SAP Business Transformation Platform IAS provides simple and secure access to web-based applications with a variety of authentication methods, at any time and from anywhere. The service was previously known as SAP Cloud ID service.
Authentication and Single Sign-On in the Cloud
IAS provides secure and simple access based on the following factors:
- Identity federation based on SAML 2.0.
- Web Single Sign-On (SSO) and desktop SSO.
- Secure on-premise integration to reuse existing authentication systems.
- Social login and two-factor authentication.
- Risk-based authentication.
IAS provides user and access management based on the following factors:
- User administration and integration with on-premise user stores.
- User groups and application access management.
- User self-service, for example, password reset, registration, and user profile maintenance.
- System for Cross-domain Identity Management (SCIM) API.
IAS provides the following enterprise features:
- Branding of end user UIs.
- Password and privacy policies.

IAS is interoperable with all applications that support the SAML 2.0 standard or OpenID Connect (OIDC).
Delegated Authentication - IAS as a Proxy to a Corporate Identity Provider (IdP)
IAS has the following IdP proxy features:
- Authentication is delegated to corporate IdP login.
- Reuse of existing SSO infrastructure.
- Easy and secure authentication for employee scenarios.
- Federation based on the SAML 2.0 standard.
Delegated Authentication - Authentication with an On-Premise User Store
IAS can connect to an on-premise user store.
- User credentials are taken from:
  - Active Directory (through LDAP).
  - AS Java (which can be either local UME, ABAP store or AD).
- There is no user replication required to the Cloud.
- Internal network ports do not need to be exposed to the Internet.
- Other IAS product features can be used including UI configuration policies and two-factor authentication.
Delegated Authentication - Re-use of Windows Domain Authentication (SPNEGO)

SPNEGO authentication provides the following:
- Users authenticated with Microsoft Active Directory can utilize SSO for Cloud applications without re-authentication.
- Reuse of existing corporate identity infrastructure.
- Secure authentication and SSO for Cloud and on-premise Web applications.
Delegated Authentication - Conditional Authentication

Depending on several factors, different types of users can be rerouted to different IdPs for authentication.
As a proxy to multiple IdPs, IAS provides:
- A secure business network, allowing partner users to log in via their corporate IdP.
- Authentication that is initiated by the corporate IdP.
- An optional check for correct user group assignment can be configured upon successful authentication; a sync of users from IdPs to groups in IAS is required.