2024 Jun 13 5:05 PM - edited 2024 Jun 14 8:03 AM
Hi, I'm a bit confused about how to achieve my goal, which is to use Cloud Identity Services (CIS) as the only Identity Provider for all my BTP subaccounts, applications and services including "Platform Users", but the users must be replicated from Entra ID and also authenticate via the Microsoft solution.
This is a summary of what I want:
It seems there are 2 ways to provision users to CIS, one is by planning a periodic job in CIS itself to pull the list of users via GraphAPI and replicate the changes in the target system, in this case CIS. This is explained in this blog and it allows me to filter groups and users belonging to them as I need.
The 2nd option is to create an Enterprise App directly in Entra ID which will push the list of users to CIS as in this Microsoft tutorial. This option is easier, but I don't seem to be able to push either the groups or the list of groups the user belongs to, as I wanted. The scoping option also doesn't allow filtering by a list of groups.
I tried option 1 and I have all the users and groups in CIS the way I wanted. Now I would like to solve the authentication part, but the documentation I can find doesn't seem aligned with the option 1 of user provisioning via GraphAPI registered app. Should I create a 2nd Enterprise Application for the authentication part? Or am I missing something?
I'm also confused on how to have SSO but at the same time only users replicated to CIS should be able to login.
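As an added illustration (not code from SAP, Microsoft, or the blog linked above) of what the option-1 pull job has to do with the Graph data before writing to CIS: it reads group memberships, keeps only users from an allow-list of groups, drops disabled accounts, and emits SCIM 2.0 User and Group resources plus a change plan against what the target already holds. The group ids, names and users are constructed sample data, and the allow-list and the "existing users" set are assumptions.

```python
"""Added example, not code from SAP, Microsoft, or the linked blog.
It mimics the data shaping a pull-based provisioning job (option 1 in the
post) performs: read Entra ID group memberships, keep only members of an
allow-list of groups, and emit SCIM 2.0 User and Group resources for the
target (here Cloud Identity Services). Per RFC 7643 the User `groups`
attribute is read-only, so membership is written via Group `members`."""
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for Microsoft Graph `/groups/{id}/members` responses,
# trimmed to the fields used below. Not real tenant data.
SAMPLE_GRAPH = {
    "grp-btp-admins": {
        "displayName": "BTP Admins",
        "members": [
            {"id": "u1", "userPrincipalName": "alice@example.com",
             "givenName": "Alice", "surname": "Adams", "accountEnabled": True},
            {"id": "u2", "userPrincipalName": "bob@example.com",
             "givenName": "Bob", "surname": "Brown", "accountEnabled": True},
        ],
    },
    "grp-btp-developers": {
        "displayName": "BTP Developers",
        "members": [
            {"id": "u2", "userPrincipalName": "bob@example.com",
             "givenName": "Bob", "surname": "Brown", "accountEnabled": True},
            {"id": "u3", "userPrincipalName": "carol@example.com",
             "givenName": "Carol", "surname": "Clark", "accountEnabled": False},
        ],
    },
    "grp-finance": {  # outside the allow-list: must never reach the target
        "displayName": "Finance",
        "members": [
            {"id": "u4", "userPrincipalName": "dave@example.com",
             "givenName": "Dave", "surname": "Dunn", "accountEnabled": True},
        ],
    },
}


def scim_user(member: dict) -> dict:
    """Map one Graph user object to a SCIM 2.0 User resource (RFC 7643)."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": member["id"],  # Entra object id: stable join key across renames
        "userName": member["userPrincipalName"],
        "name": {"givenName": member["givenName"], "familyName": member["surname"]},
        "emails": [{"value": member["userPrincipalName"], "primary": True}],
        "active": member["accountEnabled"],
    }


def build_scim_resources(graph: dict, allowed_groups: Iterable[str]) -> Tuple[Dict[str, dict], List[dict]]:
    """Return (users keyed by userName, groups) for members of allowed groups only.

    Disabled Entra accounts are dropped so a blocked user does not keep a
    login in the target; a user in several groups is emitted once.
    """
    users: Dict[str, dict] = {}
    groups: List[dict] = []
    for gid in allowed_groups:
        g = graph[gid]
        members = []
        for m in g["members"]:
            if not m["accountEnabled"]:
                continue
            users.setdefault(m["userPrincipalName"], scim_user(m))
            members.append({"value": m["id"], "display": m["userPrincipalName"]})
        groups.append({
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
            "externalId": gid,
            "displayName": g["displayName"],
            "members": members,
        })
    return users, groups


def reconcile(desired: Dict[str, dict], existing: Iterable[str]) -> Dict[str, List[str]]:
    """Plan the changes one sync run would apply to the target.

    `existing` holds the userNames already present in the target. Users no
    longer in an allowed group are deactivated rather than deleted, so the
    target keeps its audit trail and assignments (a design choice here).
    """
    present = set(existing)
    wanted = set(desired)
    return {
        "create": sorted(wanted - present),
        "update": sorted(wanted & present),
        "deactivate": sorted(present - wanted),
    }


if __name__ == "__main__":
    users, groups = build_scim_resources(SAMPLE_GRAPH, ["grp-btp-admins", "grp-btp-developers"])
    plan = reconcile(users, ["bob@example.com", "erin@example.com"])
    print(sorted(users), [g["displayName"] for g in groups], plan)
```

The "deactivate" bucket is what makes the sync enforce the poster's second requirement: a user who leaves every scoped Entra group stops being an active CIS user on the next run, without anyone touching CIS by hand.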
Hi,
considering your last statement -
Use risk-based authentication in IAS if you want to restrict / allow specific types of users to access the application.
Reading the description, it seems you want to authenticate in both IAS and Microsoft AD. Use conditional authentication and set up rules there to meet your requirements.
Both of the above functionalities will work because you have already synced the users.
Regards
Sushil K Gupta
Hi @sushilgupta857, I want the user to be a Cloud Identity Services user because some services like BTP Platform Users or Cloud ALM only support this option. But I want the authentication to be with Entra ID to have SSO and enforce the company security policies for SAP BTP services, like the Entra ID MFA or the validation of an allowed browser, for example.
I tried the setup of Entra ID as proxy, but then I faced some issues: