Can we configure 2 IdPs in SCP, one internal IdP and another Azure external IdP?

Incture
Explorer

Hi All,

Can we configure SSO using two ID services?

Our requirement is that we need to access the SAP Cloud Platform application from the SAP Cloud Platform ID service and the Azure AD service (external).

We need to authenticate users individually at the same time, i.e. the SAP application should be authenticated via an SAP IDP user and at the same time an Azure AD user should also be able to access it.

But the users are not similar in both IDP services.

The final outcome is that people from the internal IDP should be able to access the SCP app, and external users from Azure should also be able to access the SCP app.

Since two IDPs are required, can this be configured?

If so, can you please guide us on the flow and how it can be configured?

Regards,

Basis

Answers (1)

lucasvaccaro
Product and Topic Expert

Hello,

Yes, you can add multiple IdPs; however, if you want to use SAP ID service (accounts.sap.com), you must select Configuration Type = Default. In this case, SAP ID Service will be the default identity provider and you can add other identity providers, but they can be used for IdP-initiated authentication only.

More information at:
https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/dc618538d97610148155d97dcd1...

Also, since you don't have control over SAP ID service, you'll only be able to map users to roles using the S-user ID (one by one). In case of Azure, you can map groups to roles (assuming that Azure sends the user's groups to SCP in the SAML assertion). If a person has an S-user ID and an Azure account, SCP will see them as 2 different users when logging in with SAP ID service and Azure.

If you have an Identity Authentication tenant, then you will select Configuration Type = Custom and add both IdPs as Application Identity Providers. One will always be the default, meaning that if you want to log on with the other, you will have to use IdP-initiated SSO or call the application using the parameter ?saml2idp=<idp name> (check the link above).

Best Regards,
Lucas
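To make the two mapping modes and the IdP selection described in this answer concrete, here is an added example (not SAP's code, nor anything from the original post). It parses two constructed SAML assertions, resolves roles one-by-one for an SAP ID service S-user and by group for an Azure user, treats the same NameID from different issuers as different principals, and builds the `?saml2idp=` URL; the issuer URLs and the Azure groups claim name are assumptions, and signature verification is assumed to happen before this logic runs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed values for illustration only: the issuer URLs are placeholders and the
# Azure groups claim name is an assumption about what Azure AD puts in the assertion.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAP_ID_ISSUER = "https://accounts.sap.com"
AZURE_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

SAP_ID_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>{SAP_ID_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>P0001234567</saml:NameID></saml:Subject>
</saml:Assertion>"""
AZURE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>{AZURE_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>jane@contoso.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_GROUPS_CLAIM}">
      <saml:AttributeValue>scp-app-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role mappings the SCP admin maintains: SAP ID users one by one (keyed by issuer and
# S-user ID, since SCP sees each IdP's users separately), Azure users by group.
USER_ROLE_MAP = {(SAP_ID_ISSUER, "P0001234567"): {"Viewer"}}
GROUP_ROLE_MAP = {"scp-app-admins": {"Admin", "Viewer"}}

def parse_assertion(xml_text):
    """Return (issuer, name_id, groups); signature checking is assumed to happen first."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    xpath = f"saml:AttributeStatement/saml:Attribute[@Name='{AZURE_GROUPS_CLAIM}']/saml:AttributeValue"
    groups = [v.text for v in root.findall(xpath, namespaces=NS)]
    return issuer, name_id, groups

def resolve_roles(issuer, name_id, groups):
    """Apply the mapping mode that fits the IdP; an unknown issuer gets no roles."""
    if issuer == SAP_ID_ISSUER:
        return set(USER_ROLE_MAP.get((issuer, name_id), set()))
    if issuer == AZURE_ISSUER:
        return set().union(*(GROUP_ROLE_MAP.get(g, set()) for g in groups))
    return set()

def login_url(app_url, idp_name):
    """URL that selects the non-default IdP via the saml2idp parameter."""
    return f"{app_url}?{urlencode({'saml2idp': idp_name})}"
```

Note that an S-user ID presented by any issuer other than SAP ID service resolves to no roles, which is the behaviour you want when a second IdP is trusted only for its own users.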