IAS / SSO login for a user with two different SF usernames but the same email

zebashah
Participant

Dear Team,

We want to introduce different login methods for admins vs. normal users.

Current scenario: for example, user John is an admin as well as an employee. He has, however, one email address maintained in SF and two user IDs, a_John and P_John. He uses the same SF URL to log in to both accounts (at this stage SSO is not enabled) and he uses the user ID to log in.

In future: the client will upgrade to use IAS / IPS. However, in IAS a unique email address is needed, hence only one account is synced with the email in IAS.

The user wants a way to log in to the SF system in which SSO is enabled such that he can access both his accounts via the same email. Login methods could be different for the admin ID vs. him as a normal employee / user.

Please suggest how we can achieve this. Can we have conditional login for admins such that they have a choice to enter SF either as an admin or as an employee? Or can we have SSO enabled for the user as an employee and disabled for admins? Please suggest what the possibilities and solutions are.

Thanks,

Zeba

dyaryura
Contributor

Hi Zeba

You'll need to keep unique emails in order to be able to sync SF users to IAS. You can assign dummy emails to users in SF and add a transformation in IAS so IPS will generate unique emails for all those users with the same email. Let's say you add a dummy email to the admin users in SF like "SSFFADMINS@TEST.com"; using the IPS transformation you'll usually end up creating a user in IAS like "afd343-f-....@sap-test.de".

You can then enable conditional authentication to the SF application and you'll see a link like this:

[screenshot: conditional authentication link shown in the IAS application configuration]

The admin user should be able to log in to SF using the link you see in conditional auth. This will authenticate the user using the password in IAS, and you can enable MFA in IAS for the user.

You can also work with conditional auth by assigning users to different groups (i.e. you can assign a group to admin users) so they can use a different authentication method. The issue with this is that you'll end up complicating the SSO experience for the rest of the users, since you'll get a first screen from IAS asking the user to enter the email/ID and redirecting to IAS or different IdPs depending on the groups assigned or certain conditions of the users / network.

You can check more details here https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-conditional-auth...

Thanks

Diego
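To make the two mechanisms in Diego's answer concrete, here is an added simulation (my own code, not SAP's IPS or IAS) of the pre-sync transformation that gives admin accounts a unique placeholder e-mail, the uniqueness check IAS would otherwise reject on, and the group-based conditional-authentication rule that sends admins to an IAS password + MFA login while everyone else keeps corporate SSO. The SF records, the placeholder domain `sap-test.de` and the hash-based address format are constructed for the example; a real IPS transformation is configured in the IPS UI, not in Python.

```python
"""Simulation of 'dummy e-mail + IPS transformation + conditional auth'.

Not SAP code: it models the logic so the uniqueness requirement and the
routing rule can be checked offline against constructed sample data.
"""
import hashlib

# Constructed placeholder domain, mirroring the "...@sap-test.de" shape in the answer.
DUMMY_DOMAIN = "sap-test.de"

# Constructed SF user records: one person (John) with two user IDs and one e-mail.
SF_USERS = [
    {"userId": "P_John", "email": "john@example.com", "admin": False},
    {"userId": "a_John", "email": "john@example.com", "admin": True},
    {"userId": "P_Mary", "email": "mary@example.com", "admin": False},
]


def unique_placeholder_email(user_id: str) -> str:
    """Deterministic placeholder address derived from the SF user ID.

    Hashing keeps the address stable across sync runs (same input, same
    address) without leaking the user ID into the mailbox part.
    """
    digest = hashlib.sha256(user_id.encode("utf-8")).hexdigest()[:16]
    return f"{digest}@{DUMMY_DOMAIN}"


def transform_for_ias(users):
    """Return copies of the SF records with admin e-mails replaced by placeholders.

    Raises ValueError if any e-mail is still shared after the transformation,
    because IAS enforces e-mail uniqueness and the sync would fail there.
    """
    transformed = []
    for user in users:
        record = dict(user)
        if record["admin"]:
            record["email"] = unique_placeholder_email(record["userId"])
        transformed.append(record)

    emails = [r["email"] for r in transformed]
    duplicates = sorted({e for e in emails if emails.count(e) > 1})
    if duplicates:
        raise ValueError(f"e-mail still not unique after transformation: {duplicates}")
    return transformed


def auth_method(user) -> str:
    """Conditional-authentication rule keyed on group membership.

    Admin accounts (the ones carrying a placeholder e-mail) authenticate with
    their IAS password plus MFA; every other account goes to the corporate IdP.
    """
    return "ias-password+mfa" if user["admin"] else "corporate-idp"


if __name__ == "__main__":
    for record in transform_for_ias(SF_USERS):
        print(record["userId"], record["email"], auth_method(record))
```

Running the module prints one line per account: P_John and P_Mary keep their real addresses and route to the corporate IdP, while a_John gets a placeholder at the dummy domain and routes to the IAS password + MFA login, which is exactly the split the answer describes. The ValueError path is what you hit if two non-admin SF accounts still share an address, so it is worth running this kind of check before the first IPS sync rather than discovering the collision in the IPS job log.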
sushilgupta857
Active Participant
Hi, you can remove the unique email address restriction in IAS: go to IAS tenant settings, Logon Alias, and uncheck "unique" in the Email address column. You can have the same behaviour as you have in SF login now. Let me know if it helps!
abdulbasit
Active Contributor

Hi Zeba,

In addition to the methods suggested by Diego, I would also consider using a different attribute as the Subject Name Identifier in IAS. You can change the configuration to use a different attribute in IAS for SSO instead of e-mail, but you need to make sure that this attribute is synchronized from SF to IAS with IPS.

Abdul.
zebashah
Participant
Hi @Sushil, it worked, but now I am worried about how SSO with the identity provider will work?
sushilgupta857
Active Participant
Hi Zeba, this functionality comes with its own restriction. In the scenario where we disable email as unique, we will not be able to use it for login. Users can use loginName to perform the login. There can be many approaches which can be configured; some are suggested by other people in the comments. One of them can be: use IAS as a proxy and give that URL to all the SSO users. Don't enable identity federation in IAS (this will not consider the attributes from IAS) and SSO should work. Now on the conditional auth screen you will get another URL for password-based users. Share that other URL with the user and ask him to use the loginName of the other ID which he wants to use with a password.