SAP Knowledge Base Article - Preview

3433542 - How to find the IP addresses used by the cf login --origin command and add them to Risk-Based Authentication in IAS?


The command "cf login --origin <IdP name>" is used to log in to Cloud Foundry. On the IAS side, within the relevant application, Risk-Based Authentication (RBA) is configured to restrict access, with the default action set to "Deny." Consequently, when the command "cf login --origin <IdP name>" is executed, access is denied, resulting in a 401 error. The logs indicate this denial with the message "Denied by RBA rules," as observed below:

 "<time stamp>","<incoming IP address>",anonymous,INFO,"ID","state=""failed"", action=""login"", objectType=""user"", objectId=""P00xxxx"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", category=""audit.authentication"", credentialType=""{UID_PW=authenticated}"", originalCallerIp="""", workflow=""openIdConnect"", serviceProvider=""btp-platform"" "  

To allow access, the incoming IP address shown above must be added to the rule list of Risk-Based Authentication. Because the incoming IP address changes, a list of the possible IP addresses is required.
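The log check described above, as an added example that is not part of the SAP article: it reads audit records in the layout of the quoted line, keeps the RBA denials for the `btp-platform` service provider, and merges the observed source addresses into exact networks for review. The function names, the sample records and the `other-app` value are assumptions made for illustration.

```python
import csv
import ipaddress
import re
from collections import Counter

# Constructed records in the layout of the log line above (documentation-range
# IPs, made-up timestamps; "other-app" is a placeholder service provider).
TEMPLATE = (' "%s","%s",anonymous,INFO,"ID","state=""failed"", action=""login"", '
            'objectType=""user"", objectId=""P00xxxx"", cause=""rbaRulesCheckFailure"", '
            'message=""Denied by RBA rules"", category=""audit.authentication"", '
            'credentialType=""{UID_PW=authenticated}"", originalCallerIp="""", '
            'workflow=""openIdConnect"", serviceProvider=""%s"" "  ')
SAMPLE_LOG = "\n".join(TEMPLATE % row for row in [
    ("2024-01-01T08:00:00Z", "203.0.113.10", "btp-platform"),
    ("2024-01-01T09:30:00Z", "203.0.113.11", "btp-platform"),
    ("2024-01-02T08:05:00Z", "203.0.113.10", "btp-platform"),
    ("2024-01-02T11:00:00Z", "198.51.100.7", "btp-platform"),
    ("2024-01-02T11:10:00Z", "192.0.2.99", "other-app"),
    ("<time stamp>", "<incoming IP address>", "btp-platform"),  # unfilled placeholder
])

PAIR = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs inside the detail column

def rba_denied_sources(log_text, service_provider="btp-platform"):
    """Count source IPs of logins that RBA denied for one service provider."""
    hits = Counter()
    lines = (ln.strip() for ln in log_text.splitlines() if ln.strip())
    for row in csv.reader(lines):  # csv turns the doubled "" back into "
        if len(row) < 6:
            continue  # not an audit record in the expected layout
        details = dict(PAIR.findall(row[5]))
        if (details.get("cause") == "rbaRulesCheckFailure"
                and details.get("serviceProvider") == service_provider):
            try:
                hits[ipaddress.ip_address(row[1].strip())] += 1
            except ValueError:
                continue  # address column is empty or not an IP
    return hits

def candidate_networks(hits):
    """Merge observed addresses into exact networks; ranges are never widened."""
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        nets = [ipaddress.ip_network(str(ip)) for ip in hits if ip.version == version]
        merged += [str(n) for n in ipaddress.collapse_addresses(nets)]
    return merged

if __name__ == "__main__":
    print(candidate_networks(rba_denied_sources(SAMPLE_LOG)))
```

The result covers only addresses that actually appeared in the log, so it can be incomplete while the incoming address keeps changing. Confirm that each entry belongs to the platform before adding it to an RBA rule.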



  • SAP Cloud Identity Services
  • BTP


BTP all versions ; SAP Cloud Identity Services all versions


KBA , BC-IAM-IDS , Identity Authentication Service , BC-CP-CF-SEC-IAM , UAA, Authentication, Authorization, Trust Mgmnt , How To
