How to configure Conditional Authentication to send users to IAS instead of Entra ID
This is the case where the IAS is implemented and you have already configured a corporate authenticator like EntraID (former Azure), Okta, etc. So, for a group of employees/users you want them to use the IAS user and password, instead of the corporate one (Entra ID). Usually, this feature is enabled for a group of external employees, consultants, etc.
The typical configuration is to set the Entra ID/Azure authenticator as default and provide the “Identity Authentication” log on link to the external employees/consultants.
How to set the “Conditional authentication” in SAP IAS
Follow this steps:
1.Choose a Corporate Identity Provider as Default
2. Provide the “Identity Authentication link” to external employees/consultants.
Second Option: Create a rule to identify the users and redirect to different Identity Providers.
1. The first step is to create a group of users for the users that will be identified by the Corporate IdP.
Navigate to Home -> Applications & Recourses -> Applications -> [ the application using Corp. IdP ] -> Conditional Authentication (the “Default Authenticating Identity Provider” is set to a Corporate IdP)
- Navigate to Home -> Applications & Recourses -> Applications -> [ the application using Corp. IdP ] -> Conditional Authentication (the “Default Authenticating Identity Provider” is set to a Corporate IdP)
- In case the “Default Authenticating Identity Provider” is not Identity Authentication, set to Identity Authentication (this allows to add a new rule)
- Click “+ Add Rule”
- Set the “Identity provider” to the desired Corporate IdP
- Set “User Group” to the group created in Step 1.
- Click “Ok“
- Set the “Default Authenticating Identity Provider” back to Identity Authentication
- Click “Save”
The result: Users who are contained in the group created in step 1 will be authenticated with the chosen Corprorate IdP, the users not contained in the group created in step 1 will be authenticated though IAS.
