Do we need Conditional Authentication Rules if we use the default identity provider as PING FEDERATE

VL1
Active Contributor
0 Kudos

Hi @SoumyadiptaPal 

Hope you are doing good. I need your advice on the below:

I am reaching out to you as I’ve a query related to users logging in.

We already have three groups – SSO, PWD and MFA and our idea is by default all the users would be created as SSO users which is mentioned as part of the Target Transformation which is working well.

[screenshot]

However, if we have to move the users later between the groups manually after the upgrade (SSO to PWD / PWD to SSO / SSO to MFA / MFA to SSO / MFA to PWD / PWD to MFA), how do we achieve it?

We do not have Conditional Authentication rules as we have PING FEDERATE as the default identity provider. We can use authentication rules only if the default identity provider is Identity Authentication.

[screenshot]

As per the KBA - https://me.sap.com/notes/3075413, we have to create conditional authentication rules in IAS for PWD & SSO Users.

[screenshot]

However as per https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-conditional-auth...

[screenshot]

I would like to know whether the existing configuration stands good as we are using PING FEDERATE as our identity provider and not the default Identity Authentication.

Do Conditional Authentication rules need to be created here?

--------------------------------------------------------------------------

Does changing a user from one group to another not affect the logon?

Does a user moving from the PWD group (G2_UN&PWD) to the SSO group (G1_Everyone else) not affect the rest of the user attributes in IAS?

============================================================================

For users logging in via entering the UN & PWD – they use the URL mentioned below:

[screenshot]

For MFA, we have already created a risk-based authentication rule where a two-factor authentication method is used, i.e., both UN & PWD and the external device (YubiKey).

Please advise.

Regards,

Accepted Solutions (0)

Answers (2)


VL1
Active Contributor
0 Kudos

Hi @sushilgupta857 - Thanks a lot for the reply.

We are using PING FEDERATE as our Corporate Idp which means PING FEDERATE is also the default authenticating identity provider.

We are using the SAML User Column in Provisioning. It is mapped to CUSTOM11, which is the Corporate ID in the system. The Corporate ID is the unique identifier for all the users; every user in the system is mapped to a unique corporate ID. SailPoint generates a unique Q ID for each user, which is linked to the corporate ID of the user. Custom11/Corporate ID is part of the SF User (UDF) file, which flows from BizX/EC to IAS when the IAS job is run.

In Applications - Trust - Conditional Authentication - Allow Identity Authentication Users Log On

Allow users stored in Identity Authentication service to log on (Checkbox is selected).

The logon url is https://xxxxxx.accounts.cloud.sap/saml2/idp/sso?sp=https://www.successfactors.com/XXXXXXXintT3&idp=h...

The above logon URL is used by UN & PWD users to log in, and also by the MFA users.

You can enter the Email or User Name and the password to log in.

We have created 3 Groups - SSO, PWD and MFA.

We have added the below transformation, which makes the SSO (Everyone Else) group the default group, so all users created in IAS are initially part of the Everyone Else group.

{
"targetPath": "$.groups[0].value",
"constant": "EVERYONE ELSE",
"scope": "createEntity"
},

After the users are created, if we want to change a user to the PWD or MFA group, we manually unassign the user from the SSO group and assign it to the PWD group. After assigning the user to the PWD group manually, we set the initial password to log in and change the password when prompted.

However, what is happening is that when we move the users manually from one group (SSO) to the other group (PWD) and try logging in with UN & PWD, we are not able to log in and the system comes up with an "Invalid Login" message.

We have different scenarios which we want to achieve, like moving users from one group to another (SSO to PWD, PWD to SSO, PWD to MFA, MFA to PWD, SSO to MFA and MFA to SSO), depending on which group the user belongs to or can be moved to in future, either PWD or MFA.

For MFA, we are using the Web Authentication Method: the user should enter the UN & PWD and also the external key (YubiKey) and enter his PIN to log in.

MFA group is added as an authentication rule to the Risk Based Authentication in the Applications & Resources - Applications - Authentication and Access.

How do we achieve successful login of users when we manually assign the users to different groups, since changing users from one group to another is not affecting the logon?

Please advise.

Regards,

sushilgupta857
Active Participant
0 Kudos
Hi, I was occupied, just saw your comment. I would not recommend performing manual changes to users when you are syncing them using IPS from the source system. Create logic in the transformation to use fields from the source system to filter them into different groups, and control it in the source. For example, you can use the standard loginMethod field in SuccessFactors to filter users into different SSO or PWD groups in IAS. Now let's say you want to switch: just update the field in SF and let the sync job do the magic.

In your scenario, if you accidentally run a full sync job, or if you have configured a property to run a full sync after every 5 read jobs, it will bring your user back to the SSO group even if you manually updated it, or users may have different behaviour. It is recommended to either use the automated process of IPS or control everything manually. Let me know your thoughts on this!
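As an added illustration of the approach in the comment above (deriving group membership from a source field such as loginMethod instead of manual assignment, and why a full sync reverts manual moves), here is a small Python model written for this page; it is not SAP's IPS code. The rule shape follows the transformation quoted in the question, and IPS transformations do have a `condition` key, but the evaluator here is a toy that understands only `$.field == 'value'`, and the `mfaDevice` field and its value are assumptions.

```python
import re

# Constructed rule set in the shape of the transformation quoted in the question.
# Rule 1 is the page's createEntity default; rules 2-4 derive the group from source
# fields instead of manual assignment. loginMethod is the SuccessFactors field named
# in the answer; mfaDevice and its value are assumptions for this example.
RULES = [
    {"targetPath": "$.groups[0].value", "constant": "EVERYONE ELSE", "scope": "createEntity"},
    {"targetPath": "$.groups[0].value", "constant": "EVERYONE ELSE", "condition": "$.loginMethod == 'SSO'"},
    {"targetPath": "$.groups[0].value", "constant": "PWD", "condition": "$.loginMethod == 'PWD'"},
    {"targetPath": "$.groups[0].value", "constant": "MFA", "condition": "$.mfaDevice == 'YUBIKEY'"},
]

# Toy condition grammar: only "$.field == 'value'" is understood.
COND = re.compile(r"^\$\.(\w+)\s*==\s*'([^']*)'$")


def condition_holds(cond, source):
    m = COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    return source.get(m.group(1)) == m.group(2)


def transform(source, existing=None):
    """Build the target record for one source user. 'existing' is the current target
    record (None on create); attributes that no rule writes keep their existing value."""
    groups = list(existing["groups"]) if existing else []
    for rule in RULES:
        if rule.get("scope") == "createEntity" and existing is not None:
            continue  # createEntity rules never run on update
        if "condition" in rule and not condition_holds(rule["condition"], source):
            continue
        groups = [rule["constant"]]  # writes $.groups[0].value; later rules override
    return {"userName": source["userName"], "groups": groups}


def full_sync(source_users, target_store):
    """Re-read every source user and rewrite its target record, as a full read job does.
    Returns the user names whose group changed, so the effect of the job is visible."""
    changed = []
    for src in source_users:
        before = target_store.get(src["userName"])
        after = transform(src, before)
        if before is None or before["groups"] != after["groups"]:
            changed.append(src["userName"])
        target_store[src["userName"]] = after
    return changed
```

A group set by hand in the target survives a full sync only when no source-driven rule writes it; once the group is controlled from the source, the move is made by changing the source field and letting the job run.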
sushilgupta857
Active Participant
0 Kudos

Hi VL1,

Just saw the email.

Though the screenshots are not clearly visible, I am able to understand that you are using IAS as a proxy to the corporate IdP, and you use a different URL for password users, which becomes visible when you enable the check box (allow IAS users to authenticate, or something similar).

 

Now you have 3 groups created; if you are not using conditional auth, these groups are not serving any purpose. I will need more details on how you want to use these groups and how you are maintaining users inside these groups (manually or through transformations).

We have a loginMethod field in SF which can be used to put users into different groups in IAS as per its type, like SSO or PWD; however, if you just put them in groups and do not use them, they will not serve any purpose except giving a count of how many users are SSO or PWD.

Changing users from one group to another will not impact logon, as you are not using rule-based conditional authentication or risk-based auth to enable two-factor or block access.

Please let me know if it helps or if you have any other queries.

Regards