Azure as IDP for IAS

MauricioMiao
Contributor
0 Kudos
1,142

Hi,

We want to configure Azure as the IDP for IAS itself. I mean, use Azure to provide SSO and identity authentication to log in to IAS Admin. Is it possible?

Regards

Mauricio

Accepted Solutions (1)

dyaryura
Contributor
0 Kudos

Hi Mauricio

You'll see two System apps for IAS. You can change the conditional authentication and use your IDP, but you have to be very careful when changing these apps and make sure you do not lock yourself out due to a wrong config:

DanH
Product and Topic Expert
0 Kudos

Hi Diego,

Definitely something customers can suggest as a product improvement. However, I can think of a reason it's unlikely to be offered. The IAS login rules serve two purposes. One is to allow logins and the other is to limit them. The reason most customers choose SSO logins for admins is that it's a corporate policy. Admins are not allowed to do password logins. So having them all tied to SSO except one emergency account (that the Admins have some special procedure to get the password for, wherever it's stored) meets that requirement. Your suggestion is to just make it easier for Admins to log in by offering SSO and non-SSO. If enough customers ask for such a feature, the IAS team would need to figure out how to offer it and also include an option to turn it off.

Thanks, Dan

Answers (2)

DanH
Product and Topic Expert

Adding to Diego's comment about being careful. If your IAS Admin logins are through your SSO and something breaks on your SSO side (your company changes the SSO certificate, for example), you won't be able to get into IAS to make the needed changes to get the logins working again. The best practice is to create one IAS Admin that has username/password permission to log in to IAS as an emergency backup. Keep the credentials stored securely somewhere and only share them with the IAS Admin if needed.
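
Added example (not part of the thread, and not SAP or Microsoft code): one way to notice the certificate change described above before it locks admins out is to compare the signing certificates in the IdP's federation metadata with the fingerprints the IAS side currently trusts. It assumes the trust is SAML 2.0; the function names, status labels and sample metadata are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der):
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate the IdP metadata publishes."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return found

def check_trust(metadata_xml, trusted):
    """Compare published signing certs with the fingerprints the SP side trusts."""
    published = signing_fingerprints(metadata_xml)
    if not published:
        return "NO_SIGNING_CERT"
    if published <= trusted:
        return "OK"
    if published & trusted:
        return "ROLLOVER_PENDING"  # new cert announced next to a trusted one: import it now
    return "MISMATCH"  # nothing published is trusted: fix via the emergency admin

def sample_metadata(*cert_blobs):
    """Constructed IdP metadata; the blobs are placeholder bytes, not real certificates."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        + base64.b64encode(blob).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for blob in cert_blobs)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.test/">'
            "<md:IDPSSODescriptor>%s</md:IDPSSODescriptor></md:EntityDescriptor>"
            % (NS["md"], NS["ds"], keys))

if __name__ == "__main__":
    OLD, NEW = b"constructed-old-cert", b"constructed-new-cert"
    trusted = {fingerprint(OLD)}
    for label, blobs in [("steady", (OLD,)), ("rollover", (OLD, NEW)), ("rotated", (NEW,))]:
        print(label, check_trust(sample_metadata(*blobs), trusted))
```

Run on a schedule against the real metadata document, a `ROLLOVER_PENDING` result is the window in which the new certificate can still be imported through a normal SSO admin session.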

dyaryura
Contributor
0 Kudos

Good note on this Daniel!

Maybe a passwordless option is a good alternative to consider, so that admins don't have to remember additional passwords, but on the other hand I'm not truly convinced by the idea, since passkeys can be stored on some external device not managed by the company. I think we need an "enterprise passkey" solution for this scenario.

In order to keep things simple and use the company IDP, wouldn't it be nice to have the option "corporate IDP" at this level in the console? I think it would simplify a lot of things and shouldn't be a big change for the IAS development team...

MauricioMiao
Contributor
0 Kudos

Thank you guys!

Regards

Mauricio