on 2024 Aug 23 10:09 AM
Dear Team,
We want to introduce different login methods for Admins vs. normal Users.
Current scenario: for example, user John is an admin as well as an employee; he has, however, one email address maintained in SF and two user IDs, a_John & P_John. He uses the same SF URL to log in to both accounts (at this stage SSO is not enabled) and he uses the user ID to log in.
In future: the client will upgrade to use IAS / IPS. However, in IAS a unique email address is needed, hence only one account is synced with the email in IAS.
The user wants a way to log in to the SF system, in which SSO is enabled, such that he can access both his accounts via the same email. Login methods could be different for an admin ID vs. for him as a normal employee / user.
Please suggest how we can achieve this. Can we have conditional login for admins such that they have a choice to enter SF either as an admin or as an employee? Or can we have SSO enabled for a user as an employee and disabled for admins? Please suggest what the possibilities & solutions are.
Thanks,
Zeba
Hi Zeba
You'll need to keep unique emails in order to be able to sync SF users to IAS. You can assign dummy emails to users in SF and add a transformation in IAS so IPS will generate unique emails for all those users with the same email. Let's say you add a dummy email to the Admin users in SF like "SSFFADMINS@TEST.com"; using the IPS transformation you'll usually end up creating a user in IAS like "afd343-f-....@sap-test.de".
You can then enable conditional authentication for the SF application and you'll see a link like this:
The Admin user should be able to log in to SF using the link you see in conditional auth. This will authenticate the user using the password in IAS, and you can enable MFA in IAS for the user.
You can also work with conditional auth by assigning users to different groups (i.e. you can assign a group to admin users) so they can use a different authentication method. The issue with this is that you'll end up complicating the SSO experience for the rest of the users, since you'll get a first screen from IAS asking the user to enter the email/ID and redirecting to IAS or different IdPs depending on the groups assigned or certain conditions of the users / network.
You can check more details here https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-conditional-auth...
Thanks
Diego
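The flow Diego describes, as an added example that is not part of this thread or of SAP's own IPS/IAS code: a model of the provisioning transformation (placeholder address on the admin account replaced by a unique synthetic address, uniqueness enforced as IAS requires) plus the conditional-authentication rule that sends the admin group to IAS password + MFA and everyone else to the corporate IdP. The synthetic domain, the group name "SF_ADMINS" and the hash-based derivation of the local part are assumptions for illustration; the sample user records are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: one person, two SF user IDs, one real mailbox.
# The admin account carries the placeholder address from the answer above.
PLACEHOLDER_EMAIL = "SSFFADMINS@TEST.com"
SYNTHETIC_DOMAIN = "sap-test.de"   # assumed domain for generated addresses
ADMIN_GROUP = "SF_ADMINS"          # assumed IAS group used by the conditional-auth rule

SF_USERS = [
    {"userId": "P_John", "email": "john@example.com", "isAdmin": False},
    {"userId": "a_John", "email": PLACEHOLDER_EMAIL, "isAdmin": True},
    {"userId": "a_Mary", "email": PLACEHOLDER_EMAIL, "isAdmin": True},
]

@dataclass(frozen=True)
class IasUser:
    user_id: str
    email: str
    groups: tuple

def transform(sf_user: dict) -> IasUser:
    """Model of the IPS transformation: accounts carrying the placeholder get a
    unique synthetic address derived from the SF user ID (assumed derivation);
    all others keep their real address. Admin accounts join the admin group."""
    email = sf_user["email"]
    if email.lower() == PLACEHOLDER_EMAIL.lower():
        local = hashlib.sha256(sf_user["userId"].encode()).hexdigest()[:12]
        email = f"{local}@{SYNTHETIC_DOMAIN}"
    groups = (ADMIN_GROUP,) if sf_user["isAdmin"] else ()
    return IasUser(sf_user["userId"], email.lower(), groups)

def provision(sf_users: list) -> list:
    """Run the transformation and enforce the IAS unique-e-mail constraint,
    comparing case-insensitively so A@B.C and a@b.c count as a collision."""
    result, seen = [], {}
    for u in sf_users:
        ias = transform(u)
        if ias.email in seen:
            raise ValueError(f"duplicate e-mail {ias.email}: {seen[ias.email]} and {ias.user_id}")
        seen[ias.email] = ias.user_id
        result.append(ias)
    return result

def auth_method(user: IasUser) -> str:
    """Conditional-authentication rule: admin group -> IAS password with MFA,
    everyone else -> the corporate IdP (SSO)."""
    return "ias-password+mfa" if ADMIN_GROUP in user.groups else "corporate-idp"
```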
Hi Zeba,
In addition to the methods suggested by Diego, I would also consider using a different attribute as the Subject Name Identifier on IAS. You can change the configuration to use a different attribute on IAS for SSO instead of e-mail, but you need to make sure that this attribute is synchronized from SF to IAS with IPS.
Abdul.