

On second thoughts, unless IAS knows which user has which group, it cannot direct the authentication to a part. IDP.

Regards

Plaban